Zhong Li,Jiayang Shi,Matthijs van Leeuwen

2024-01-24

Abstract:Event logs are widely used to record the status of high-tech systems, making log anomaly detection important for monitoring those systems. Most existing log anomaly detection methods take a log event count matrix or log event sequences as input, exploiting quantitative and/or sequential relationships between log events to detect anomalies. Unfortunately, only considering quantitative or sequential relationships may result in low detection accuracy. To alleviate this problem, we propose a graph-based method for unsupervised log anomaly detection, dubbed Logs2Graphs, which first converts event logs into attributed, directed, and weighted graphs, and then leverages graph neural networks to perform graph-level anomaly detection. Specifically, we introduce One-Class Digraph Inception Convolutional Networks, abbreviated as OCDiGCN, a novel graph neural network model for detecting graph-level anomalies in a collection of attributed, directed, and weighted graphs. By coupling the graph representation and anomaly detection steps, OCDiGCN can learn a representation that is especially suited for anomaly detection, resulting in a high detection accuracy. Importantly, for each identified anomaly, we additionally provide a small subset of nodes that play a crucial role in OCDiGCN's prediction as explanations, which can offer valuable cues for subsequent root cause diagnosis. Experiments on five benchmark datasets show that Logs2Graphs performs at least on par with state-of-the-art log anomaly detection methods on simple datasets while largely outperforming state-of-the-art log anomaly detection methods on complicated datasets.

Software Engineering,Artificial Intelligence,Machine Learning

Ziyu Guo,Weiyang Kong,Yubao Liu

DOI: https://doi.org/10.1088/1742-6596/2735/1/012016

2024-04-09

Journal of Physics Conference Series

Abstract:Anomaly detection in time series data (e.g., sensor data) is becoming a fundamental research problem that has various applications. Due to the complex inter-sensor relationships, it is challenging to detect anomalous events such as system faults and attacks hidden the high-dimensional time series. Recent advancements in deep learning approaches such as Graph Neural Networks (GNN) have greatly improved anomaly detection performance in time series data. However, existing methods usually use separate components to capture spatial and temporal dependence relationship and ignore the heterogeneities in spatial-temporal data which motivates us to capture them together. In this paper, we propose a novel approach STGDNN (short for Spatial-Temporal Graph Deviation Neural Networks) that learns the spatial-temporal dependence relationship together in structure learning of graph neural networks. In addition, we use the learned spatial-temporal graph structure and attention weights to explain the detected anomalies. The experiments on three real world datasets show our superiority in detection accuracy, anomaly diagnosis, and model interpretation compared with state-of-the-art methods.

Yongzheng Xie,Hongyu Zhang,Muhammad Ali Babar

DOI: https://doi.org/10.48550/arXiv.2209.07869

2022-09-16

Software Engineering

Abstract:Log analysis is one of the main techniques engineers use to troubleshoot faults of large-scale software systems. During the past decades, many log analysis approaches have been proposed to detect system anomalies reflected by logs. They usually take log event counts or sequential log events as inputs and utilize machine learning algorithms including deep learning models to detect system anomalies. These anomalies are often identified as violations of quantitative relational patterns or sequential patterns of log events in log sequences. However, existing methods fail to leverage the spatial structural relationships among log events, resulting in potential false alarms and unstable performance. In this study, we propose a novel graph-based log anomaly detection method, LogGD, to effectively address the issue by transforming log sequences into graphs. We exploit the powerful capability of Graph Transformer Neural Network, which combines graph structure and node semantics for log-based anomaly detection. We evaluate the proposed method on four widely-used public log datasets. Experimental results show that LogGD can outperform state-of-the-art quantitative-based and sequence-based methods and achieve stable performance under different window size settings. The results confirm that LogGD is effective in log-based anomaly detection.

