Netinfo Security (信息网络安全) ›› 2022, Vol. 22 ›› Issue (11): 1-6. doi: 10.3969/j.issn.1671-1122.2022.11.001

• Classified Protection •

Design of Log-Based Anomaly Detection System Based on Temporal and Logical Relationship
(Chinese title: 融合时序和逻辑关系的日志异常检测系统设计)

NIU Yinuo1,2, ZHANG Yifei1, GAO Neng1 (corresponding author), MA Cunqing1

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
  • Received: 2022-06-20 Online: 2022-11-10 Published: 2022-11-16
  • Contact: GAO Neng, E-mail: gaoneng@iie.ac.cn
  • About the authors: NIU Yinuo (born 1999), male, from Heilongjiang, master's student; main research interests: network security and information system security | ZHANG Yifei (born 1994), male, from Shaanxi, assistant researcher, Ph.D.; main research interest: data mining | GAO Neng (born 1976), female, from Shaanxi, professor, Ph.D.; main research interest: information security | MA Cunqing (born 1984), male, from Qinghai, senior engineer, Ph.D.; main research interest: information security
  • Funding: National Natural Science Foundation of China (61902398)

Abstract:

As computer systems have grown, logs have become an important data source for keeping them running stably. System logs record the system's runtime state and important events at key points; they help technicians locate faults and analyze their causes, provide data support for resolving problems, and also make it possible to monitor illegal operations and assist in system recovery. Log anomaly detection is therefore of great significance. However, most existing research uses only a single feature of logs for anomaly detection. To address this, the paper designs a machine-learning-based log anomaly detection system that implements the complete pipeline of log collection, log parsing, log feature extraction and log anomaly detection, and proposes a machine learning method that fuses the temporal and logical relationships of logs, so as to make better use of log features and improve the accuracy of detection results.

Key words: machine learning, system log, anomaly detection
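The pipeline the abstract describes (parsing raw lines into event templates, grouping them into sessions, then checking a temporal relation and a logical relation between events), as an added Python example that is not the paper's code or method: the count-based next-event table and the required-predecessor rule are assumed stand-ins for the paper's machine learning models, and the log lines, block-id session key and `<*>` template notation are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the paper); format: time level message.
NORMAL_LOGS = """\
10:00:01 INFO Receiving block blk_1 from /10.0.0.1
10:00:02 INFO Verifying block blk_1 of size 512
10:00:03 INFO Block blk_1 verified
10:00:04 INFO Receiving block blk_2 from /10.0.0.2
10:00:05 INFO Verifying block blk_2 of size 128
10:00:06 INFO Block blk_2 verified""".splitlines()
SUSPECT_LOGS = """\
10:01:01 INFO Receiving block blk_9 from /10.0.0.9
10:01:02 INFO Block blk_9 verified
10:01:03 WARN Deleting block blk_9""".splitlines()
VAR_RE = re.compile(r"blk_\d+|/?\d+(?:\.\d+)+|\b\d+\b")  # block ids, IPs, plain numbers
H = 2  # temporal window: how many preceding events predict the next one

def sessions(lines):
    """Log parsing + grouping: per block id, its sequence of event templates (parameters -> <*>)."""
    seqs = defaultdict(list)
    for msg in (line.split(" ", 2)[2] for line in lines):
        seqs[re.search(r"blk_\d+", msg).group()].append(VAR_RE.sub("<*>", msg))
    return seqs
def fit(seqs):
    """Learn from normal sessions: next_ok = events seen after each H-event window (temporal);
    required = events that always occurred earlier in the same session (logical)."""
    next_ok, required = defaultdict(set), {}
    for seq in seqs.values():
        padded = ["<s>"] * H + seq
        for i in range(H, len(padded)):
            next_ok[tuple(padded[i - H:i])].add(padded[i])
        for i, ev in enumerate(seq):
            required[ev] = required.get(ev, set(seq[:i])) & set(seq[:i])
    return next_ok, required
def detect(next_ok, required, seq):
    """Return (kind, position, event, detail) findings; [] means the session looks normal."""
    out, padded = [], ["<s>"] * H + seq
    for i in range(H, len(padded)):
        win = tuple(padded[i - H:i])
        if padded[i] not in next_ok.get(win, ()):  # event never observed after this window
            out.append(("temporal", i - H, padded[i], win))
    for i, ev in enumerate(seq):
        missing = required.get(ev, set()) - set(seq[:i])  # known event, prerequisites absent
        if missing:
            out.append(("logical", i, ev, tuple(sorted(missing))))
    return out
def run_demo():
    model = fit(sessions(NORMAL_LOGS))
    return {sid: detect(*model, seq) for sid, seq in sessions(SUSPECT_LOGS).items()}
```

On the constructed data, blk_9 is flagged twice by the temporal check (a verification without its preceding step, then an event never seen in training) and once by the logical check (the verified event lacks its required predecessor), which is the kind of complementary signal the two relations are meant to give; a real deployment would learn from far more sessions and tolerate rare-but-valid next events instead of flagging everything unseen.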
