CN114817189A - Log detection method and device and computer readable storage medium - Google Patents

Log detection method and device and computer readable storage medium

Publication number
CN114817189A
Authority
CN
China
Prior art keywords
preset
log
detected
matrix
logs
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210379818.3A
Other languages
Chinese (zh)
Inventor
郑雨婷
李�一
肖天
张涛
朱小萌
成晨
金雨超
程新洲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN202210379818.3A
Publication of CN114817189A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2465 Query processing support for facilitating data mining operations in structured databases
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The application provides a log detection method, a log detection device and a computer-readable storage medium, relates to the field of data detection, and can determine an abnormal time window that includes an abnormal log from a plurality of time windows. The method comprises: acquiring a plurality of logs to be detected within a preset time period comprising a plurality of time windows; determining a matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected, where one element in the matrix to be detected represents the number of logs to be detected that correspond to one preset log template in one time window; determining a plurality of degrees of difference between the frequency vectors of the plurality of time windows in the matrix to be detected and a preset matrix, where one frequency vector represents the numbers of logs to be detected that correspond to the plurality of preset log templates in one time window, and one element in the preset matrix represents the number of normal logs that correspond to one preset log template in one time window; and determining an abnormal time window including an abnormal log from the plurality of time windows based on the plurality of degrees of difference.

Description

Log detection method and device and computer readable storage medium
Technical Field
The present application relates to the field of data detection, and in particular, to a log detection method and apparatus, and a computer-readable storage medium.
Background
While a network system is running, it periodically generates logs that record detailed information about its operation. Logs generated while the network system operates normally are called normal logs, and logs generated while it operates abnormally are called abnormal logs. Analyzing the abnormal logs makes it possible to diagnose faults in the network system.
Before the abnormal logs are analyzed, the abnormal time window that includes them must be determined from a plurality of time windows, so that the abnormal logs in that window can be analyzed.
Disclosure of Invention
The application provides a log detection method, a log detection device and a computer-readable storage medium, which can determine an abnormal time window comprising an abnormal log from a plurality of time windows.
To achieve this purpose, the following technical solutions are adopted:
In a first aspect, a log detection method is provided, which may be performed by a log detection apparatus, and includes: acquiring a plurality of logs to be detected within a preset time period, where the preset time period comprises a plurality of time windows; determining a matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected, where one element in the matrix to be detected represents the number of logs to be detected that correspond to one preset log template in one time window; respectively determining the degree of difference between the frequency vector of each time window in the matrix to be detected and a preset matrix to obtain a plurality of degrees of difference, where one frequency vector represents the numbers of logs to be detected that correspond to the plurality of preset log templates in one time window, and one element in the preset matrix represents the number of normal logs that correspond to one preset log template in one time window; and determining an abnormal time window including an abnormal log from the plurality of time windows based on the plurality of degrees of difference.
Based on the scheme, the matrix to be detected is determined according to the preset log templates and the logs to be detected, and the logs corresponding to each element in the preset matrix are normal logs, so that the abnormal time window including the abnormal logs in the matrix to be detected can be determined by comparing the difference between the frequency vector of each time window in the matrix to be detected and the preset matrix including the normal logs.
With reference to the first aspect, in some embodiments of the first aspect, determining a matrix to be detected based on a plurality of preset log templates and a plurality of logs to be detected includes: respectively determining the number of logs to be detected corresponding to each preset log template in each time window to obtain an initial matrix to be detected; and multiplying target elements in the initial matrix to be detected by a preset coefficient to obtain the matrix to be detected, wherein the target elements correspond to abnormal log templates in the plurality of preset log templates.
Based on the scheme, the target elements corresponding to the abnormal log template in the initial matrix to be detected are multiplied by the preset coefficient, so that the difference between the abnormal time window comprising the abnormal logs and the preset matrix can be increased, and the abnormal time window can be conveniently determined from the multiple time windows.
With reference to the first aspect, in certain embodiments of the first aspect, the log detection method further includes: acquiring a plurality of normal logs within a preset time period; and respectively determining the number of the normal logs corresponding to each preset log template in each time window based on a plurality of preset log templates and a plurality of normal logs to obtain a preset matrix.
Based on the scheme, the number of the corresponding normal logs of each preset log template in each time window is determined, so that the preset matrix can be determined.
With reference to the first aspect, in certain embodiments of the first aspect, determining an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference includes: determining a normal distribution graph of a plurality of Mahalanobis distances; determining a standard deviation interval of the normal distribution graph; and determining the time window corresponding to a target Mahalanobis distance that is not in the standard deviation interval as the abnormal time window.
Based on this scheme, when the degree of difference is the Mahalanobis distance, the standard deviation interval of the normal distribution graph of the Mahalanobis distances is determined, the target Mahalanobis distance that is not in the standard deviation interval is determined from the Mahalanobis distances, and the time window corresponding to the target Mahalanobis distance can be determined as the abnormal time window. Because the Mahalanobis distance can eliminate the mutual interference between elements, the accuracy of log detection can be improved.
In a second aspect, a log detection apparatus is provided for implementing the log detection method of the first aspect. The log detection device comprises modules, units or means (means) corresponding to the implementation of the method, and the modules, units or means can be implemented by hardware, software or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
With reference to the second aspect, in some embodiments of the second aspect, the log detection apparatus comprises an acquisition module and a processing module. The acquisition module is used for acquiring a plurality of logs to be detected within a preset time period, where the preset time period comprises a plurality of time windows. The processing module is used for determining a matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected, where one element in the matrix to be detected represents the number of logs to be detected that correspond to one preset log template in one time window. The processing module is further used for respectively determining the degree of difference between the frequency vector of each time window in the matrix to be detected and a preset matrix to obtain a plurality of degrees of difference, where one frequency vector represents the numbers of logs to be detected that correspond to the plurality of preset log templates in one time window, and one element in the preset matrix represents the number of normal logs that correspond to one preset log template in one time window. The processing module is further used for determining an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference.
With reference to the second aspect, in some embodiments of the second aspect, the determining, by a processing module, a matrix to be detected based on a plurality of preset log templates and a plurality of logs to be detected includes: respectively determining the number of logs to be detected corresponding to each preset log template in each time window to obtain an initial matrix to be detected; and multiplying target elements in the initial matrix to be detected by a preset coefficient to obtain the matrix to be detected, wherein the target elements correspond to abnormal log templates in the plurality of preset log templates.
With reference to the second aspect, in some embodiments of the second aspect, the processing module is further configured to: acquiring a plurality of normal logs within a preset time period; and respectively determining the number of the normal logs corresponding to each preset log template in each time window based on a plurality of preset log templates and a plurality of normal logs to obtain a preset matrix.
With reference to the second aspect, in some embodiments of the second aspect, the degree of difference is the Mahalanobis distance, and the processing module being further configured to determine an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference includes: determining a normal distribution graph of a plurality of Mahalanobis distances; determining a standard deviation interval of the normal distribution graph; and determining the time window corresponding to a target Mahalanobis distance that is not in the standard deviation interval as the abnormal time window.
In a third aspect, a log detection apparatus is provided, including: at least one processor, a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement the log detection method as provided by the first aspect and any one of its possible design forms.
In a fourth aspect, there is provided a computer-readable storage medium, wherein instructions, when executed by a processor of a log detection apparatus, enable the log detection apparatus to perform the log detection method as provided by the first aspect and any one of its possible design approaches.
In a fifth aspect, there is provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of the first aspect described above.
In a sixth aspect, a chip system is provided, comprising: a processor and an interface circuit; an interface circuit for receiving a computer program or instructions and transmitting the same to a processor; the processor is adapted to execute the computer program or instructions to cause the system-on-chip to perform the method according to the first aspect.
Drawings
Fig. 1 is a schematic architecture diagram of a log detection system provided in the present application;
Fig. 2 is a schematic flowchart of a log detection method provided in the present application;
Fig. 3 is a schematic flowchart of a process for determining a matrix to be detected according to the present application;
Fig. 4a is a schematic flowchart of a process for determining an abnormal time window according to the present application;
Fig. 4b is an example of a normal distribution graph for a plurality of Mahalanobis distances provided in the present application;
Fig. 4c is an example of the standard deviation intervals in a normal distribution graph provided in the present application;
Fig. 5 is a diagram illustrating an exemplary process for determining a preset matrix according to the present application;
Fig. 6 is a schematic structural diagram of a log detection apparatus provided in the present application;
Fig. 7 is a schematic structural diagram of another log detection apparatus provided in the present application.
Detailed Description
To facilitate understanding of the technical solutions of the embodiments of the present application, a brief introduction of the terms related to the present application is first given as follows.
1. Mahalanobis distance. The Mahalanobis distance was proposed by the Indian statistician Mahalanobis to represent the distance between a point and a distribution. It is an effective way to compute the degree of difference between two unknown sample sets. The Mahalanobis distance between two points is independent of the unit of measure of the raw data, and the Mahalanobis distance between two points computed from the normalized data is the same as that computed from the centered data (i.e., the difference between the raw data and the mean). The Mahalanobis distance can also exclude interference from correlations between elements.
2. The Pauta criterion. The Pauta criterion states that, if a set of detection data contains only random errors, a standard deviation interval is computed from the data, and any error that falls outside the standard deviation interval is regarded as a gross error rather than a random error. It can process sample data that is normally or approximately normally distributed. In a normal distribution, σ represents the standard deviation and μ represents the mean. Under the 3σ rule, the probability that a value lies in (μ - σ, μ + σ) is 0.6826, the probability that it lies in (μ - 2σ, μ + 2σ) is 0.9544, and the probability that it lies in (μ - 3σ, μ + 3σ) is 0.9974. The values of the data are therefore considered to be almost all concentrated in the (μ - 3σ, μ + 3σ) interval, and the proportion of data outside this range is only 0.3% or less.
In the description of the present application, "plurality" means two or more than two unless otherwise specified. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
In addition, in order to facilitate clear description of technical solutions of the embodiments of the present application, in the embodiments of the present application, terms such as "first" and "second" are used to distinguish the same items or similar items having substantially the same functions and actions. Those skilled in the art will appreciate that the terms "first," "second," etc. do not denote any order or quantity, nor do the terms "first," "second," etc. denote any order or importance.
Also, in the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described herein as "exemplary" or "for example" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "for example" is intended to present relevant concepts in a concrete fashion for ease of understanding.
It should be appreciated that reference throughout this specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the various embodiments are not necessarily referring to the same embodiment throughout the specification. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the processes do not mean the execution sequence, and the execution sequence of the processes should be determined by the functions and the inherent logic of the processes, and should not constitute any limitation to the implementation process of the embodiments of the present application.
It is to be understood that, in the present application, "when …", "in case" and "if" all mean that the corresponding processing is performed under certain objective conditions; they do not limit the time, do not require that a judging action necessarily be performed during implementation, and do not imply any other limitation.
It is understood that some optional features in the embodiments of the present application may, in some scenarios, be implemented independently without depending on other features, such as the solution on which they are currently based, to solve corresponding technical problems and achieve corresponding effects, or may, in some scenarios, be combined with other features as required. Accordingly, the apparatuses provided in the embodiments of the present application may also implement these features or functions, which are not described herein again.
In this application, the same or similar parts of the respective embodiments may be referred to each other unless otherwise specified. In the embodiments of the present application and the implementation methods within them, unless otherwise specified or logically conflicting, the terms and descriptions of different embodiments and implementation methods are consistent and may be cited by one another, and the technical features of different embodiments and implementation methods may be combined according to their inherent logical relationship to form a new embodiment, implementation manner or implementation method. The following embodiments of the present application do not limit the scope of the present application.
Fig. 1 is a schematic structural diagram of a log detection system provided by the present application, and the technical solution of the present application may be applied to the log detection system shown in Fig. 1. As shown in Fig. 1, a log detection system 10 includes a log detection device 11 and a log sending device 12.
The log detection device 11 and the log transmission device 12 are directly or indirectly connected, and in the connection relationship, the connection may be in a wired manner or in a wireless manner, which is not limited in the embodiment of the present application.
The log detection means 11 may be configured to receive and detect the log to be detected from the log transmission means 12.
The log sending means 12 may be configured to send the log to be detected or the normal log to the log detecting means 11.
It should be noted that the log detection device 11 and the log transmission device 12 may be independent devices, or may be integrated in the same device, and this disclosure does not specifically limit this.
When the log detection device 11 and the log transmission device 12 are integrated in the same device, the communication mode between the log detection device 11 and the log transmission device 12 is the communication between the internal modules of the device. In this case, the communication flow between the log detection device 11 and the log transmission device 12 is the same as the communication flow between the two devices in the case where the two devices are independent of each other.
In the following embodiments provided by the present disclosure, the present disclosure is explained taking an example in which the log detecting means 11 and the log transmitting means 12 are provided independently of each other.
In practical applications, the log detection method provided in the embodiment of the present application may be applied to the log detection apparatus 11, and may also be applied to an apparatus included in the log detection apparatus 11.
The following describes a log detection method provided in the embodiment of the present application, with reference to the accompanying drawings, by taking an example in which the log detection method is applied to the log detection apparatus 11.
Fig. 2 is a schematic flowchart of a log detection method provided in the present application, and as shown in fig. 2, the method includes the following steps:
S201, the log detection device obtains a plurality of logs to be detected within a preset time period.
Wherein the preset time period comprises a plurality of time windows.
As a possible implementation manner, the log detection apparatus may obtain a plurality of logs to be detected within a preset time period from the log sending apparatus shown in fig. 1.
It should be noted that the preset time period may be one day, or the preset time period may be half a day. Of course, the preset time period may have other dates or other time lengths, which is not limited in this application. The time window may be 1 hour, in which case, if the preset time period is one day, the preset time period includes 24 time windows, and if the preset time period is half a day, the preset time period includes 12 time windows. Of course, the time window may have other time lengths, which is not limited in this application.
Each log to be detected includes the time at which it was generated, and that time falls within one time window. A plurality of logs to be detected can exist in each time window, and the logs to be detected in different time windows are different.
S202, the log detection device determines a matrix to be detected based on a plurality of preset log templates and a plurality of logs to be detected.
One element in the matrix to be detected represents the number of logs to be detected that correspond to one preset log template in one time window.
As a possible implementation manner, the log detection device determines the number a1 of logs to be detected corresponding to a first preset log template in a first time window, uses a1 as an element of a first row and a first column of a matrix to be detected, and so on, to obtain the matrix to be detected.
As another possible implementation manner, the log detection apparatus determines a number a1 of logs to be detected corresponding to a first preset log template in a first time window, uses a1 as an element in a first row and a first column of an initial matrix to be detected, and so on, to obtain the initial matrix to be detected.
Then, the log detection device multiplies the target elements in the initial matrix to be detected by a preset coefficient to obtain the matrix to be detected.
It should be noted that, for a specific description of the possible implementation manner, reference may be made to a related description of a flow diagram shown in fig. 3 for determining the matrix to be detected, which is not described herein again.
It should be noted that the preset log template may be a log template based on log keywords. For example, if a log is sysonitor [39896] | system [1] (parent: swapper/0[0]) send SIGTERM to irqbalance [72173], the keywords of the log are send … to …, and the corresponding preset log template includes send to. The preset log template may also be a log template based on the network element identifier of the log. For example, if a log is sysonitor [39896] | system [1] (parent: swapper/0[0]) send SIGTERM to irqbalance [72173], the network element identifier of the log is sysonitor …, and the corresponding preset log template includes sysonitor. Certainly, the preset log template may also be a log template based on other characteristics of the log, which is not limited in the present application.
It should be noted that the preset log template may further include an identifier of the preset log template. For example, if the preset log template is a log template based on log keywords, and a log is sysonitor [39896] | system [1] (parent: swapper/0[0]) send SIGTERM to irqbalance [72173], then the corresponding preset log template includes T1: send to.
It can be understood that, in the case that the preset log template includes the identifier of the preset log template, the preset log template may be marked with the identifier of the preset log template, so as to simplify the description of the preset log template.
As an example, an expression form of the matrix to be detected provided by the present application is as follows:
Figure BDA0003592299790000051
In this example, one element in the matrix to be detected represents the number of logs to be detected that correspond to one preset log template in one time window. For example, the element in the first row and the first column indicates that the number of logs to be detected corresponding to the first preset log template in the first time window is a1, the element in the second row and the second column indicates that the number of logs to be detected corresponding to the second preset log template in the second time window is e1, and so on.
It should be noted that each row in the matrix to be detected shown in this example may represent the numbers of logs to be detected that correspond to one preset log template in the plurality of time windows; in this case, each column in the matrix to be detected represents the numbers of logs to be detected that correspond to the plurality of preset log templates in one time window.
Alternatively, each row in the matrix to be detected shown in this example may represent the numbers of logs to be detected that correspond to the plurality of preset log templates in one time window; in this case, each column in the matrix to be detected represents the numbers of logs to be detected that correspond to one preset log template in the plurality of time windows.
S203, the log detection device respectively determines the difference degree between the frequency vector of each time window in the matrix to be detected and a preset matrix to obtain a plurality of difference degrees.
One frequency vector is used for representing the number of logs to be detected corresponding to a plurality of preset log templates in one time window, and one element in the preset matrix represents the number of normal logs corresponding to one preset log template in one time window.
In one possible design, the elements in the predetermined matrix correspond to the elements in the matrix to be detected. The element in the preset matrix corresponds to the element in the matrix to be detected, which can be understood as that the preset log template corresponding to the element in the preset matrix is the same as the preset log template corresponding to the element in the matrix to be detected, and the time window corresponding to the element in the preset matrix is the same as the time window corresponding to the element in the matrix to be detected.
For example, if an element 1 in the preset matrix represents the number of normal logs corresponding to the preset log template 1 in the time window 1, the element 2 corresponding to the element 1 in the matrix to be detected represents the number of logs to be detected corresponding to the preset log template 1 in the time window 1. Taking the preset matrix as
Figure BDA0003592299790000061
and the matrix to be detected as
Figure BDA0003592299790000062
as an example, a2 corresponds to a1, b2 corresponds to b1, c2 corresponds to c1, and so on. Here, a2 represents the number of normal logs corresponding to the preset log template 1 in the time window 1, and a1 represents the number of logs to be detected corresponding to the preset log template 1 in the time window 1; b2 represents the number of normal logs corresponding to the preset log template 2 in the time window 2, and b1 represents the number of logs to be detected corresponding to the preset log template 2 in the time window 2; c2 represents the number of normal logs corresponding to the preset log template 3 in the time window 3, and c1 represents the number of logs to be detected corresponding to the preset log template 3 in the time window 3.
As an example, taking the representation form example of the matrix to be detected shown in S202 as an example, if each row in the matrix to be detected represents the number of logs to be detected corresponding to a preset log template in a plurality of time windows, in this case, the frequency vector of the first time window in the matrix to be detected is as follows:
Figure BDA0003592299790000063
As another example, again taking the form of the matrix to be detected shown in S202, if each row of the matrix to be detected represents the numbers of logs to be detected of the plurality of preset log templates in one time window, the frequency vector of the first time window in the matrix to be detected is as follows:
[a1 b1 c1]
It should be noted that the degree of difference may be a Mahalanobis distance or a chi-square value. It may also be any other quantity capable of representing the difference, which this application does not limit.
As a possible implementation, when the degree of difference is the Mahalanobis distance, the log detection device first determines, for each preset log template in the preset matrix, the average of its normal log counts over the plurality of time windows, obtaining an average value matrix. It then determines the covariance between the frequency vectors of any two preset log templates in the preset matrix, obtaining a covariance matrix. For the frequency vector of a time window in the matrix to be detected, the log detection device obtains the corresponding Mahalanobis distance from that frequency vector, the average value matrix and the covariance matrix.
As an example, in the case that the degree of difference is the Mahalanobis distance, the preset matrix is taken as
Figure BDA0003592299790000064
The matrix to be detected is
Figure BDA0003592299790000071
Each row in the preset matrix represents the numbers of normal logs of one preset log template in the plurality of time windows, and each row in the matrix to be detected represents the numbers of logs to be detected of one preset log template in the plurality of time windows.
First, the log detection device determines, for each preset log template in the preset matrix, the average of its normal log counts over the plurality of time windows, obtaining the average value matrix m, where m is
Figure BDA0003592299790000072
Secondly, the log detection device determines the covariance between the frequency vectors of any two preset log templates in the preset matrix to obtain the covariance matrix Σ, where Σ is
Figure BDA0003592299790000073
Here A is the covariance between [a2 b2 c2] and [a2 b2 c2], B is the covariance between [a2 b2 c2] and [d2 e2 f2], F is the covariance between [d2 e2 f2] and [a2 b2 c2], G is the covariance between [d2 e2 f2] and [d2 e2 f2], and so on.
Finally, for the frequency vector $y_i$ of the i-th time window in the matrix to be detected, the log detection device determines the Mahalanobis distance $D_i$ between $y_i$ and the preset matrix according to the following Formula 1.
Figure BDA0003592299790000074
Here $(y_i - m)^T$ is the transpose of $(y_i - m)$, and $\Sigma^{-1}$ is the inverse of the Σ matrix.
Note that determining the Mahalanobis distance $D_i$ between $y_i$ and the preset matrix involves the inverse $\Sigma^{-1}$ of the Σ matrix of the preset matrix, and a matrix is invertible only if it is a full-rank matrix. Therefore, if the Σ matrix is not a full-rank matrix, the log detection device may process the preset matrix based on a Principal Component Analysis (PCA) algorithm, as set forth below:
First, the log detection device determines, for each preset log template in the preset matrix, the average of its normal log counts over the plurality of time windows, and subtracts the corresponding average from each element of the preset matrix to obtain a standardized preset matrix.
Secondly, the log detection device determines the covariance matrix of the standardized preset matrix and performs eigendecomposition on it, obtaining the eigenvalues of the covariance matrix and the eigenvector corresponding to each eigenvalue.
Next, the log detection device sorts the eigenvalues from large to small and selects the first k eigenvalues that are not 0, $\lambda_1 \ge \lambda_2 \ge \dots \ge \lambda_k$; the corresponding orthonormal eigenvectors are denoted $p_1, p_2, \dots, p_k$.
Then, the log detection device projects the standardized preset matrix onto the matrix $[p_1\ p_2\ \dots\ p_k]$ formed by the selected eigenvectors, obtaining the preset matrix after dimensionality reduction.
Finally, the log detection device also performs the PCA dimensionality reduction step on the matrix to be detected, and the number k of eigenvalues is the same as the number k of eigenvalues used when PCA is performed on the preset matrix.
As another possible implementation manner, in the case that the degree of difference is a chi-square value, for a frequency vector of a time window in the matrix to be detected, the log detection device first determines the chi-square value of each element in the frequency vector of the time window, and then accumulates the chi-square values of a plurality of elements in the frequency vector of the time window to obtain the chi-square value of the frequency vector of the time window.
S204, the log detection device determines an abnormal time window comprising the abnormal log from a plurality of time windows according to the plurality of difference degrees.
It should be noted that, if a certain time window is determined as an abnormal time window, it indicates that an abnormal log exists in the time window.
As one possible implementation, the log detection device may determine a standard deviation interval of the normal distribution diagram of the plurality of degrees of difference, and determine the time window corresponding to a target degree of difference that is not within the standard deviation interval as the abnormal time window. For example, the degree of difference may be the Mahalanobis distance, and the log detection device may determine the standard deviation interval of the normal distribution diagram of the plurality of Mahalanobis distances based on the Pauta criterion (the 3σ rule), and determine the time window corresponding to a target Mahalanobis distance that is not within the standard deviation interval as the abnormal time window. As another example, the log detection device may determine a standard deviation interval of the normal distribution diagram of a plurality of chi-square values, and determine the time window corresponding to a target chi-square value that is not within the standard deviation interval as the abnormal time window.
It should be noted that, for the case that the degree of difference is the Mahalanobis distance, reference may be made to the following description of the flowchart for determining the abnormal time window shown in fig. 4, and details are not repeated here. For the case that the degree of difference is the chi-square value, refer to the explanation of the method shown in fig. 4 for the Mahalanobis distance; the embodiments of the present application do not describe it again.
Based on the scheme, the matrix to be detected is determined according to the preset log templates and the logs to be detected, and the logs corresponding to each element in the preset matrix are normal logs, so that the abnormal time window including the abnormal logs in the matrix to be detected can be determined by determining the difference between the frequency vector of each time window in the matrix to be detected and the preset matrix including the normal logs.
The foregoing is a general description of the embodiments of the present application, which are further described below.
In one design, fig. 3 is a schematic flow chart of determining a matrix to be detected according to the present application, and as shown in fig. 3, S202 provided in the embodiment of the present application specifically includes:
S301, the log detection device determines the number of logs to be detected corresponding to each preset log template in each time window respectively to obtain an initial matrix to be detected.
As an example, an expression form of the initial matrix to be detected provided by the present application is as follows:
Figure BDA0003592299790000081
In this example, one element in the initial matrix to be detected represents the number of logs to be detected of one preset log template in one time window. For example, the element in the first row and the first column indicates that the number of logs to be detected of the first preset log template in the first time window is a1, the element in the second row and the second column indicates that the number of logs to be detected of the second preset log template in the second time window is e1, and so on.
It should be noted that each row in the initial matrix to be detected shown in this example may represent the numbers of logs to be detected of one preset log template in the plurality of time windows, in which case each column represents the numbers of logs to be detected of the plurality of preset log templates in one time window. Alternatively, each row may represent the numbers of logs to be detected of the plurality of preset log templates in one time window, in which case each column represents the numbers of logs to be detected of one preset log template in the plurality of time windows.
S302, the log detection device multiplies the target elements in the initial matrix to be detected by a preset coefficient to obtain the matrix to be detected.
Wherein the target element corresponds to an abnormal log template of a plurality of preset log templates.
It should be noted that the preset coefficient may be any real number greater than or equal to 1, for example, the preset coefficient may be 2, or the preset coefficient may be 3. Of course, the preset coefficient may be other values, and is not limited thereto. It can be understood that, in the embodiment of the present application, the log detection device may skip S302 and directly determine the initial matrix to be detected as the matrix to be detected.
As an example, take the preset coefficient as 2 and the initial matrix to be detected as the one shown in S301, where each row represents the numbers of logs to be detected of one preset log template in the plurality of time windows. Defining the elements in the last row of the initial matrix to be detected as the target elements, the log detection device multiplies the elements in the last row by 2 to obtain the matrix to be detected as follows:
Figure BDA0003592299790000091
It should be noted that, when a preset log template includes an identifier, the identifier of an abnormal log template among the plurality of preset log templates differs from the identifier of a non-abnormal log template. For example, the identifier of a non-abnormal log template is T, and the identifier of an abnormal log template may be E. Of course, the identifier of the abnormal log template may take other forms, and the application is not limited to this.
Based on the scheme, the target elements corresponding to the abnormal log template in the initial matrix to be detected are multiplied by the preset coefficient, so that the difference between the abnormal time window comprising the abnormal logs and the preset matrix can be increased, and the abnormal time window can be conveniently determined from the multiple time windows.
In one design, in order to determine an abnormal time window including an abnormal log from a plurality of time windows when the degree of difference is the Mahalanobis distance, as shown in fig. 4a, fig. 4a is a schematic flowchart of a process for determining an abnormal time window provided by the present application, where S204 provided by an embodiment of the present application specifically includes:
S401, the log detection device determines a normal distribution diagram of the plurality of Mahalanobis distances.
As an example, fig. 4b is an example of a normal distribution diagram of a plurality of Mahalanobis distances provided in the present application, and as shown in fig. 4b, the plurality of Mahalanobis distances conform to the normal distribution diagram.
S402, the log detection device determines a standard deviation interval of the normal distribution diagram based on the Pauta criterion (the 3σ rule).
As one possible implementation, the log detection device determines the mean μ and the standard deviation σ of the plurality of Mahalanobis distances, and then determines the standard deviation interval as [μ - 3σ, μ + 3σ] based on the Pauta criterion. It is to be understood that, instead of directly using the interval given by the Pauta criterion as the standard deviation interval, the log detection device may adjust that interval and use the adjusted interval as the standard deviation interval, which is not limited.
As an example, taking the normal distribution diagram shown in S401 as an example, fig. 4c is an exemplary diagram of a standard deviation interval in the normal distribution diagram provided by the present application, and as shown in fig. 4c, the standard deviation interval is [ μ -3 σ, μ +3 σ ].
S403, the log detection device determines the time window corresponding to a target Mahalanobis distance that is not within the standard deviation interval as the abnormal time window.
When the standard deviation interval is [μ - 3σ, μ + 3σ], the log detection device determines the time window corresponding to a target Mahalanobis distance that is not within that interval as the abnormal time window.
Based on this scheme, when the degree of difference is the Mahalanobis distance, the standard deviation interval of the normal distribution diagram of the plurality of Mahalanobis distances is determined, and a target Mahalanobis distance that is not within the standard deviation interval is identified among them, so that the time window corresponding to the target Mahalanobis distance can be determined as the abnormal time window. Because the Mahalanobis distance eliminates the mutual interference between elements, the accuracy of log detection can be improved.
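The Mahalanobis scoring with the PCA step for a rank-deficient Σ, followed by the 3σ interval of S401 to S403, worked through in code. This is an added example, not code from the patent: it assumes rows are time windows and columns are templates, uses the standard definition D = sqrt((y - m)^T Σ^-1 (y - m)) because Formula 1 is not reproduced on this page, and projects the windows to be detected onto the eigenvectors of the preset matrix. All function names and counts are constructed.

```python
import math

def mean_vector(rows):
    """Per-template mean count over the normal time windows (the m matrix)."""
    return [sum(col) / len(rows) for col in zip(*rows)]

def covariance(rows, m):
    """Sample covariance between template count columns (the sigma matrix)."""
    d = len(m)
    devs = [[x - mu for x, mu in zip(r, m)] for r in rows]
    return [[sum(v[i] * v[j] for v in devs) / (len(rows) - 1) for j in range(d)]
            for i in range(d)]

def jacobi_eigen(a, sweeps=50, tol=1e-24):
    """Eigenvalues and eigenvectors of a symmetric matrix by cyclic Jacobi rotations."""
    d = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(d)] for i in range(d)]
    for _ in range(sweeps):
        total = sum(x * x for row in a for x in row)
        off = sum(a[i][j] ** 2 for i in range(d) for j in range(d) if i != j)
        if off <= tol * total:
            break
        for p in range(d - 1):
            for q in range(p + 1, d):
                if a[p][q] == 0.0:
                    continue
                theta = 0.5 * math.atan2(2 * a[p][q], a[q][q] - a[p][p])
                c, s = math.cos(theta), math.sin(theta)
                for k in range(d):      # A <- A J (columns p and q)
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                for k in range(d):      # A <- J^T A (rows p and q)
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
                for k in range(d):      # V <- V J, eigenvectors end up as columns of V
                    v[k][p], v[k][q] = c * v[k][p] - s * v[k][q], s * v[k][p] + c * v[k][q]
    return [a[i][i] for i in range(d)], [[v[k][i] for k in range(d)] for i in range(d)]

def fit_baseline(normal_rows, rel_eps=1e-9):
    """Return (m, kept) where kept lists (eigenvalue, eigenvector) for the k nonzero
    eigenvalues of sigma, sorted from large to small."""
    m = mean_vector(normal_rows)
    vals, vecs = jacobi_eigen(covariance(normal_rows, m))
    floor = rel_eps * max(vals)
    kept = sorted(((l, p) for l, p in zip(vals, vecs) if l > floor), key=lambda t: -t[0])
    return m, kept

def mahalanobis(y, m, kept):
    """Distance in the reduced space: sum over kept components of (p . (y - m))^2 / lambda.
    With a full-rank sigma this equals sqrt((y - m)^T sigma^-1 (y - m))."""
    dev = [a - b for a, b in zip(y, m)]
    return math.sqrt(sum(sum(pi * di for pi, di in zip(p, dev)) ** 2 / lam
                         for lam, p in kept))

def abnormal_windows(distances, width=3.0):
    """Indices of windows whose distance lies outside [mu - 3 sigma, mu + 3 sigma].
    Assumption: population standard deviation. A single outlier among n values is at
    most sqrt(n - 1) sigma from the mean, so fewer than 11 windows never trip 3 sigma."""
    mu = sum(distances) / len(distances)
    sigma = math.sqrt(sum((d - mu) ** 2 for d in distances) / len(distances))
    return [i for i, d in enumerate(distances)
            if not mu - width * sigma <= d <= mu + width * sigma]

# Constructed counts: rows are time windows, columns are templates T1, T2, E1.
# E1 is an abnormal template, so its normal count is 0 and sigma is rank deficient.
PRESET = [[8, 4, 0], [12, 6, 0], [9, 6, 0], [11, 4, 0]]
TO_DETECT = PRESET * 2 + PRESET[:3] + [[30, 2, 0]]   # 11 ordinary windows, 1 burst

def score(preset, to_detect):
    m, kept = fit_baseline(preset)
    distances = [mahalanobis(y, m, kept) for y in to_detect]
    return distances, abnormal_windows(distances)

if __name__ == "__main__":
    print(score(PRESET, TO_DETECT))
```

Under this reading of the PCA step, a template whose count never varies in the preset matrix (an abnormal template fixed at 0, for instance) carries no weight in the kept eigenvectors, so its count in a window to be detected does not change the distance.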
In one design, in order to determine the preset matrix, fig. 5 is a flowchart illustrating a process for determining the preset matrix provided by the present application, and as shown in fig. 5, the method provided by the present application further includes the following steps:
S501, the log detection device obtains a plurality of normal logs in a preset time period.
The time length of the preset time period in S501 is the same as the time length of the preset time period in S201, for example, if the preset time period in S201 is one day, the preset time period in S501 is also one day.
However, the start time and the end time of the preset time period in S201 may differ from those of the preset time period in S501. For example, the preset time period in S201 may start at 00:00 on January 1, 2021 and end at 24:00 on January 1, 2021, while the preset time period in S501 may start at 00:00 on January 2, 2021 and end at 24:00 on January 2, 2021.
As a possible implementation, the log detection device may acquire the plurality of normal logs within the preset time period from the log transmission device shown in fig. 1.
S502, the log detection device respectively determines the number of the corresponding normal logs of each preset log template in each time window based on a plurality of preset log templates and a plurality of normal logs to obtain a preset matrix.
It should be noted that the plurality of preset log templates include a normal log template and an abnormal log template. The normal log template is a log template obtained according to the normal log, and the abnormal log template is a log template obtained according to the abnormal log.
It can be understood that, when the plurality of preset log templates include both a normal log template and an abnormal log template, each element represents the number of normal logs of a preset log template in a time window, so the number corresponding to the abnormal log template in the preset matrix is 0 in every time window. When there are abnormal logs among the logs to be detected, that is, when the number of logs to be detected corresponding to the abnormal log template in a time window of the matrix to be detected is not 0, the difference between the frequency vector of that time window in the matrix to be detected and the preset matrix is increased.
As a possible implementation manner, the log detection apparatus determines a normal log quantity a1 corresponding to a first preset log template in a first time window, uses a1 as an element in a first row and a first column of a preset matrix, and so on, to obtain the preset matrix.
As an example, an expression form of the preset matrix provided by the present application is as follows:
Figure BDA0003592299790000101
In this example, one element in the preset matrix represents the number of normal logs of one preset log template in one time window. For example, the element in the first row and the first column indicates that the number of normal logs of the first preset log template in the first time window is a2, the element in the second row and the second column indicates that the number of normal logs of the second preset log template in the second time window is e2, and so on.
It should be noted that each row in the preset matrix shown in this example may represent the numbers of normal logs of one preset log template in the plurality of time windows, in which case each column represents the numbers of normal logs of the plurality of preset log templates in one time window. Alternatively, each row may represent the numbers of normal logs of the plurality of preset log templates in one time window, in which case each column represents the numbers of normal logs of one preset log template in the plurality of time windows.
Based on the scheme, the number of the corresponding normal logs of each preset log template in each time window is determined, so that the preset matrix can be determined.
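Steps S301 to S302 and S501 to S502 both come down to counting template matches per time window, so one function can build the matrix to be detected and the preset matrix. The following is an added example, not code from the patent: it assumes templates are regular expressions, identifiers beginning with E mark abnormal templates (following the T/E identifiers mentioned above), rows are time windows, and a one-hour window; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed templates (identifier, pattern). Assumption: identifiers that start
# with "E" mark abnormal log templates, all others are normal templates.
TEMPLATES = [
    ("T1", re.compile(r"session opened for user \S+")),
    ("T2", re.compile(r"session closed for user \S+")),
    ("E1", re.compile(r"authentication failure for user \S+")),
]

def count_matrix(lines, start, window, n_windows, templates, coeff=1):
    """Count template matches per time window; rows are windows, columns templates.

    Returns (matrix, unmatched). `unmatched` counts lines inside the preset time
    period that fit no template. Columns of abnormal templates are multiplied by
    `coeff` (S302); coeff=1 leaves the initial matrix unchanged.
    """
    matrix = [[0] * len(templates) for _ in range(n_windows)]
    unmatched = 0
    for line in lines:
        stamp, _, message = line.partition(" ")
        index = (datetime.fromisoformat(stamp) - start) // window
        if not 0 <= index < n_windows:
            continue                      # outside the preset time period
        for col, (_, pattern) in enumerate(templates):
            if pattern.search(message):
                matrix[index][col] += 1
                break
        else:
            unmatched += 1                # a log shape no preset template covers
    for row in matrix:
        for col, (ident, _) in enumerate(templates):
            if ident.startswith("E"):
                row[col] *= coeff
    return matrix, unmatched

# Constructed normal logs for the preset matrix (S501, S502).
NORMAL_LOGS = [
    "2021-01-02T00:01:00 session opened for user alice",
    "2021-01-02T00:50:00 session closed for user alice",
    "2021-01-02T01:20:00 session opened for user bob",
    "2021-01-02T02:30:00 session closed for user bob",
]

# Constructed logs to be detected (S301, S302).
LOGS_TO_DETECT = [
    "2021-01-01T00:10:00 session opened for user alice",
    "2021-01-01T00:40:00 session closed for user alice",
    "2021-01-01T01:05:00 authentication failure for user root",
    "2021-01-01T01:06:00 authentication failure for user root",
    "2021-01-01T01:30:00 session opened for user bob",
    "2021-01-01T02:15:00 eth0 link is up",
    "2021-01-01T03:00:00 session opened for user carol",
]

def build_preset():
    return count_matrix(NORMAL_LOGS, datetime(2021, 1, 2), timedelta(hours=1), 3, TEMPLATES)

def build_to_detect(coeff=2):
    return count_matrix(LOGS_TO_DETECT, datetime(2021, 1, 1), timedelta(hours=1), 3,
                        TEMPLATES, coeff)

if __name__ == "__main__":
    print(build_preset())
    print(build_to_detect())
```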
The above-mentioned scheme provided by the embodiment of the present application is introduced mainly from the perspective of the log detection device executing the log detection method. In order to realize the above functions, the log detection device comprises a hardware structure and/or a software module corresponding to the execution of each function. Those of skill in the art will readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the log detection apparatus may be divided into function modules according to the method example, for example, each function module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. Optionally, the division of the modules in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation. Further, a "module" herein may refer to a specific application-specific integrated circuit (ASIC), a circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other devices that may provide the described functionality.
In the case of functional module division, fig. 6 shows a schematic structural diagram of a log detection apparatus. As shown in fig. 6, the log detection apparatus 60 includes an obtaining module 601 and a processing module 602.
In some embodiments, the log detection apparatus 60 may also include a storage module (not shown in FIG. 6) for storing program instructions and data.
The acquisition module 601 is configured to acquire a plurality of logs to be detected within a preset time period; the preset time period comprises a plurality of time windows; the processing module 602 is configured to determine a matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected; one element in the matrix to be detected represents the number of logs to be detected of one preset log template in one time window; the processing module 602 is further configured to determine a degree of difference between the frequency vector of each time window in the matrix to be detected and a preset matrix, respectively, to obtain a plurality of degrees of difference; one frequency vector is used for representing the numbers of logs to be detected of the plurality of preset log templates in one time window, and one element in the preset matrix represents the number of normal logs of one preset log template in one time window; the processing module 602 is further configured to determine an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference.
Optionally, as shown in fig. 6, a processing module 602 provided in this embodiment of the application is configured to determine a matrix to be detected based on a plurality of preset log templates and a plurality of logs to be detected, where the determining includes: respectively determining the number of logs to be detected corresponding to each preset log template in each time window to obtain an initial matrix to be detected; and multiplying target elements in the initial matrix to be detected by a preset coefficient to obtain the matrix to be detected, wherein the target elements correspond to abnormal log templates in the plurality of preset log templates.
Optionally, as shown in fig. 6, the processing module 602 provided in this embodiment of the present application is further configured to: acquiring a plurality of normal logs within a preset time period; and respectively determining the number of the normal logs corresponding to each preset log template in each time window based on a plurality of preset log templates and a plurality of normal logs to obtain a preset matrix.
Optionally, the degree of difference referred to in this embodiment of the present application is a Mahalanobis distance. In this case, as shown in fig. 6, the processing module 602 provided in this embodiment of the present application is further configured to determine an abnormal time window including an abnormal log from a plurality of time windows according to the plurality of degrees of difference, where the determining includes: determining a normal distribution diagram of the plurality of Mahalanobis distances; determining a standard deviation interval of the normal distribution diagram; and determining the time window corresponding to a target Mahalanobis distance that is not within the standard deviation interval as the abnormal time window.
All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
In the case of implementing the functions of the functional modules in the form of hardware, fig. 7 shows a schematic structural diagram of a log detection apparatus. As shown in fig. 7, the log detection apparatus 70 includes a processor 701, a memory 702, and a bus 703. The processor 701 and the memory 702 may be connected by a bus 703.
The processor 701 is a control center of the log detection apparatus 70, and may be a single processor or a collective name of a plurality of processing elements. For example, the processor 701 may be a Central Processing Unit (CPU), other general-purpose processors, or the like. Wherein a general purpose processor may be a microprocessor or any conventional processor or the like.
For one embodiment, processor 701 may include one or more CPUs, such as CPU 0 and CPU 1 shown in FIG. 7.
The memory 702 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
As a possible implementation, the memory 702 may be present separately from the processor 701, and the memory 702 may be connected to the processor 701 via the bus 703 for storing instructions or program code. The one-time id using method provided by the embodiment of the present application can be implemented when the processor 701 calls and executes the instructions or program codes stored in the memory 702.
In another possible implementation, the memory 702 may also be integrated with the processor 701.
The bus 703 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
It should be noted that the structure shown in fig. 7 does not constitute a limitation to the log detection device 70. In addition to the components shown in FIG. 7, the log detection device 70 may include more or fewer components than shown, or some components may be combined, or a different arrangement of components.
As an example, in conjunction with fig. 6, the functions implemented by the acquisition module 601 and the processing module 602 in the log detection apparatus 60 are the same as those of the processor 701 in fig. 7.
Optionally, as shown in fig. 7, the log detection apparatus 70 provided in the embodiment of the present application may further include a communication interface 704.
A communication interface 704 for connecting with other devices through a communication network. The communication network may be an ethernet network, a radio access network, a Wireless Local Area Network (WLAN), etc. The communication interface 704 may include a receiving unit for receiving data, and a transmitting unit for transmitting data.
In a possible implementation manner, in the log detection apparatus 70 provided in this embodiment of the present application, the communication interface 704 may also be integrated in the processor 701, which is not specifically limited in this embodiment of the present application.
As one possible product form, the log detection apparatus according to the embodiment of the present application may be implemented using: one or more Field Programmable Gate Arrays (FPGAs), Programmable Logic Devices (PLDs), controllers, state machines, gate logic, discrete hardware components, any other suitable circuitry, or any combination of circuitry capable of performing the various functions described throughout this application.
Through the above description of the embodiments, it is clear for a person skilled in the art that, for convenience and simplicity of description, only the division of the above functional units is illustrated. In practical applications, the above function allocation can be performed by different functional units according to needs, that is, the internal structure of the device is divided into different functional units to perform all or part of the above described functions. For the specific working processes of the system, the apparatus and the unit described above, reference may be made to the corresponding processes in the foregoing method embodiments, and details are not described here again.
The present invention also provides a computer-readable storage medium, on which a computer program or instructions are stored, wherein the computer program or instructions, when executed, cause a computer to perform the steps in the method flow shown in the above method embodiment.
Embodiments of the present application provide a computer program product comprising instructions which, when executed on a computer, cause the computer to perform the steps of the method flows shown in the above-described method embodiments.
An embodiment of the present application provides a chip system, including: a processor and an interface circuit; an interface circuit for receiving a computer program or instructions and transmitting the same to a processor; the processor is adapted to execute the computer program or instructions to cause the system-on-chip to perform the method according to the first aspect.
The computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), registers, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the foregoing, or any other form of computer-readable storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC). In embodiments of the present application, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Since the log detection apparatus, the computer-readable storage medium, and the computer program product provided in this embodiment can be applied to the log detection method provided in this embodiment, the technical effect obtained by the log detection apparatus, the computer-readable storage medium, and the computer program product can also refer to the method embodiment described above, and the embodiments of this application are not described herein again.
While the present application has been described in connection with various embodiments, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the drawings, the disclosure, and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although the present application has been described in conjunction with specific features and embodiments thereof, it will be evident that various modifications and combinations can be made thereto without departing from the spirit and scope of the application. Accordingly, the specification and figures are merely exemplary of the present application as defined in the appended claims and are intended to cover any and all modifications, variations, combinations, or equivalents within the scope of the present application. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method of log detection, the method comprising:
acquiring a plurality of logs to be detected within a preset time period; the preset time period comprises a plurality of time windows;
determining a matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected; one element in the matrix to be detected represents the number of logs to be detected that correspond to one preset log template in one time window;
determining a degree of difference between the frequency vector of each time window in the matrix to be detected and a preset matrix, respectively, to obtain a plurality of degrees of difference; one frequency vector represents the number of logs to be detected corresponding to the plurality of preset log templates in one time window, and one element in the preset matrix represents the number of normal logs corresponding to one preset log template in one time window;
determining an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference.
2. The method according to claim 1, wherein the determining a matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected comprises:
respectively determining the number of logs to be detected corresponding to each preset log template in each time window to obtain an initial matrix to be detected;
and multiplying target elements in the initial matrix to be detected by a preset coefficient to obtain the matrix to be detected, wherein the target elements correspond to abnormal log templates in the plurality of preset log templates.
3. The method of claim 1, further comprising:
acquiring a plurality of normal logs within a preset time period;
and respectively determining the number of the normal logs corresponding to each preset log template in each time window based on the plurality of preset log templates and the plurality of normal logs to obtain the preset matrix.
4. The method according to any one of claims 1-3, wherein the degree of difference is a Mahalanobis distance, and wherein determining an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference comprises:
determining a normal distribution graph of a plurality of Mahalanobis distances;
determining a standard deviation interval of the normal distribution graph;
and determining a time window corresponding to a target Mahalanobis distance that is not in the standard deviation interval as the abnormal time window.
5. An apparatus for log detection, the apparatus comprising: the device comprises an acquisition module and a processing module;
the acquisition module is used for acquiring a plurality of logs to be detected within a preset time period; the preset time period comprises a plurality of time windows;
the processing module is used for determining a matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected; one element in the matrix to be detected represents the number of logs to be detected that correspond to one preset log template in one time window;
the processing module is further configured to determine a degree of difference between the frequency vector of each time window in the matrix to be detected and a preset matrix, respectively, to obtain a plurality of degrees of difference; one frequency vector represents the number of logs to be detected corresponding to the plurality of preset log templates in one time window, and one element in the preset matrix represents the number of normal logs corresponding to one preset log template in one time window;
the processing module is further configured to determine an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference.
6. The apparatus according to claim 5, wherein the processing module is configured to determine the matrix to be detected based on a plurality of preset log templates and the plurality of logs to be detected, and includes:
respectively determining the number of logs to be detected corresponding to each preset log template in each time window to obtain an initial matrix to be detected;
and multiplying target elements in the initial matrix to be detected by a preset coefficient to obtain the matrix to be detected, wherein the target elements correspond to abnormal log templates in the plurality of preset log templates.
7. The apparatus of claim 5, wherein the processing module is further configured to:
acquiring a plurality of normal logs in the preset time period;
and respectively determining the number of the normal logs corresponding to each preset log template in each time window based on the plurality of preset log templates and the plurality of normal logs to obtain the preset matrix.
8. The apparatus according to any of claims 5-7, wherein the degree of difference is a Mahalanobis distance, and wherein the processing module being further configured to determine an abnormal time window including an abnormal log from the plurality of time windows according to the plurality of degrees of difference comprises:
determining a normal distribution graph of a plurality of Mahalanobis distances;
determining a standard deviation interval of the normal distribution graph;
and determining a time window corresponding to a target Mahalanobis distance that is not in the standard deviation interval as the abnormal time window.
9. A log detection apparatus, characterized in that the log detection apparatus comprises: a processor coupled with a memory, the memory to store a program or instructions that, when executed by the processor, cause the apparatus to perform the method of any of claims 1 to 4.
10. A computer-readable storage medium having stored thereon a computer program or instructions, which when executed cause a computer to perform the method of any one of claims 1 to 4.
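The pipeline of claims 1 to 4, sketched as an added example that is not code from the patent. The regex templates, the sample counts, the ridge term on the covariance, the reading of the "standard deviation interval" as mean ± k·σ with k = 2, and taking the distance from the mean and covariance of the preset matrix are all assumptions made for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed templates (assumption): (regex, is_abnormal_template)
TEMPLATES = [(r"login ok", False), (r"connection opened", False), (r"auth failure", True)]

def count_matrix(logs, n_windows, width, coeff=1.0):
    """Rows = time windows, columns = templates; abnormal-template counts scaled by coeff."""
    m = [[0.0] * len(TEMPLATES) for _ in range(n_windows)]
    for ts, msg in logs:
        for j, (pat, abnormal) in enumerate(TEMPLATES):
            if re.search(pat, msg):
                m[int(ts // width)][j] += coeff if abnormal else 1.0
    return m

def inverse(a):  # Gauss-Jordan elimination with partial pivoting, small matrices only
    n = len(a)
    aug = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        aug[c] = [v / aug[c][c] for v in aug[c]]
        for r in range(n):
            if r != c:
                aug[r] = [v - aug[r][c] * u for v, u in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def mahalanobis(test, preset, ridge=1e-3):
    """Distance of each test window from the preset matrix's mean and covariance.
    The ridge (assumption) keeps the covariance invertible when a column is constant."""
    n, k, mu = len(preset), len(preset[0]), [mean(c) for c in zip(*preset)]
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in preset) / (n - 1)
            + (ridge if i == j else 0.0) for j in range(k)] for i in range(k)]
    inv = inverse(cov)
    return [sum(d[i] * inv[i][j] * d[j] for i in range(k) for j in range(k)) ** 0.5
            for d in ([x - m for x, m in zip(row, mu)] for row in test)]

def abnormal_windows(dists, k=2.0):  # outside mean +/- k standard deviations
    mu, sd = mean(dists), pstdev(dists)
    return [i for i, d in enumerate(dists) if abs(d - mu) > k * sd]

def make_logs(counts):  # constructed sample: counts[w] = (logins, conns, auth failures)
    msgs = ("login ok", "connection opened", "auth failure")
    return [(w * 60 + i, m) for w, c in enumerate(counts) for m, n in zip(msgs, c) for i in range(n)]

NORMAL = make_logs([(5,3,0),(6,4,0),(4,3,0),(5,5,0),(6,3,0),(4,4,0),(5,4,0),(6,5,0)])
SUSPECT = make_logs([(5,4,0),(6,3,0),(4,4,0),(5,3,6),(6,4,0),(5,5,0),(4,3,0),(6,5,0)])

def detect(coeff=2.0):
    preset = count_matrix(NORMAL, 8, 60)
    return abnormal_windows(mahalanobis(count_matrix(SUSPECT, 8, 60, coeff), preset))
```

Because the interval is computed from the distances of the windows under test, the check is relative: a batch in which most windows are abnormal shifts the mean and can hide them, so the interval width and the baseline period need tuning against known-good data.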

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210379818.3A CN114817189A (en) 2022-04-12 2022-04-12 Log detection method and device and computer readable storage medium


Publications (1)

Publication Number Publication Date
CN114817189A true CN114817189A (en) 2022-07-29

Family

ID=82534281

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210379818.3A Pending CN114817189A (en) 2022-04-12 2022-04-12 Log detection method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114817189A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination