CN113704201A - Log anomaly detection method and device and server - Google Patents

Publication number
CN113704201A
Authority
CN
China
Prior art keywords
log
template
target
actual
logs
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111027875.7A
Other languages
Chinese (zh)
Inventor
来风刚
祝蓓
张攀
周逸
饶涵宇
崔员宁
李静
高丰
李明
吴尚
程航
宫帅
曹弯弯
毛冬
张辰
何东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Aeronautics and Astronautics
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd
Original Assignee
Nanjing University of Aeronautics and Astronautics
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd
Application filed by Nanjing University of Aeronautics and Astronautics, State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd, Information and Telecommunication Branch of State Grid Zhejiang Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd filed Critical Nanjing University of Aeronautics and Astronautics
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

The invention provides a log anomaly detection method, device and server, applied to the technical field of computers. A log file acquired by the method comprises N logs generated in time sequence; the first N-1 logs serve as reference logs and the Nth log serves as the target log. The actual log template and log parameter values of each log are extracted. The log template of the target log is predicted from the actual log templates of the reference logs to obtain a template prediction result, and the log parameter values of the target log are predicted from the actual log parameter values of the reference logs to obtain a parameter prediction result. If the template prediction result and the actual log template of the target log do not meet a first judgment condition, or the parameter prediction result and the actual log parameter values of the target log do not meet a second judgment condition, the target log is judged to be abnormal. Because the method performs anomaly detection on logs through both the log template and the log parameters, the detection is more comprehensive.

Description

Log anomaly detection method and device and server
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a log anomaly detection method, a log anomaly detection device and a server.
Background
In order to ensure safe and reliable operation of large data processing systems such as cloud platforms and data servers, it is necessary to periodically perform anomaly detection on the large data processing systems. In practical applications, anomaly detection belongs to a data mining task that identifies an abnormal state of a data processing system by finding data entries in a dataset that differ from expected behavior.
In the prior art, the running log is an important data source for anomaly detection. The running log records the running states and related running data of the different stages of program execution, and system behavior can be understood by mining the information the log contains. The running state of the system can therefore be detected through log anomaly detection: if a log anomaly is detected, the data processing system can be determined to be abnormal.
The inventors found through research that a large amount of information related to data processing is recorded in the operation log, but most log anomaly detection methods in the prior art do not make full use of this information, so the anomaly detection is incomplete.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a log anomaly detection method, apparatus and server that detect log anomalies from two aspects, the log template and the log parameters, so that the detection is more comprehensive and helps improve the operating stability of the system. The specific scheme is as follows:
In a first aspect, the present invention provides a log anomaly detection method, including:
acquiring a log file;
the log file comprises N logs generated according to time sequence, the first N-1 logs serve as reference logs, the Nth log serves as a target log, and N is larger than 2;
respectively extracting the actual log template and the log parameter value of each log;
predicting the log template of the target log according to the actual log template of each reference log to obtain a template prediction result;
predicting the log parameter values of the target logs according to the actual log parameter values of the reference logs to obtain parameter prediction results;
and if the template prediction result and the actual log template of the target log do not meet a first judgment condition, or the parameter prediction result and the actual log parameter value of the target log do not meet a second judgment condition, judging that the target log is abnormal.
Optionally, the predicting the log template of the target log according to the actual log template of each reference log to obtain a template prediction result includes:
generating a semantic vector sequence based on the actual log template of each reference log;
the semantic vector sequence comprises the semantic features of the actual log template of each reference log;
inputting the semantic vector sequence into a log mode anomaly detection model to obtain a template prediction result;
the log mode anomaly detection model is obtained based on LSTM neural network training.
Optionally, the generating a semantic vector sequence based on the actual log template of each reference log includes:
respectively preprocessing the actual log template of each reference log to obtain a corresponding word sequence comprising a plurality of words;
respectively converting each word sequence into a corresponding semantic vector;
wherein the semantic features of the semantic vector are derived based on words in the corresponding word sequence;
and arranging the semantic vectors according to the time sequence relation between corresponding reference logs to obtain a semantic vector sequence.
Optionally, the converting each word sequence into a corresponding semantic vector includes:
respectively taking each word in each word sequence as a target word;
calculating the word frequency, the inverse text frequency index and the weight coefficient of the target word;
the weighting coefficient is used for representing the distribution condition of the target words among different log templates;
taking the product of the word frequency, the inverse text frequency index and the weight coefficient as the semantic feature of the target word;
and respectively using the set of semantic features corresponding to the words included in each word sequence as the semantic vector of the corresponding word sequence.
Optionally, the template prediction result includes a plurality of prediction log templates and occurrence probabilities corresponding to the prediction log templates;
the process of determining whether the template prediction result and the actual log template of the target log satisfy a first determination condition includes:
sorting all the prediction log templates according to the occurrence frequency from high to low;
if the preset number of prediction log templates include the actual log template of the target log, judging that the template prediction result and the actual log template of the target log meet a first judgment condition;
if the actual log template of the target log is not included in the preset number of prediction log templates, judging that the template prediction result and the actual log template of the target log do not meet the first judgment condition.
Optionally, the predicting the log parameter values of the target log according to the actual log parameter values of the reference logs to obtain parameter prediction results includes:
generating a parameter value sequence based on the actual log parameter values of the reference logs;
inputting the parameter value sequence into a log parameter value anomaly detection model to obtain a parameter prediction result;
and the log parameter value anomaly detection model is obtained based on LSTM neural network training.
Optionally, the generating a parameter value sequence based on the actual log parameter value of each reference log includes:
dividing the reference logs corresponding to the same log template into a set to obtain at least one reference log set;
respectively standardizing the log parameter values in the reference log sets to obtain corresponding standardized parameter values;
respectively performing significance representation on each standardized parameter value to obtain a characteristic parameter value corresponding to each reference log set;
and respectively ordering the characteristic parameter values in each reference log set according to the time sequence of the corresponding reference logs to obtain a parameter value sequence corresponding to each reference log set.
Optionally, the parameter prediction result includes a predicted log parameter value of the target log;
the process of determining whether the parameter prediction result and the actual log parameter value of the target log satisfy a second determination condition includes:
calculating an average absolute error between the actual log parameter value of the target log and the predicted log parameter value;
if the average absolute error is larger than or equal to a preset threshold value, judging that the parameter prediction result and the actual log parameter value of the target log meet a second judgment condition;
and if the average absolute error is smaller than the preset threshold, judging that the parameter prediction result and the actual log parameter value of the target log do not meet the second judgment condition.
In a second aspect, the present invention provides a log abnormality detection apparatus, including:
an acquisition unit configured to acquire a log file;
the log file comprises N logs generated according to time sequence, the first N-1 logs serve as reference logs, the Nth log serves as a target log, and N is larger than 2;
the extraction unit is used for respectively extracting the actual log template and the log parameter value of each log;
the first prediction unit is used for predicting the log template of the target log according to the actual log template of each reference log to obtain a template prediction result;
the second prediction unit is used for predicting the log parameter values of the target logs according to the actual log parameter values of the reference logs to obtain parameter prediction results;
and the judging unit is used for judging that the target log is abnormal if the template prediction result and the actual log template of the target log do not meet a first judgment condition or the parameter prediction result and the actual log parameter value of the target log do not meet a second judgment condition.
In a third aspect, the present invention provides a server, comprising: a memory and a processor; the memory stores a program suitable for the processor to execute so as to implement the log anomaly detection method according to any one of the first aspect of the present invention.
In the log anomaly detection method provided by the invention, the acquired log file comprises N logs generated in time sequence; the first N-1 logs are taken as reference logs and the Nth log as the target log. The actual log template and log parameter values of each log are extracted. The log template of the target log is predicted from the actual log templates of the reference logs to obtain a template prediction result, and the log parameter values of the target log are predicted from the actual log parameter values of the reference logs to obtain a parameter prediction result. If the template prediction result and the actual log template of the target log do not meet a first judgment condition, or the parameter prediction result and the actual log parameter values of the target log do not meet a second judgment condition, the target log is judged to be abnormal. Compared with the prior art, the detection method provided by the invention detects log anomalies through both the log template and the log parameters, so the detection is more comprehensive and the operating stability of the system is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a log anomaly detection method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an LSTM neural network according to an embodiment of the present invention;
Fig. 3 is a block diagram of a log anomaly detection apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The log anomaly detection method provided by the invention is applied to an electronic device. The electronic device may be a data processing server, another server capable of acquiring log files and running the corresponding anomaly detection program, an electronic device such as a personal computer or a palmtop computer, or, under certain conditions, a server on the network side.
Referring to fig. 1, fig. 1 is a flowchart of a log anomaly detection method provided in an embodiment of the present invention, where the flow of the method may include:
S100, acquiring a log file.
As mentioned above, the cloud platform, the data processing server and the related electronic device all generate corresponding logs during the operation process, and record the operation states and related operation data of different stages during the program operation process through the logs.
The log file mentioned in the embodiment of the present invention refers to a file that includes all logs within a period of time, that is, the log file includes N logs generated in time sequence, where N is greater than 2. To make the detection method easier to explain, in this embodiment the first N-1 logs in the log file are defined as reference logs and the Nth log is taken as the target log. The specific acquisition process of the log file can be implemented with reference to the prior art and is not limited by the invention.
S110, respectively extracting the actual log template and the log parameter value of each log.
Each log corresponds to a log template. The log template defines the basic format of logs of that type, the field information and the other contents to be recorded. For a given electronic device, the types and number of log templates are known.
Furthermore, a log includes several parameters, such as CPU temperature, memory usage rate and timestamp. In this embodiment, the log parameter value mainly refers to the timestamp: extracting the timestamp determines the time of the log and, from that, the time interval between consecutive logs. As described above, if the program of the electronic device is operating normally, the time interval between logs should be stable and known. Therefore, if the time interval between logs is no longer stable, or deviates greatly from the expected time interval, it can be determined that an abnormality has occurred. The present invention provides an abnormality detection method using this feature.
It should be noted that, in this step, acquiring the actual log template and log parameter values of each log refers to acquiring the log template and log parameter values of the reference log and the target log in the log file.
S120, predicting the log template of the target log according to the actual log template of each reference log to obtain a template prediction result.
As mentioned above, the order in which logs occur is fixed and, correspondingly, so is the order in which log templates occur. Detecting the order of occurrence of log templates is also called log pattern detection.
The log contents in the source code of different cloud platform modules or servers are usually constant, and correspondingly the number of log templates is also constant. The corresponding log template set may be denoted $\Omega = \{M_1, M_2, M_3, \ldots, M_n\}$, where $n$ is the number of template types.
Taking the cloud platform as an example, after the log template corresponding to each log in the log file is obtained, the sequence of log templates may be regarded as the path along which a task of the cloud platform is executed. If the cloud platform is running normally, execution must follow the order of the code modules and the output statements are also executed in order, so the execution path is naturally fixed. For a known sequence of log templates, the next template in the sequence is therefore predictable. If the deviation between the actual log template and the predicted log template is large, the cloud platform can be shown to be abnormal.
In the detection method provided by the embodiment of the invention, the log templates arranged in time order are regarded as text in a natural language. The log template sequence is expressed as $MS = \{M_1, M_2, M_3, \ldots, M_m\}$ and, through feature representation, is converted into a semantic vector sequence $V = \{V_1, V_2, \ldots, V_m\}$, where $V_i$ is the semantic vector of the $i$-th log template $M_i$ among the $m$ log templates.
The following describes a process of generating a semantic vector sequence based on the actual log template of each reference log:
Firstly, the actual log templates of the reference logs are respectively preprocessed to obtain corresponding word sequences comprising a plurality of words. As mentioned above, a log template can be regarded as text in a natural language, and the text preprocessing mainly consists of word segmentation and function-word removal. In this scheme, the actual log templates of the reference logs are segmented using predefined delimiters; the space delimiter solves the segmentation problem for most log templates. The actual log template of a reference log is divided by the delimiters into a word sequence $W = [W_1, W_2, \ldots, W_L]$, where $W_i$, $i \in [1, L]$, denotes the $i$-th word and $L$ the total number of words in the log template.
Most words in the sequence $W$ have actual meanings, but the sequence also includes function words such as "a", "the" and "is". First, the function words in $W$ need to be deleted, and finally meaningless characters such as "/" are deleted, because these not only increase the dimensionality of the feature representation but also contribute nothing to semantic information extraction.
Further, the word sequences corresponding to the reference logs are converted into corresponding semantic vectors. Because the log contexts are correlated with each other, but not independent of each other, the semantic features of the log can be obtained by mining the log context information. After preprocessing, the embodiment of the present invention converts the word sequence W of each log template into a semantic vector V for feature representation, and the process should satisfy the following two requirements:
1) Semantic vectors corresponding to log templates with large differences are highly differentiated. For example, the sequences [open, file, failed] and [connect, to] are two different template sequences, so the corresponding semantic vectors should be different; that is, the cosine similarity of the two vectors is small.
2) The semantic vector should be able to identify unstable logs with similar semantics, so similar log templates should have some compatibility. For example, the two template sequences [open, file, failed] and [open, file, failed, where], although different, have the same semantics and therefore need to be representable as similar semantic vectors.
In the prior art, the TF-IDF algorithm is a method widely used for feature representation in information retrieval and data mining, and is used for evaluating the importance of a word to a document in a document set or a corpus, wherein the importance of the word is proportional to the number of times the word appears in the document and is also inversely proportional to the frequency of the word appearing in the corpus.
In the word sequence $W$, different words $W_i$ contribute different information to the feature representation. TF-IDF effectively reflects the importance of that information and gives different words different weights, which meets the requirement of high distinction. Each $W_i$ obtained after template preprocessing is treated as a word, all log templates in the time window $[t, t + \Delta t]$ are treated as one document $d$, and the set of all documents $d$ is $D$. Each word in each word sequence is taken as a target word, and its word frequency, inverse text frequency and weight coefficient are calculated; the weight coefficient represents the distribution of the target word among different log templates.
Specifically, if the appearance frequency of the target word is higher, the target word is considered to be more representative of the template feature representation, and the word frequency is calculated by using TF, as shown in the following formula:
Figure BDA0003244011610000081
where $n_{wd}$ represents the number of times the target word appears in document $d$;
$N_d$ is the total number of words in document $d$.
However, if the target word is present in most of the log templates, it is not beneficial to distinguish the templates, and the importance of the target word should be reduced and calculated using IDF, as shown in the following formula:
Figure BDA0003244011610000082
where $|D|$ represents the total number of documents in the set $D$;
$M_{wd}$ is the number of documents in the set $D$ that contain the target word.
Optionally, note that the prior-art TF-IDF algorithm ignores the distribution of words across the log templates. For example, a target word may have a higher frequency in some log templates and a lower frequency in others, which indicates that the target word contributes to a highly distinguishing feature representation of the templates. On this basis, the embodiment of the present invention proposes a TF-IDF algorithm that introduces a weight coefficient $w$, which measures the distribution of the target word among different log templates. It is calculated as follows:
Figure BDA0003244011610000091
where $N$ represents the number of log templates;
$df_{wd}$ represents the number of templates containing the target word in the set $D$;
$df_{wm}$ represents the number of templates containing the target word in the template set.
Based on the above formula, a larger $w$ indicates that the target word fluctuates more across the templates, that its distribution is more uneven, and that it does more to distinguish the templates.
After these parameters are obtained, the product of the word frequency, the inverse text frequency index and the weight coefficient of the target word is calculated and taken as the semantic feature TF-IDF-w of the target word:
TF-IDF-w = TF * IDF * w
After the semantic features of the words in the word sequences are obtained, the set of semantic features corresponding to the words included in each word sequence is used as the semantic vector of the corresponding word sequence. The semantic vectors are then arranged according to the time sequence relation between the corresponding reference logs to obtain the semantic vector sequence.
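The preprocessing and feature steps above, as an added example that is not code from the patent. It assumes the textbook forms TF = n_wd / N_d and IDF = log(|D| / M_wd), takes the weight coefficient w as a caller-supplied function that defaults to 1, and uses constructed templates and time windows; all function names are hypothetical.

```python
import math
import re

# Function words named in the text; a deployment would use a fuller list.
FUNCTION_WORDS = {"a", "the", "is"}


def preprocess(template):
    """Split a log template on delimiters, then drop function words and
    tokens without letters (placeholders such as <*>, stray symbols)."""
    tokens = re.split(r"[\s,;:=()\[\]/]+", template.lower())
    return [t for t in tokens
            if t and t not in FUNCTION_WORDS and re.search(r"[a-z]", t)]


def window_document(templates):
    """All templates seen in one time window form one document d."""
    return [word for t in templates for word in preprocess(t)]


def tf(word, document):
    """Assumed form: n_wd / N_d."""
    return document.count(word) / len(document)


def idf(word, documents):
    """Assumed form: log(|D| / M_wd); 0 if the word is in no document."""
    containing = sum(1 for d in documents if word in d)
    return math.log(len(documents) / containing) if containing else 0.0


def semantic_vector(template, document, documents, vocabulary,
                    weight=lambda word: 1.0):
    """TF * IDF * w for each vocabulary word that occurs in the template."""
    words = set(preprocess(template))
    return [tf(w, document) * idf(w, documents) * weight(w) if w in words else 0.0
            for w in vocabulary]


def cosine(u, v):
    dot = sum(x * y for x, y in zip(u, v))
    norm = math.sqrt(sum(x * x for x in u)) * math.sqrt(sum(y * y for y in v))
    return dot / norm if norm else 0.0


# Constructed sample data: four time windows of log templates.
WINDOWS = [
    ["Open file <*> failed", "Connect to <*>"],
    ["Open file <*> failed where <*>", "Session <*> closed"],
    ["Connect to <*>", "Session <*> closed"],
    ["Lookup <*> where <*>"],
]
DOCUMENTS = [window_document(w) for w in WINDOWS]
VOCABULARY = sorted({word for d in DOCUMENTS for word in d})


def compare(template_a, window_a, template_b, window_b):
    """Cosine similarity of two templates, each taken from its own window."""
    va = semantic_vector(template_a, DOCUMENTS[window_a], DOCUMENTS, VOCABULARY)
    vb = semantic_vector(template_b, DOCUMENTS[window_b], DOCUMENTS, VOCABULARY)
    return cosine(va, vb)


if __name__ == "__main__":
    # Requirement 1: unrelated templates are far apart.
    print(compare("Open file <*> failed", 0, "Connect to <*>", 0))
    # Requirement 2: an unstable variant of the same template stays close.
    print(compare("Open file <*> failed", 0, "Open file <*> failed where <*>", 1))
```

The extra word in the unstable variant pulls the similarity below 1 in proportion to its IDF, so a rare extra token separates two variants more than a common one does.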
After the semantic vector sequence is obtained, the log mode anomaly detection model obtained by pre-training the LSTM neural network is called, and the semantic vector sequence is input into the log mode anomaly detection model to obtain the template prediction result.
The specific training process of the log pattern anomaly detection model is described later and is not detailed here.
S130, predicting the log parameter values of the target log according to the actual log parameter values of the reference logs to obtain parameter prediction results.
Mode anomaly detection based on the log template cannot detect all anomalies. For example, when a cloud platform is subjected to a DoS attack that lengthens task execution time, the logs still use the same log templates as in normal mode, but the parameter values in the logs are obviously different from those in normal mode. Further detection can therefore be based on the log parameter values.
As previously mentioned, logs are time series data, so the time characteristic of the log may be considered when selecting the parameter value. Log parsing yields the log template M, the timestamp T and so on. The difference between the timestamps of two consecutive logs is the time interval between their generation. The time interval between logs of a normally running task is stable, so a sudden increase or decrease in the interval indicates that the cloud platform may be abnormal; the time interval can therefore also be used as a parameter for anomaly detection. The timestamp is used as the log parameter for anomaly detection: the timestamp of each log is extracted, and the time interval between adjacent logs is calculated as the log parameter value of that log. For logs with the same log template, the parameter values are arranged in order into a sequence. That is, the reference logs corresponding to the same log template are divided into a set to obtain at least one reference log set, and each reference log set generates one parameter value sequence, so that each type of log template corresponds to one parameter value sequence. Because each log is output according to the time sequence of task execution, the corresponding parameter value sequence can be regarded as an independent time series, and the parameter anomaly detection problem can be converted into a time series prediction problem.
The following describes the process of generating a sequence of parameter values based on the actual log parameter values of each reference log:
Firstly, the reference logs corresponding to the same log template are divided into a set to obtain at least one reference log set, and the actual log parameter values of the reference logs in each reference log set are standardized to obtain the corresponding standardized parameter values.
The standardization of data is the basic operation of data mining and is also an important operation. Different evaluation indexes often have different dimensions and dimension units, which affect the result of data analysis, and in order to eliminate the dimension influence between the indexes, data standardization processing is required. The normalization process can also speed up the convergence of the training network.
Optionally, the invention standardizes each log parameter value using the Z-score method, which standardizes data using the mean and standard deviation of the original data; the processed data conform to a standard normal distribution. The standardization formula is shown below:
Figure BDA0003244011610000101
where μ is the mean of all data and σ is the standard deviation of all data.
Furthermore, each standardized parameter value is subjected to significance representation, and a characteristic parameter value corresponding to each reference log set is obtained.
Because the standardized parameter values belong to label-free data, how to realize accurate anomaly detection based on the label-free data is a difficult point in the field of log anomaly detection. The invention adopts an SR significance detection method to significantly represent parameter value data, and performs anomaly detection on the basis of the result. The reason why the data after the saliency representation is used for predicting instead of the original data is that the original data is generally a non-stationary sequence, and the sequence after the saliency representation is a stationary sequence, which is beneficial to making better prediction.
SR is a simple and efficient image saliency detection algorithm based on the Fast Fourier Transform (FFT). It is an unsupervised method and has proven its effectiveness in the field of image saliency detection. From the perspective of information theory, the image information H(Image) can be divided into two parts, as shown in the following formula:
H(Image)=H(Innovation)+H(Prior Knowledge)
H(Innovation) represents the salient target region in the image, and H(Prior Knowledge) represents the background region that needs to be removed. To perform image saliency detection, the background area of the image is filtered out first, leaving the salient area. The image saliency detection and time series anomaly detection tasks can be considered similar in nature, because anomalous points in a time series correspond to what is visually salient in a picture.
The SR algorithm adopted by the invention mainly comprises the following steps. Given a log parameter sequence X = {x_1, x_2, x_3, …, x_n}, the steps of the significance representation of the parameter value data are:
step one, an amplitude spectrum A(f) of the sequence X is calculated through FT, and the calculation formula is as follows:
Figure BDA0003244011610000111
step two, calculating a phase spectrum P(f) corresponding to the sequence X, wherein the calculation formula is as follows:
Figure BDA0003244011610000112
step three, taking the logarithm of A(f) to obtain L(f), wherein the calculation formula is as follows:
L(f)=log(A(f))
step four, carrying out mean filtering on L(f) by using hq(f) to obtain AL(f), wherein the calculation formula is as follows:
AL(f)=hm(f)·L(f)
step five, wherein hm(f) is an m × m smoothing filter, and the calculation formula is as follows:
Figure BDA0003244011610000113
step six, calculating the spectral residual R(f), wherein R(f) is a compressed representation of the input sequence X and represents the salient part of X, and the calculation formula is as follows:
R(f)=L(f)-AL(f)
step seven, converting the sequence into a saliency map in the spatial domain through IFT, wherein the calculation formula is as follows:
Figure BDA0003244011610000121
wherein g(f) is a Gaussian convolution kernel.
Parts of the significance representation process that are not described above can be implemented based on the prior art and are not expanded on here.
For each reference log set, the corresponding characteristic parameter values are sorted according to the time sequence of the corresponding reference logs to obtain the parameter value sequence corresponding to that reference log set.
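The parameter pipeline described above, as an added example that is not code from the patent: time intervals grouped per template, Z-score standardization, then an SR saliency map cut with a single threshold. Because the formula images are missing from this page, the SR steps follow the commonly published spectral-residual formulation without the Gaussian kernel; the sample logs and the values of `EPS`, `q` and `tau` are constructed assumptions.

```python
import cmath
import math
from collections import defaultdict

EPS = 1e-9  # assumed floor: spectrum bins below this are treated as empty


def intervals_by_template(logs):
    """logs: time-ordered (timestamp_seconds, template_id) pairs.
    Returns {template_id: [gap to the preceding log line, ...]}."""
    seqs = defaultdict(list)
    for (prev_ts, _), (ts, tpl) in zip(logs, logs[1:]):
        seqs[tpl].append(ts - prev_ts)
    return dict(seqs)


def zscore(values):
    """Z-score standardization; a constant sequence maps to all zeros."""
    n = len(values)
    mu = sum(values) / n
    sigma = math.sqrt(sum((v - mu) ** 2 for v in values) / n)
    if sigma < EPS:
        return [0.0] * n
    return [(v - mu) / sigma for v in values]


def dft(x, inverse=False):
    """Naive O(n^2) Fourier transform; use an FFT for long sequences."""
    n = len(x)
    w = (2j if inverse else -2j) * math.pi / n
    out = [sum(x[t] * cmath.exp(w * k * t) for t in range(n)) for k in range(n)]
    return [c / n for c in out] if inverse else out


def saliency_map(x, q=3):
    """Spectral residual: R(f) = L(f) - AL(f), mapped back with the phase P(f)."""
    n = len(x)
    spec = dft(x)
    phase = [cmath.phase(c) for c in spec]                 # P(f)
    # L(f) = log A(f). After Z-scoring the DC bin is ~0, so empty bins are
    # skipped instead of feeding log(0) into the mean filter.
    log_amp = [math.log(abs(c)) if abs(c) > EPS else None for c in spec]
    half = q // 2
    resid_spec = []
    for k in range(n):
        if log_amp[k] is None:
            resid_spec.append(0j)
            continue
        # AL(f): circular mean filter of width q over the non-empty bins
        window = [log_amp[(k + j) % n] for j in range(-half, half + 1)]
        window = [v for v in window if v is not None]
        avg = sum(window) / len(window)
        resid_spec.append(cmath.exp(complex(log_amp[k] - avg, phase[k])))
    return [abs(c) for c in dft(resid_spec, inverse=True)]  # S(x)


def detect(values, tau=0.5):
    """Indices whose saliency exceeds the single threshold tau (assumed value)."""
    if not values:
        return []
    sal = saliency_map(zscore(values))
    return [i for i, s in enumerate(sal) if s > tau]


def build_sample():
    """Constructed logs: template T1 every 10 s, T2 3 s after each T1,
    with a 90 s stall inserted before the T1 line numbered 40."""
    logs, shift = [], 0.0
    for i in range(64):
        if i == 40:
            shift = 90.0
        logs.append((10.0 * i + shift, "T1"))
        logs.append((10.0 * i + 3.0 + shift, "T2"))
    return logs


if __name__ == "__main__":
    for tpl, seq in intervals_by_template(build_sample()).items():
        print(tpl, "salient interval indices:", detect(seq))
```

The stalled interval is the only salient point in the T1 sequence, while the perfectly regular T2 sequence yields none, which is the constant-sequence edge case where the standard deviation is zero.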
Further, the log parameter value anomaly detection model is constructed based on the LSTM neural network. And aiming at the parameter value sequence corresponding to each log template, training an independent log parameter value abnormality detection model for each log template, and inputting each parameter value sequence into the corresponding log parameter value abnormality detection model to obtain a corresponding parameter prediction result.
As for the training process of the log parameter value anomaly detection model, the following description will be provided, and will not be detailed here.
S140, judging whether the template prediction result and the actual log template of the target log do not meet the first judgment condition or whether the parameter prediction result and the actual log parameter value of the target log do not meet the second judgment condition, if so, executing S150.
Optionally, the template prediction result includes a plurality of prediction log templates and the occurrence probability corresponding to each prediction log template. The prediction log templates are sorted from high to low according to occurrence frequency. If a preset number (for example, 3) of the prediction log templates include the actual log template of the target log, it is determined that the template prediction result and the actual log template of the target log satisfy the first determination condition; on the contrary, if the actual log template of the target log is not included in the preset number of prediction log templates, it is determined that the template prediction result and the actual log template of the target log do not satisfy the first determination condition. The preset number needs to be set in combination with the actual detection precision requirement, and its specific value is not limited by the invention.
Optionally, the parameter prediction result includes a log parameter value predicted for the target log. The average absolute error between the actual log parameter value of the target log and the predicted log parameter value is calculated. If the obtained average absolute error is greater than or equal to a preset threshold, it is determined that the parameter prediction result and the actual log parameter value of the target log meet the second determination condition; on the contrary, if the obtained average absolute error is smaller than the preset threshold, it is determined that the parameter prediction result and the actual log parameter value of the target log do not meet the second determination condition. As with the preset number, the preset threshold mentioned here also needs to be set based on the specific detection precision requirement, and its specific value is not limited by the present invention.
S150, judging that the target log is abnormal.
When the template prediction result and the actual log template of the target log do not meet the first judgment condition, or the parameter prediction result and the actual log parameter value of the target log do not meet the second judgment condition, the target log is judged to be abnormal, and it is further determined that the cloud platform or the server is abnormal.
In summary, compared with the prior art, the detection method provided by the invention detects the abnormality of the log through the log template and the log parameters, so that the detection is more comprehensive, and the operation stability of the system is improved.
Furthermore, the invention can identify and process unknown log templates by extracting the log templates to obtain semantic features, thereby improving the range and accuracy of abnormal detection, and improving the detection capability of the model by the significance expression of the log parameter values.
The training process of the log pattern abnormality detection model and the log parameter value abnormality detection model described above will be described below.
Optionally, referring to fig. 2, fig. 2 is a schematic diagram of a network architecture of an LSTM neural network designed by the embodiment of the present invention.
The LSTM neural network is a variant of the recurrent neural network, and is designed specifically for sequence data. In general, an LSTM may store context information in each block and continually adjust the LSTM block for the next block's computation. That is, the input of the current LSTM block depends on the input of the current block and the output of the previous block. Thus, the LSTM may mine context information generated in the log execution path. The LSTM is composed of an input layer, a hidden layer, and an output layer. The input feature vector sequence is X = (x_{t-W-1}, …, x_{t-1}), the length of the sequence is W, and each semantic vector in the sequence is taken as the input of one LSTM block, i.e. each layer is composed of W LSTM blocks; the hidden state of each LSTM block is also transferred to the next LSTM block, which then calculates the new hidden state and output in combination with its input, as shown in fig. 2. For example, at time t, the input to the LSTM includes the network input value x_t at the current time, the LSTM output h_{t-1} at the previous time, and the cell state c_{t-1} at the previous time; the output includes the output value h_t at that time and c_t. The model can obtain a hidden vector sequence H = (h_{t-W-1}, …, h_{t-1}) and an output vector sequence Y = (y_{t-W-1}, …, y_{t-1}). This is also why LSTM can capture historical sequence information.
Each cell in the lower LSTM hidden layer is fully connected to each cell in the upper LSTM hidden layer by a feed-forward connection. The training phase also needs to find an appropriate parameter configuration so that the anomaly detection model finally outputs an optimal result.
In particular, in the present embodiment, ADAM is used as the optimizer, categorical_crossentropy is used as the loss function, and softmax is used as the nonlinear activation function in the output layer. The training steps are as follows:
step one, assuming that the log set is D = {X_1, X_2, X_3, ..., X_i, ..., X_d}, dividing the data set into a training set and a testing set at a ratio of 7:3, and dividing the whole data set into k equal parts according to timestep (namely the time window), wherein k is equal to d, and timestep pieces of data are input into the LSTM model for training each time. Setting a model set M = {m_1, m_2, ..., m_n} according to the sequence window length, the number of LSTM layers and the number of memory units of the candidate LSTM models;
step two, taking out a model m_j from the model set M and initializing the network weights of the model m_j;
step three, inputting timestep pieces of data into the LSTM model for training, and calculating the loss Loss_{mj} according to the categorical_crossentropy loss function. The categorical_crossentropy loss function is shown below:
Figure BDA0003244011610000141
wherein y_i is the true value, and
Figure BDA0003244011610000142
is the predicted value of the LSTM model;
step four, if the loss J has not converged, iteratively updating the weights by adjusting the learning rate until J tends to converge;
step five, inputting the test data into the prediction model obtained in step four to obtain a prediction result, and comparing it with the actual value to calculate the anomaly detection accuracy;
and step six, returning to the step two to train again, and selecting the model with the highest accuracy rate from all the models in the M as the optimal model to obtain the log mode anomaly detection model.
For the log parameter value anomaly detection model, the sample data are the characteristic parameter values obtained by significance representation. SR significance detection adopts a single-threshold segmentation method to mark an abnormal point O(x_i), as shown in the following formula:
Figure BDA0003244011610000143
wherein x_i represents an arbitrary point in the sequence, and S(x_i) is the corresponding point in the saliency map.
When S(x_i) is greater than a specified threshold, an anomaly is found. However, this rule is too simple and not accurate enough, so the invention provides a prediction model SR-LSTM based on the SR algorithm and the LSTM neural network, namely the log parameter value anomaly detection model, for anomaly detection. The parameter value sequence processed by the SR algorithm is taken as the input of an LSTM model, and the LSTM is used to learn a classification prediction model that detects log parameter value anomalies. An LSTM model trained on the output of the SR algorithm can make full use of the information in the log parameter value sequence, and has a better anomaly detection effect than an LSTM model trained on original parameter value data that has not been processed by the SR algorithm.
The invention injects abnormal parameter values which are not contained in the test data set into the data sequence after the significance representation to generate a synthetic data set, and trains the LSTM model by using the synthetic data set. And randomly selecting partial points in the parameter value sequence, and calculating abnormal parameter values to replace original parameter values to obtain a significance map of the abnormal parameter values. The calculation method of the abnormal parameter value is shown as the following formula:
Figure BDA0003244011610000151
wherein
Figure BDA0003244011610000152
represents the local mean of the preceding few points; mean and var are the mean and variance of all points within the current sequence; r is a random number between 0 and 1. The log parameter value anomaly detection model of the present invention uses the Mean Absolute Error (MAE) loss function and the ADAM optimizer at this stage.
The specific process of training the log parameter value anomaly detection model based on the LSTM neural network can be implemented in combination with the foregoing and the prior art, and is not expanded here.
The log anomaly detection device described below may be regarded as a functional module architecture that needs to be set in the central device to implement the log anomaly detection method provided by the embodiment of the present invention; the following description may be cross-referenced with the above.
Referring to fig. 3, fig. 3 is a block diagram of a log anomaly detection apparatus according to an embodiment of the present invention, where the detection apparatus according to the embodiment includes:
an acquisition unit 10 for acquiring a log file;
the log file comprises N logs generated according to time sequence, the first N-1 logs serve as reference logs, the Nth log serves as a target log, and N is larger than 2;
an extracting unit 20, configured to extract a log template and a log parameter value of each log;
the first prediction unit 30 is configured to predict the log template of the target log according to the actual log template of each reference log, so as to obtain a template prediction result;
the second prediction unit 40 is configured to predict a log parameter value of the target log according to an actual log parameter value of each reference log, so as to obtain a parameter prediction result;
the judging unit 50 is configured to judge that the target log is abnormal if the template prediction result and the actual log template of the target log do not satisfy a first judging condition, or the parameter prediction result and the actual log parameter value of the target log do not satisfy a second judging condition.
Optionally, the first detecting unit 30 is configured to predict the log template of the target log according to the actual log template of each reference log, and obtain a template prediction result, and includes:
generating a semantic vector sequence based on the actual log template of each reference log;
the semantic vector sequence comprises the semantic features of the log template of each reference log;
inputting the semantic vector sequence into a log mode anomaly detection model to obtain a template prediction result;
the log mode anomaly detection model is obtained based on LSTM neural network training.
Optionally, the first detecting unit 30 is configured to generate a semantic vector sequence based on an actual log template of each reference log, and includes:
respectively preprocessing the actual log template of each reference log to obtain a corresponding word sequence comprising a plurality of words;
respectively converting each word sequence into corresponding semantic vectors;
the semantic features of the semantic vector are obtained based on words in the corresponding word sequence;
and arranging the semantic vectors according to the time sequence relation between the corresponding reference logs to obtain a semantic vector sequence.
Optionally, the first detecting unit 30 is configured to convert each word sequence into a corresponding semantic vector, and includes:
respectively taking each word in each word sequence as a target word;
calculating the word frequency, the inverse text frequency index and the weight coefficient of the target word;
wherein, the weight coefficient is used for representing the distribution condition of the target words among different log templates;
taking the product of the word frequency, the inverse text frequency index and the weight coefficient as the semantic feature of the target word;
and respectively taking the set of semantic features corresponding to the words included in each word sequence as the semantic vector of the corresponding word sequence.
Optionally, the template prediction result includes a plurality of prediction log templates and occurrence probabilities corresponding to the prediction log templates;
the judging unit 50 is configured to judge whether the template prediction result and the actual log template of the target log satisfy a first judgment condition, and includes:
sequencing all the prediction log templates according to the occurrence frequency from high to low;
if the pre-set number of prediction log templates comprise the actual log templates of the target logs, judging that the prediction results of the templates and the actual log templates of the target logs meet a first judgment condition;
and if the actual log templates of the target logs are not included in the preset number of prediction log templates, judging that the prediction results of the templates and the actual log templates of the target logs do not meet a first judgment condition.
Optionally, the second detecting unit 40 is configured to predict the log parameter value of the target log according to the actual log parameter value of each reference log, and obtain a parameter prediction result, and includes:
generating a parameter value sequence based on the actual log parameter values of the reference logs;
inputting the parameter value sequence into a log parameter value abnormity detection model to obtain a parameter prediction result;
the log parameter value anomaly detection model is obtained based on LSTM neural network training.
Optionally, the second detecting unit 40 is configured to generate a parameter value sequence based on an actual log parameter value of each reference log, and includes:
dividing the reference logs corresponding to the same log template into a set to obtain at least one reference log set;
respectively standardizing the log parameter values in the reference log sets to obtain corresponding standardized parameter values;
respectively performing significance representation on each standardized parameter value to obtain a characteristic parameter value corresponding to each reference log set;
and respectively sequencing the characteristic parameter values in each reference log set according to the time sequence of the corresponding reference log to obtain the parameter value sequence corresponding to each reference log set.
Optionally, the parameter prediction result includes a log parameter value of the target log prediction;
the determining unit 50 is configured to determine whether the parameter prediction result and the actual log parameter value of the target log satisfy a second determination condition, and includes:
calculating the average absolute error between the actual log parameter value and the predicted log parameter value of the target log;
if the average absolute error is larger than or equal to a preset threshold value, judging that the parameter prediction result and the actual log parameter value of the target log meet a second judgment condition;
and if the average absolute error is smaller than a preset threshold value, judging that the parameter prediction result and the actual log parameter value of the target log do not meet a second judgment condition.
Optionally, fig. 4 is a block diagram of a server according to an embodiment of the present invention, which is shown in fig. 4, and may include: at least one processor 100, at least one communication interface 200, at least one memory 300, and at least one communication bus 400;
in the embodiment of the present invention, the number of the processor 100, the communication interface 200, the memory 300, and the communication bus 400 is at least one, and the processor 100, the communication interface 200, and the memory 300 complete the communication with each other through the communication bus 400; it is clear that the communication connections shown by the processor 100, the communication interface 200, the memory 300 and the communication bus 400 shown in fig. 4 are merely optional;
optionally, the communication interface 200 may be an interface of a communication module, such as an interface of a GSM module;
the processor 100 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 300, which stores application programs, may include a high-speed RAM memory, and may also include a non-volatile memory (non-volatile memory), such as at least one disk memory.
The processor 100 is specifically configured to execute an application program in the memory to implement any embodiment of the log anomaly detection method described above.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A log anomaly detection method is characterized by comprising the following steps:
acquiring a log file;
the log file comprises N logs generated according to time sequence, the first N-1 logs serve as reference logs, the Nth log serves as a target log, and N is larger than 2;
respectively extracting the actual log template and the log parameter value of each log;
predicting the log template of the target log according to the actual log template of each reference log to obtain a template prediction result;
predicting the log parameter values of the target logs according to the actual log parameter values of the reference logs to obtain parameter prediction results;
and if the template prediction result and the actual log template of the target log do not meet a first judgment condition, or the parameter prediction result and the actual log parameter value of the target log do not meet a second judgment condition, judging that the target log is abnormal.
2. The method according to claim 1, wherein the predicting the log template of the target log according to the actual log template of each reference log to obtain a template prediction result comprises:
generating a semantic vector sequence based on the actual log template of each reference log;
the semantic vector sequence comprises the semantic features of the actual log template of each reference log;
inputting the semantic vector sequence into a log mode anomaly detection model to obtain a template prediction result;
the log mode anomaly detection model is obtained based on LSTM neural network training.
3. The log anomaly detection method according to claim 2, wherein the generating a semantic vector sequence based on the actual log template of each of the reference logs comprises:
respectively preprocessing the actual log template of each reference log to obtain a corresponding word sequence comprising a plurality of words;
respectively converting each word sequence into a corresponding semantic vector;
wherein the semantic features of the semantic vector are derived based on words in the corresponding word sequence;
and arranging the semantic vectors according to the time sequence relation between corresponding reference logs to obtain a semantic vector sequence.
4. The log anomaly detection method according to claim 3, wherein said separately converting each of said word sequences into a corresponding semantic vector comprises:
respectively taking each word in each word sequence as a target word;
calculating the word frequency, the inverse text frequency index and the weight coefficient of the target word;
the weighting coefficient is used for representing the distribution condition of the target words among different log templates;
taking the product of the word frequency, the inverse text frequency index and the weight coefficient as the semantic feature of the target word;
and respectively using the set of semantic features corresponding to the words included in each word sequence as the semantic vector of the corresponding word sequence.
5. The log anomaly detection method according to claim 1, wherein the template prediction result comprises a plurality of prediction log templates and occurrence probabilities corresponding to the prediction log templates;
the process of determining whether the template prediction result and the actual log template of the target log satisfy a first determination condition includes:
sequencing all the prediction log templates according to the occurrence frequency from high to low;
if the preset number of the prediction log templates comprises the actual log templates of the target logs, judging that the template prediction results and the actual log templates of the target logs meet a first judgment condition;
if the actual log templates of the target logs are not included in the preset number of prediction log templates, judging that the template prediction results and the actual log templates of the target logs do not meet the first judgment condition.
6. The method according to claim 1, wherein the predicting the log parameter values of the target log according to the actual log parameter values of the reference logs to obtain parameter prediction results comprises:
generating a parameter value sequence based on the actual log parameter values of the reference logs;
inputting the parameter value sequence into a log parameter value abnormity detection model to obtain a parameter prediction result;
and the log parameter value anomaly detection model is obtained based on LSTM neural network training.
7. The log anomaly detection method as recited in claim 6, wherein the generating a sequence of parameter values based on actual log parameter values for each of the reference logs comprises:
dividing the reference logs corresponding to the same log template into a set to obtain at least one reference log set;
respectively standardizing the log parameter values in the reference log sets to obtain corresponding standardized parameter values;
respectively performing significance representation on each standardized parameter value to obtain a characteristic parameter value corresponding to each reference log set;
and respectively sequencing the characteristic parameter values in each reference log set according to the time sequence of the corresponding reference log to obtain a parameter value sequence corresponding to each reference log set.
8. The log anomaly detection method according to claim 1, wherein the parameter prediction result includes a log parameter value of the target log prediction;
the process of determining whether the parameter prediction result and the actual log parameter value of the target log satisfy a second determination condition includes:
calculating an average absolute error between the actual log parameter value of the target log and the predicted log parameter value;
if the average absolute error is larger than or equal to a preset threshold value, judging that the parameter prediction result and the actual log parameter value of the target log meet a second judgment condition;
and if the average absolute error is smaller than the preset threshold, judging that the parameter prediction result and the actual log parameter value of the target log do not meet the second judgment condition.
9. A log abnormality detection apparatus characterized by comprising:
an acquisition unit configured to acquire a log file;
the log file comprises N logs generated according to time sequence, the first N-1 logs serve as reference logs, the Nth log serves as a target log, and N is larger than 2;
the extraction unit is used for respectively extracting the actual log template and the log parameter value of each log;
the first prediction unit is used for predicting the log template of the target log according to the actual log template of each reference log to obtain a template prediction result;
the second prediction unit is used for predicting the log parameter values of the target logs according to the actual log parameter values of the reference logs to obtain parameter prediction results;
and the judging unit is used for judging that the target log is abnormal if the template prediction result and the actual log template of the target log do not meet a first judgment condition or the parameter prediction result and the actual log parameter value of the target log do not meet a second judgment condition.
10. A server, comprising: a memory and a processor; the memory stores a program adapted to be executed by the processor to implement the log anomaly detection method according to any one of claims 1 to 8.
CN202111027875.7A 2021-09-02 2021-09-02 Log anomaly detection method and device and server Pending CN113704201A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111027875.7A CN113704201A (en) 2021-09-02 2021-09-02 Log anomaly detection method and device and server

Publications (1)

Publication Number Publication Date
CN113704201A (en) 2021-11-26

Family

ID=78658923

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111027875.7A Pending CN113704201A (en) 2021-09-02 2021-09-02 Log anomaly detection method and device and server

Country Status (1)

Country Link
CN (1) CN113704201A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106580324A (en) * 2016-11-07 2017-04-26 广州视源电子科技股份有限公司 Method and device for extracting respiratory signal
CN109276241A (en) * 2018-11-28 2019-01-29 深圳还是威健康科技有限公司 A kind of Pressure identification method and apparatus
CN111209168A (en) * 2020-01-14 2020-05-29 中国人民解放军陆军炮兵防空兵学院郑州校区 Log sequence anomaly detection framework based on nLSTM-self attention
CN111755129A (en) * 2020-06-30 2020-10-09 山东大学 Multi-mode osteoporosis layering early warning method and system
CN112069787A (en) * 2020-08-27 2020-12-11 西安交通大学 Log parameter anomaly detection method based on word embedding

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BEI ZHU et al.: "An Approach to Cloud Platform Log Anomaly Detection Based on Natural Language Processing and LSTM", 《ACAI 2020: 2020 3RD INTERNATIONAL CONFERENCE ON ALGORITHMS, COMPUTING AND ARTIFICIAL INTELLIGENCE》, pages 1 - 7 *
HANSHENG REN et al.: "Time-Series Anomaly Detection Service at Microsoft", 《KDD '19: PROCEEDINGS OF THE 25TH ACM SIGKDD INTERNATIONAL CONFERENCE ON KNOWLEDGE DISCOVERY & DATA MINING》, pages 4 - 5 *
XIAODI HOU et al.: "Saliency Detection: A Spectral Residual Approach", pages 1 - 8 *
祝蓓 et al.: "LSC-TGT: 基于字符串聚类和模板生成树的在线日志解析方法", 《小型微型计算机系统》, vol. 41, no. 8, pages 1676 - 1683 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115604003A (en) * 2022-10-14 2023-01-13 浙江工业大学(Cn) System anomaly detection method based on program log data
CN115604003B (en) * 2022-10-14 2024-04-05 浙江工业大学 System abnormality detection method based on program log data
CN117827620A (en) * 2024-03-05 2024-04-05 云账户技术(天津)有限公司 Abnormality diagnosis method, training device, training equipment, and recording medium
CN117827620B (en) * 2024-03-05 2024-05-10 云账户技术(天津)有限公司 Abnormality diagnosis method, training device, training equipment, and recording medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination