CN115604003B - System abnormality detection method based on program log data - Google Patents

Publication number
CN115604003B
Authority
CN
China
Prior art keywords
log
template
value
message
parameter
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211257729.8A
Other languages
Chinese (zh)
Other versions
CN115604003A (en
Inventor
吕明琪
吴羽中
朱添田
陈铁明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University of Technology ZJUT
Original Assignee
Zhejiang University of Technology ZJUT

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G06N3/088 Non-supervised learning, e.g. competitive learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a system abnormality detection method based on program log data, which comprises the following steps: extracting log templates from a large number of log messages; converting the log message sequence into a log template number sequence, training a log template number prediction model on the log message sequences collected during normal operation of the system, and then detecting anomalies by comparing the prediction with the log messages written in real time; extracting all log parameters and their value ranges from the set of log messages collected during normal operation of the system, and then detecting anomalies from the difference between the real-time value of a log parameter and its normal value range. The advantages of the invention are: the model automatically reads a large number of program logs and discovers anomalies in them, so that the workload of manual operation and maintenance is greatly reduced; the model is trained in an unsupervised mode, so no labeled abnormal training samples need to be provided, and the implementation cost of the model is greatly reduced.

Description

System abnormality detection method based on program log data
Technical Field
The invention relates to the technical field of network security and deep learning, in particular to a system anomaly detection method based on program log data.
Background
The program log records system status and critical events at various critical moments to aid in debugging system performance problems and faults and to conduct root cause analysis. Such log data is commonly available in almost all computer systems and is a valuable resource for knowing the state of the system. Furthermore, since program logs record notable events that occur during actively running processes, they are a good source of information for online real-time monitoring and anomaly detection.
Anomaly detection identifies data that differs significantly from most data, and so either raises suspicion or departs widely from expected behavior. In the field of network security, anomaly detection is an important task in establishing a secure and reliable computer system. However, as systems and applications become more complex, anomaly detection becomes more challenging, and many conventional rule-based anomaly detection methods are no longer effective. More complex systems also contain more bugs and vulnerabilities that an attacker may use to launch an attack.
Meanwhile, recent studies have shown that deep learning has been widely applied to tasks such as image classification, object detection, and semantic segmentation. However, when deep learning is applied to log anomaly detection for network security, the complexity and rarity of anomalous logs make it too costly to collect and label enough anomaly samples for model training.
In view of the above, how to implement an unsupervised system anomaly detection based on a program log is a problem to be solved.
Disclosure of Invention
The invention provides a system anomaly detection method based on program log data in which log parameters are stripped from the log on the basis of the log template, and anomaly detection is carried out on the log template and the log parameters at the same time. This reduces the missed detections that occur when only the log template is checked and log parameter anomalies are ignored, and improves anomaly detection accuracy.
A system abnormality detection method based on program log data includes the following steps:
(1) Log Template (Log Template) extraction: extracting a log template from log information of the system;
(2) Log template anomaly detection:
(2-1) obtaining a log message sequence from the log message according to the extracted log template, converting the log message sequence into a log template number sequence, and training a log template number prediction model (preferably an LSTM model) according to the log message collected in the normal operation process of the system;
(2-2) predicting a log template corresponding to the next log message by adopting a trained log template number prediction model, and comparing a prediction result with an actual log template corresponding to the next log message to realize abnormality detection;
(3) Log Parameter (Parameter) anomaly detection:
(3-1) extracting all log parameters and their value ranges from a log message set acquired in the normal operation process of the system;
(3-2) performing anomaly detection according to the difference between the real-time value of the log parameter and the normal value range.
In the invention, a prefix-tree-based method is used to extract log templates from the log data. The log sequence is converted into a log template sequence vector and input into the LSTM model for training, in order to detect anomalies of the log template; at the same time, all parameters of all log templates are learned, in order to detect anomalies of the log parameters. Anomaly detection is thus carried out on the log from two angles at once, which reduces the missed detections caused by checking only the log template while ignoring log parameter anomalies, and increases the accuracy of log anomaly detection.
In the step (3-1), all log parameters and the value ranges thereof are extracted from a log message set collected in the normal operation process of the system, and the method specifically comprises the following steps:
(3-1-1) given a log template $P_i$ and one of the log messages $M_j$ corresponding to it, the words of $M_j$ that cannot be matched against $P_i$ are the log parameters: the number of unmatched words is the number of log parameters of $P_i$, and the values of the unmatched words are the values of the log parameters of $P_i$ in $M_j$;
(3-1-2) for a log template $P_i$, find in the log message set $DS = \{M_1, M_2, \ldots, M_N\}$ the set of all log messages corresponding to $P_i$, $DPS_i = \{M_{i1}, M_{i2}, \ldots, M_{im}\}$, where $M_1, M_2, \ldots, M_N$ are the individual logs in the log message set $DS$, $N$ is the number of all logs in $DS$, $M_{i1}, M_{i2}, \ldots, M_{im}$ are the individual logs in the log message set $DPS_i$, and $im$ is the number of all logs in $DPS_i$; using the method of step (3-1-1), obtain all log parameters of $P_i$ and the value range of each log parameter of $P_i$ over $DPS_i$.
In the step (3-2), abnormality detection is performed according to the difference between the real-time value of the log parameter and the normal value range, and specifically includes:
(3-2-1) given a log message $M_k$, find the log template $P_k$ corresponding to $M_k$;
(3-2-2) obtain the values in $M_k$ of all log parameters of $P_k$;
(3-2-3) if the value of any log parameter from step (3-2-2) exceeds by 20% the value range of that log parameter of $P_i$ computed in step (3-1-2), judge that a log parameter anomaly has currently occurred.
Most current methods for detecting anomalies in program log data adopt a rule-based method or a supervised learning method, and mainly detect template anomalies of program logs. The invention designs a detection method that performs unsupervised learning with a prediction model: the algorithm strips the log parameters from the log on the basis of the log template and then performs anomaly detection on both the log template and the log parameters, which reduces the missed detections caused by checking only the log template while ignoring log parameter anomalies, and increases the accuracy of anomaly detection.
Compared with the prior art, the invention has the advantages that: (1) The model automatically reads a large number of program logs and discovers abnormality from the program logs, so that the workload of manual operation and maintenance is greatly reduced; (2) The model is trained in an unsupervised mode, an abnormal training sample with labels is not required to be provided, and the implementation cost of the model is greatly reduced.
Drawings
FIG. 1 is a flow chart of a system anomaly detection method based on program log data.
Fig. 2 is an example log message.
FIG. 3 is a specific embodiment of log template extraction.
Detailed Description
The invention will be further described with reference to the accompanying drawings.
As shown in fig. 1, a system abnormality detection method based on program log data includes the steps of: (1) log template extraction: the log template is extracted from a large number of log messages.
The three concepts of log message, log template, and log parameter are explained as follows. The invention concerns logs that an application writes about its own running state. For example, FIG. 2 gives an example of a Tomcat program log. One log message per action. Each log message is written into the log file by a line of code of the application program, and includes a fixed portion and a variable portion. The fixed portion represents the program event described by the log message: e.g., in the log message at line 6 of FIG. 2, $M_1$ = "information Initialization processed in 391 ms", the part "information Initialization processed in * ms" is unchanged in any case (it represents an initialization load event), and this is referred to as the log template. The 391 in $M_1$ varies between situations (it represents the current load time), and this is called a log parameter.
(2) Log template anomaly detection: the log messages written during normal operation of the application system follow a certain regularity, and if the log message currently written does not conform to it, the application system is likely to be in an abnormal state. Therefore, the log message sequence is first converted into a log template number sequence, and a log template number prediction model is trained on the log message sequences collected during normal operation of the system. Anomaly detection is then realized by comparing the prediction with the log messages written in real time.
(3) Log parameter anomaly detection: when the real-time value of a log parameter deviates from its normal value range, the application system is very likely to be abnormal. Therefore, all log parameters and their value ranges are extracted from the log message set collected during normal operation of the system. Anomaly detection is then realized according to the difference between the real-time value of the log parameter and the normal value range.
In step (1), given a log message set $DS = \{M_1, M_2, \ldots, M_N\}$, the detailed steps of log template extraction are as follows:
(1-1) Log word stock construction: first scan $DS$; because the log messages are written in English, each log message $M_k$ is split into words on spaces and special symbols. Then the occurrence frequency of each word is counted, and the words are organized, in descending order of occurrence frequency, into a log word stock $WS$.
(1-2) Prefix tree construction: rescan $DS$ and construct a prefix tree formed by log words, with the following specific steps:
(1-2-1) initialize a prefix tree $PT$;
(1-2-2) for each log message $M_k$ in $DS$, split $M_k$ into words and arrange the words in descending order of their occurrence frequency in $WS$ to obtain a log word list $L_k$;
(1-2-3) organize $L_k$ into a linked list (each node in the linked list represents a log word);
(1-2-4) if no prefix of the linked list of $L_k$ finds a matching branch in $PT$, insert the linked list of $L_k$ into $PT$ as a new branch;
(1-2-5) if a prefix of the linked list of $L_k$ can find a matching branch in $PT$, insert the corresponding suffix after the leaf node of this branch.
(1-3) Template set construction: prune the prefix tree to obtain a template set, with the following specific steps:
(1-3-1) set an occurrence frequency threshold $\delta$ and scan all leaf nodes of $PT$; if the occurrence frequency in $WS$ of the log word corresponding to the current leaf node is less than $\delta$, delete the leaf node; iterate until the occurrence frequency in $WS$ of the log words corresponding to all leaf nodes of $PT$ is not less than $\delta$;
(1-3-2) for the pruned prefix tree $PT$, take out each branch, restore the log words it contains to their original order in $DS$, and replace the log words corresponding to the deleted leaf nodes with '*', thereby obtaining a template $P_k$. The set of all templates is recorded as $TS$.
To illustrate the concepts of steps (1-2) and (1-3), FIG. 3 shows a specific embodiment. The example extracts 5 log templates $TS = \{P_1, P_2, \ldots, P_5\}$ from a log message set $DS = \{M_1, M_2, \ldots, M_6\}$, where $P_1$ = "Interface * changed state to Started", $P_2$ = "Interface * changed state to Paused", $P_3$ = "Instance * VM Started", $P_4$ = "Instance * VM Paused", and $P_5$ = "Receiving block * src: * dest: *".
(1-4) Log message conversion: for each log message $M_k$ in $DS = \{M_1, M_2, \ldots, M_N\}$, find its corresponding log template by log word matching and represent $M_k$ by the number $I_k$ of that log template. $DS$ can then be represented as a sequence of log template numbers $DSS$, where $I_1, I_2, \ldots, I_N$ are the log template numbers corresponding to the log messages $M_1, M_2, \ldots, M_N$, and $N$ is the number of templates in the template sequence $DSS$.
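A minimal sketch of steps (1-1) to (1-4), added here as an illustration and not taken from the patent: it builds the frequency-ordered prefix tree, prunes rare leaves, and numbers the resulting templates. The sample messages are constructed to reproduce the five templates listed for FIG. 3; the separator set, the alphabetical tie-break and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample DS, modelled on the five templates listed for FIG. 3.
DS = [
    "Interface eth0 changed state to Started",
    "Interface eth1 changed state to Paused",
    "Instance vm1 VM Started",
    "Instance vm2 VM Paused",
    "Receiving block blk_1 src: /10.0.0.1 dest: /10.0.0.2",
    "Receiving block blk_2 src: /10.0.0.3 dest: /10.0.0.4",
]

class Node:
    def __init__(self):
        self.children = {}  # word -> Node

def tokenize(message):
    # (1-1) split on whitespace and a few separators (the symbol set is assumed)
    return [w for w in re.split(r"[\s,;=]+", message) if w]

def word_stock(messages):
    # (1-1) WS: occurrence count of every word in DS
    return Counter(w for m in messages for w in tokenize(m))

def ordered(message, ws):
    # (1-2-2) L_k: words by descending frequency; alphabetical tie-break (assumed)
    return sorted(tokenize(message), key=lambda w: (-ws[w], w))

def build_tree(messages, ws):
    # (1-2-3)..(1-2-5): a shared prefix reuses a branch, the suffix is appended
    root = Node()
    for m in messages:
        node = root
        for w in ordered(m, ws):
            node = node.children.setdefault(w, Node())
    return root

def prune(root, ws, delta):
    # (1-3-1) delete leaves rarer than delta until no such leaf remains
    changed = True
    while changed:
        changed = False
        stack = [root]
        while stack:
            node = stack.pop()
            for w, child in list(node.children.items()):
                if not child.children and ws[w] < delta:
                    del node.children[w]
                    changed = True
                else:
                    stack.append(child)

def template_of(message, root, ws):
    # (1-3-2) walk the pruned tree; words that fall off it become '*', and
    # the surviving words are put back in their original positions
    node, kept = root, set()
    for w in ordered(message, ws):
        if w not in node.children:
            break
        node = node.children[w]
        kept.add(w)
    return " ".join(w if w in kept else "*" for w in tokenize(message))

def extract(messages, delta):
    ws = word_stock(messages)
    root = build_tree(messages, ws)
    prune(root, ws, delta)
    numbers, dss = {}, []  # (1-4) template -> number, and the sequence DSS
    for m in messages:
        t = template_of(m, root, ws)
        dss.append(numbers.setdefault(t, len(numbers) + 1))
    return root, ws, list(numbers), dss

if __name__ == "__main__":
    _, _, templates, dss = extract(DS, delta=2)
    for number, t in enumerate(templates, start=1):
        print(number, t)
    print("DSS:", dss)
```

A parameter value that recurs at least delta times in the training set survives pruning and ends up as fixed text in a template, so delta has to be chosen against the size of the normal-operation corpus.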
In the step (2), the detailed steps of log template abnormality detection are as follows:
(2-1) Building a log template prediction model: train a log template prediction model on the log template number sequence $DSS$, with the following specific steps:
(2-1-1) pretrain a word2vec model on $DSS$ to obtain the vector representation $e_k$ corresponding to each log template number $I_k$; $DSS$ can then be converted into a sequence of log template number characterization vectors $EDSS$, where $e_1, e_2, \ldots, e_N$ are the characterization vectors into which the log template numbers of the sequence $DSS$ are converted, and $N$ is the number of characterization vectors in $EDSS$;
(2-1-2) using a sliding window of size $w$ and step length 1, divide $EDSS$ into a number of small sequences $s_i$, where $e_{i1}, e_{i2}, \ldots, e_{iw}$ are the characterization vectors into which the log template numbers in the small sequence are converted, and $iw$ is the number of characterization vectors in the small sequence of $EDSS$. For each small sequence, construct a training sample $x_i = (s_i, l_i)$, where $l_i$ is the label of $x_i$, taken here to be the log template number at the moment following $s_i$, i.e. $l_i = I_{i(w+1)}$. The set of all training samples obtained is recorded as $XS$.
(2-1-3) train an LSTM model on $XS$ to obtain a prediction model. The input of the model is a short observed log template number sequence, and the output is the predicted log template number at the next moment.
(2-2) Real-time log template anomaly detection: detect abnormal log templates with the log template prediction model, with the following specific steps:
(2-2-1) assuming that the current moment is $k$, first obtain the log template sequence $s_{k-1}$ of the $w$ moments before the current moment, where $I_{k-w}, I_{k-w+1}, \ldots, I_{k-1}$ are the log template numbers corresponding to the log messages at the $w$ moments before the current moment; input $s_{k-1}$ into the prediction model trained in step (2-1) to obtain the predicted probability distribution $pl_k$ of the log template number at moment $k$;
(2-2-2) set a probability threshold $\theta$; if none of the log templates whose probability in $pl_k$ is greater than $\theta$ is the true log template $I_k$ of moment $k$, judge that a log template anomaly has currently occurred.
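The window construction of step (2-1-2) and the threshold rule of step (2-2-2), as an added sketch that is not the patent's implementation: the word2vec embedding and the LSTM are replaced by a plain frequency table over the last w template numbers, used only as a stand-in that returns a probability distribution. The sequences are constructed, and treating a never-seen window as anomalous is an assumption.

```python
from collections import Counter, defaultdict

# Constructed normal-operation sequence: a 6-step cycle seen 8 times and a
# 5-step variant seen twice, so the context (3, 5) has two legitimate successors.
NORMAL = [1, 3, 5, 5, 4, 2] * 8 + [1, 3, 5, 4, 2] * 2
# Constructed real-time stream containing one out-of-order template (index 4).
STREAM = [1, 3, 5, 5, 2, 1, 3, 5, 4, 2]

def make_samples(dss, w):
    # (2-1-2) window of size w, step 1; the label is the next template number
    return [(tuple(dss[i:i + w]), dss[i + w]) for i in range(len(dss) - w)]

class CountPredictor:
    """Stand-in for the LSTM: P(next number | last w numbers) from counts."""

    def __init__(self, samples):
        self.table = defaultdict(Counter)
        for window, label in samples:
            self.table[window][label] += 1

    def predict(self, window):
        counts = self.table.get(tuple(window))
        if not counts:
            # Never-seen context: no template reaches any threshold (assumed;
            # a neural model would still emit some distribution here).
            return {}
        total = sum(counts.values())
        return {t: c / total for t, c in counts.items()}

def is_template_anomaly(model, window, actual, theta):
    # (2-2-2) anomalous if the true template is not among those whose
    # predicted probability exceeds theta
    pl_k = model.predict(window)
    candidates = {t for t, p in pl_k.items() if p > theta}
    return actual not in candidates

def detect(model, stream, w, theta):
    # (2-2-1) slide over the stream; return the indices k that are flagged
    return [k for k in range(w, len(stream))
            if is_template_anomaly(model, stream[k - w:k], stream[k], theta)]

if __name__ == "__main__":
    model = CountPredictor(make_samples(NORMAL, 2))
    print("theta=0.10:", detect(model, STREAM, 2, 0.10))
    print("theta=0.25:", detect(model, STREAM, 2, 0.25))
```

Raising theta from 0.10 to 0.25 also flags index 8, a legitimate but less frequent successor, which is the false-positive cost of a tighter threshold.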
In step (3), the detailed steps of log parameter anomaly detection are as follows:
(3-1) Log parameter extraction: extract the log parameters of each log message from the log message set $DS = \{M_1, M_2, \ldots, M_N\}$, with the following specific steps:
(3-1-1) given a log template $P_i$ and a log message $M_j$ corresponding to it, the words of $M_j$ that cannot be matched against $P_i$ are the log parameters: the number of unmatched words is the number of log parameters of $P_i$, and the values of the unmatched words are the values of the log parameters of $P_i$ in $M_j$;
(3-1-2) for a log template $P_i$, find in $DS$ the set of all log messages corresponding to it, $DPS_i = \{M_{i1}, M_{i2}, \ldots, M_{im}\}$, and use the method of step (3-1-1) to obtain all log parameters of $P_i$ and the value range of each log parameter of $P_i$ over $DPS_i$;
(3-1-3) process all log templates according to step (3-1-2) to obtain all log parameters of each log template and their corresponding value ranges.
To illustrate the idea of step (3-1), a specific example is given. Taking fig. 3 as an example, one of the extracted log templates is $P_2$ = "Took * seconds to deallocate network", and one corresponding log message is $M_2$ = "Took 0.61 seconds to deallocate network"; the word "0.61", which cannot be matched, is then a log parameter. By looking up all log messages corresponding to $P_2$ in the whole log message set, together with their log parameters, the value range of the log parameter is obtained.
(3-2) Real-time log parameter anomaly detection: given a real-time log message $M_k$, the specific steps of log parameter anomaly detection are as follows:
(3-2-1) find the log template $P_k$ corresponding to $M_k$;
(3-2-2) obtain the values in $M_k$ of all log parameters of $P_k$;
(3-2-3) if the value of any of these log parameters exceeds by 20% the value range of $P_i$ computed in step (3-1), judge that a log parameter anomaly has currently occurred.
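Steps (3-1) and (3-2) as an added sketch, not code from the patent: parameters are the message words standing where the template has '*', per-parameter ranges are learned from normal messages, and a value is flagged when it leaves the range by more than a tolerance. The text does not say what the 20% is measured against; this sketch assumes 20% of the learned range width. Skipping non-numeric parameters, and flagging a non-numeric value where a numeric range was learned, are further assumptions, and the messages are constructed after the deallocate-network example above.

```python
import math

TEMPLATES = [
    "Took * seconds to deallocate network",
    "Receiving block * src: * dest: *",
]
# Constructed normal-operation messages.
NORMAL_MSGS = [
    "Took 0.45 seconds to deallocate network",
    "Took 0.61 seconds to deallocate network",
    "Took 0.80 seconds to deallocate network",
    "Receiving block blk_1 src: /10.0.0.1 dest: /10.0.0.2",
]

def match(template, message):
    # (3-1-1) the words that do not match the template are the parameters;
    # returns None when the message does not belong to this template
    t_words, m_words = template.split(), message.split()
    if len(t_words) != len(m_words):
        return None
    params = []
    for t, m in zip(t_words, m_words):
        if t == "*":
            params.append(m)
        elif t != m:
            return None
    return params

def to_number(word):
    # Finite numbers only; "nan" and "inf" would defeat range comparisons.
    try:
        value = float(word)
    except ValueError:
        return None
    return value if math.isfinite(value) else None

def learn_ranges(templates, messages):
    # (3-1-2)/(3-1-3) per template, one (min, max) per parameter position;
    # None marks a position that held a non-numeric value and is skipped
    ranges = {t: None for t in templates}
    for msg in messages:
        for t in templates:
            params = match(t, msg)
            if params is None:
                continue
            nums = [to_number(p) for p in params]
            if ranges[t] is None:
                ranges[t] = [None if n is None else (n, n) for n in nums]
            else:
                ranges[t] = [
                    None if c is None or n is None
                    else (min(c[0], n), max(c[1], n))
                    for c, n in zip(ranges[t], nums)
                ]
            break
    return ranges

def check(message, templates, ranges, tolerance=0.20):
    # (3-2-1)..(3-2-3) returns a list of (position, raw value, learned range),
    # or None when no template matches (a template-level question instead)
    for t in templates:
        params = match(t, message)
        if params is None:
            continue
        findings = []
        for pos, (word, rng) in enumerate(zip(params, ranges.get(t) or [])):
            if rng is None:
                continue
            lo, hi = rng
            margin = tolerance * (hi - lo)  # assumed meaning of "20%"
            value = to_number(word)
            if value is None or value < lo - margin or value > hi + margin:
                findings.append((pos, word, rng))
        return findings
    return None

if __name__ == "__main__":
    learned = learn_ranges(TEMPLATES, NORMAL_MSGS)
    for line in ("Took 0.85 seconds to deallocate network",
                 "Took 3.20 seconds to deallocate network"):
        print(line, "->", check(line, TEMPLATES, learned))
```

A parameter that took a single value during training has a zero-width range, so under this reading of the 20% rule any other value is flagged.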

Claims (3)

1. A system abnormality detection method based on program log data, characterized by comprising the following steps:
(1) Extracting a log template: extracting a log template from log information of the system;
(2) The log template abnormality detection specifically comprises:
(2-1) obtaining a log message sequence from the log message according to the extracted log template, converting the log message sequence into a log template number sequence, and training a log template number prediction model according to the log message collected in the normal operation process of the system;
building a log template prediction model: training a log template prediction model on the log template number sequence, wherein $I_1, I_2, \ldots, I_N$ are the log template numbers corresponding to the log messages $M_1, M_2, \ldots, M_N$, and $N$ is the number of templates in the template sequence $DSS$; the specific steps are as follows:
(2-1-1) pretraining a word2vec model on $DSS$ to obtain the vector representation $e_k$ corresponding to each log template number $I_k$, and converting $DSS$ into a sequence of log template number characterization vectors $EDSS$, wherein $e_1, e_2, \ldots, e_N$ are the characterization vectors into which the log template numbers of the sequence $DSS$ are converted, and $N$ is the number of characterization vectors in $EDSS$;
(2-1-2) using a sliding window of size $w$ and step length 1, dividing $EDSS$ into a number of small sequences, wherein $e_{i1}, e_{i2}, \ldots, e_{iw}$ are the characterization vectors into which the log template numbers in the small sequence are converted, and $iw$ is the number of characterization vectors in the small sequence of $EDSS$; constructing for each small sequence a training sample $x_i = (s_i, l_i)$, wherein $l_i$ is the label of $x_i$, taken to be the log template number at the moment following $s_i$, i.e. $l_i = I_{i(w+1)}$; the set of all training samples obtained is recorded as $XS$;
(2-1-3) training an LSTM model on $XS$ to obtain a log template prediction model, wherein the input of the model is an observed log template number sequence, and the output of the model is the predicted log template number at the next moment;
(2-2) predicting a log template corresponding to the next log message by adopting a trained log template number prediction model, and comparing a prediction result with an actual log template corresponding to the next log message to realize abnormality detection;
(3) The log parameter anomaly detection specifically comprises the following steps:
(3-1) extracting all log parameters and the value ranges thereof from a log message set acquired in the normal operation process of the system, wherein the method specifically comprises the following steps:
(3-1-1) given a log template $P_i$ and one of the log messages $M_j$ corresponding to it, the words of $M_j$ that cannot be matched against $P_i$ are the log parameters, wherein the number of unmatched words is the number of log parameters of $P_i$, and the values of the unmatched words are the values of the log parameters of $P_i$ in $M_j$;
(3-1-2) for a log template $P_i$, finding in the log message set $DS = \{M_1, M_2, \ldots, M_N\}$ the set of all log messages corresponding to $P_i$, $DPS_i = \{M_{i1}, M_{i2}, \ldots, M_{im}\}$, wherein $M_1, M_2, \ldots, M_N$ are the individual logs in the log message set $DS$, $N$ is the number of all logs in $DS$, $M_{i1}, M_{i2}, \ldots, M_{im}$ are the individual logs in the log message set $DPS_i$, and $im$ is the number of all logs in $DPS_i$; using the method of step (3-1-1) to obtain all log parameters of $P_i$ and the value range of each log parameter of $P_i$ over $DPS_i$;
(3-2) performing anomaly detection according to the difference between the real-time value of the log parameter and the normal value range, specifically comprising:
(3-2-1) given a log message $M_k$, finding the log template $P_k$ corresponding to $M_k$;
(3-2-2) obtaining the values in $M_k$ of all log parameters of $P_k$;
(3-2-3) if the value of a log parameter from step (3-2-2) exceeds the value range of $P_i$ computed in step (3-1-2), judging that a log parameter anomaly has occurred.
2. The method for detecting system anomalies based on program log data according to claim 1, wherein in step (2-1), the log template number prediction model is an LSTM model.
3. The system abnormality detection method based on program log data according to claim 1, wherein in step (3-2-3), if the value of a log parameter from step (3-2-2) exceeds by 20% the value range of that log parameter of $P_i$ computed in step (3-1-2), it is judged that a log parameter anomaly has currently occurred.
CN202211257729.8A 2022-10-14 2022-10-14 System abnormality detection method based on program log data Active CN115604003B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211257729.8A CN115604003B (en) 2022-10-14 2022-10-14 System abnormality detection method based on program log data

Publications (2)

Publication Number Publication Date
CN115604003A CN115604003A (en) 2023-01-13
CN115604003B true CN115604003B (en) 2024-04-05
