Xueshuo Xie,Zongming Jin,Jiming Wang,Lei Yang,Ye Lu,Tao Li

DOI: https://doi.org/10.1016/j.jnca.2020.102659

IF: 7.574

2020-01-01

Journal of Network and Computer Applications

Abstract:Log data records system state and runtime behaviors, and is usually used to diagnose system failures and detect anomalies. However, the accuracy of log-based anomaly detection algorithms will reduce dramatically in dynamic logs since the system more complex than ever before, a phenomenon known as concept drift. In this paper, we design a confidence-guide anomaly detection model that combines multiple algorithms, called Multi-CAD. We first propose a statistical value p_value to measure the non-conformity between logs and establish a link in the new log and previous logs, and can also choose multiple suitable algorithms as the non-conformity measure to calculate scores for combined detection instead of to make a decision. And then, we design a confidence-guided parameter adjustment method to anti-concept drift in dynamic logs and update the score set with the corresponding label from a trusted result that contains a label, non-conformity score, and confidence by a feedback mechanism as the previous experience for the following-up detection. Finally, we demonstrate that Multi-CAD will make a balance performance in precision rate, recall rate, and F_measure, and detect actual anomalies on multiple datasets. An extensive set of experiment results highlight that Multi-CAD will increase almost 20% on average in recall rate and F_measure compared with four typical algorithms on the HDFS benchmark dataset, where it achieves 98.2% in precision rate, 95.2% in recall rate, and 96.7% in F_measure.

Yu Sun,Gangfeng Yan,Xiasheng Shi

DOI: https://doi.org/10.1088/1757-899x/631/4/042046

2019-01-01

IOP Conference Series Materials Science and Engineering

Abstract:Abstract Traditional methods for detecting data anomalies of power equipment fail to fully mine the data characteristics. And it has shortcomings such as complex calculation, poor flexibility and low accuracy. To solve the problem of abnormal fault detection of electric equipment, the abnormal detection algorithm based on statistical analysis and machine learning is used in the paper. The reconstruction method based on Long Short Term Memory (LSTM) time sequence is proposed for time series data abnormal detection. Experiments show that the new method is effective in detecting and correcting abnormal data, which reduces the detection time and improves the accuracy of state estimation results. There are huge differences within the positive samples in anomaly detection, so several methods are studied in the paper. One-class SVM algorithm is often used in novelty detection and isolation forest algorithm is used in outlier detection. Machine learning methods which is based on statistical analysis will play an increasingly important role in the fields of equipment monitoring and predictive maintenance, safety of electric equipment.

Xuze Xia,Wei Zhang,Jianhui Jiang

DOI: https://doi.org/10.1109/prdc47002.2019.00034

2019-01-01

Abstract:Anomaly detection plays an important role in large-scale distributed systems. System logs are significant source of troubleshooting and problem diagnosis. Most of the existing anomaly detection methods apply only one machine learning model to extract feature from structured logs. However, each machine learning model has different strength towards different target system. It is hard for developers to know which is the best method to their practical problem at hand. This paper proposes two methods for anomaly detection based on the machine learning ensemble models. The first method takes mixture of experts to combine the weighted prediction of ensemble members to generate the final prediction. The second method divides the sample into n parts, then use n models to extracting features. Experimental results demonstrate the validity and accuracy of the proposed methods.

Yitong Ren,Zhaojun Gu,Zhi Wang,Zhihong Tian,Chunbo Liu,Hui Lu,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.3390/electronics9020232

IF: 2.9

2020-01-31

Electronics

Abstract:With the rapid development of the Internet of Things, the combination of the Internet of Things with machine learning, Hadoop and other fields are current development trends. Hadoop Distributed File System (HDFS) is one of the core components of Hadoop, which is used to process files that are divided into data blocks distributed in the cluster. Once the distributed log data are abnormal, it will cause serious losses. When using machine learning algorithms for system log anomaly detection, the output of threshold-based classification models are only normal or abnormal simple predictions. This paper used the statistical learning method of conformity measure to calculate the similarity between test data and past experience. Compared with detection methods based on static threshold, the statistical learning method of the conformity measure can dynamically adapt to the changing log data. By adjusting the maximum fault tolerance, a system administrator can better manage and monitor the system logs. In addition, the computational efficiency of the statistical learning method for conformity measurement was improved. This paper implemented an intranet anomaly detection model based on log analysis, and conducted trial detection on HDFS data sets quickly and efficiently.

engineering, electrical & electronic,computer science, information systems,physics, applied

Lanlan Xi,Yang Xin,Shoushan Luo,Yanlei Shang,Qifeng Tang

DOI: https://doi.org/10.1109/ccai50917.2021.9447458

2021-01-01

Abstract:In order to realize Intelligent Disaster Recovery and break the traditional reactive backup mode, it is necessary to forecast the potential system anomalies, and proactively backup the real-time datas and configurations. System logs record the running status as well as the critical events (including errors and warnings), which can help to detect system performance, debug system faults and analyze the causes of anomalies. What's more, with the features of real-time, hierarchies and easy-access, log data can be an ideal source for monitoring system status. To reduce the complexity and improve the robustness and practicability of existing log-based anomaly detection methods, we propose a new anomaly detection mechanism based on hierarchical weights, which can deal with unstable log data. We firstly extract semantic information of log strings, and get the word-level weights by SIF algorithm to embed log strings into vectors, which are then feed into attention-based Long Short-Term Memory(LSTM) deep learning network model. In addition to get sentence-level weight which can be used to explore the interdependence between different log sequences and improve the accuracy, we utilize attention weights to help with building workflow to diagnose the abnormal points in the execution of a specific task. Our experimental results show that the hierarchical weights mechanism can effectively improve accuracy of perdition task and reduce complexity of the model, which provides the feasibility foundation support for Intelligent Disaster Recovery.

Zhaoli Liu,Tao Qin,Xiaohong Guan,Hezhi Jiang,Chenxu Wang

DOI: https://doi.org/10.1109/ACCESS.2018.2843336

IF: 3.9

2018-01-01

IEEE Access

Abstract:Logs are generated by systems to record the detailed runtime information about system operations, and log analysis plays an important role in anomaly detection at the host or network level. Most existing detection methods require a priori knowledge, which cannot be used to detect the new or unknown anomalies. Moreover, the growing volume of logs poses new challenges to anomaly detection. In this paper, we propose an integrated method using K-prototype clustering and k-NN classification algorithms, which uses a novel clustering-filtering-refinement framework to perform anomaly detection from massive logs. First, we analyze the characteristics of system logs and extract 10 features based on the session information to characterize user behaviors effectively. Second, based on these extracted features, the K-prototype clustering algorithm is applied to partition the data set into different clusters. Then, the obvious normal events which usually present as highly coherent clusters are filtered out, and the others are regarded as anomaly candidates for further analysis. Finally, we design two new distance-based features to measure the local and global anomaly degrees for these anomaly candidates. Based on these two new features, we apply the k-NN classifier to generate accurate detection results. To verify the integrated method, we constructed a log collection and anomaly detection platform in the campus network center of Xi'an Jiaotong University. The experimental results based on the data sets collected from the platform show our method has high detection accuracy and low computational complexity.

Zhou Funa,Wen Chenglin,Chen Zhiguo

DOI: https://doi.org/10.1109/ccdc.2013.6561712

2013-01-01

Abstract:Theory foundation of multivariate statistical anomaly detection is hypothesis test, which require that all data to establish the statistical model must be samples of a unique set of random variables. In most cases, due to the affect of environment and load variation of the system, this assumption can't be satisfied. In addition, during different operation substage of a system, faults with different frequency may be occurred. This will decrease the anomaly detection efficiency. In this paper, we propose a multi- model anomaly detection method, which can adaptively select history data on different scale to establish the statistical anomaly detection model. Thus we can use the multi- model to well detect every possible fault. Simulation shows its efficiency of this algorithm.

