Max Landauer,Markus Wurzenberger,Florian Skopik,Giuseppe Settanni,Peter Filzmoser

DOI: https://doi.org/10.1016/j.cose.2018.08.009

2018-11-01

Abstract:Technological advances and increased interconnectivity have led to a higher risk of previously unknown threats. Cyber Security therefore employs Intrusion Detection Systems that continuously monitor log lines in order to protect systems from such attacks. Existing approaches use string metrics to group similar lines into clusters and detect dissimilar lines as outliers. However, such methods only produce static views on the data and do not sufficiently incorporate the dynamic nature of logs. Changes of the technological infrastructure therefore frequently require cluster reformations. Moreover, such approaches are not suited for detecting anomalies related to frequencies, periodic alterations and interdependencies of log lines. We therefore propose a dynamic log file anomaly detection methodology that incrementally groups log lines within time windows. Thereby, a novel clustering mechanism establishes links between otherwise isolated collections of clusters. Cluster evolution techniques analyze clusters from neighboring time windows and determine transitions such as splits or merges. A self-learning algorithm then detects anomalies in the temporal behavior of these evolving clusters by analyzing metrics derived from their developments. We apply a prototype in an illustrative scenario consisting of a log file containing known anomalies. We thereby investigate the influences of certain parameters on the detection ability and the runtime. The evaluation of this scenario shows that 61.8% of the dynamic changes of log line clusters are correctly identified, while the false alarm rate is only 0.7%. The ability of efficiently detecting these anomalies while self-adjusting to changes of the system environment suggests the applicability of the introduced approach.

computer science, information systems

Diana N. Sidorova,Evgeniy N. Pivkin,,

DOI: https://doi.org/10.17212/2782-2230-2022-1-41-60

2022-03-30

Digital Technology Security

Abstract:Security event log files give an idea of the state of the information system and allow you to find anomalies in user behavior and cybersecurity incidents. The existing event logs (application, system, security event logs) and their division into certain types are considered. But automated analysis of security event log data is difficult because it contains a large amount of unstructured data that has been collected from various sources. Therefore, this article presents and describes the problem of analyzing information security event logs. And to solve this problem, new and not particularly studied methods and algorithms for data clustering were considered, such as Random forest (random forest), incremental clustering, IPLoM algorithm (Iterative Partitioning Log Mining - iterative analysis of the partitioning log). The Random forest algorithm creates decision trees for data samples, after which it is provided with a forecast for each sample, and the best solution is selected by voting. This method reduces overfitting by averaging the scores. The algorithm is also used in such types of problems as regression and classification. Incremental clustering defines clusters as groups of objects that belong to the same class or concept, which is a specific set of pairs. When clusters are defined, they can overlap, allowing for a degree of "fuzziness for samples" that lie at the boundaries of different clusters. The IPLoM algorithm uses the unique characteristics of log messages to iteratively partition the log, which helps to extract message types efficiently.

Chris Egersdoerfer,Dong Dai,Di Zhang

DOI: https://doi.org/10.48550/arXiv.2301.07846

2023-01-19

Abstract:With the increasing prevalence of scalable file systems in the context of High Performance Computing (HPC), the importance of accurate anomaly detection on runtime logs is increasing. But as it currently stands, many state-of-the-art methods for log-based anomaly detection, such as DeepLog, have encountered numerous challenges when applied to logs from many parallel file systems (PFSes), often due to their irregularity and ambiguity in time-based log sequences. To circumvent these problems, this study proposes ClusterLog, a log pre-processing method that clusters the temporal sequence of log keys based on their semantic similarity. By grouping semantically and sentimentally similar logs, this approach aims to represent log sequences with the smallest amount of unique log keys, intending to improve the ability of a downstream sequence-based model to effectively learn the log patterns. The preliminary results of ClusterLog indicate not only its effectiveness in reducing the granularity of log sequences without the loss of important sequence information but also its generalizability to different file systems' logs.

