Max Landauer,Florian Skopik,Markus Wurzenberger,Andreas Rauber

DOI: https://doi.org/10.1016/j.cose.2020.101739

2020-05-01

Abstract:<p>Log files give insight into the state of a computer system and enable the detection of anomalous events relevant to cyber security. However, automatically analyzing log data is difficult since it contains massive amounts of unstructured and diverse messages collected from heterogeneous sources. Therefore, several approaches that condense or summarize log data by means of clustering techniques have been proposed. Picking the right approach for a particular application domain is, however, non-trivial, since algorithms are designed towards specific objectives and requirements. This paper therefore surveys existing approaches. It thereby groups approaches by their clustering techniques, reviews their applicability and limitations, discusses trends and identifies gaps. The survey reveals that approaches usually pursue one or more of four major objectives: overview and filtering, parsing and signature extraction, static outlier detection, and sequences and dynamic anomaly detection. Finally, this paper also outlines a concept and tool that support the selection of appropriate approaches based on user-defined requirements.</p>

computer science, information systems

YANG Li-gang,SU Hang-ye,ZHANG Ying,CHU Jian

DOI: https://doi.org/10.3969/j.issn.1007-130x.2007.08.037

2007-01-01

Abstract:The typical cluster algorithms, such as Kmeans, mostly need to decide the number of clusters before training. However,it is difficult to achieve this in fact, and it is of blindness to do this based on experience. In this paper, a clustering algorithm based on SOM is presented. SOM has powerful visualization ability, and our eyes can exploit models under low-dimension circumstances quickly. The method we present here makes use of these two advantages. Also we partition telecom customers with this method for the sake of grasping the characteristics of customer clusters. The application is meaningful in making the best telecom policy.

Adetokunbo A.O. Makanju,A. Nur Zincir-Heywood,Evangelos E. Milios

DOI: https://doi.org/10.1145/1557019.1557154

2009-01-01

Abstract:The importance of event logs, as a source of information in systems and network management cannot be overemphasized. With the ever increasing size and complexity of today&#x27;s event logs, the task of analyzing event logs has become cumbersome to carry out manually. For this reason recent research has focused on the automatic analysis of these log files. In this paper we present IPLoM (Iterative Partitioning Log Mining), a novel algorithm for the mining of clusters from event logs. Through a 3-Step hierarchical partitioning process IPLoM partitions log data into its respective clusters. In its 4th and final stage IPLoM produces cluster descriptions or line formats for each of the clusters produced. Unlike other similar algorithms IPLoM is not based on the Apriori algorithm and it is able to find clusters in data whether or not its instances appear frequently. Evaluations show that IPLoM outperforms the other algorithms statistically significantly, and it is also able to achieve an average F-Measure performance 78% when the closest other algorithm achieves an F-Measure performance of 10%.

Babak Nabiyev,Fuad Ahmadov,,

DOI: https://doi.org/10.25045/jpit.v13.i2.05

2022-07-06

Problems of Information Technology

Abstract:Today, the application of information technology in all areas of our lives has led to wider spread and popularity of cybercrime. In modern industrial control systems and cyber-physical systems, log files are very important in terms of detecting cyber incidents, identifying and preventing threats and anomalies. However, today, a large volume of log files generated in these systems greatly complicates the process of extracting useful information from them. This, in turn, highlights the need for intellectual analysis of log files. To this end, this article explores a number of clustering and classification methods and algorithms for the intellectual analysis of log files. Thus, K-means, CURE, EM, kNN, Naive Bayes and DT algorithms are selected out of these algorithms and their working principle is studied, explained, and the application of each algorithm on KDD CUP 99 data set is studied and compared.

Wei Liu,Baifeng Ning,Gangfeng Yan,Keng Xu

DOI: https://doi.org/10.1109/EI250167.2020.9347257

2020-01-01

Abstract:With the development of smart grid, power grid security monitoring is becoming more and more important. Non-intrusive load monitoring is helpful to understand the operating status of electrical equipment and is of great significance to the economic and safe operation of the power grid.This paper provide a non-intrusive load safety monitoring method for smart grid based on clustering algorithm. Based on improved generalized likelihood ratio detection, this paper introduces the voting window to establish an event detector model, and introduces event detection metrics to determine the value of related parameters and obtain the best event detector. In view of the difficulty in distinguishing electrical appliances with similar power in load decomposition, this paper uses DFT to extract the harmonic characteristics of bus current signals, and establishes a load feature library combined with active power. Then affinity propagation clustering algorithm is used to establish the load feature library to realize the load decomposition. Finally, the effectiveness of the proposed method is verified on REDD data sets.

Imam Riadi,Jazi Eko Istiyanto,Ahmad Ashari,Subanar

DOI: https://doi.org/10.48550/arXiv.1307.0072

2013-06-29

Computers and Society

Abstract:Internet crimes are now increasing. In a row with many crimes using information technology, in particular those using Internet, some crimes are often carried out in the form of attacks that occur within a particular agency or institution. To be able to find and identify the types of attacks, requires a long process that requires time, human resources and utilization of information technology to solve these problems. The process of identifying attacks that happened also needs the support of both hardware and software as well. The attack happened in the Internet network can generally be stored in a log file that has a specific data format. Clustering technique is one of methods that can be used to facilitate the identification process. Having grouped the data log file using K-means clustering technique, then the data is grouped into three categories of attack, and will be continued with the forensic process that can later be known to the source and target of attacks that exist in the network. It is concluded that the framework proposed can help the investigator in the trial process.

Chris Egersdoerfer,Dong Dai,Di Zhang

DOI: https://doi.org/10.48550/arXiv.2301.07846

2023-01-19

Abstract:With the increasing prevalence of scalable file systems in the context of High Performance Computing (HPC), the importance of accurate anomaly detection on runtime logs is increasing. But as it currently stands, many state-of-the-art methods for log-based anomaly detection, such as DeepLog, have encountered numerous challenges when applied to logs from many parallel file systems (PFSes), often due to their irregularity and ambiguity in time-based log sequences. To circumvent these problems, this study proposes ClusterLog, a log pre-processing method that clusters the temporal sequence of log keys based on their semantic similarity. By grouping semantically and sentimentally similar logs, this approach aims to represent log sequences with the smallest amount of unique log keys, intending to improve the ability of a downstream sequence-based model to effectively learn the log patterns. The preliminary results of ClusterLog indicate not only its effectiveness in reducing the granularity of log sequences without the loss of important sequence information but also its generalizability to different file systems' logs.

Distributed, Parallel, and Cluster Computing,Machine Learning

Hui Yu,Xingjian Shi

DOI: https://doi.org/10.1109/npc.2007.116

2007-09-01

Abstract:In view of the problem how to detect the network unknown attacks, a security log analysis audit model based on optimized clustering algorithm is proposed in this paper. Since the main question which influence the clustering algorithm application in the log analysis is uneasy to determine the network attack type and the cluster number, so we bring forward an optimized cluster algorithm to solve this problem. By means of simulated experiments, this algorithm is proved feasible, efficient and extensible for unknown intrusion detection.

Max Landauer,Markus Wurzenberger,Florian Skopik,Giuseppe Settanni,Peter Filzmoser

DOI: https://doi.org/10.1016/j.cose.2018.08.009

2018-11-01

Abstract:Technological advances and increased interconnectivity have led to a higher risk of previously unknown threats. Cyber Security therefore employs Intrusion Detection Systems that continuously monitor log lines in order to protect systems from such attacks. Existing approaches use string metrics to group similar lines into clusters and detect dissimilar lines as outliers. However, such methods only produce static views on the data and do not sufficiently incorporate the dynamic nature of logs. Changes of the technological infrastructure therefore frequently require cluster reformations. Moreover, such approaches are not suited for detecting anomalies related to frequencies, periodic alterations and interdependencies of log lines. We therefore propose a dynamic log file anomaly detection methodology that incrementally groups log lines within time windows. Thereby, a novel clustering mechanism establishes links between otherwise isolated collections of clusters. Cluster evolution techniques analyze clusters from neighboring time windows and determine transitions such as splits or merges. A self-learning algorithm then detects anomalies in the temporal behavior of these evolving clusters by analyzing metrics derived from their developments. We apply a prototype in an illustrative scenario consisting of a log file containing known anomalies. We thereby investigate the influences of certain parameters on the detection ability and the runtime. The evaluation of this scenario shows that 61.8% of the dynamic changes of log line clusters are correctly identified, while the false alarm rate is only 0.7%. The ability of efficiently detecting these anomalies while self-adjusting to changes of the system environment suggests the applicability of the introduced approach.

computer science, information systems

Monika Sharma,Prerna Kumari,M A Rizvi

DOI: https://doi.org/10.1109/csnt.2018.8820277

2018-11-01

Abstract:it is established fact that the out of data available on the internet much of it is unnecessary information which may be bug navigation requests, picture request, and incorrect demands. To avoid such situation the proposed logical data cleaning method is capable of cleaning irrelevant data by deducting from the web log records. We have applied four algorithm such as K-Means, Fuzzy C-Means, Divisive hierarchical clustering and Agglomerative hierarchical clustering on a dataset of “Educational Process Mining”, derived by the UCI Repository System for analyzing the distinct outcomes among them, Based on the co-relation coefficient that is Fuzzy silhouette index, Average silhouette width, Divisive coefficient and Agglomerative coefficient

Weigang Liu

DOI: https://doi.org/10.1155/2022/4927504

2022-06-10

Wireless Communications and Mobile Computing

Abstract:Attacks on network systems are becoming more and more common, the current state of increasingly sophisticated attack methods, the emergence of intrusion prevention technology is the inevitable result of the development of computer technology and network technology, and research on intrusion prevention has become a new focus of network security technology research in recent years. In order to ensure the security of computer network confidential information, the authors propose a semisupervised clustering intrusion detection algorithm. An overview of machine learning, followed by an explanation of the theory of cluster analysis, simulation experiments were carried out using the K -means algorithm and the semisupervised clustering algorithm proposed by the author, for 10,000 records, the K -means clustering algorithm and the semisupervised clustering algorithm described in this paper are used, respectively, and intrusion detection data tests were performed. At the same time, different K values were selected, three datasets were selected from "kddcup.newtestdata_10_percent_corrected," the test data were tested separately, and their average value was taken as the test result. From the simulation results, the detection rate of the semisupervised clustering algorithm is higher than that of the K -means clustering algorithm, and the false alarm rate and K -means algorithms have also been improved. Therefore, the author's semisupervised algorithm enhances the stability of the system, and the performance of the K -means algorithm is improved to a certain extent. When the value of K gradually increases, the false alarm rate also increases; however, when K is 20, the detection rate is maximized, from this, it can be known that when K is 20, its detection rate reaches 91.76%, and the false alarm rate is 8.54%. The detection rate of the author's algorithm is significantly higher than the other two algorithms, the false positive rate is slightly higher than K -means, and the false positive rate is lower than that of the other algorithm, proving the superior performance of our algorithm.

computer science, information systems,telecommunications,engineering, electrical & electronic

Feng Yao,Ang Li,Ping Ding,Lei Li

DOI: https://doi.org/10.1109/spac46244.2018.8965496

2018-12-01

Abstract:With the continuous evolution of the IT infrastructure of State Grid Data Center and the growing operational data in the electric power system, how to quickly and automatically cluster the operation log in the data center of State Grid has become a key issue in the IT operation and maintenance of the data center. As the most commonly used algorithms in data mining, a clustering algorithm from data mining is adopted to handle the operational log data of State Grid IT data center, which can be used to effectively discover the changes of the topology structure during the operation of the IT infrastructure. Specifically, because the traditional sequential clustering algorithm lacks the ability to discover potential links in logs, this paper proposes a self-destructive nuclear clustering algorithm SDN-means, which aims at the business and data characteristics of the IT infrastructure system of State Grid data center, in order to effectively classify the operational log data of State Grid IT data center during the operation of State Grid. Through the analysis of the running logs of State Grid data center with obvious time series characteristics, the proposed SDN-means algorithm can effectively outperform the existing approaches on the operation of the data center of State Grid.