Pengfei Han,Huakang Li,Gang Xue,Chao Zhang

DOI: https://doi.org/10.1111/coin.12573

2023-04-23

Computational Intelligence

Abstract:Anomaly detection is a key step in ensuring the security and reliability of large‐scale distributed systems. Analyzing system logs through artificial intelligence methods can quickly detect anomalies and thus help maintenance personnel to maintain system security. Most of the current works only focus on the temporal or spatial features of distributed system logs, and they cannot sufficiently extract the global features of distributed system logs to achieve a good correct rate of anomaly detection. To further address the shortcomings of existing methods, this paper proposes a deep learning model with global spatiotemporal features to detect the presence of anomalies in distributed system logs. First, we extract semi‐structured log events from log templates and model them as natural language. In addition, we focus on the temporal characteristics of logs using the bidirectional long short‐term memory network and the spatial invocation characteristics of logs using the Transformer. Extensive experimental evaluations show the advantages of our proposed model for distributed system log anomaly detection tasks. The optimal F1‐Score on three open‐source datasets and our own collected distributed system datasets reach 98.04%, 94.34%, 88.16%, and 97.40%, respectively.

computer science, artificial intelligence

Siyang Lu,Xiang Wei,Yandong Li,Liqiang Wang

DOI: https://doi.org/10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00037

2018-01-01

Abstract:Nowadays, big data systems are being widely adopted by many domains for offering effective data solutions, such as manufacturing, healthcare, education, and media. Big data systems produce tons of unstructured logs that contain buried valuable information. However, it is a daunting task to manually unearth the information and detect system anomalies. A few automatic methods have been developed, where the cutting-edge machine learning technique is one of the most promising ways. In this paper, we propose a novel approach for anomaly detection from big data system logs by leveraging Convolutional Neural Networks (CNN). Different from other existing statistical methods or traditional rule-based machine learning approaches, our CNN-based model can automatically learn event relationships in system logs and detect anomaly with high accuracy. Our deep neural network consists of logkey2vec embeddings, three 1D convolutional layers, dropout layer, and max-pooling. According to our experiment, our CNN-based approach has better accuracy(reaches to 99%) compared to other approaches using Long Short term memory (LSTM) and Multilayer Perceptron (MLP) on detecting anomaly in Hadoop Distributed File System (HDFS) logs.

Xiaoqing Zhao,Zhongyuan Jiang,Jianfeng Ma

DOI: https://doi.org/10.1109/IJCNN55064.2022.9892726

2022-01-01

Abstract:The modern system is becoming more and more complex in scale and structure. Mastering the operation status is crucial to ensure the stable and reliable operation of the system. Log anomaly detection is the critical means of system state monitoring and anomaly response. However, the characteristics of complex log data structure, large amount of data and hidden abnormal behavior patterns bring new challenges to efficient and automated log anomaly detection. This paper summarized the basic framework of log anomaly detection, including log collection and filtering, log parsing, feature extraction and anomaly detection. We have reviewed the relevant technologies and methods involved in each link. In particular, various deep learning detection models in recent years are analyzed, such as the use of recurrent neural network and convolutional neural network to capture the context information of log sequences, the use of generative adversarial network to make up for the deficiency of abnormal data, and the training of federated learning between different systems. We hope that our work can help beginners understand log anomaly detection and relevant experts keep abreast of the latest research trends.

Bo Wang,Qingyi Hua,Haoming Zhang,Xin Tan,Yahui Nan,Rui Chen,Xinfeng Shu

DOI: https://doi.org/10.1016/j.aej.2021.12.061

IF: 6.626

2022-09-01

Alexandria Engineering Journal

Abstract:With the development of software, massive information systems generate large-scale data resources involving a large amount of log information, which is of lots of meaningful contents. Accurate analysis and anomaly prediction based on logs are particularly important for building safe and reliable systems. It is evident that current anomaly prediction is not accurate enough, and there are few applications to the study of real-time reliability evaluation. Therefore, this paper uses ensemble learning model to analyze and predict anomaly of the massive system logs based on the complete procedures of log processing, including log analysis, feature extraction, anomaly detection, prediction evaluation, and real-time reliability evaluation. Compared with the traditional machine learning methods, the proposed model is able to improve the accuracy, recall rate and F1 value of anomaly prediction. The evaluation results are used to correct the real-time reliability in view of the low predicted recall rate, which greatly improves the accuracy of real-time reliability and thus provides accurate data basis and anomaly location basis for Artificial Intelligence for IT Operations. In this paper we have made the following innovations and contributions in anomaly detection and reliability measurement. The whole process was established from original log to real-time reliability measurement. New methods were adopted to improve the accuracy, recall and F1 value of anomaly detection. A real-time reliability measurement method is proposed.

engineering, multidisciplinary

Tingting Zhang,Markus Falt,Stefan Forsstrom

DOI: https://doi.org/10.1109/icsrs53853.2021.9660694

2021-11-24

Abstract:Modern enterprise IT systems generate large amounts of log data to record system state, potential errors, and performance metrics. Manual analysis of log data is becoming more difficult as these systems become more complex. Therefore, machine learning based anomaly detection of system logs is a vital component for the future of system management. Existing log anomaly detection models commonly rely on learning the general normal behavior of the target systems to accurately detect anomalies. They are however limited by the often sparse existing system knowledge. Therefore, this paper proposes a general anomaly detection method which requires little or no knowledge of the target system. This is done by assuming there are semantic similarities in different systems’ log data. Labeled log data from other systems can then be used for training the anomaly detection model. The model uses self-attention transformers and ensemble learning techniques to learn the semantic representation of normal and abnormal log messages. The proposed method achieves a performance comparable to other log anomaly detection methods while requiring little knowledge of the target system.

Baojiang Cui,Shanshan He

DOI: https://doi.org/10.1109/imis.2016.50

2016-01-01

Abstract:Anomaly detection is playing an increasingly important role in network security, and the ability to detect and process anomalies for big data in real-time is a difficult task. In this conditions, this paper presents a model which combine cloud computing with machine learning. Hadoop is a widely used open source cloud computing framework to big data. The traffic data stored in HDFS and processed by MapReduce. Besides these, machine learning module selected best performance algorithm from multiple algorithms by called Weka interface. Moreover, naïve Bayes, decision tree and SVM are used to validate the accuracy and efficiency. Finally, experimental results demonstrate that this method has a good performance in detection with above 90% of accuracy.

Chunbo Liu,Lanlan Pan,Zhaojun Gu,Jialiang Wang,Yitong Ren,Zhi Wang

DOI: https://doi.org/10.1155/2020/8827185

2020-11-14

Wireless Communications and Mobile Computing

Abstract:System logs can record the system status and important events during system operation in detail. Detecting anomalies in the system logs is a common method for modern large-scale distributed systems. Yet threshold-based classification models used for anomaly detection output only two values: normal or abnormal, which lacks probability of estimating whether the prediction results are correct. In this paper, a statistical learning algorithm Venn-Abers predictor is adopted to evaluate the confidence of prediction results in the field of system log anomaly detection. It is able to calculate the probability distribution of labels for a set of samples and provide a quality assessment of predictive labels to some extent. Two Venn-Abers predictors LR-VA and SVM-VA have been implemented based on Logistic Regression and Support Vector Machine, respectively. Then, the differences among different algorithms are considered so as to build a multimodel fusion algorithm by Stacking. And then a Venn-Abers predictor based on the Stacking algorithm called Stacking-VA is implemented. The performances of four types of algorithms (unimodel, Venn-Abers predictor based on unimodel, multimodel, and Venn-Abers predictor based on multimodel) are compared in terms of validity and accuracy. Experiments are carried out on a log dataset of the Hadoop Distributed File System (HDFS). For the comparative experiments on unimodels, the results show that the validities of LR-VA and SVM-VA are better than those of the two corresponding underlying models. Compared with the underlying model, the accuracy of the SVM-VA predictor is better than that of LR-VA predictor, and more significantly, the recall rate increases from 81% to 94%. In the case of experiments on multiple models, the algorithm based on Stacking multimodel fusion is significantly superior to the underlying classifier. The average accuracy of Stacking-VA is larger than 0.95, which is more stable than the prediction results of LR-VA and SVM-VA. Experimental results show that the Venn-Abers predictor is a flexible tool that can make accurate and valid probability predictions in the field of system log anomaly detection.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qingfeng Du,Liang Zhao,Jincheng Xu,Yongqi Han,Shuangli Zhang

