CN115604003A - System anomaly detection method based on program log data - Google Patents

Info

Publication number: CN115604003A
Authority: CN (China)
Prior art keywords: log, template, value, message, parameters
Legal status: Granted, Active
Application number: CN202211257729.8A
Other languages: Chinese (zh)
Other versions: CN115604003B (en)
Inventors: 吕明琪, 吴羽中, 朱添田, 陈铁明
Current Assignee: Zhejiang University of Technology ZJUT
Original Assignee: Zhejiang University of Technology ZJUT
Application filed by: Zhejiang University of Technology ZJUT
Priority to: CN202211257729.8A
Publications: CN115604003A (application), CN115604003B (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/088 Non-supervised learning, e.g. competitive learning

Abstract

The invention discloses a system anomaly detection method based on program log data, comprising the following steps: extracting log templates from a large number of log messages; converting the log message sequence into a log template number sequence, training a log template number prediction model on log message sequences collected during normal operation of the system, and then detecting anomalies by comparing the prediction result with the result actually written in real time; and extracting all log parameters and their value ranges from the set of log messages collected during normal operation of the system, and then detecting anomalies according to the difference between the real-time value of a log parameter and its normal value range. The advantages of the invention are: the model automatically reads massive program logs and finds anomalies, which greatly reduces the manual operation and maintenance workload; the model is trained in an unsupervised manner and requires no labeled anomalous training samples, which greatly reduces the cost of implementing the model.

Description

System anomaly detection method based on program log data
Technical Field
The invention relates to the technical field of network security and deep learning, and in particular to a system anomaly detection method based on program log data.
Background
Program logs record system states and important events at various critical times to help debug system performance problems and failures and to perform root cause analysis. Such log data is commonly available in almost all computer systems and is a valuable resource for knowing the state of the system. Furthermore, since program logs record notable events that occur in actively running processes, they are a good source of information for online real-time monitoring and anomaly detection.
Anomaly detection is the identification of data that differs significantly from most data, or from expected behavior, and therefore raises suspicion. In the field of network security, anomaly detection is an important task in building a safe and reliable computer system. But as systems and applications become more complex, they are subject to more bugs and vulnerabilities that an attacker may exploit to launch an attack; anomaly detection becomes more challenging, and many conventional rule-based anomaly detection methods are no longer effective.
Meanwhile, recent research shows that deep learning has been widely applied in many areas, such as image classification, object detection, and semantic segmentation. However, when deep learning is applied to log anomaly detection for network security, the complexity and rarity of anomalous logs make it too costly to collect and label enough anomalous samples for model training.
In view of the above problems, how to implement unsupervised system anomaly detection based on program logs is a problem to be solved urgently.
Disclosure of Invention
The invention provides a system anomaly detection method based on program log data in which log parameters are separated from each log using its log template, and anomaly detection is then performed on the log templates and the log parameters at the same time. This reduces the missed detections that result from checking only the log template and ignoring log parameter anomalies, and improves the accuracy of anomaly detection.
A system abnormity detection method based on program log data comprises the following steps:
(1) Extracting a Log Template (Log Template): extracting a log template from a log message of a system;
(2) Log template anomaly detection:
(2-1) obtaining a log message sequence from the log message according to the extracted log template, converting the log message sequence into a log template number sequence, and training a log template number prediction model (preferably an LSTM model) according to the log message acquired in the normal operation process of the system;
(2-2) predicting a log template corresponding to the next log message by adopting the trained log template number prediction model, and comparing a prediction result with the actual log template corresponding to the next log message to realize abnormal detection;
(3) Log Parameter (Parameter) anomaly detection:
(3-1) extracting all log parameters and value ranges thereof from a log message set collected in the normal operation process of the system;
and (3-2) carrying out anomaly detection according to the difference between the real-time value and the normal value range of the log parameters.
In the invention, log templates are extracted from log data by a prefix-tree-based method; the log sequence is converted into a sequence of log template vectors and input into an LSTM model for training, in order to detect log template anomalies; and all parameters of all log templates are learned, in order to detect log parameter anomalies. Detecting anomalies in the log from these two angles at once reduces the missed detections caused by checking only the log template and ignoring log parameter anomalies, and improves the accuracy of log anomaly detection.
In step (3-1), all log parameters and their value ranges are extracted from the log message set collected during normal operation of the system, specifically as follows:
(3-1-1) given a log template $P_i$ and one of its corresponding log messages $M_j$, the words at which $P_i$ and $M_j$ cannot be matched are the log parameters: the number of unmatched words is the number of log parameters of $P_i$, and the values of the unmatched words are the values taken by the log parameters of $P_i$ in $M_j$;
(3-1-2) for a log template $P_i$, find in the log message set $DS = \{M_1, M_2, \ldots, M_N\}$ the set of all log messages corresponding to $P_i$, $DPS_i = \{M_{i1}, M_{i2}, \ldots, M_{im}\}$, where $M_1, M_2, \ldots, M_N$ are the numbers of the individual logs in the log message set $DS$, $N$ is the number of all logs in $DS$, $M_{i1}, M_{i2}, \ldots, M_{im}$ are the numbers of the individual logs in the log message set $DPS_i$, and $im$ is the number of all logs in $DPS_i$. Using the method of step (3-1-1), obtain all log parameters of $P_i$ and the value range of each log parameter of $P_i$ in $DPS_i$.
In step (3-2), anomaly detection is performed according to the difference between the real-time value of a log parameter and its normal value range, specifically as follows:
(3-2-1) given a log message $M_k$, find the log template $P_k$ corresponding to $M_k$;
(3-2-2) obtain the values taken in $M_k$ by all log parameters of $P_k$;
(3-2-3) if the value of a log parameter obtained in step (3-2-2) exceeds by 20% the value range of that log parameter in $P_i$ calculated in step (3-1-2), judge that a log parameter anomaly has currently occurred.
Most current methods for detecting anomalies in program log data use rule-based or supervised learning methods, and mainly detect template anomalies in the program log. The invention designs an unsupervised learning detection method built on a prediction model: the algorithm separates log parameters from each log using its log template and detects anomalies in the log template and the log parameters at the same time, which reduces the missed detections caused by checking only the log template and ignoring log parameter anomalies, and increases the accuracy of anomaly detection.
Compared with the prior art, the invention has the advantages that: (1) The model automatically reads mass program logs and finds out the abnormality, so that the workload of manual operation and maintenance is greatly reduced; (2) The model is trained in an unsupervised mode, and labeled abnormal training samples do not need to be provided, so that the implementation cost of the model is greatly reduced.
Drawings
FIG. 1 is a flowchart of a method for detecting system anomalies based on program log data.
Fig. 2 is an example of a log message.
FIG. 3 is a specific embodiment of log template extraction.
Detailed Description
The invention will be further described with reference to the accompanying drawings.
As shown in fig. 1, a method for detecting system exception based on program log data includes the following steps: (1) extracting a log template: a log template is extracted from a large number of log messages.
The three concepts of log message, log template and log parameter are explained as follows. The invention concerns logs written by applications about the running state of the application system. For example, FIG. 2 shows an example of a Tomcat program log. Each line is one log message. Each log message is written to the log file by a line of code in the application and consists of a fixed part and a variable part. The fixed part represents the program event described by the log message: for the log message $M_1$ on line 6 of FIG. 2, "information: initialization processing in 391 ms", the wording is invariant in all cases (it represents an initialization load event), and this is called a log template. The value 391 in $M_1$, by contrast, varies from case to case (it is the load time on this occasion), and this is called a log parameter.
(2) Detecting the abnormity of the log template: the log messages written in the normal operation process of the application system have a certain rule, and if the current log messages written out do not conform to the rule, the application system is likely to be abnormal. Therefore, firstly, the log message sequence is converted into a log template number sequence, and a log template number prediction model is trained according to the log message sequence collected in the normal operation process of the system. And then, realizing abnormity detection according to the comparison between the prediction result and the real-time written result.
(3) Log parameter anomaly detection: when the real-time value of the log parameter greatly deviates from the normal value range, the application system is likely to be abnormal. Therefore, all log parameters and value ranges thereof are extracted from the log message set collected in the normal operation process of the system. And then, realizing abnormal detection according to the difference between the real-time value and the normal value range of the log parameters.
In step (1), given a set of log messages $DS = \{M_1, M_2, \ldots, M_N\}$, the detailed steps of extracting the log templates are as follows:
(1-1) Log word bank construction: first, scan $DS$; because the log messages are written in English, each log message $M_k$ is segmented into words on spaces and special symbols. Then count the frequency of occurrence of each word and organize the words into a log word bank $WS$, sorted by frequency of occurrence in descending order.
(1-2) Prefix tree construction: scan $DS$ again and construct a prefix tree of log words, specifically as follows:
(1-2-1) initialize the prefix tree $PT$;
(1-2-2) for each log message $M_k$ in $DS$, segment $M_k$ into words and sort these words by their frequency of occurrence in $WS$ in descending order, obtaining a log word list $L_k$;
(1-2-3) organize $L_k$ into a linked list (each node in the linked list represents a log word);
(1-2-4) if no prefix of the linked list of $L_k$ has a matching branch in $PT$, insert $L_k$ into $PT$ as a new branch;
(1-2-5) if some prefix of the linked list of $L_k$ has a matching branch in $PT$, insert the corresponding suffix after the leaf node of that branch.
(1-3) Template set construction: prune the prefix tree to obtain the template set, specifically as follows:
(1-3-1) set an occurrence frequency threshold $\delta$ and scan all leaf nodes of $PT$; if the frequency in $WS$ of the log word corresponding to the current leaf node is less than $\delta$, delete that leaf node; iterate until the frequency in $WS$ of every leaf node of $PT$ is not less than $\delta$;
(1-3-2) for each branch of the pruned prefix tree $PT$, restore the log words it contains to their positions in $DS$ and replace the log words corresponding to deleted leaf nodes with "*", obtaining a template $P_k$. The set of all templates is denoted $TS$.
To illustrate steps (1-2) and (1-3), FIG. 3 shows a specific example. In this example, 5 log templates $TS = \{P_1, P_2, \ldots, P_5\}$ are extracted from the log message set $DS = \{M_1, M_2, \ldots, M_6\}$, where $P_1$ = "Interface * changed state to Started", $P_2$ = "Interface * changed state to Paused", $P_3$ = "Instance * VM Started", $P_4$ = "Instance * VM Paused", and $P_5$ = "Receiving block * src: * dest: *".
(1-4) Log message conversion: for each log message $M_k$ in $DS = \{M_1, M_2, \ldots, M_N\}$, find its corresponding log template by log word matching and represent $M_k$ by the number $I_k$ of that log template. $DS$ can then be expressed as a log template number sequence $DSS = \{I_1, I_2, \ldots, I_N\}$, where $I_1, I_2, \ldots, I_N$ are the log template numbers corresponding to the log messages $M_1, M_2, \ldots, M_N$, and $N$ is the number of templates in the template sequence $DSS$.
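Steps (1-1) to (1-4) can be followed end to end in the Python sketch below, which is an added example and not code from the patent. The six sample messages are constructed to produce the five FIG. 3 templates; splitting on whitespace only and breaking frequency ties alphabetically are assumptions, and templates are read off per message rather than per branch.

```python
from collections import Counter


def tokenize(message):
    # Assumption: split on whitespace only, so "src:" stays one log word.
    return message.split()


class Node:
    """One log word in the prefix tree PT."""

    def __init__(self, word=None):
        self.word = word
        self.children = {}


def sorted_word_list(tokens, freq):
    # Step (1-2-2): words ordered by descending frequency in WS.
    # Ties are broken by word, then position (an assumption; the page
    # does not say how ties are ordered).
    return sorted(enumerate(tokens), key=lambda pw: (-freq[pw[1]], pw[1], pw[0]))


def build_prefix_tree(messages, freq):
    # Steps (1-2-3) to (1-2-5): follow the matching prefix, append the suffix.
    root = Node()
    for message in messages:
        node = root
        for _, word in sorted_word_list(tokenize(message), freq):
            node = node.children.setdefault(word, Node(word))
    return root


def prune(node, freq, delta):
    # Step (1-3-1): post-order deletion removes leaves rarer than delta and
    # keeps going while the newly exposed leaves are rare as well.
    for word in list(node.children):
        child = node.children[word]
        prune(child, freq, delta)
        if not child.children and freq[word] < delta:
            del node.children[word]


def template_of(message, root, freq):
    # Step (1-3-2): surviving words go back to their original positions,
    # pruned words become "*".
    tokens = tokenize(message)
    out = ["*"] * len(tokens)
    node = root
    for pos, word in sorted_word_list(tokens, freq):
        node = node.children.get(word)
        if node is None:
            break
        out[pos] = word
    return " ".join(out)


def extract_templates(messages, delta):
    """Return (TS, DSS): the template list and the template number sequence."""
    freq = Counter(w for m in messages for w in tokenize(m))  # step (1-1)
    root = build_prefix_tree(messages, freq)
    prune(root, freq, delta)
    templates, dss = [], []
    for message in messages:
        tpl = template_of(message, root, freq)
        if tpl not in templates:
            templates.append(tpl)
        dss.append(templates.index(tpl) + 1)  # step (1-4), 1-based numbers
    return templates, dss


# Constructed sample input (not taken from FIG. 3 itself).
MESSAGES = [
    "Interface eth0 changed state to Started",
    "Interface eth1 changed state to Paused",
    "Instance i-01 VM Started",
    "Instance i-02 VM Paused",
    "Receiving block blk_1 src: 10.0.0.1 dest: 10.0.0.2",
    "Receiving block blk_2 src: 10.0.0.3 dest: 10.0.0.4",
]

if __name__ == "__main__":
    ts, dss = extract_templates(MESSAGES, delta=2)
    for number, tpl in enumerate(ts, start=1):
        print(f"P{number} = {tpl!r}")
    print("DSS =", dss)
```

A parameter value that occurs at least $\delta$ times in the training logs survives pruning and becomes part of a template, so $\delta$ has to be chosen with frequently repeated values (host names, fixed IDs) in mind.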
In step (2), the detailed steps of log template anomaly detection are as follows:
(2-1) Log template prediction model construction: train a log template prediction model on the log template number sequence $DSS = \{I_1, I_2, \ldots, I_N\}$, specifically as follows:
(2-1-1) pre-train on $DSS$ with a word2vec model to obtain the representation vector $e_k$ corresponding to each log template number $I_k$; $DSS$ can then be converted into a sequence of log template number representation vectors $EDSS = \{e_1, e_2, \ldots, e_N\}$, where $e_1, e_2, \ldots, e_N$ are the representation vectors converted from the log templates corresponding to the log template numbers in $DSS$, and $N$ is the number of representation vectors in $EDSS$;
(2-1-2) use a sliding window of size $w$ and step 1 to divide $EDSS$ into multiple small sequences $s_i = \{e_{i1}, e_{i2}, \ldots, e_{iw}\}$, where $e_{i1}, e_{i2}, \ldots, e_{iw}$ are the representation vectors converted from the log templates corresponding to the log template numbers in the small sequence, and $iw$ is the number of representation vectors in the small sequence of $EDSS$. For each small sequence, construct a training sample $x_i = (s_i, l_i)$, where $l_i$ is the label of $x_i$, taken here as the log template number at the moment after $s_i$, i.e. $l_i = I_{i(w+1)}$. The set of all training samples obtained is denoted $XS$.
(2-1-3) train on $XS$ with an LSTM model to obtain the prediction model. The input of the model is a short observed log template number sequence, and the output is the predicted log template number at the next moment.
(2-2) Real-time log template anomaly detection: detect anomalous log templates based on the log template prediction model, specifically as follows:
(2-2-1) assume the current time is $k$. First, obtain the log template sequence of the $w$ moments before the current time, $s_{k-1} = \{I_{k-w}, I_{k-w+1}, \ldots, I_{k-1}\}$, where $I_{k-w}, I_{k-w+1}, \ldots, I_{k-1}$ are the log template numbers corresponding to the log messages at the $w$ moments before the current time. Input $s_{k-1}$ into the prediction model trained in step (2-1) to obtain the predicted log template numbers $pl_k$ for time $k$;
(2-2-2) set a probability threshold $\theta$; if none of the log templates in $pl_k$ with the highest probabilities, greater than $\theta$, is the true log template $I_k$ at time $k$, judge that a log template anomaly has currently occurred.
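The sliding-window sample construction of step (2-1-2) and the threshold decision of step (2-2-2) are shown in the added Python example below, which is not code from the patent. To stay dependency-free it swaps the word2vec + LSTM predictor for a plain count-based estimate of the next template number given the previous $w$ numbers; the class name, the sample sequences and the choice to alert on a window never seen in training are assumptions.

```python
from collections import Counter, defaultdict


def make_samples(dss, w):
    """Step (2-1-2): window of size w, step 1 -> (s_i, l_i) training pairs."""
    return [(tuple(dss[i:i + w]), dss[i + w]) for i in range(len(dss) - w)]


class WindowCountModel:
    """Stand-in for the LSTM (assumption): empirical distribution of the next
    log template number conditioned on the previous w numbers."""

    def __init__(self, w):
        self.w = w
        self.counts = defaultdict(Counter)

    def fit(self, normal_dss):
        for window, label in make_samples(normal_dss, self.w):
            self.counts[window][label] += 1
        return self

    def predict(self, window):
        """Return pl_k as {template number: probability}; empty if unseen."""
        seen = self.counts.get(tuple(window))
        if not seen:
            return {}
        total = sum(seen.values())
        return {tpl: n / total for tpl, n in seen.items()}


def detect(model, live_dss, theta):
    """Step (2-2): return the positions k whose true template number I_k is
    not among the predicted templates with probability greater than theta."""
    alerts = []
    for k in range(model.w, len(live_dss)):
        pl_k = model.predict(live_dss[k - model.w:k])
        candidates = {tpl for tpl, p in pl_k.items() if p > theta}
        if live_dss[k] not in candidates:  # an unseen window also alerts
            alerts.append(k)
    return alerts


# Constructed sequences using the FIG. 3 template numbers 1..5.
# Normal operation: 19 full cycles plus one cycle with a single "5".
NORMAL_DSS = [1, 3, 5, 5, 2, 4] * 19 + [1, 3, 5, 2, 4]
LIVE_DSS = [1, 3, 5, 5, 2, 4, 1, 3, 4, 5, 5, 2]  # template 4 arrives early

if __name__ == "__main__":
    model = WindowCountModel(w=3).fit(NORMAL_DSS)
    print("pl_k after (1, 3, 5):", model.predict((1, 3, 5)))
    print("alerts at positions:", detect(model, LIVE_DSS, theta=0.1))
```

One out-of-order message raises an alert at its own position and at the next $w$ positions as well, because every window that contains it is unseen; alert handling should group such runs into one event.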
In step (3), the detailed steps of log parameter anomaly detection are as follows:
(3-1) Log parameter extraction: extract the log parameters in each log message from the log message set $DS = \{M_1, M_2, \ldots, M_N\}$, specifically as follows:
(3-1-1) given a log template $P_i$ and one of its corresponding log messages $M_j$, the words at which $P_i$ and $M_j$ cannot be matched are the log parameters: the number of unmatched words is the number of log parameters of $P_i$, and the values of the unmatched words are the values taken by the log parameters of $P_i$ in $M_j$;
(3-1-2) for a log template $P_i$, find in $DS$ the set of all its corresponding log messages $DPS_i = \{M_{i1}, M_{i2}, \ldots, M_{im}\}$ and, using the method of step (3-1-1), obtain all log parameters of $P_i$ and the value range of each log parameter of $P_i$ in $DPS_i$;
(3-1-3) process all log templates according to step (3-1-2) to obtain all log parameters of each log template and their corresponding value ranges.
To illustrate step (3-1), a specific example is given. Taking FIG. 3 as an example, one of the extracted log templates is $P_2$ = "Took * seconds to deallocate network", and one corresponding log message is $M_2$ = "Took 0.61 seconds to deallocate network"; the unmatched word "0.61" is a log parameter. By finding all log messages corresponding to $P_2$ in the entire log message set, together with the values of the corresponding log parameter, the value range of the log parameter is obtained.
(3-2) Real-time log parameter anomaly detection: given a real-time log message $M_k$, log parameter anomaly detection proceeds as follows:
(3-2-1) find the log template $P_k$ corresponding to $M_k$;
(3-2-2) obtain the values taken in $M_k$ by all log parameters of $P_k$;
(3-2-3) if the value of a log parameter exceeds, by a certain degree (20%), the value range of that log parameter in $P_i$ calculated in step (3-1), judge that a log parameter anomaly has currently occurred.
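Steps (3-1) and (3-2) are implemented in the added Python example below, which is not code from the patent; it learns per-parameter value ranges from normal logs and checks live messages against them. Assumptions: "exceeds the value range by 20%" is read as falling outside [min - 0.2·(max - min), max + 0.2·(max - min)], only finite numeric values are learned, and a non-numeric value in a position where a numeric range was learned is reported as anomalous.

```python
import math

TOLERANCE = 0.20  # the 20% of step (3-2-3)


def match(template, message):
    """Step (3-1-1): return the unmatched words (parameter values) if the
    message fits the template, otherwise None."""
    t_words, m_words = template.split(), message.split()
    if len(t_words) != len(m_words):
        return None
    values = []
    for t_word, m_word in zip(t_words, m_words):
        if t_word == "*":
            values.append(m_word)
        elif t_word != m_word:
            return None
    return values


def find_template(templates, message):
    """Step (3-2-1): index and parameter values of the first matching template."""
    for idx, template in enumerate(templates):
        values = match(template, message)
        if values is not None:
            return idx, values
    return None, None


def to_number(raw):
    # "nan" and "inf" parse as floats but defeat range comparisons: reject them.
    try:
        value = float(raw)
    except ValueError:
        return None
    return value if math.isfinite(value) else None


def learn_ranges(templates, normal_messages):
    """Steps (3-1-2)/(3-1-3): {(template idx, parameter idx): (min, max)}."""
    ranges = {}
    for message in normal_messages:
        idx, values = find_template(templates, message)
        if idx is None:
            continue
        for p, raw in enumerate(values):
            value = to_number(raw)
            if value is None:
                continue  # non-numeric parameters are not range-checked
            lo, hi = ranges.get((idx, p), (value, value))
            ranges[(idx, p)] = (min(lo, value), max(hi, value))
    return ranges


def check_message(templates, ranges, message, tolerance=TOLERANCE):
    """Step (3-2): list of (parameter idx, value, min, max) anomalies, or None
    when no template matches (a log template anomaly, not a parameter one)."""
    idx, values = find_template(templates, message)
    if idx is None:
        return None
    anomalies = []
    for p, raw in enumerate(values):
        if (idx, p) not in ranges:
            continue
        lo, hi = ranges[(idx, p)]
        value = to_number(raw)
        if value is None:
            anomalies.append((p, raw, lo, hi))  # assumption: type change alerts
            continue
        margin = tolerance * (hi - lo)  # zero when only one value was seen
        if value < lo - margin or value > hi + margin:
            anomalies.append((p, value, lo, hi))
    return anomalies


# Templates as given on the page; the log lines are constructed samples.
TEMPLATES = [
    "Took * seconds to deallocate network",
    "Receiving block * src: * dest: *",
]
NORMAL_LOGS = [
    "Took 0.61 seconds to deallocate network",
    "Took 0.48 seconds to deallocate network",
    "Took 0.70 seconds to deallocate network",
    "Receiving block blk_1 src: 10.0.0.1 dest: 10.0.0.2",
]

if __name__ == "__main__":
    learned = learn_ranges(TEMPLATES, NORMAL_LOGS)
    print("ranges:", learned)
    for line in ("Took 0.72 seconds to deallocate network",
                 "Took 5.3 seconds to deallocate network"):
        print(line, "->", check_message(TEMPLATES, learned, line))
```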

Claims (7)

1. A system abnormity detection method based on program log data is characterized by comprising the following steps:
(1) Extracting a log template: extracting a log template from a log message of a system;
(2) The log template abnormality detection specifically comprises:
(2-1) obtaining a log message sequence from the log message according to the extracted log template, converting the log message sequence into a log template number sequence, and training a log template number prediction model according to the log message acquired in the normal operation process of the system;
(2-2) predicting a log template corresponding to the next log message by adopting the trained log template number prediction model, and comparing a prediction result with the actual log template corresponding to the next log message to realize abnormal detection;
(3) Detecting the log parameter abnormity specifically comprises the following steps:
(3-1) extracting all log parameters and value ranges thereof from a log message set collected in the normal operation process of the system;
and (3-2) carrying out anomaly detection according to the difference between the real-time value and the normal value range of the log parameters.
2. The method for detecting system abnormality based on program log data according to claim 1, wherein in the step (2-1), the log template number prediction model is an LSTM model.
3. The method for detecting system abnormality based on program log data according to claim 1, wherein in step (3-1), extracting all log parameters and value ranges thereof from a log message set collected in a normal operation process of a system specifically includes:
(3-1-1) given a log template $P_i$ and one of its corresponding log messages $M_j$, the words at which $P_i$ and $M_j$ cannot be matched are the log parameters, wherein the number of unmatched words is the number of log parameters of $P_i$, and the values of the unmatched words are the values taken by the log parameters of $P_i$ in $M_j$;
(3-1-2) for a log template $P_i$, find in the log message set $DS = \{M_1, M_2, \ldots, M_N\}$ the set of all log messages corresponding to $P_i$, $DPS_i = \{M_{i1}, M_{i2}, \ldots, M_{im}\}$, and, using the method of step (3-1-1), obtain all log parameters of $P_i$ and the value range of each log parameter of $P_i$ in $DPS_i$.
4. The program log data-based system abnormality detection method according to claim 3, wherein, in step (3-1-2), $M_1, M_2, \ldots, M_N$ are the numbers of the individual logs in the log message set $DS$, and $N$ is the number of all logs in the log message set $DS$.
5. The program log data-based system abnormality detection method according to claim 3, wherein, in step (3-1-2), $M_{i1}, M_{i2}, \ldots, M_{im}$ are the numbers of the individual logs in the log message set $DPS_i$, and $im$ is the number of all logs in the log message set $DPS_i$.
6. The method according to claim 3, wherein in step (3-2), the anomaly detection is performed according to the difference between the real-time value and the normal value range of the log parameter, and specifically includes:
(3-2-1) given a log message $M_k$, find the log template $P_k$ corresponding to $M_k$;
(3-2-2) obtain the values taken in $M_k$ by all log parameters of $P_k$;
(3-2-3) if the value of a log parameter obtained in step (3-2-2) exceeds the value range of that log parameter in $P_i$ calculated in step (3-1-2), judge that a log parameter anomaly has currently occurred.
7. The method according to claim 6, wherein in step (3-2-3), if the value of a log parameter obtained in step (3-2-2) exceeds by 20% the value range of that log parameter in $P_i$ calculated in step (3-1-2), it is judged that a log parameter anomaly has currently occurred.
CN202211257729.8A 2022-10-14 2022-10-14 System abnormality detection method based on program log data Active CN115604003B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211257729.8A CN115604003B (en) 2022-10-14 2022-10-14 System abnormality detection method based on program log data

Publications (2)

Publication Number Publication Date
CN115604003A 2023-01-13
CN115604003B 2024-04-05

Family

ID=84847662