Jiangming Li,Huasen He,Shuangwu Chen,Dong Jin,Jian Yang

DOI: https://doi.org/10.1109/tdsc.2023.3293111

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Anomaly diagnosis relying on system logs to record runtime events is essential for improving the service quality of distributed systems and reducing economic losses. However, most existing log-based anomaly detection approaches depend on the assumption of the fixed quantitative or sequential patterns of a normal log event sequence. This assumption is challenged in the context of practical distributed and parallel systems due to the dynamic pattern of the log sequence, log data noise as well as concurrency of multiple anomalies. Against these challenges, this paper aims to perform the robust log-based anomaly diagnosis by capturing the event context information of the log event graph, called LogGraph, instead of straightforwardly employing the fixed quantitative or sequential patterns of the log records, thus reducing its sensitivity to the log flaws and the concurrency of multiple anomalies. Specifically, in order to handle multiple anomalies concurrency, LogGraph invokes the association rule to decouple log sequences. It further reinterprets a log record sequence into a log event graph modeled by event semantic embedding and event adjacency matrix. An attention-based Gated Graph Neural Network (GGNN) model is developed to capture the semantic information of the log graph, which enables the fine-grained and robust anomaly identification of the proposed scheme. We use real log data sets collected from Hadoop systems and network switches to verify the effectiveness of the proposed LogGraph in log data scenarios that contain noise and multiple anomalies concurrency problems. The experimental results show that the proposed LogGraph achieves high performance and strong robustness in anomaly diagnosis.

Yu Zheng,Huan Yee Koh,Ming Jin,Lianhua Chi,Khoa T. Phan,Shirui Pan,Yi-Ping Phoebe Chen,Wei Xiang

DOI: https://doi.org/10.1109/TNNLS.2023.3325667

2023-11-16

Abstract:Multivariate time-series anomaly detection is critically important in many applications, including retail, transportation, power grid, and water treatment plants. Existing approaches for this problem mostly employ either statistical models which cannot capture the non-linear relations well or conventional deep learning models (e.g., CNN and LSTM) that do not explicitly learn the pairwise correlations among variables. To overcome these limitations, we propose a novel method, correlation-aware spatial-temporal graph learning (termed CST-GL), for time series anomaly detection. CST-GL explicitly captures the pairwise correlations via a multivariate time series correlation learning module based on which a spatial-temporal graph neural network (STGNN) can be developed. Then, by employing a graph convolution network that exploits one- and multi-hop neighbor information, our STGNN component can encode rich spatial information from complex pairwise dependencies between variables. With a temporal module that consists of dilated convolutional functions, the STGNN can further capture long-range dependence over time. A novel anomaly scoring component is further integrated into CST-GL to estimate the degree of an anomaly in a purely unsupervised manner. Experimental results demonstrate that CST-GL can detect anomalies effectively in general settings as well as enable early detection across different time delays.

Machine Learning

Meng Ma,Xuanhao Hua,Yang Zhang,Zhi Zhai

DOI: https://doi.org/10.1016/j.measurement.2024.115035

IF: 5.6

2024-01-01

Measurement

Abstract:Internet of Things systems are developed rapidly, there is a need for anomaly detection to identify malicious data to guarantee that the systems perform under healthy condition. However, the dynamic system state is not only influenced by sequential patterns in the time dimension but also affected by other sensor channels in the spatial dimension. Although many successful models have been established in past research to handle multivariate time series data, most of these models exhibit shortcomings in capturing spatiotemporal dependencies. The Internet of Things offers a promising platform for advanced data analysis, but its unique characteristics present challenges for anomaly detection. This paper introduces a novel spatiotemporal polynomial graph neural network (STPGNN) is proposed for anomaly detection of complex systems within the Internet of Things (IoT) framework. Specifically, we propose an adaptive spatiotemporal feature modeling module that includes two developed adaptive modules: the Adaptive Temporal Module and the Spatial Module. These modules are designed to capture dynamic spatial dependencies across multiple time steps and temporal dependencies over time, respectively. The results are then output through a decoder. Importantly, the multi-head attention mechanism employed in both sub-modules can effectively explore potential spatiotemporal dependency patterns within different subspaces. The proposed model, utilizing the innovative approach of STPGNN, demonstrates superior performance compared to existing techniques, as evidenced by experimental results on the real-world test run dataset. This marks a significant advancement in the field of anomaly detection, particularly for complex systems.

Yi Di,Fujin Wang,Zhibin Zhao,Zhi Zhai,Xuefeng Chen

DOI: https://doi.org/10.1016/j.eswa.2024.124348

IF: 8.5

2024-05-31

Expert Systems with Applications

Abstract:Detecting anomalies in satellites holds immense importance within the aerospace industry. Many current detection methods only focus on temporal correlations and ignore spatial correlations. To take into account both temporal and spatial features, we proposed to employ Graph Neural Networks (GNN). In fact, to develop a GNN approach that is applicable to the satellite power system anomaly detection in real-world scenarios, it is imperative to take into account the specific requirements of the aerospace industry. Our analysis and research indicate that the critical factors lie in model interpretability and data characteristics. First, as model interpretability can bring trustworthiness, traceability, and guidance, it is indispensable for the application of deep learning algorithms in satellite telemetry data anomaly detection. We created a novel graph filter: Adaptive Quadratic Approximation Graph Filter (AQAGF), which is capable of both approximation ability and response time. It is transformed into a spectral graph convolution neural network that can draw the frequency response function to provide the model interpretability. Then, to address the difficulties of telemetry data characteristics: strong noise and missing data, we introduced autoencoder architecture and adversarial training strategy to further design our anomaly detection method, called Interpretable Spatial-Temporal Graph Anomaly Detection (ISTGAD) based on AQAGF, which is robust to noise and data missing. And it is able to capture temporal and spatial correlations together within a transparent working mechanism. Finally, experiments proved that our model has better anomaly detection performance than other state-of-the-art methods, and we also provide visualizations to showcase the interpretability and working mechanism of our model. Our code and data are publicly available at: https://github.com/DiYi1999/ISTGAD .

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Yuyuan Chang,Nurbol Luktarhan,Jingru Liu,Qinglin Chen

DOI: https://doi.org/10.3390/electronics12081877

IF: 2.9

2023-04-17

Electronics

Abstract:The scale of the system and network applications is expanding, and higher requirements are being put forward for anomaly detection. The system log can record system states and significant operational events at different critical points. Therefore, using the system log for anomaly detection can help with system maintenance and avoid unnecessary loss. The system log has obvious timing characteristics, and the execution sequence of the system log has a certain dependency relationship. However, sometimes the length of sequence dependence is long. To handle the problem of longer sequence logs in anomaly detection, this paper proposes a system log anomaly detection method based on efficient channel attention and temporal convolutional network (ETCNLog). It builds a model by treating the system log as a natural language sequence. To handle longer sequence logs more effectively, ETCNLog uses the semantic and timing information of logs. It can automatically learn the importance of different log sequences and detect hidden dependencies within sequences to improve the accuracy of anomaly detection. We run extensive experiments on the actual public log dataset BGL. The experimental results show that the Precision and F1-score of ETCNLog reach 98.15% and 98.21%, respectively, both of which are better than the current anomaly detection methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hongyi Xu