Oksana Nikiforova,Andrejs Romanovs,Vitaly Zabiniako,Jurijs Kornienko

DOI: https://doi.org/10.1109/access.2024.3365424

IF: 3.9

2024-03-02

IEEE Access

Abstract:This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

computer science, information systems,telecommunications,engineering, electrical & electronic

Grigorii Asyaev,Alexander Sokolov,Alexey Ruchay

DOI: https://doi.org/10.3390/math11183939

IF: 2.4

2023-09-17

Mathematics

Abstract:This paper considers the main approaches to building algorithms for the decision support systems of information protection strategies against cyberattacks in the networks of automated process control systems (the so-called recommender systems). The advantages and disadvantages of each of the considered algorithms are revealed, and their applicability to the processing of the information security events of the UNSW-NB 15 dataset is analyzed. The dataset used contains raw network packets collected using the IXIA PerfectStorm software in the CyberRange laboratory of the Australian Cyber Security Centre (Canberra) in order to create a hybrid of the simulation of the real actions and the synthetic behavior of the network traffic generated during attacks. The possibility of applying four semantic proximity algorithms to partition process the data into clusters based on attack type in a distribution control system (DCS) is analyzed. The percentage of homogeneous records belonging to a particular type of attack is used as the metric that determines the optimal method of cluster partitioning. This metric was chosen under the assumption that cyberattacks located "closer" to each other in the multidimensional space have similar defense strategies. A hypothesis is formulated about the possibility of transferring knowledge about attacks from the vector feature space into a semantic form using semantic proximity methods. The percentage of homogeneous entries was maximal when the cosine proximity measure was used, which confirmed the hypothesis about the possibility of applying the corresponding algorithm in the recommender system.

mathematics

Pengcheng Shen,Chunguang Li

DOI: https://doi.org/10.1109/tsp.2014.2327010

IF: 4.875

2014-01-01

IEEE Transactions on Signal Processing

Abstract:Distributed data collection and analysis over networks are ubiquitous, especially over the wireless sensor networks (WSNs). Distributed clustering is one of the most important topics in distributed data analysis. It is desired to explore the hidden structure of the data collected/stored in geographically distributed nodes. In recent years, several distributed data clustering techniques have been developed based on the K-means algorithm or the Gaussian mixture model. In these methods, data structures are captured by measures only based on the first and the second order statistics. When the structure of cluster data is complicated, these statistics are insufficient and may lead to unsatisfactory clustering results. In such a case, using information theoretic measures can achieve better clustering performance since they take the whole distribution of cluster data into account. In this work, we incorporate an information theoretic measure into the cost function of the distributed clustering, to present a linear and a kernel distributed clustering algorithms. In the algorithms, each node solves a local clustering problem through diffusion cooperation with its neighboring nodes. In order to preserve privacy and save communication costs, in the cooperation, nodes merely exchange a few parameters instead of original data with their one-hop neighbors. Simulation results show that the proposed distributed algorithms can achieve almost as good clustering results as the corresponding centralized information theoretic clustering algorithms on both synthetic and real data.

Yue Shi-hong,Li Ping,Guo Ji-dong,Zhou Shui-geng

DOI: https://doi.org/10.1007/bf02842480

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:Clustering, as a powerful data mining technique for discovering interesting data distributions and patterns in the underlying database, is used in many fields, such as statistical data analysis, pattern recognition, image processing, and other business applications. Density-based Spatial Clustering of Applications with Noise (DBSCAN) (Esteret al., 1996) is a good performance clustering method for dealing with spatial data although it leaves many problems to be solved. For example, DBSCAN requires a necessary user-specified threshold while its computation is extremely time-consuming by current method such as OPTICS, etc. (Ankerstet al., 1999), and the performance of DBSCAN under different norms has yet to be examined. In this paper, we first developed a method based on statistical information of distance space in database to determine the necessary threshold. Then our examination of the DBSCAN performance under different norms showed that there was determinable relation between them. Finally, we used two artificial databases to verify the effectiveness and efficiency of the proposed methods.

Zhaoli Liu,Tao Qin,Xiaohong Guan,Hezhi Jiang,Chenxu Wang

DOI: https://doi.org/10.1109/ACCESS.2018.2843336

IF: 3.9

2018-01-01

IEEE Access

Abstract:Logs are generated by systems to record the detailed runtime information about system operations, and log analysis plays an important role in anomaly detection at the host or network level. Most existing detection methods require a priori knowledge, which cannot be used to detect the new or unknown anomalies. Moreover, the growing volume of logs poses new challenges to anomaly detection. In this paper, we propose an integrated method using K-prototype clustering and k-NN classification algorithms, which uses a novel clustering-filtering-refinement framework to perform anomaly detection from massive logs. First, we analyze the characteristics of system logs and extract 10 features based on the session information to characterize user behaviors effectively. Second, based on these extracted features, the K-prototype clustering algorithm is applied to partition the data set into different clusters. Then, the obvious normal events which usually present as highly coherent clusters are filtered out, and the others are regarded as anomaly candidates for further analysis. Finally, we design two new distance-based features to measure the local and global anomaly degrees for these anomaly candidates. Based on these two new features, we apply the k-NN classifier to generate accurate detection results. To verify the integrated method, we constructed a log collection and anomaly detection platform in the campus network center of Xi'an Jiaotong University. The experimental results based on the data sets collected from the platform show our method has high detection accuracy and low computational complexity.

Shi-wen CHENG,Dan PEI,Chang-jin WANG

DOI: https://doi.org/10.3969/j.issn.1000-1220.2018.05.001

2018-01-01

Abstract:In the process of ICPs′ actual operations,the service business maintained by operations team often encounter a variety of problems.Thus one critical goal of troubleshooting is to cluster the large amounts of error log and give the feedback to the developer. To address the challenge of sheer amount of non-standard error logs,a method of error log clustering of Internet software is proposed. This method reduces the log scale by extracting log template and compression,improves the clustering accuracy and reduces the data dimension by calculating document frequency to extract feature words,and improves the clustering effect using Canopy clustering and K-means clustering.Experimental results in an Internet company′s operations show that the proposed method not only has an ideal clustering effect,but also meets the performance requirements in the production environment.

D. A. Khudyakov

DOI: https://doi.org/10.25205/1818-7900-2023-21-1-62-72

2023-08-28

Abstract:Software system developers must respond quickly to failures in order to avoid reputational and financial losses for their customers. Therefore, it is important to detect behavioral anomalies in the operation of software systems in a timely manner. At the moment, various tools for automatic monitoring of systems are being actively developed, but logs are the main tool for analyzing failures. Logs contain information about the operation of the system at various points of execution. Modern systems often have a distributed microservice architecture, which significantly complicates the task of analyzing logs. Logs of such systems are collected centrally from different microservices, forming a huge flow of information that is very difficult to analyze manually. However, the problem of identifying logs related to a specific request to the system is solved by distributed tracing, the use of which opens up wide opportunities for the introduction of automatic analysis. There are already many solutions for detecting anomalies in logs, but they do not take advantage of distributed tracing. The article is considered to solving the problem of detecting behavioral anomalies in the work of distributed software systems based on automatic analysis of log traces. The solution is based on the synthesis of machine learning methods. Log traces are preprocessed and cleaned using process mining methods. Next, vectorization and clustering of log messages is performed. After that, a long short-term memory network (LSTM) is used to analyze deviations in the sequences of processed logs. As a result of the work performed, a prototype of the anomaly detection system was developed and tested.

Noor Saud Abd,Kamel Karoui

2024-11-22

Abstract:In the current digital age, the volume of data generated by various cyber activities has become enormous and is constantly increasing. The data may contain valuable insights that can be harnessed to improve cyber security measures. However, much of this data is unclassified and qualitative, which poses significant challenges to traditional analysis methods. Clustering facilitates the identification of hidden patterns and structures in data through grouping similar data points, which makes it simpler to identify and address threats. Clustering can be defined as a data mining (DM) approach, which uses similarity calculations for dividing a data set into several categories. Hierarchical, density-based, along with partitioning clustering algorithms are typical. The presented work use K-means algorithm, which is a popular clustering technique. Utilizing K-means algorithm, we worked with two different types of data: first, we gathered data with the use of XG-boost algorithm following completing the aggregation with K-means algorithm. Data was gathered utilizing Kali Linux environment, cicflowmeter traffic, and Putty Software tools with the use of diverse and simple attacks. The concept could assist in identifying new attack types, which are distinct from the known attacks, and labeling them based on the characteristics they will exhibit, as the dynamic nature regarding cyber threats means that new attack types often emerge, for which labeled data might not yet exist. The model counted the attacks and assigned numbers to each one of them. Secondly, We tried the same work on the ready data inside the Kaggle repository called (Intrusion Detection in Internet of Things Network), and the clustering model worked well and detected the number of attacks correctly as shown in the results section.

Cryptography and Security,Artificial Intelligence