Distributed, Parallel, and Cluster Computing,Machine Learning

Babak Nabiyev,Fuad Ahmadov,,

DOI: https://doi.org/10.25045/jpit.v13.i2.05

2022-07-06

Problems of Information Technology

Abstract:Today, the application of information technology in all areas of our lives has led to wider spread and popularity of cybercrime. In modern industrial control systems and cyber-physical systems, log files are very important in terms of detecting cyber incidents, identifying and preventing threats and anomalies. However, today, a large volume of log files generated in these systems greatly complicates the process of extracting useful information from them. This, in turn, highlights the need for intellectual analysis of log files. To this end, this article explores a number of clustering and classification methods and algorithms for the intellectual analysis of log files. Thus, K-means, CURE, EM, kNN, Naive Bayes and DT algorithms are selected out of these algorithms and their working principle is studied, explained, and the application of each algorithm on KDD CUP 99 data set is studied and compared.

Markus Wurzenberger,Florian Skopik,Roman Fiedler,Wolfgang Kastner

DOI: https://doi.org/10.48550/arXiv.2101.07113

2021-01-18

Cryptography and Security

Abstract:Most of today's security solutions, such as security information and event management (SIEM) and signature based IDS, require the operator to evaluate potential attack vectors and update detection signatures and rules in a timely manner. However, today's sophisticated and tailored advanced persistent threats (APT), malware, ransomware and rootkits, can be so complex and diverse, and often use zero day exploits, that a pure signature-based blacklisting approach would not be sufficient to detect them. Therefore, we could observe a major paradigm shift towards anomaly-based detection mechanisms, which try to establish a system behavior baseline -- either based on netflow data or system logging data -- and report any deviations from this baseline. While these approaches look promising, they usually suffer from scalability issues. As the amount of log data generated during IT operations is exponentially growing, high-performance analysis methods are required that can handle this huge amount of data in real-time. In this paper, we demonstrate how high-performance bioinformatics tools can be applied to tackle this issue. We investigate their application to log data for outlier detection to timely reveal anomalous system behavior that points to cyber attacks. Finally, we assess the detection capability and run-time performance of the proposed approach.

Qingwei Lin,Hongyu Zhang,Jian-Guang Lou,Yu Zhang,Xuewei Chen

DOI: https://doi.org/10.1145/2889160.2889232

2016-05-14

Abstract:Logs play an important role in the maintenance of large-scale online service systems. When an online service fails, engineers need to examine recorded logs to gain insights into the failure and identify the potential problems. Traditionally, engineers perform simple keyword search (such as "error" and "exception") of logs that may be associated with the failures. Such an approach is often time consuming and error prone. Through our collaboration with Microsoft service product teams, we propose LogCluster, an approach that clusters the logs to ease log-based problem identification. LogCluster also utilizes a knowledge base to check if the log sequences occurred before. Engineers only need to examine a small number of previously unseen, representative log sequences extracted from the clusters to identify a problem, thus significantly reducing the number of logs that should be examined, meanwhile improving the identification accuracy. Through experiments on two Hadoop-based applications and two large-scale Microsoft online service systems, we show that our approach is effective and outperforms the state-of-the-art work proposed by Shang et al. in ICSE 2013. We have successfully applied LogCluster to the maintenance of many actual Microsoft online service systems. In this paper, we also share our success stories and lessons learned.

Florian Skopik,Max Landauer,Markus Wurzenberger

DOI: https://doi.org/10.1109/msec.2021.3113275

2021-01-01

Abstract:Logs are incrementally produced textual data that reflect events and their impact on technical systems. Their efficient analysis is key for operational cybersecurity. We investigate approaches beyond applying simple regular expressions and provide insights into novel machine learning mechanisms for parsing and analyzing log data for online anomaly detection.

computer science, information systems, software engineering

Max Landauer,Sebastian Onder,Florian Skopik,Markus Wurzenberger

DOI: https://doi.org/10.1016/j.mlwa.2023.100470

2023-05-15

Abstract:Automatic log file analysis enables early detection of relevant incidents such as system failures. In particular, self-learning anomaly detection techniques capture patterns in log data and subsequently report unexpected log event occurrences to system operators without the need to provide or manually model anomalous scenarios in advance. Recently, an increasing number of approaches leveraging deep learning neural networks for this purpose have been presented. These approaches have demonstrated superior detection performance in comparison to conventional machine learning techniques and simultaneously resolve issues with unstable data formats. However, there exist many different architectures for deep learning and it is non-trivial to encode raw and unstructured log data to be analyzed by neural networks. We therefore carry out a systematic literature review that provides an overview of deployed models, data pre-processing mechanisms, anomaly detection techniques, and evaluations. The survey does not quantitatively compare existing approaches but instead aims to help readers understand relevant aspects of different model architectures and emphasizes open issues for future work.