2024-10-30

Abstract:Multivariate time series anomaly detection technology plays an important role in many fields including aerospace, water treatment, cloud service providers, etc. Excellent anomaly detection models can greatly improve work efficiency and avoid major economic losses. However, with the development of technology, the increasing size and complexity of data, and the lack of labels for relevant abnormal data, it is becoming increasingly challenging to perform effective and accurate anomaly detection in high-dimensional and complex data sets. In this paper, we propose a hypergraph based spatiotemporal graph convolutional neural network model STGCN_Hyper, which explicitly captures high-order, multi-hop correlations between multiple variables through a hypergraph based dynamic graph structure learning module. On this basis, we further use the hypergraph based spatiotemporal graph convolutional network to utilize the learned hypergraph structure to effectively propagate and aggregate one-hop and multi-hop related node information in the convolutional network, thereby obtaining rich spatial information. Furthermore, through the multi-scale TCN dilated convolution module, the STGCN_hyper model can also capture the dependencies of features at different scales in the temporal dimension. An unsupervised anomaly detector based on PCA and GMM is also integrated into the STGCN_hyper model. Through the anomaly score of the detector, the model can detect the anomalies in an unsupervised way. Experimental results on multiple time series datasets show that our model can flexibly learn the multi-scale time series features in the data and the dependencies between features, and outperforms most existing baseline models in terms of precision, recall, F1-score on anomaly detection tasks. Our code is available on: <a class="link-external link-https" href="https://git.ecdf.ed.ac.uk/msc-23-24/s2044819" rel="external noopener nofollow">this https URL</a>

Machine Learning

Di Ge,Yuhang Cheng,Shuangshuang Cao,Yanmei Ma,Yanwen Wu

DOI: https://doi.org/10.1007/s40747-023-01306-x

IF: 6.7

2024-01-06

Complex & Intelligent Systems

Abstract:Abstract The detection of anomalies in high-dimensional time-series has always played a crucial role in the domain of system security. Recently, with rapid advancements in transformer model and graph neural network (GNN) technologies, spatiotemporal modeling approaches for anomaly detection tasks have been greatly improved. However, most methods focus on optimizing upstream time-series prediction tasks by leveraging joint spatiotemporal features. Through experiments, we found that this modeling approach not only risks the loss of some original anomaly information during data preprocessing, but also focuses on optimizing the performance of the upstream prediction task and does not directly enhance the performance of the downstream detection task. We propose a spatiotemporal anomaly detection model that incorporates an improved attention mechanism in the process of temporal modeling. We adopt a heterogeneous graph contrastive learning approach in spatio modeling to compensate for the representation of anomalous behavioral information, thereby guiding the model through thorough training. Through validation on two widely used real-world datasets, we demonstrate that our model outperforms baseline methods. We also explore the impact of multivariate time-series prediction tasks on the detection task, and visualize the reasons behind the benefits gained by our model.

computer science, artificial intelligence

Chaoyue Ding,Shiliang Sun,Jing Zhao

DOI: https://doi.org/10.1016/j.inffus.2022.08.011

2023-10-17

Abstract:Multimodal time series (MTS) anomaly detection is crucial for maintaining the safety and stability of working devices (e.g., water treatment system and spacecraft), whose data are characterized by multivariate time series with diverse modalities. Although recent deep learning methods show great potential in anomaly detection, they do not explicitly capture spatial-temporal relationships between univariate time series of different modalities, resulting in more false negatives and false positives. In this paper, we propose a multimodal spatial-temporal graph attention network (MST-GAT) to tackle this problem. MST-GAT first employs a multimodal graph attention network (M-GAT) and a temporal convolution network to capture the spatial-temporal correlation in multimodal time series. Specifically, M-GAT uses a multi-head attention module and two relational attention modules (i.e., intra- and inter-modal attention) to model modal correlations explicitly. Furthermore, MST-GAT optimizes the reconstruction and prediction modules simultaneously. Experimental results on four multimodal benchmarks demonstrate that MST-GAT outperforms the state-of-the-art baselines. Further analysis indicates that MST-GAT strengthens the interpretability of detected anomalies by locating the most anomalous univariate time series.

Machine Learning,Artificial Intelligence

Caihong Wang,Du Xu,Zonghang Li

2024-09-18

Abstract:In the era of rapid Internet development, log data has become indispensable for recording the operations of computer devices and software. These data provide valuable insights into system behavior and necessitate thorough analysis. Recent advances in text analysis have enabled deep learning to achieve significant breakthroughs in log anomaly detection. However, the high cost of manual annotation and the dynamic nature of usage scenarios present major challenges to effective log analysis. This study proposes a novel log feature extraction model called DualGCN-LogAE, designed to adapt to various scenarios. It leverages the expressive power of large models for log content analysis and the capability of graph structures to encapsulate correlations between logs. It retains key log information while integrating the causal relationships between logs to achieve effective feature extraction. Additionally, we introduce Log2graphs, an unsupervised log anomaly detection method based on the feature extractor. By employing graph clustering algorithms for log anomaly detection, Log2graphs enables the identification of abnormal logs without the need for labeled data. We comprehensively evaluate the feature extraction capability of DualGCN-LogAE and the anomaly detection performance of Log2graphs using public log datasets across five different scenarios. Our evaluation metrics include detection accuracy and graph clustering quality scores. Experimental results demonstrate that the log features extracted by DualGCN-LogAE outperform those obtained by other methods on classic classifiers. Moreover, Log2graphs surpasses existing unsupervised log detection methods, providing a robust tool for advancing log anomaly detection research.

Cryptography and Security

Siwei Guan,Binjie Zhao,Zhekang Dong,Mingyu Gao,Zhiwei He

DOI: https://doi.org/10.3390/e24060759

IF: 2.738

2022-05-28

Entropy

Abstract:The rapid development of smart factories, combined with the increasing complexity of production equipment, has resulted in a large number of multivariate time series that can be recorded using sensors during the manufacturing process. The anomalous patterns of industrial production may be hidden by these time series. Previous LSTM-based and machine-learning-based approaches have made fruitful progress in anomaly detection. However, these multivariate time series anomaly detection algorithms do not take into account the correlation and time dependence between the sequences. In this study, we proposed a new algorithm framework, namely, graph attention network and temporal convolutional network for multivariate time series anomaly detection (GTAD), to address this problem. Specifically, we first utilized temporal convolutional networks, including causal convolution and dilated convolution, to capture temporal dependencies, and then used graph neural networks to obtain correlations between sensors. Finally, we conducted sufficient experiments on three public benchmark datasets, and the results showed that the proposed method outperformed the baseline method, achieving detection results with F1 scores higher than 95% on all datasets.

physics, multidisciplinary

Yue Wang,Hao Peng,Gang Wang,Xianghong Tang,Xuejian Wang,Chunyang Liu

DOI: https://doi.org/10.1016/j.engappai.2023.106144

IF: 8

2023-03-24

Engineering Applications of Artificial Intelligence

Abstract:Massive amounts of industrial data, which are often gathered by industrial control systems (ICS), have been generated by the fast growth of industrial intelligence. One of the hottest topics in ICS is how to extract the most useful information from industrial "Big Data" and provide a more comprehensive service for monitoring the condition of industrial production processes. As the industrial environment gets increasingly complicated, production tasks change often and malicious attacks are on the rise. It remains a grand challenge to perform fine-grained anomaly detection in high-dimensional, noisy industrial data. In response to this problem, we propose a spatio-temporal graph neural network-based anomaly detection framework for fine-grained state monitoring of ICSs. First, based on prior knowledge, we propose a method for feature dimensionality reduction and dynamic graph modeling. After that, the variational mode decomposition (VMD) module is then utilized to remove noise from industrial data. Finally, we propose a spatio-temporal feature extraction module for fine-grained anomaly detection. Numerical experiments are conducted on a real-world ICS dataset called HAI. The results demonstrate that the proposed framework can effectively deal with high-dimensional, high-noise, and imbalanced industrial data. The framework's concepts are interconnected and extensible to various industrial scenarios, including metallurgy, smart shop floors, etc. In terms of recall, precision, and F1 -Score, a comparison between the proposed framework and eight representative methods reveals the merits of the proposed framework.

automation & control systems,computer science, artificial intelligence,engineering, electrical & electronic, multidisciplinary

Leyan Deng,Defu Lian,Zhenya Huang,Enhong Chen

DOI: https://doi.org/10.1109/tnnls.2021.3136171

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Traffic anomalies, such as traffic accidents and unexpected crowd gathering, may endanger public safety if not handled timely. Detecting traffic anomalies in their early stage can benefit citizens&#x27; quality of life and city planning. However, traffic anomaly detection faces two main challenges. First, it is challenging to model traffic dynamics due to the complex spatiotemporal characteristics of traffic data. Second, the criteria of traffic anomalies may vary with locations and times. In this article, we propose a spatiotemporal graph convolutional adversarial network (STGAN) to address these above challenges. More specifically, we devise a spatiotemporal generator to predict the normal traffic dynamics and a spatiotemporal discriminator to determine whether an input sequence is real or not. There are high correlations between neighboring data points in the spatial and temporal dimensions. Therefore, we propose a recent module and leverage graph convolutional gated recurrent unit (GCGRU) to help the generator and discriminator learn the spatiotemporal features of traffic dynamics and traffic anomalies, respectively. After adversarial training, the generator and discriminator can be used as detectors independently, where the generator models the normal traffic dynamics patterns and the discriminator provides detection criteria varying with spatiotemporal features. We then design a novel anomaly score combining the abilities of two detectors, which considers the misleading of unpredictable traffic dynamics to the discriminator. We evaluate our method on two real-world datasets from New York City and California. The experimental results show that the proposed method detects various traffic anomalies effectively and outperforms the state-of-the-art methods. Furthermore, the devised anomaly score achieves more robust detection performances than the general score.

Zhe Liu,Xiang Huang,Jingyun Zhang,Zhifeng Hao,Li Sun,Hao Peng

DOI: https://doi.org/10.1145/3627673.3679614

2024-08-23

Abstract:Unsupervised anomaly detection in time series is essential in industrial applications, as it significantly reduces the need for manual intervention. Multivariate time series pose a complex challenge due to their feature and temporal dimensions. Traditional methods use Graph Neural Networks (GNNs) or Transformers to analyze spatial while RNNs to model temporal dependencies. These methods focus narrowly on one dimension or engage in coarse-grained feature extraction, which can be inadequate for large datasets characterized by intricate relationships and dynamic changes. This paper introduces a novel temporal model built on an enhanced Graph Attention Network (GAT) for multivariate time series anomaly detection called TopoGDN. Our model analyzes both time and feature dimensions from a fine-grained perspective. First, we introduce a multi-scale temporal convolution module to extract detailed temporal features. Additionally, we present an augmented GAT to manage complex inter-feature dependencies, which incorporates graph topology into node features across multiple scales, a versatile, plug-and-play enhancement that significantly boosts the performance of GAT. Our experimental results confirm that our approach surpasses the baseline models on four datasets, demonstrating its potential for widespread application in fields requiring robust anomaly detection. The code is available at <a class="link-external link-https" href="https://github.com/ljj-cyber/TopoGDN" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence

Saswati Ray,Sana Lakdawala,Mononito Goswami,Chufan Gao

DOI: https://doi.org/10.48550/arXiv.2111.08082

IF: 5.414

2021-11-15

Machine Learning

Abstract:In this work, we propose GLUE (Graph Deviation Network with Local Uncertainty Estimation), building on the recently proposed Graph Deviation Network (GDN). GLUE not only automatically learns complex dependencies between variables and uses them to better identify anomalous behavior, but also quantifies its predictive uncertainty, allowing us to account for the variation in the data as well to have more interpretable anomaly detection thresholds. Results on two real world datasets tell us that optimizing the negative Gaussian log likelihood is reasonable because GLUE's forecasting results are at par with GDN and in fact better than the vector autoregressor baseline, which is significant given that GDN directly optimizes the MSE loss. In summary, our experiments demonstrate that GLUE is competitive with GDN at anomaly detection, with the added benefit of uncertainty estimations. We also show that GLUE learns meaningful sensor embeddings which clusters similar sensors together.