DOI: https://doi.org/10.1007/978-3-030-86472-9_31

2021-01-01

Abstract:Anomaly detection is one of the key technologies to ensure the performance and reliability of software systems. Because of the rich information provided by logs, log-based anomaly detection approaches have attracted great interest nowadays. However, it's time-consuming to check the large amount of logs manually due to the ever-increasing scale and complexity of the system. In this work, we propose a log-based automated anomaly detection approach called LogAttention, which embeds log patterns into semantic vectors and subsequently uses a self-attention based neural network to detect anomalies in the log pattern sequences. LogAttention has the ability to capture contextual and semantic information in the log patterns and to attend far more long-range dependencies in the log pattern sequence. We evaluate LogAttention on two publicly available log datasets, and the experimental results demonstrate that our proposed approach can achieve better results compared to the existing baselines.

Yi Han,Feng Lin,Yi Chai,Kaiming Qie,Lin Wang,Yuanyuan Wang,Zhang Cheng,Minyi Guo

2023-01-01

Abstract:This paper proposes an anomaly detection algorithm for logs based on self-attention mechanism and BiGRU model to deal with the multiple characteristics exhibited by logs during system anomalies. First, two BiGRU models are utilized to process the log template sequence and log template frequency vector, respectively. Then, the outputs of the two BiGRU models are concatenated and input into a self-attention layer to fuse different features. Finally, the distribution probability of the next log template is output to achieve log anomaly detection. The proposed method is evaluated on the Hadoop Log File System (HDFS) dataset and achieves an precision of approximately 96.7 $$\%$$ . Compared to other log anomaly detection algorithms such as DeepLog and LogAnomaly, our method demonstrates better performance on this dataset.

Yalan Guo,Yulei Wu,Yanchao Zhu,Bingqiang Yang,Chunjing Han

DOI: https://doi.org/10.1109/ijcnn52387.2021.9533294

2021-07-18

Abstract:Large-scale software systems are generally deployed on distributed machines. Logs are usually collected from those machines for comprehensive and accurate system fault analysis. However, there are potential challenges during log transmission from distributed machines to third-party data analytics services. First, uploading massive raw logs causes tremendous bandwidth consumption. Moreover, user privacy contained in logs is easy to get leaked during transmission. To address these issues, we introduce federated learning for anomaly detection using distributed log data. However, gradient updates of model parameters transmitted between the server (third-party data analytics services) and participants (distributed machines) in federated learning have been proved of possible recovery by attackers, so encryption of gradient updates is necessary for enhanced privacy protection. Considering that encryption time is proportional to the number of parameters, we propose a lightweight federated learning method for anomaly detection, named FLOGCNN, using distributed log data. The sever in FLOGCNN aggregates gradient updates according to the sample size of participants to generate an integrated model. For local training, participants apply an anomaly detection model based on one-dimensional convolution with much fewer parameters. Extensive experiments are conducted for FLOGCNN using open log datasets. Results demonstrate that FLOGCNN outperforms baseline methods on anomaly detection and reduces 97.08% parameters in comparison with one baseline method. Furthermore, we perform exploratory experiments on lightweight models and results manifest that logs with simple semantic information are suitable for lightweight anomaly detection models.

Shuzhan Wang,Ruxue Jiang,Zhaoqi Wang,Yan Zhou

2024-09-14

Abstract:Computer network anomaly detection and log analysis, as an important topic in the field of network security, has been a key task to ensure network security and system reliability. First, existing network anomaly detection and log analysis methods are often challenged by high-dimensional data and complex network topologies, resulting in unstable performance and high false-positive rates. In addition, traditional methods are usually difficult to handle time-series data, which is crucial for anomaly detection and log analysis. Therefore, we need a more efficient and accurate method to cope with these problems. To compensate for the shortcomings of current methods, we propose an innovative fusion model that integrates Isolation Forest, GAN (Generative Adversarial Network), and Transformer with each other, and each of them plays a unique role. Isolation Forest is used to quickly identify anomalous data points, and GAN is used to generate synthetic data with the real data distribution characteristics to augment the training dataset, while the Transformer is used for modeling and context extraction on time series data. The synergy of these three components makes our model more accurate and robust in anomaly detection and log analysis tasks. We validate the effectiveness of this fusion model in an extensive experimental evaluation. Experimental results show that our model significantly improves the accuracy of anomaly detection while reducing the false alarm rate, which helps to detect potential network problems in advance. The model also performs well in the log analysis task and is able to quickly identify anomalous behaviors, which helps to improve the stability of the system. The significance of this study is that it introduces advanced deep learning techniques, which work anomaly detection and log analysis.

Machine Learning,Cryptography and Security

João Henriques,Filipe Caldeira,Tiago Cruz,Paulo Simões

DOI: https://doi.org/10.3390/electronics9071164

IF: 2.9

2020-07-17

Electronics

Abstract:Computing and networking systems traditionally record their activity in log files, which have been used for multiple purposes, such as troubleshooting, accounting, post-incident analysis of security breaches, capacity planning and anomaly detection. In earlier systems those log files were processed manually by system administrators, or with the support of basic applications for filtering, compiling and pre-processing the logs for specific purposes. However, as the volume of these log files continues to grow (more logs per system, more systems per domain), it is becoming increasingly difficult to process those logs using traditional tools, especially for less straightforward purposes such as anomaly detection. On the other hand, as systems continue to become more complex, the potential of using large datasets built of logs from heterogeneous sources for detecting anomalies without prior domain knowledge becomes higher. Anomaly detection tools for such scenarios face two challenges. First, devising appropriate data analysis solutions for effectively detecting anomalies from large data sources, possibly without prior domain knowledge. Second, adopting data processing platforms able to cope with the large datasets and complex data analysis algorithms required for such purposes. In this paper we address those challenges by proposing an integrated scalable framework that aims at efficiently detecting anomalous events on large amounts of unlabeled data logs. Detection is supported by clustering and classification methods that take advantage of parallel computing environments. We validate our approach using the the well known NASA Hypertext Transfer Protocol (HTTP) logs datasets. Fourteen features were extracted in order to train a k-means model for separating anomalous and normal events in highly coherent clusters. A second model, making use of the XGBoost system implementing a gradient tree boosting algorithm, uses the previous binary clustered data for producing a set of simple interpretable rules. These rules represent the rationale for generalizing its application over a massive number of unseen events in a distributed computing environment. The classified anomaly events produced by our framework can be used, for instance, as candidates for further forensic and compliance auditing analysis in security management.

engineering, electrical & electronic,computer science, information systems,physics, applied

Bingming Wang,Shi Ying,Zhe Yang

DOI: https://doi.org/10.1155/2020/4365356

2020-01-01

Scientific Programming

Abstract:Using the k-nearest neighbor (kNN) algorithm in the supervised learning method to detect anomalies can get more accurate results. However, when using kNN algorithm to detect anomaly, it is inefficient at finding k neighbors from large-scale log data; at the same time, log data are imbalanced in quantity, so it is a challenge to select proper k neighbors for different data distributions. In this paper, we propose a log-based anomaly detection method with efficient selection of neighbors and automatic selection of k neighbors. First, we propose a neighbor search method based on minhash and MVP-tree. The minhash algorithm is used to group similar logs into the same bucket, and MVP-tree model is built for samples in each bucket. In this way, we can reduce the effort of distance calculation and the number of neighbor samples that need to be compared, so as to improve the efficiency of finding neighbors. In the process of selecting k neighbors, we propose an automatic method based on the Silhouette Coefficient, which can select proper k neighbors to improve the accuracy of anomaly detection. Our method is verified on six different types of log data to prove its universality and feasibility.