Machine Learning

Imam Riadi,Jazi Eko Istiyanto,Ahmad Ashari,Subanar

DOI: https://doi.org/10.48550/arXiv.1307.0072

2013-06-29

Computers and Society

Abstract:Internet crimes are now increasing. In a row with many crimes using information technology, in particular those using Internet, some crimes are often carried out in the form of attacks that occur within a particular agency or institution. To be able to find and identify the types of attacks, requires a long process that requires time, human resources and utilization of information technology to solve these problems. The process of identifying attacks that happened also needs the support of both hardware and software as well. The attack happened in the Internet network can generally be stored in a log file that has a specific data format. Clustering technique is one of methods that can be used to facilitate the identification process. Having grouped the data log file using K-means clustering technique, then the data is grouped into three categories of attack, and will be continued with the forensic process that can later be known to the source and target of attacks that exist in the network. It is concluded that the framework proposed can help the investigator in the trial process.

Markus Wurzenberger,Georg Höld,Max Landauer,Florian Skopik

DOI: https://doi.org/10.1016/j.cose.2023.103631

IF: 5.105

2023-12-06

Computers & Security

Abstract:Log lines consist of static parts that characterize their structure and enable assignment of event types, and event parameters, i.e., variable parts that provide specific information on system processes, such as host and user names, IP addresses, and file operations. Many detection approaches only focus on anomalous event type occurrences, i.e., they parse log lines to derive unique event identifiers and subsequently detect anomalies in event sequences or event count vectors, but neglect variable parts of log lines entirely during analysis. This is especially problematic, when monitoring strongly structured log data that contains only a small number of distinct event types, for example, logs that consist of strict key value pairs, i.e., parameters that occur consistently throughout all log lines, such as it is case in access and audit logs. Thus, novel approaches are required, which focus on analysis of log lines' variable parts. In this paper, we propose the variable type detector (VTD), a novel unsupervised approach that autonomously analyzes variable log line parts to enable anomaly detection. It assigns data types to each variable, which also include probability distributions for discrete and continuous variables. The VTD raises an alarm if a variable's data type changes. Furthermore, it implements a robust indicator function that reduces false positives by tracking the data type history of each variable and reports only significant data type changes. Additionally, an event indicator enables event-based anomaly detection by taking into account the data types of all variables of a single event type. The evaluation conducted on open-source log data, demonstrates the effectiveness of the VTD compared to conventional anomaly detection approaches, such as time series analysis and PCA. Consequently, the VTD acts as a solution that extends the intrusion detection capabilities of security information and event management (SIEM) and integrates with modern concepts of endpoint detection and response (EDR) and extended detection and responses (XDR), while simultaneously serving as an asset for process monitoring that supports user and entity behavior analytics (UEBA).

computer science, information systems

Absalom E. Ezugwu,Abiodun M. Ikotun,Olaide O. Oyelade,Laith Abualigah,Jeffery O. Agushaka,Christopher I. Eke,Andronicus A. Akinyelu

DOI: https://doi.org/10.1016/j.engappai.2022.104743

IF: 8

2022-04-01

Engineering Applications of Artificial Intelligence

Abstract:Clustering is an essential tool in data mining research and applications. It is the subject of active research in many fields of study, such as computer science, data science, statistics, pattern recognition, artificial intelligence, and machine learning. Several clustering techniques have been proposed and implemented, and most of them successfully find excellent quality or optimal clustering results in the domains mentioned earlier. However, there has been a gradual shift in the choice of clustering methods among domain experts and practitioners alike, which is precipitated by the fact that most traditional clustering algorithms still depend on the number of clusters provided a priori. These conventional clustering algorithms cannot effectively handle real-world data clustering analysis problems where the number of clusters in data objects cannot be easily identified. Also, they cannot effectively manage problems where the optimal number of clusters for a high-dimensional dataset cannot be easily determined. Therefore, there is a need for improved, flexible, and efficient clustering techniques. Recently, a variety of efficient clustering algorithms have been proposed in the literature, and these algorithms produced good results when evaluated on real-world clustering problems. This study presents an up-to-date systematic and comprehensive review of traditional and state-of-the-art clustering techniques for different domains. This survey considers clustering from a more practical perspective. It shows the outstanding role of clustering in various disciplines, such as education, marketing, medicine, biology, and bioinformatics. It also discusses the application of clustering to different fields attracting intensive efforts among the scientific community, such as big data, artificial intelligence, and robotics. This survey paper will be beneficial for both practitioners and researchers. It will serve as a good reference point for researchers and practitioners to design improved and efficient state-of-the-art clustering algorithms.

Shi-wen CHENG,Dan PEI,Chang-jin WANG

DOI: https://doi.org/10.3969/j.issn.1000-1220.2018.05.001

2018-01-01

Abstract:In the process of ICPs′ actual operations,the service business maintained by operations team often encounter a variety of problems.Thus one critical goal of troubleshooting is to cluster the large amounts of error log and give the feedback to the developer. To address the challenge of sheer amount of non-standard error logs,a method of error log clustering of Internet software is proposed. This method reduces the log scale by extracting log template and compression,improves the clustering accuracy and reduces the data dimension by calculating document frequency to extract feature words,and improves the clustering effect using Canopy clustering and K-means clustering.Experimental results in an Internet company′s operations show that the proposed method not only has an ideal clustering effect,but also meets the performance requirements in the production environment.

Hui Yu,Xingjian Shi

DOI: https://doi.org/10.1109/npc.2007.116

2007-09-01

Abstract:In view of the problem how to detect the network unknown attacks, a security log analysis audit model based on optimized clustering algorithm is proposed in this paper. Since the main question which influence the clustering algorithm application in the log analysis is uneasy to determine the network attack type and the cluster number, so we bring forward an optimized cluster algorithm to solve this problem. By means of simulated experiments, this algorithm is proved feasible, efficient and extensible for unknown intrusion detection.

Markus Wurzenberger,Florian Skopik,Roman Fiedler,Wolfgang Kastner

DOI: https://doi.org/10.1145/2995959.2995973

2016-10-28

Abstract:Since the number of cyber attacks by insider threats and the damage caused by them has been increasing over the last years, organizations are in need for specific security solutions to counter these threats. To limit the damage caused by insider threats, the timely detection of erratic system behavior and malicious activities is of primary importance. We observed a major paradigm shift towards anomaly-focused detection mechanisms, which try to establish a baseline of system behavior -- based on system logging data -- and report any deviations from this baseline. While these approaches are promising, they usually have to cope with scalability issues. As the amount of log data generated during IT operations is exponentially growing, high-performance security solutions are required that can handle this huge amount of data in real time. In this paper, we demonstrate how high-performance bioinformatics tools can be leveraged to tackle this issue, and we demonstrate their application to log data for outlier detection, to timely detect anomalous system behavior that points to insider attacks.

Lei Pan,Huichang Zhu

DOI: https://doi.org/10.4018/jcit.330145

2023-09-12

Journal of Cases on Information Technology

Abstract:Log anomaly detection holds great significance in computer systems and network security. A large amount of log data is generated in the background of various information systems and equipment, so automated methods are required to identify abnormal behavior that may indicate security threats or system malfunctions. The traditional anomaly detection methods usually rely on manual statistical discovery, or match by regular expression which are complex and time-consuming. To prevent system failures, minimize troubleshooting time, and reduce service interruptions, a log template-based anomaly detection method has been proposed in this context. This approach leverages log template extraction, log clustering, and classification technology to timely detect abnormal events within the information system. The effectiveness of this method has been thoroughly tested and compared against traditional log anomaly detection systems. The results demonstrate improvements in log analysis depth, event recognition accuracy, and overall efficiency.

English Else

Philipp Kuehn,Dilara Nadermahmoodi,Moritz Kerk,Christian Reuter

DOI: https://doi.org/10.48550/arXiv.2210.14067

2024-03-15

Abstract:The ever-increasing number of threats and the existing diversity of information sources pose challenges for Computer Emergency Response Teams (CERTs). To respond to emerging threats, CERTs must gather information in a timely and comprehensive manner. But the volume of sources and information leads to information overload. This paper contributes to the question of how to reduce information overload for CERTs. We propose clustering incoming information as scanning this information is one of the most tiresome, but necessary, manual steps. Based on current studies, we establish conditions for such a framework. Different types of evaluation metrics are used and selected in relation to the framework conditions. Furthermore, different document embeddings and distance measures are evaluated and interpreted in combination with clustering methods. We use three different corpora for the evaluation, a novel ground truth corpus based on threat reports, one security bug report (SBR) corpus, and one with news articles. Our work shows, it is possible to reduce the information overload by up to 84.8% with homogeneous clusters. A runtime analysis of the clustering methods strengthens the decision of selected clustering methods. The source code and dataset will be made publicly available after acceptance.

Cryptography and Security

Lenka Benova,Ladislav Hudec

DOI: https://doi.org/10.3390/s24030746

IF: 3.9

2024-01-24

Sensors

Abstract:In this study, we present a novel machine learning framework for web server anomaly detection that uniquely combines the Isolation Forest algorithm with expert evaluation, focusing on individual user activities within NGINX server logs. Our approach addresses the limitations of traditional methods by effectively isolating and analyzing subtle anomalies in vast datasets. Initially, the Isolation Forest algorithm was applied to extensive NGINX server logs, successfully identifying outlier user behaviors that conventional methods often overlook. We then employed DBSCAN for detailed clustering of these anomalies, categorizing them based on user request times and types. A key innovation of our methodology is the incorporation of post-clustering expert analysis. Cybersecurity professionals evaluated the identified clusters, adding a crucial layer of qualitative assessment. This enabled the accurate distinction between benign and potentially harmful activities, leading to targeted responses such as access restrictions or web server configuration adjustments. Our approach demonstrates a significant advancement in network security, offering a more refined understanding of user behavior. By integrating algorithmic precision with expert insights, we provide a comprehensive and nuanced strategy for enhancing cybersecurity measures. This study not only advances anomaly detection techniques but also emphasizes the critical need for a multifaceted approach in protecting web server infrastructures.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Gianluigi Folino,Carla Otranto Godano,Francesco Sergio Pisani

DOI: https://doi.org/10.1007/s11227-023-05049-x

IF: 3.3

2023-01-17

The Journal of Supercomputing

Abstract:Abstract Nowadays, the speed of the user and application logs is so quick that it is almost impossible to analyse them in real time without using high-performance systems and platforms. In cybersecurity, human behaviour is responsible directly or indirectly for the most common attacks (i.e. ransomware and phishing). To monitor user behaviour, it is necessary to process fast user logs coming from different and heterogeneous sources, having part of the data or some entire sources missing. A framework based on the elastic stack (ELK) to process and store log data in real time from different users and applications is proposed for this aim. This system generates an ensemble of models to classify user behaviour and detect anomalies in real time, exploiting the advantages of the ELK-based software architecture and of the Kubernetes platform. In addition, a distributed evolutionary algorithm is used to classify the users by exploiting their digital footprints derived from many data sources. Experiments conducted on two real-life data sets verify the approach’s goodness in detecting anomalies in user behaviour, coping with missing data and lowering the number of false alarms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Oksana Nikiforova,Andrejs Romanovs,Vitaly Zabiniako,Jurijs Kornienko

DOI: https://doi.org/10.1109/access.2024.3365424

IF: 3.9

2024-03-02

IEEE Access

Abstract:This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhaoli Liu,Tao Qin,Xiaohong Guan,Hezhi Jiang,Chenxu Wang

DOI: https://doi.org/10.1109/ACCESS.2018.2843336

IF: 3.9

2018-01-01

IEEE Access

Abstract:Logs are generated by systems to record the detailed runtime information about system operations, and log analysis plays an important role in anomaly detection at the host or network level. Most existing detection methods require a priori knowledge, which cannot be used to detect the new or unknown anomalies. Moreover, the growing volume of logs poses new challenges to anomaly detection. In this paper, we propose an integrated method using K-prototype clustering and k-NN classification algorithms, which uses a novel clustering-filtering-refinement framework to perform anomaly detection from massive logs. First, we analyze the characteristics of system logs and extract 10 features based on the session information to characterize user behaviors effectively. Second, based on these extracted features, the K-prototype clustering algorithm is applied to partition the data set into different clusters. Then, the obvious normal events which usually present as highly coherent clusters are filtered out, and the others are regarded as anomaly candidates for further analysis. Finally, we design two new distance-based features to measure the local and global anomaly degrees for these anomaly candidates. Based on these two new features, we apply the k-NN classifier to generate accurate detection results. To verify the integrated method, we constructed a log collection and anomaly detection platform in the campus network center of Xi'an Jiaotong University. The experimental results based on the data sets collected from the platform show our method has high detection accuracy and low computational complexity.