Design of Log-Based Anomaly Detection System Based on Temporal and Logical Relationship

doi:10.3969/j.issn.1671-1122.2022.11.001

Abstract

Abstract:

With the development of computer systems, logs have become an important data source for maintaining stable operation of computer systems. System logs record the status and important event information of key points during system operation, which can help technicians locate system faults and analyze their causes, provide data support for problem solving, and monitor illegal operations and provide help for system recovery, so log anomaly detection is of great significance. However, most of the existing researches only utilize a single feature of logs for anomaly detection. To this end, the paper designed a machine learning-based log anomaly detection system, which implemented a complete process of log collection, log parsing, log feature extraction and log anomaly detection; a machine learning method that incorporates log temporal and logical relationships is proposed to make better use of log features to increase the accuracy of detection results.

Key words: machine learning, system log, anomaly detection

CLC Number:

TP309

NIU Yinuo, ZHANG Yifei, GAO Neng, MA Cunqing. Design of Log-Based Anomaly Detection System Based on Temporal and Logical Relationship[J]. Netinfo Security, 2022, 22(11): 1-6.

Figures/Tables 10

References 15

[1]	KONTAKI M, GOUNARIS A, Papadopoulos A N, et al. Efficient and Flexible Algorithms for Monitoring Distance-Based Outliers Over Data Streams[J]. Information Systems, 2016, 55(7): 37-53. doi: 10.1016/j.is.2015.07.006 URL
[2]	DUAN Xiaoyu, YING Shi, YUAN Wanli, et al. A Generative Adversarial Networks for Log Anomaly Detection[J]. Computer Systems Science and Engineering, 2021(1): 135-148.
[3]	WANG Bingming, YING Shi, YANG Zhe. A Log-Based Anomaly Detection Method with Efficient Neighbor Searching and Automatic K Neighbor Selection[J]. Scientific Programming, 2020(6): 1-17.
[4]	ZHU Jieming, HE Shilin, LIU Jinyang, et al. Tools and Benchmarks for Automated Log Parsing[C]// ACM. 41st International Conference on Software Engineering:Software Engineering in Practice (ICSE-SEIP). New York:ACM, 2019: 121-130.
[5]	DU Min, LI Feifei, ZHENG Guineng, et al. DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning[C]// ACM. Sigsac Conference on Computer & Communications Security. New York: ACM, 2017: 1285-1298.
[6]	ESWARAN D, FALOUTSOS C, GUHA S, et al. SpotLight: Detecting Anomalies in Streaming Graphs[C]// ACM. the 24th ACM SIGKDD International Conference. New York: ACM, 2018: 1378-1386.
[7]	LIU Fucheng, WEN Yu, ZHANG Dongxue, et al. Log2vec: A Heterogeneous Graph Embedding Based Approach for Detecting Cyber Threats within Enterprise[C]// ACM. the 2019 ACM SIGSAC Conference. New York: ACM, 2019: 1777-1794.
[8]	WANG Jin, TANG Yangning, HE Shiming, et al. LogEvent2vec: LogEvent-to-Vector Based Anomaly Detection for Large-Scale Logs in Internet of Things[J]. Sensors (Basel, Switzerland), 2020, 20(9): 2451-2470. doi: 10.3390/s20092451 URL
[9]	YANG Lin, CHEN Junjie, WANG Zan, et al. Semi-Supervised Log-Based Anomaly Detection via Probabilistic Label Estimation[C]// ACM. 43rd International Conference on Software Engineering (ICSE). New York: ACM, 2021: 1448-1460.
[10]	Wang Jin, ZHAO Changqing, HE Shiming, et al. LogUAD: Log Unsupervised Anomaly Detection Based on Word2Vec[J]. Computer Systems Science and Engineering, 2022, 41(3): 1207-1222. doi: 10.32604/csse.2022.022365 URL
[11]	GERHARDS R, GmbH A. RFC 5424 The Syslog Protocol[EB/OL]. (2009-10-11)[2022-03-27]. .
[12]	LIN Fengxu, LIU Jinyang, ZHENG Jian, et al. The Usage of Rsyslog in Log Collection[J]. Cyberspace Security, 2019(4): 18-22.
[13]	MESSAOUDI S, PANICHELLA A, BIANCULLI D, et al. A Search-Based Approach for Accurate Identification of Log Message Formats[C]// ACM. 26th International Conference on Program Comprehension (ICPC). New York:ACM, 2018: 167-177.
[14]	HE Pinjia, ZHU Jieming, ZHENG Zibin, et al. Drain: An Online Log Parsing Approach with Fixed Depth Tree[C]// IEEE. 2017 IEEE International Conference on Web Services (ICWS). New York:IEEE, 2017: 33-40.
[15]	MA Daoying, ZHANG Aidong. An Adaptive Density-Based Clustering Algorithm for Spatial Database with Noise[C]// IEEE. International Conference on Data Mining. New York: IEEE, 2004: 467-470.

时间	模型名称	检测方法	模型方法	特点
2016	LogMine	基于规则	基于map reduce框架搭建的分布式算法	能够处理大量数据
2017	DeepLog	基于自然语言处理	基于LSTM将日志建模为自然语言序列	利用日志的时序性
2018	SpotLight	基于图	基于随机草图检测流图	利用流程关系
2019	Log2vec	基于图	图构造+图嵌入	利用了日志的逻辑关系
2020	LogEvent2vec	基于聚类	利用Word2vec将日志事件转化为向量	直接利用了结构化的日志
2021	PLELog	深度学习	标签+半监督	减少了聚类产生的噪音
2022	LogUAD	基于聚类	Word2vec+TF-IDF+无监督	利用日志间词序列权重