Qian Yang,Jiaming Zhang,Junjie Zhang,Cailing Sun,Shanyi Xie,Shangdong Liu,Yimu Ji

DOI: https://doi.org/10.3390/electronics13112032

IF: 2.9

2024-05-24

Electronics

Abstract:Cyber–physical systems (CPSs) serve as the pivotal core of Internet of Things (IoT) infrastructures, such as smart grids and intelligent transportation, deploying interconnected sensing devices to monitor operating status. With increasing decentralization, the surge in sensor devices expands the potential vulnerability to cyber attacks. It is imperative to conduct anomaly detection research on the multivariate time series data that these sensors produce to bolster the security of distributed CPSs. However, the high dimensionality, absence of anomaly labels in real-world datasets, and intricate non-linear relationships among sensors present considerable challenges in formulating effective anomaly detection algorithms. Recent deep-learning methods have achieved progress in the field of anomaly detection. Yet, many methods either rely on statistical models that struggle to capture non-linear relationships or use conventional deep learning models like CNN and LSTM, which do not explicitly learn inter-variable correlations. In this study, we propose a novel unsupervised anomaly detection method that integrates Sparse Autoencoder with Graph Transformer network (SGTrans). SGTrans leverages Sparse Autoencoder for the dimensionality reduction and reconstruction of high-dimensional time series, thus extracting meaningful hidden representations. Then, the multivariate time series are mapped into a graph structure. We introduce a multi-head attention mechanism from Transformer into graph structure learning, constructing a Graph Transformer network forecasting module. This module performs attentive information propagation between long-distance sensor nodes and explicitly models the complex temporal dependencies among them to enhance the prediction of future behaviors. Extensive experiments and evaluations on three publicly available real-world datasets demonstrate the effectiveness of our approach.

engineering, electrical & electronic,computer science, information systems,physics, applied

Weiping Wang,Yongyi Chen,Lin Su,Jiang Zhou,Fan Zhang,Kexiong Fei

DOI: https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom57177.2022.00016

2022-12-01

Abstract:In this research, we propose Log2Graph, a new insider threat detection method based on graph convolution neural network (GCN). This method first retrieves the corresponding logs and features from log files through feature extraction. Specifically, we use an auxiliary feature of anomaly index to describe relationship between entities, such as users and hosts, instead of establish complex connections between them. Second, these logs and features are augmented through a combination of oversampling and downsampling, to prepare for the next-stage supervised learning process. Third, we use three elaborated rules to construct the graph of each user by connecting the logs according to chronological and logical relationship. At last, the graph convolution neural network constructed is used to detect insider threats. Our validation and evaluation results confirm that Log2Graph can greatly improve the performance of detecting insider threats compared against baseline and existing methods.

Computer Science

Mengmeng Zhao,Haipeng Peng,Lixiang Li,Yeqing Ren

DOI: https://doi.org/10.3390/s24051522

IF: 3.9

2024-02-27

Sensors

Abstract:Time series anomaly detection is very important to ensure the security of industrial control systems (ICSs). Many algorithms have performed well in anomaly detection. However, the performance of most of these algorithms decreases sharply with the increase in feature dimension. This paper proposes an anomaly detection scheme based on Graph Attention Network (GAT) and Informer. GAT learns sequential characteristics effectively, and Informer performs excellently in long time series prediction. In addition, long-time forecasting loss and short-time forecasting loss are used to detect multivariate time series anomalies. Short-time forecasting is used to predict the next time value, and long-time forecasting is employed to assist the short-time prediction. We conduct a large number of experiments on industrial control system datasets SWaT and WADI. Compared with most advanced methods, we achieve competitive results, especially on higher-dimensional datasets. Moreover, the proposed method can accurately locate anomalies and realize interpretability.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation