CN116010187A - Log detection method and related device - Google Patents


Info

Publication number
CN116010187A
Authority
CN
China
Prior art keywords
log
template
logs
sequence
tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111220744.0A
Other languages
Chinese (zh)
Inventor
付求爱
高姗
伍耀梁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Huawei Cloud Computing Technologies Co Ltd
Priority to CN202111220744.0A
Publication of CN116010187A

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application provides a log detection method comprising: obtaining a log data set generated by system operation; constructing a log template tree according to the word frequencies of words in a plurality of logs of the log data set; for each log, determining a template matched with the log according to the similarity between the words in the log and the words in at least one template of the log template tree; and then performing anomaly detection on the log data set based on a template sequence formed by the templates matched with each of the plurality of logs. The method retains word-frequency features while avoiding sensitivity to word frequency, which improves the accuracy of template extraction and, in turn, the accuracy of anomaly detection based on the extracted templates.

Description

Log detection method and related device
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a log detection method and apparatus, a computer cluster, a computer readable storage medium, and a computer program product.
Background
With the continued development of computer technology, systems with various functions have been produced. Such systems include operating systems and the various application systems running on top of them. An application system can be, for example, a production management system, a material management system, an attendance management system, or a salary management system. A system can generate massive logs when running. A log, i.e., a log file, is text data consisting of a timestamp and a text message. Since logs reflect the operational state of the system, they can be used for system operation and maintenance.
A log is unstructured text data that typically includes a template and parameters. The template generally refers to the character strings that remain unchanged in the log, and a parameter generally refers to a variable value in the log. Taking the log '2019-11-09 20:55:54 Received block blk_321 of size 67108864 from /10.251.198.04' as an example, 2019-11-09 20:55:54, blk_321, 67108864, 10.251.198.04 and the like are parameters in the log, and the template of the log is obtained by replacing these parameters with wildcards.
To implement log-based intelligent operations (Artificial Intelligence for IT Operations, AIOps), templates may typically be extracted from the log to convert unstructured text data to structured text data, and then anomaly detection is implemented by analyzing the structured text data. The related art generally determines word frequencies of words in the logs, then reorders the words in each log according to word frequency, and constructs a frequency template tree based on the reordered words in the logs. Each path in the frequency template tree represents a template.
However, if a log is repeatedly printed in a real business scene, the occurrence frequency of parameters in the log is greatly increased, so that the parameters in the log can be mistakenly identified as templates, the accuracy of template extraction is reduced, and the accuracy of anomaly detection is further affected.
Disclosure of Invention
The present application provides a log detection method that combines the word frequency of words in the log with the similarity of words to perform template extraction, so that word-frequency features are retained while sensitivity to word frequency is avoided, the accuracy of template extraction is improved, and the accuracy of anomaly detection based on the extracted templates is improved. The application also provides a device, a computer cluster, a computer readable storage medium and a computer program product corresponding to the method.
In a first aspect, the present application provides a log detection method. The method may be performed by a log detection device. In some embodiments, the log detection device may be a software device. The software means may be deployed in a computer cluster executing the log detection method by running the program code of the software means. In other embodiments, the log detection device may also be a hardware device for log detection. The embodiment of the application uses the log detection device as a software device for illustration.
Specifically, an operating system, or an application system running on the operating system, can generate massive logs when it runs. The log detection device obtains a log data set generated by the running system, where the log data set comprises a plurality of logs. The log detection device then constructs a log template tree according to the word frequencies of words in the plurality of logs, where the log template tree comprises at least one template. For each log in the plurality of logs, the log detection device determines a template matched with the log according to the similarity between the words in the log and the words in the at least one template, and performs anomaly detection on the log data set based on a template sequence formed by the templates matched with each of the plurality of logs.
The method creates the log template tree based on the word frequency of the words included in the log data set, and combines the similarity of the words in the log and the words in the log template tree to perform template matching, so that the problem that the template extraction accuracy is reduced due to the fact that the template extraction method based on the frequency template tree is sensitive to the word frequency is solved, and the long tail effect is effectively solved. In addition, by keeping features such as word frequency and the like, the method solves the problem that the real situation cannot be restored due to the fact that the influence of the word frequency is ignored in the online log analysis method based on the depth tree, and improves the accuracy of template extraction.
In some possible implementations, the log detection device may obtain the similarity between the log and the target template according to the similarity between the word in the log and the word in the target template. Wherein the target template is a template in the log template tree. The log detection device can calculate the arithmetic average value of the similarity between the words in the log and the words in the target template, and obtain the similarity between the log and the target template. When the similarity between the log and the target template is greater than a preset threshold, the log detection device can determine the target template as a template matched with the log. When the similarity between the log and the target template is not greater than a preset threshold, for example, when the similarity between the log and each template of the log template tree is not greater than a preset threshold, the log detection device may update the log template tree and determine a newly added template in the log template tree as a template matched with the log.
In this method, the log template tree is constructed based on word frequency and template matching is then performed using the similarity of words. This avoids the situation in which sensitivity to word frequency causes parameters to be mistakenly identified as templates, improves the accuracy of template extraction, and further improves the accuracy of anomaly detection based on the templates.
In some possible implementations, the template sequence includes n templates, the n being greater than 1. The log detection device can input a subsequence formed by the first n-1 templates in the template sequence into a behavior anomaly detection model to predict the conditional probability of the nth template. And when the conditional probability is smaller than a preset value, determining that the system is abnormal in behavior.
Wherein, the abnormal behavior means that the system behavior is not in accordance with the specification. For example, some of the template-corresponding events typically occur in pairs, and the system only performs one of the events. For another example, the system repeatedly executes events corresponding to some templates for a set number of times over a period of time.
Because the template sequence extracted by the method has higher accuracy, the behavior anomaly detection model learns the pattern of the template sequence from a more accurate template sequence and compares it with the pattern of normal system operation to determine whether the system behavior is abnormal, which improves the accuracy of behavior anomaly detection.
In some possible implementations, there may be multiple possibilities for the nth template, and the system still behaves normally. For example, when one component communicates with another component, the nth template may be "Waiting for to response" or "connected to" when the system is functioning properly. Based on this, the log detection device may predict the conditional probabilities corresponding to the various values of the nth template, and then sort the various values of the nth template according to the conditional probabilities. When the true value of the nth template is in the value set which is ranked at the front, for example, top m (m is a positive integer greater than 1), the system is determined to be normal, otherwise, the system is determined to be abnormal.
Therefore, when the nth template has multiple possibilities, the probability that the system is mistakenly identified as the abnormal behavior is reduced, and the accuracy of abnormal behavior detection is improved.
In some possible implementations, the log detection device may further obtain a time difference sequence according to the log data set, where the time difference sequence includes time differences of adjacent logs in the plurality of logs, and then input the time difference sequence into a state anomaly detection model, where the state anomaly detection model is a time sequence analysis model based on attention. The confidence interval of the nth time difference can be predicted by the state anomaly detection model. The log detection means may determine that the system state is abnormal when the true value of the nth time difference exceeds the confidence interval. The abnormal state means that the running state of the system is not consistent with the set state. For example, the status exception may be that the system is in a state of stopping providing services, or the like.
According to the method, on the basis of extracting the template sequence to perform system behavior anomaly detection, the time difference sequence is also extracted to perform system state anomaly detection, so that more anomaly scenes can be covered, the anomaly detection rate, particularly the state anomaly detection rate, is improved, and the normal operation of the service is ensured.
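The decision rules described above (probability threshold, top-m ranking, and confidence interval on the time difference) can be exercised with simple stand-in predictors. The following is an added example, not code from the patent: a count-based estimator replaces the behavior anomaly detection model and a mean ± k·σ interval replaces the attention-based time series model; all names, the template ids and the sample data are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

# Constructed template-id sequence of a healthy system. Ids 1 and 2 stand for the
# page's "Waiting for to response" and "connected to"; ids 0 and 3 are made up.
NORMAL_SEQUENCE = [0, 1, 2, 3, 0, 2, 3] * 4
# Constructed log timestamps in seconds (roughly one log every 10 s).
TIMESTAMPS = [0, 10, 20, 31, 40, 50, 61, 70, 80]


class NextTemplateModel:
    """Count-based estimate of P(n-th template | previous `history` templates).

    Assumption: this stands in for the trained sequence model of the text.
    """

    def __init__(self, history=2):
        self.history = history
        self.counts = defaultdict(Counter)

    def fit(self, sequence):
        h = self.history
        for i in range(h, len(sequence)):
            self.counts[tuple(sequence[i - h:i])][sequence[i]] += 1
        return self

    def conditional_probabilities(self, prefix):
        seen = self.counts.get(tuple(prefix[-self.history:]), Counter())
        total = sum(seen.values())
        return {t: c / total for t, c in seen.items()} if total else {}


def behaviour_abnormal(model, sequence, min_prob=0.5, top_m=None):
    """Judge the last template of `sequence` from the n-1 templates before it."""
    probs = model.conditional_probabilities(sequence[:-1])
    actual = sequence[-1]
    if top_m is not None:
        # Top-m rule: normal if the true value is among the m likeliest values.
        ranked = sorted(probs, key=probs.get, reverse=True)
        return actual not in ranked[:top_m]
    # Threshold rule: abnormal if the conditional probability is below min_prob.
    return probs.get(actual, 0.0) < min_prob


def time_differences(timestamps):
    """Time differences of adjacent logs."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def confidence_interval(diffs, k=3.0):
    """Assumed stand-in predictor: mean +/- k sample standard deviations."""
    centre, spread = mean(diffs), stdev(diffs)
    return centre - k * spread, centre + k * spread


def state_abnormal(timestamps, k=3.0):
    """Abnormal if the n-th time difference leaves the predicted interval."""
    diffs = time_differences(timestamps)
    if len(diffs) < 3:          # not enough history to estimate a spread
        return False
    low, high = confidence_interval(diffs[:-1], k)
    return not (low <= diffs[-1] <= high)


if __name__ == "__main__":
    model = NextTemplateModel(history=2).fit(NORMAL_SEQUENCE)
    print(model.conditional_probabilities([2, 3, 0]))
    print(behaviour_abnormal(model, [2, 3, 0, 1], min_prob=0.5))  # threshold rule
    print(behaviour_abnormal(model, [2, 3, 0, 1], top_m=2))       # top-m rule
    print(state_abnormal(TIMESTAMPS + [200]))
```

On this data the threshold rule flags a legitimate branch of the sequence while the top-m rule accepts it, which is the false-positive reduction the text attributes to ranking.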
In some possible implementations, the behavioral anomaly detection model and/or the state anomaly detection model may be obtained through training. The following takes model training by the log detection device as an example. Specifically, the log detection device may obtain a sample sequence, where the sample sequence is a template sequence obtained by performing template matching on a sample log. The log detection device may then slide a window over the sample sequence according to a preset window length and a preset step length to obtain frequency features and time difference features of the templates in each window. Next, the log detection device may construct a first training sample according to the frequency features and a second training sample according to the time difference features, obtain the behavioral abnormality detection model through training on the first training sample, and obtain the state abnormality detection model through training on the second training sample.
The log detection device can input the first training samples in batches into a long short-term memory (LSTM) model, determine a loss value according to the output of the LSTM model and the label values of the first training samples, and then update the weights of the LSTM model according to the loss value. When the loss value tends to converge or is smaller than a preset value, the log detection device can stop updating the weights of the LSTM model, and the trained LSTM model is used as the behavior abnormality detection model to detect behavior abnormalities of the system.
Similarly, the log detection device inputs the second training sample into an attention-based time series analysis model, for example, a recurrent neural network model, then determines a loss value from the output of the time series analysis model and the label of the second training sample, and updates the parameters of the time series analysis model based on the loss value. When the loss value of the time series analysis model satisfies a condition, for example, the loss value converges or is smaller than a preset value, the log detection device may stop training and determine the trained model as the state anomaly detection model.
In the method, the log detection device trains the behavior abnormality detection model or the state abnormality detection model based on a training sample, and learns the rule of the template sequence or the rule of the time difference sequence in the log through the behavior abnormality detection model or the state abnormality detection model, thereby realizing the behavior abnormality detection or the state abnormality detection. In addition, the behavior abnormality detection model and the state abnormality detection model support incremental learning, and relearning is not needed, so that the efficiency and the degree of freedom of model updating are improved.
In some possible implementations, the behavioral anomaly detection model or the state anomaly detection model may also be interactive unsupervised models. Specifically, the log detection device can receive feedback of the prediction result of the model from the user, and rapidly adjust model parameters by using algorithms such as active learning, continuous learning and the like to output a more accurate detection result. The model can also support a lightweight deployment mode, such as deployment in lightweight devices such as wearable devices, thereby meeting the requirements of different services.
In some possible implementations, the log detection device may construct a log template tree according to the length of each log in the plurality of logs and the logs obtained by sorting each log in the plurality of logs in the word frequency descending order. For example, the log detection means may create a root node, then create child nodes of the log template tree according to the length of each log, and construct child nodes of the log template tree, for example leaf nodes, based on the logs obtained by sorting each log of the plurality of logs in the word frequency descending order, respectively, thereby obtaining the log template tree.
According to the method, by adding the child nodes representing the length of the log, the log with the same length can be compared with the template, so that unnecessary matching operation is reduced, the calculated amount is reduced, and the template matching efficiency is improved. In addition, the method adopts a tree structure to construct a log template tree, so that the model learning and matching efficiency is higher, and the real-time online abnormality detection of the log can be realized. Moreover, the user can also adjust the depth of the log template tree so as to control the granularity of template extraction, and thus the effect expected by the user can be achieved.
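The matching rule (arithmetic mean of word similarities against a preset threshold, with a new template added on a miss) and the length-keyed tree described above can be tried on a log that is printed repeatedly. The following is an added example, not the patent's implementation; it assumes a per-word similarity of 1.0 for equal words and 0.0 otherwise, a tree reduced to root, log length and the single highest-frequency word, and constructed sample logs.

```python
from collections import Counter, defaultdict

WILDCARD = "<*>"

# Constructed sample: one log printed six times (a retransmission loop), plus
# other instances of the same two events with different parameters.
REPEATED = "Received block blk_321 of size 67108864 from /10.251.198.04"
LOGS = [REPEATED] * 6 + [
    "Received block blk_7 of size 1024 from /10.0.0.5",
    "Received block blk_9 of size 2048 from /10.0.0.6",
    "Deleting block blk_321 file /data/blk_321",
    "Deleting block blk_7 file /data/blk_7",
]


def word_frequencies(logs):
    """Word frequency over the whole log data set."""
    return Counter(word for log in logs for word in log.split())


def frequency_only_template(log, freq, min_count):
    """Simplified frequency-only extraction: any frequent word is template text."""
    return " ".join(w if freq[w] >= min_count else WILDCARD for w in log.split())


class TemplateTree:
    """root -> log length -> highest-frequency word -> leaf (template ids)."""

    def __init__(self, freq, threshold=0.5):
        self.freq = freq
        self.threshold = threshold          # the "preset threshold"
        self.templates = []                 # template id -> list of words
        self.root = defaultdict(lambda: defaultdict(list))

    def _route_word(self, words):
        # Highest word frequency wins; ties go to the earliest word in the log.
        return max(enumerate(words), key=lambda p: (self.freq[p[1]], -p[0]))[1]

    def similarity(self, words, template_id):
        """Arithmetic mean of per-word similarity (assumed: 1.0 if equal, else 0.0)."""
        template = self.templates[template_id]
        return sum(w == t for w, t in zip(words, template)) / len(words)

    def match(self, log):
        """Return the id of the template matched with the log, or None if empty."""
        words = log.split()
        if not words:
            return None
        # Only templates of the same length (and route word) are compared.
        leaf = self.root[len(words)][self._route_word(words)]
        best = max(leaf, key=lambda tid: self.similarity(words, tid), default=None)
        if best is not None and self.similarity(words, best) > self.threshold:
            template = self.templates[best]
            for i, word in enumerate(words):
                if template[i] != word:     # a differing position is a parameter
                    template[i] = WILDCARD
            return best
        # No template is similar enough: update the tree with a new template.
        self.templates.append(list(words))
        leaf.append(len(self.templates) - 1)
        return leaf[-1]

    def text(self, template_id):
        return " ".join(self.templates[template_id])


def extract_template_sequence(logs, threshold=0.5):
    """Build the tree from the data set and return it with the template sequence."""
    tree = TemplateTree(word_frequencies(logs), threshold)
    return tree, [tree.match(log) for log in logs]


if __name__ == "__main__":
    freq = word_frequencies(LOGS)
    print(frequency_only_template(REPEATED, freq, min_count=5))
    tree, sequence = extract_template_sequence(LOGS)
    print(sequence, [tree.text(t) for t in sorted(set(sequence))])
```

The frequency-only function keeps the repeated parameters as template text, while the similarity match folds all "Received block" logs into one template regardless of how often one of them was printed.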
In some possible implementations, the log detection device may further send an abnormality prompt to the user when detecting a system abnormality. For example, the prompt may be a text message or a voice message sent to the user, or it may be given by the vibration of a buzzer or by a light of a specific color. The user can then take corresponding action according to the abnormality prompt, which prevents the scope of impact from growing.
In a second aspect, an embodiment of the present application provides a log detection apparatus. The device comprises:
the communication module is used for acquiring a log data set generated by system operation, wherein the log data set comprises a plurality of logs;
the construction module is used for constructing a log template tree according to word frequencies of words in the logs, wherein the log template tree comprises at least one template;
the matching module is used for determining a template matched with each log in the plurality of logs according to the similarity of the words in the log and the words in the at least one template;
and the detection module is used for detecting the abnormality of the log data set based on a template sequence formed by templates matched with each log in the plurality of logs.
In some possible implementations, the matching module is specifically configured to:
obtaining the similarity of the log and the target template according to the similarity of the word in the log and the word in the target template, wherein the target template is the template in the log template tree;
when the similarity between the log and the target template is greater than a preset threshold, determining the target template as a template matched with the log;
and when the similarity between the log and the target template is not greater than a preset threshold, updating the log template tree, and determining a newly added template in the log template tree as a template matched with the log.
In some possible implementations, the template sequence includes n templates, where n is greater than 1, and the detection module is specifically configured to:
inputting a subsequence formed by the first n-1 templates in the template sequence into a behavior anomaly detection model, and predicting the conditional probability of the nth template;
and when the conditional probability is smaller than a preset value, determining that the system is abnormal in behavior.
In some possible implementations, the detection module is further configured to:
acquiring a time difference sequence according to the log data set, wherein the time difference sequence comprises the time differences of adjacent logs in the plurality of logs;
Inputting the time difference sequence into a state anomaly detection model, and predicting a confidence interval of an nth time difference, wherein the state anomaly detection model is a time sequence analysis model based on attention;
and determining that the system state is abnormal when the true value of the nth time difference exceeds the confidence interval.
In some possible implementations, the communication module is further configured to:
obtaining a sample sequence, wherein the sample sequence is a template sequence obtained by performing template matching on a sample log;
the apparatus further comprises:
the sample generation module is used for carrying out window sliding on the sample sequence according to a preset window length and a preset step length, obtaining frequency characteristics and time difference characteristics of templates in each window, constructing a first training sample according to the frequency characteristics, and constructing a second training sample according to the time difference characteristics;
the training module is used for obtaining the behavior abnormality detection model through training of the first training sample and obtaining the state abnormality detection model through training of the second training sample.
In some possible implementations, the building module is specifically configured to:
and constructing a log template tree according to the length of each log in the plurality of logs and the logs obtained by sequencing each log in the plurality of logs according to the word frequency descending order.
In some possible implementations, the communication module is further configured to:
and when the system abnormality is detected, an abnormality prompt is sent to a user.
In a third aspect, the present application provides a computer cluster comprising at least one computer. The at least one computer includes at least one processor and at least one memory. The at least one processor and the at least one memory are in communication with each other. The at least one processor is configured to execute instructions stored in the at least one memory to cause the computer cluster to perform the log detection method as in the first aspect or any implementation of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium having stored therein instructions for instructing a computer cluster to execute the log detection method according to the first aspect or any implementation manner of the first aspect.
In a fifth aspect, the present application provides a computer program product comprising instructions which, when run on a computer cluster, cause the computer cluster to perform the log detection method of the first aspect or any implementation manner of the first aspect.
Further combinations of the present application may be made to provide further implementations based on the implementations provided in the above aspects.
Drawings
In order to more clearly illustrate the technical method of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below.
Fig. 1 is a system architecture diagram of a log detection method according to an embodiment of the present application;
Fig. 2 is a flowchart of a log detection method provided in an embodiment of the present application;
Fig. 3 is a schematic flow chart of constructing a log template tree and extracting a template sequence based on the log template tree according to an embodiment of the present application;
Fig. 4 is a schematic flow chart of abnormality detection based on a template sequence according to an embodiment of the present application;
Fig. 5 is a schematic flow chart of model training according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of a log detection device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a computer cluster according to an embodiment of the present application.
Detailed Description
The terms "first", "second" in the embodiments of the present application are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature.
Some technical terms related to the embodiments of the present application will be first described.
Intelligent operation and maintenance (artificial intelligence for IT operations, AIOps) refers to applying artificial intelligence (AI) to the operation and maintenance field: based on existing operation and maintenance data such as logs, AI is used to solve problems that are difficult for traditional operation and maintenance. For example, intelligent operation and maintenance can perform log detection by means of AI, thereby locating or predicting faults or potential faults in the system.
Log detection refers to analyzing a log to detect if the system (operating system or application running on top of the operating system) that generated the log is abnormal. Considering that the log is unstructured text data, it is generally required to convert the log into structured text data, for example, to extract a template from the log, and then process the structured text data such as the template through AI techniques such as deep learning, so as to implement log detection.
The related art proposes a template extraction method based on a frequency template tree (frequent template tree, FT Tree), which rests on the assumption that the higher the occurrence frequency of a word in a log, the higher the probability that the word is a constituent part of the template of the log. Specifically, for each log $M_i$ ($i$ from 1 to $n$, $n$ being a positive integer) in the log data set $dm = (M_1, M_2, \ldots, M_n)$, the word frequency of each word is counted, and the words are arranged in descending order of word frequency to obtain a list. For each log $M_i$ in the log data set, the order of the words in $M_i$ is adjusted according to the list to obtain the adjusted log data set. Next, a frequency template tree is constructed based on the adjusted log data set, and each path in the frequency template tree may represent a template. In this way, the templates of the logs in the log data set can be extracted, and log detection may be achieved based on the extracted templates.
However, the above method is too sensitive to the word frequency of the word. For example, when an abnormality occurs in data transmission, the transmitting port does not receive a response from the receiving port, and data is repeatedly transmitted, which may result in repeated printing of a certain log. The frequency of occurrence of parameters in the log will be greatly increased. The parameters in the log are mistakenly identified as templates with higher probability, so that the accuracy of template extraction is reduced, and the accuracy of anomaly detection is further affected.
In view of this, the embodiment of the application provides a log detection method. The method may be performed by a log detection device. In some embodiments, the log detection device may be a software device. The software means may be deployed in a computer cluster executing the log detection method by running the program code of the software means. In other embodiments, the log detection device may also be a hardware device for log detection. The embodiment of the application uses the log detection device as a software device for illustration.
Specifically, an operating system, or an application system running on the operating system, can generate massive logs when it runs. The log detection device obtains a log data set generated by the running system, where the log data set comprises a plurality of logs. The log detection device then constructs a log template tree according to the word frequencies of words in the plurality of logs, where the log template tree comprises at least one template. For each log in the plurality of logs, the log detection device determines a template matched with the log according to the similarity between the words in the log and the words in the at least one template, and performs anomaly detection on the log data set based on a template sequence formed by the templates matched with each of the plurality of logs.
The method creates the log template tree based on the word frequency of the words included in the log data set, and performs template matching using the similarity between the words in the log and the words in the log template tree. This solves the problem that template extraction accuracy is reduced because the FT Tree-based template extraction method is sensitive to word frequency, and effectively addresses the long tail effect. In addition, by retaining features such as word frequency, the method solves the problem that the online log parsing method based on a depth tree (depth tree based online log parsing, Drain) cannot restore the real situation because it ignores the influence of word frequency, and improves the accuracy of template extraction.
The log detection method can be applied to various scenes. For example, the log detection method can be applied to cloud services, complex network systems and other operation and maintenance scenes. Taking the resource scheduling scenario in the cloud service scenario as an example, a test integration control center (test integrated control center, TICC) may also be referred to as a resource scheduling system, where the test integration control center relates to services of multiple modules such as a user relationship management (User Relationship Management, URM) module, a test execution (test execution) module, a task scheduling module (task scheduling), and an engine (engine). When a user submits a task, the user can trigger a plurality of business logics such as task issuing, use case partitioning, application files and execution machines, use case block issuing execution, structure reporting and the like. Due to the large number, frequent interactions, large concurrency, and long processing links, it is often difficult for business personnel to find performance bottlenecks and anomalies. According to the log detection method, the templates can be extracted based on word frequency and similarity of words, and abnormality detection is carried out based on a template sequence formed by the templates matched with each log, so that system abnormality is perceived in advance.
In order to make the technical solution of the present application clearer and easier to understand, the system architecture of the log detection method of the embodiments of the present application is described below with reference to the accompanying drawings.
Referring to the system architecture diagram of the log detection method shown in fig. 1, an application system (not shown in fig. 1) is deployed in a distributed manner in an edge computing cluster, where the edge computing cluster includes at least one computer, such as the edge server 10 shown in fig. 1. The log detection device (not shown in fig. 1) is deployed in a central computing cluster comprising at least one computer, such as the central server 20 shown in fig. 1. The edge servers 10 distributed in different areas are each connected to the central server 20. The central server 20 is also connected to a terminal 30. The terminal 30 includes, but is not limited to, a user device such as a desktop computer, a notebook computer or a smart phone. Fig. 1 illustrates the terminal 30 as a desktop computer.
Specifically, the central server 20 acquires, from each edge server 10, a log data set generated by the operation of the application system, where the log data set includes a plurality of logs. The central server 20 then constructs a log template tree including at least one template according to the word frequencies of the words in the plurality of logs. For each of the plurality of logs, the central server 20 determines a template matching the log according to the similarity of the words in the log to the words in the at least one template, and performs abnormality detection on the log data set based on a template sequence formed by the templates matching each of the plurality of logs. Further, when the central server 20 detects an abnormality of the application system, an abnormality prompt may also be sent to the terminal 30 to prompt the user that the application system has an abnormality, for example, that the application system has failed or that there is a potential failure (will fail).
FIG. 1 is a schematic illustration of detection of logs generated by an application system, and in other possible implementations of embodiments of the present application, logs generated by an operating system may be detected to sense a failure or potential failure of the operating system.
It should be noted that the log detection device may be deployed in other environments, for example, in an edge computing cluster, or in a terminal. The log detection apparatus includes a plurality of modules, and in some embodiments, the plurality of modules of the log detection apparatus may be distributed and deployed in different devices in the same environment or in different environments.
Next, the log detection method provided in the embodiment of the present application will be described in detail from the perspective of the center server 20.
Referring to a flowchart of a log detection method shown in fig. 2, the method includes:
S202: the central server 20 obtains a log data set generated by the operation of the system.
A log data set refers to a collection of logs, typically comprising a plurality of logs. A log is unstructured text data and typically includes a template formed by constant strings and parameters formed by variable values. The template generally corresponds to an event (event), such as changing the port state to an on state or changing the port state to an off state.
The log is typically generated by the operating system or by the software system running on top of the operating system. Based on this, the central server 20 may obtain a log from at least one computer deploying an operating system or software system, such as at least one edge server 10, to obtain a log dataset.
S204: the central server 20 builds a log template tree from the word frequencies of the words in the plurality of logs.
The log template tree includes at least one template. In particular, the log template tree includes at least one path, each path being usable to represent one template. The central server 20 may construct a log template tree from the word frequencies of words (also called tokens) in the plurality of logs.
Specifically, referring to the flow diagram of constructing a log template tree and extracting a template sequence based on the log template tree shown in fig. 3, the central server 20 may preprocess the logs in the obtained log data set $ld = \{l_1, l_2, \ldots, l_n\}$, for example by setting regular expressions according to prior knowledge and preprocessing the logs $l_1, l_2, \ldots, l_n$ based on those regular expressions, to obtain a preprocessed log data set pd. The preprocessing may convert the values in the logs into wildcards.
The central server 20 then determines, from the preprocessed log data set pd, the word frequencies of the words in the logs of the log data set; for example, the word frequency of a word may be obtained as the ratio of the number of occurrences of the word to the total number of words. The words are then arranged in descending order of word frequency to obtain a list. The central server 20 builds a log template tree based on the list.
Wherein the central server 20 may create a root node of the log template tree T and mark the root node as a log type and then create child nodes of the template tree according to log length. For logs of the same length, it may not be necessary to additionally create new child nodes. The central server 20 then creates child nodes of the log template tree T based on the list, e.g. the central server 20 creates child nodes of the log template tree T in a preamble (top-ordered words in the log) based on the list, resulting in a log template tree T.
The above is an implementation manner in which the central server 20 constructs a log template tree according to the length of each log in the plurality of logs and the logs obtained by sorting each log in the plurality of logs according to the word frequency descending order, and in other possible implementations of the embodiment of the present application, the log template tree may not include a child node characterizing the log length, and the central server 20 may construct the log template tree directly according to the reordered logs.
S206: for each of the plurality of logs, the central server 20 determines a template matching the log based on the similarity of the words in the log to the words in the at least one template.
Specifically, the central server 20 may determine the similarity of the log to at least one template of the log template tree T according to the similarity of the word in the log to the word in at least one template of the log template tree T, and then determine the template matching the log according to the similarity. Based on templates matching each log in the log dataset, a sequence of templates may be obtained.
Wherein the central server 20 may sum the similarity of the words in the log and the words in the template and then determine the arithmetic mean of the similarity of the words as the similarity of the log and the template, see the following formula:
Figure BDA0003312496290000081
Figure BDA0003312496290000091
where simLog represents the similarity of the log and the template, and $equ(log_1(i), log_2(i))$ represents the similarity of the i-th word $log_1(i)$ in the log and the i-th word $log_2(i)$ in the template. n is the number of words included in the log, and i can be any integer from 1 to n.
The central server 20 compares the similarity of the log to the template with a preset threshold. When the similarity of the log and the target template (the template in the log template tree) is greater than a preset threshold, the target template is determined as the template matching the log. And when the similarity between the log and the target template is not greater than a preset threshold, updating the log template tree, and determining the newly added template in the log template tree as the template matched with the log.
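Steps S204 and S206 can be sketched as follows. This is an added example, not code from the patent or its applicant. It assumes three value regexes as the "prior knowledge", a hypothetical `depth` parameter for how many top-frequency words form a path, an exact-match word similarity (1 if the words are equal, otherwise 0) because the formula images are not reproduced on this page, and alphabetical tie-breaking between equally frequent words. The sample log lines are constructed.

```python
import re
from collections import Counter

WILDCARD = "<*>"
# Assumed "prior knowledge" regexes: whole tokens that are values, not template words.
VALUE_PATTERNS = [
    re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$"),  # IPv4 address, optional port
    re.compile(r"^0x[0-9a-fA-F]+$"),                # hex literal
    re.compile(r"^\d+$"),                           # plain number
]

def preprocess(line):
    """Tokenize a raw log line and convert value tokens into wildcards."""
    return [WILDCARD if any(p.match(t) for p in VALUE_PATTERNS) else t
            for t in line.split()]

def sim_log(log_tokens, template_tokens):
    """Arithmetic mean of per-position word similarity (assumed: 1 if equal, else 0)."""
    n = len(log_tokens)
    if n == 0 or n != len(template_tokens):
        return 0.0
    return sum(a == b for a, b in zip(log_tokens, template_tokens)) / n

class TemplateTree:
    """root -> log length -> `depth` most frequent words of the log -> templates."""

    def __init__(self, raw_logs, depth=2, threshold=0.5):
        self.depth, self.threshold = depth, threshold
        dataset = [preprocess(line) for line in raw_logs]
        counts = Counter(tok for toks in dataset for tok in toks)
        total = sum(counts.values())
        # Word frequency = occurrences of the word / total number of words.
        self.freq = {w: c / total for w, c in counts.items()}
        self.root = {}
        self.templates = []          # template id -> token list
        self.sequence = [self.match(toks) for toks in dataset]

    def _leaf(self, tokens):
        # Reorder the log's words by descending frequency; the top `depth`
        # words select the path, so rare parameter words never affect it.
        ranked = sorted(set(tokens) - {WILDCARD},
                        key=lambda w: (-self.freq.get(w, 0.0), w))
        node = self.root
        for key in [len(tokens)] + ranked[:self.depth]:
            node = node.setdefault(key, {})
        return node.setdefault(None, [])   # None keys the template ids at a leaf

    def match(self, tokens):
        """Return the id of the matching template, adding a new one if needed."""
        leaf = self._leaf(tokens)
        best_id, best_sim = None, 0.0
        for tid in leaf:
            s = sim_log(tokens, self.templates[tid])
            if s > best_sim:
                best_id, best_sim = tid, s
        if best_id is not None and best_sim > self.threshold:
            return best_id
        # Similarity not greater than the threshold: update the tree.
        self.templates.append(list(tokens))
        leaf.append(len(self.templates) - 1)
        return len(self.templates) - 1

# Constructed sample logs, for illustration only.
SAMPLE_LOGS = [
    "Connected to 10.0.0.5:8080 from worker alpha",
    "Task 1001 dispatched to engine e1",
    "Connected to 10.0.0.9:8080 from worker beta",
    "Waiting for response from 10.0.0.5:8080",
    "Task 1002 dispatched to engine e2",
    "Waiting for response from 10.0.0.9:8080",
]

if __name__ == "__main__":
    tree = TemplateTree(SAMPLE_LOGS)
    print("template sequence:", tree.sequence)
    for tid, tpl in enumerate(tree.templates):
        print(tid, " ".join(tpl))
```

A log that lands in an existing leaf but shares no positions with its templates (for example a line whose two most frequent words are also `from` and `to`) is stored as a new template, which is the tree update branch of S206.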
S208: the central server 20 performs anomaly detection on the log dataset based on a template sequence formed by templates matching each of the plurality of logs.
The template sequence comprises n templates, where n is an integer greater than 1. Based on this, the template sequence can be expressed as $id = \{i_1, i_2, \ldots, i_n\}$. Referring to the flowchart of abnormality detection based on the template sequence shown in fig. 4, the central server 20 may input the subsequence $id = \{i_1, i_2, \ldots, i_{n-1}\}$ formed by the first n-1 templates in the template sequence into the behavior anomaly detection model, and predict the conditional probability $p(i_n \mid i_1, i_2, \ldots, i_{n-1})$ of the nth template. When the conditional probability $p(i_n \mid i_1, i_2, \ldots, i_{n-1})$ is greater than or equal to a preset value, the central server 20 may determine that no behavioral abnormality has occurred in the system. When the conditional probability $p(i_n \mid i_1, i_2, \ldots, i_{n-1})$ is less than the preset value, the central server 20 may determine that the system is behaving abnormally. Abnormal behavior means that the system behavior does not conform to the specification. For example, the events corresponding to some templates typically occur in pairs, but the system performs only one of the events. For another example, the system repeatedly executes events corresponding to some templates for a set number of times over a period of time.
In some possible implementations, template $i_n$ may take many possible values while the system still behaves normally. For example, when one component communicates with another component, the system is normal when template $i_n$ is "Waiting for to response" or "connected to". Based on this, the central server can also predict the conditional probabilities corresponding to the various values of $i_n$, and then sort the values of $i_n$ according to the conditional probability. When $i_n$ ranks in the top m (m is a positive integer greater than 1), the system is determined to be normal; otherwise the system is determined to be abnormal.
Further, as shown in fig. 4, the central server 20 may also obtain a time difference sequence according to the log data set, for example according to the timestamp of each log in the log data set. The time difference sequence includes the time differences of adjacent logs among the plurality of logs of the log data set, and may be expressed as $\{t_1, t_2, \ldots, t_{n-1}\}$, where $t_1$ represents the time difference between logs $l_1$ and $l_2$, $t_2$ represents the time difference between logs $l_2$ and $l_3$, and $t_{n-1}$ represents the time difference between logs $l_{n-1}$ and $l_n$.
The central server 20 inputs the time difference sequence into a state anomaly detection model and predicts a confidence interval of the nth time difference $t_n$. The state anomaly detection model is a time sequence analysis model based on attention (attention). When the true value of the nth time difference $t_n$ exceeds the confidence interval, the central server 20 determines that the system state is abnormal. When the true value of the nth time difference $t_n$ does not exceed the confidence interval, the central server 20 may determine that the system state is normal. An abnormal state means that the running state of the system is not consistent with the set state. For example, the state abnormality may be a performance bottleneck of the system, or the system being in a state of having stopped providing the service, or the like.
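The two decision rules of S208 can be exercised without the neural models. The following is an added example, not the patent's implementation: the LSTM is replaced by a counting estimate of the next-template probability over a fixed history length (`order`, an assumed parameter), and the attention-based model is replaced by a mean plus or minus z standard deviations interval. The training sequence and time differences are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

class NextTemplateModel:
    """Counting stand-in for the behavior model: p(i_n | last `order` templates)."""

    def __init__(self, order=2):
        self.order = order
        self.counts = defaultdict(Counter)

    def fit(self, sequence):
        for k in range(self.order, len(sequence)):
            context = tuple(sequence[k - self.order:k])
            self.counts[context][sequence[k]] += 1
        return self

    def conditional(self, history):
        """Map each candidate next template to its estimated probability."""
        seen = self.counts.get(tuple(history[-self.order:]), Counter())
        total = sum(seen.values())
        return {t: c / total for t, c in seen.items()} if total else {}

def behavior_anomalous(model, sequence, preset=0.5, top_m=None):
    """Judge the nth template from the first n-1 templates.

    With top_m=None the preset-value rule is used; otherwise the nth template
    must rank among the top m candidates. An unseen history is anomalous.
    """
    history, actual = sequence[:-1], sequence[-1]
    probs = model.conditional(history)
    if top_m is not None:
        ranked = sorted(probs, key=lambda t: (-probs[t], t))
        return actual not in ranked[:top_m]
    return probs.get(actual, 0.0) < preset

def time_differences(timestamps):
    """t_k = timestamp of log k+1 minus timestamp of log k."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def gap_interval(gaps, z=3.0):
    """Stand-in confidence interval for the next time difference."""
    if len(gaps) < 2:
        raise ValueError("need at least two time differences")
    mu, sigma = mean(gaps), stdev(gaps)
    return max(0.0, mu - z * sigma), mu + z * sigma

def state_anomalous(gaps, z=3.0):
    """Judge the last time difference against an interval from the earlier ones."""
    low, high = gap_interval(gaps[:-1], z)
    return not (low <= gaps[-1] <= high)

# Constructed data: templates 0 and 1 are followed by 2 in most runs and by 3
# in some runs; both continuations are normal behavior.
TRAIN_SEQUENCE = [0, 1, 2] * 15 + [0, 1, 3] * 5
NORMAL_GAPS = [1.0, 1.2, 0.9, 1.1, 1.0, 0.8, 1.2, 1.0]

if __name__ == "__main__":
    model = NextTemplateModel(order=2).fit(TRAIN_SEQUENCE)
    print(model.conditional([0, 1]))
    print(behavior_anomalous(model, [2, 0, 1, 3], preset=0.5))
    print(behavior_anomalous(model, [2, 0, 1, 3], top_m=2))
    print(state_anomalous(NORMAL_GAPS + [9.5]))
```

With a preset value of 0.5 the rarer but legitimate continuation (template 3) is flagged, while the top-m rule accepts it; this is the false-positive case the top-m variant exists to avoid.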
In some possible implementations, the central server 20 may also send the detection result to the terminal 30. Specifically, when the central server 20 detects a system abnormality, for example, a system behavior abnormality or a system state abnormality, an abnormality prompt may also be sent to the terminal 30. The anomaly prompt is used to prompt the user for the type of anomaly. Further, the anomaly prompt may also be used to prompt the user for one or more of an anomaly location, an anomaly cause.
Based on the above description, the embodiment of the application provides a log detection method. In the method, the central server 20 obtains a log data set generated by system operation, constructs a log template tree according to the word frequencies of the words in a plurality of logs, determines, for each log in the plurality of logs, a template matched with the log according to the similarity of the words in the log and the words in at least one template of the log template tree, and performs abnormality detection on the log data set based on a template sequence formed by the templates matched with each log in the plurality of logs.
Because the log template tree is created based on the word frequency of the words included in the logs, and template matching combines this with the similarity of the words in a log and the words in the log template tree, the method addresses the drop in template extraction accuracy caused by the sensitivity of the FT-Tree-based template extraction method to word frequency, and effectively addresses the long tail effect. In addition, by retaining features such as word frequency, the method addresses the problem that the depth tree based online log parsing (Drain) method ignores the influence of word frequency and therefore cannot restore the real situation, which improves the accuracy of template extraction and, in turn, the accuracy of anomaly detection.
In the embodiment shown in fig. 2, anomaly detection of the log dataset by the central server 20 from the template sequence may be accomplished by an AI model. For example, the center server 20 may perform system behavior abnormality detection by a behavior abnormality detection model, and perform system state abnormality detection by a state abnormality detection model. The following describes a training process of the behavior abnormality detection model and the state abnormality detection model.
Referring to the flow diagram of model training shown in fig. 5, a training device, such as the central server 20, may obtain a sample log, which may be, for example, a log generated by a system running over a historical period of time. The central server 20 may perform template matching on the sample logs using the template extraction method shown in fig. 3, thereby obtaining a template for each of the sample logs, and thus obtaining a template sequence. The central server 20 may then slide a window over the sample sequence according to the preset window length h and the preset step s to obtain the frequency features and the time difference features of the templates in each window. The central server 20 may construct a first training sample from the frequency features and a second training sample from the time difference features. The first training sample and the second training sample are also referred to as $X_{train}$ and $Y_{train}$.
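The window sliding step can be written out as follows. This is an added example, not the patent's code. It assumes that the frequency feature of a window is a per-template count vector, that the time difference feature is the list of gaps inside the window, and that each sample is labelled with the template or gap that immediately follows the window; the page does not specify the labels. The input data is constructed.

```python
def window_bounds(length, h, s):
    """Start/end indices of windows of length h and step s that leave one
    following item to serve as the label."""
    if h < 2 or s < 1:
        raise ValueError("window length must be >= 2 and step >= 1")
    return [(a, a + h) for a in range(0, length - h, s)]

def build_training_samples(template_ids, timestamps, num_templates, h, s):
    """Return (first_samples, second_samples).

    first_samples:  (template count vector of the window, next template id)
    second_samples: (time differences inside the window, next time difference)
    """
    if len(template_ids) != len(timestamps):
        raise ValueError("one timestamp is required per matched template")
    first, second = [], []
    for a, b in window_bounds(len(template_ids), h, s):
        counts = [0] * num_templates
        for tid in template_ids[a:b]:
            counts[tid] += 1          # frequency feature of this window
        gaps = [timestamps[k + 1] - timestamps[k] for k in range(a, b - 1)]
        first.append((counts, template_ids[b]))
        second.append((gaps, timestamps[b] - timestamps[b - 1]))
    return first, second

# Constructed template sequence and timestamps (seconds), for illustration only.
SAMPLE_IDS = [0, 1, 2, 0, 1, 2, 0, 1, 3, 0]
SAMPLE_TIMES = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 11.0, 12.0]

if __name__ == "__main__":
    x1, x2 = build_training_samples(SAMPLE_IDS, SAMPLE_TIMES, 4, h=4, s=2)
    for sample in x1:
        print("behavior sample:", sample)
    for sample in x2:
        print("state sample:", sample)
```

A sequence no longer than the window length yields no samples, because no following item exists to label the window.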
The central server 20 may be trained to obtain the behavioral anomaly detection model via the first training sample. For example, the center server 20 inputs the first training samples into a Long Short-Term Memory (LSTM) model in batches, determines a loss value according to an output of the LSTM model and a tag value of the first training samples, and then updates a weight of the LSTM model according to the loss value. When the loss value tends to converge, or when the loss value is less than a preset value, the central server 20 may stop updating the weight of the LSTM model and use the trained LSTM model as a behavioral anomaly detection model to detect a behavioral anomaly of the system.
The central server 20 may also train to obtain the state anomaly detection model through the second training sample. The state anomaly detection model is a time sequence analysis model based on the attention. When the model processes a large amount of input information, key information is selected from the large amount of input information to process by referring to the attention mechanism of the human brain, so that the efficiency of the state abnormality detection model can be improved. Specifically, the center server 20 may input the second training sample into a timing analysis model based on the attention, for example, a recurrent neural network (recurrent neural network, RNN) model, then determine a loss value according to the output of the above-described timing analysis model and the label of the second training sample, and update the parameters of the timing analysis model based on the loss value. When the loss value of the time-series analysis model satisfies a condition, for example, the loss value converges or the loss value is smaller than a preset value, the center server 20 may stop training and determine the trained model as the state anomaly detection model.
Referring to fig. 5, the central server 20 may load a trained model, such as a behavioral anomaly detection model and/or a state anomaly detection model, slide a window on a template sequence to be detected, and extract features of the template sequence in each window to obtain corresponding frequency features and time difference features. A plurality of first detection samples may be constructed based on the frequency signature and a plurality of second detection samples may be constructed based on the time difference signature. The first detection sample is input into the behavior abnormality detection model to determine whether the system is abnormal in behavior, and the second detection sample is input into the state abnormality detection model to determine whether the system is abnormal in state. The central server 20 may also present the anomaly to the user or actively trigger an alarm so that the user can timely perceive the anomaly and locate the anomaly log.
The embodiment of the application also designs a verification experiment to determine the effect of the log detection method of the embodiment of the application. See in particular table 1:
table 1: log detection method and detection result of traditional log detection method based on embodiment of application
Figure BDA0003312496290000111
As can be seen from the above table, the log detection method according to the embodiment of the present application not only extracts the template sequence based on word frequency and similarity of words to perform system behavior anomaly detection, but also extracts the time difference sequence to perform system state anomaly detection, so as to cover more abnormal scenes. For example, in the 12 abnormal scenes shown in table 1, the log detection method in the embodiment of the present application successfully detects all abnormal scenes, but the conventional log detection method has 3 abnormal scenes, so the detection rate in the embodiment of the present application is improved by more than 30%, and the accuracy of the anomaly detection is improved.
The log detection method provided in the embodiments of the present application is described in detail above with reference to fig. 1 to 5, and the device provided in the embodiments of the present application will be described below with reference to the accompanying drawings.
Referring to the schematic structure of the log detection device shown in fig. 6, the device 600 includes:
a communication module 602, configured to obtain a log data set generated by system operation, where the log data set includes a plurality of logs;
a construction module 604, configured to construct a log template tree according to word frequencies of words in the plurality of logs, where the log template tree includes at least one template;
a matching module 606, configured to determine, for each log of the plurality of logs, a template matching the log according to a similarity between a word in the log and a word in the at least one template;
and a detection module 608, configured to perform anomaly detection on the log dataset based on a template sequence formed by templates matched with each log in the plurality of logs.
In some possible implementations, the matching module 606 is specifically configured to:
obtaining the similarity of the log and the target template according to the similarity of the word in the log and the word in the target template, wherein the target template is the template in the log template tree;
When the similarity between the log and the target template is greater than a preset threshold, determining the target template as a template matched with the log;
and when the similarity between the log and the target template is not greater than a preset threshold, updating the log template tree, and determining a newly added template in the log template tree as a template matched with the log.
In some possible implementations, the template sequence includes n templates, where n is greater than 1, and the detection module 608 is specifically configured to:
inputting a subsequence formed by the first n-1 templates in the template sequence into a behavior anomaly detection model, and predicting the conditional probability of the nth template;
and when the conditional probability is smaller than a preset value, determining that the system is abnormal in behavior.
In some possible implementations, the detection module 608 is further configured to:
acquiring a time difference sequence according to the log data set, wherein the time difference sequence comprises the time differences of adjacent logs in the plurality of logs;
inputting the time difference sequence into a state anomaly detection model, and predicting a confidence interval of an nth time difference, wherein the state anomaly detection model is a time sequence analysis model based on attention;
and determining that the system state is abnormal when the true value of the nth time difference exceeds the confidence interval.
In some possible implementations, the communication module 602 is further configured to:
obtaining a sample sequence, wherein the sample sequence is a template sequence obtained by performing template matching on a sample log;
the apparatus 600 further comprises:
the sample generation module is used for carrying out window sliding on the sample sequence according to a preset window length and a preset step length, obtaining frequency characteristics and time difference characteristics of templates in each window, constructing a first training sample according to the frequency characteristics, and constructing a second training sample according to the time difference characteristics;
the training module is used for obtaining the behavior abnormality detection model through training of the first training sample and obtaining the state abnormality detection model through training of the second training sample.
In some possible implementations, the building module 604 is specifically configured to:
and constructing a log template tree according to the length of each log in the plurality of logs and the logs obtained by sequencing each log in the plurality of logs according to the word frequency descending order.
In some possible implementations, the communication module 602 is further configured to:
when a system abnormality is detected, sending an abnormality prompt to a user.
The log detection device 600 according to the embodiment of the present application may correspond to performing the method described in the embodiment of the present application, and the above and other operations and/or functions of each module/unit of the log detection device 600 are respectively for implementing the corresponding flow of each method in the embodiment shown in fig. 2, which is not described herein for brevity.
The embodiment of the application also provides a computer cluster. The computer cluster comprises at least one computer, and the computer can be, for example, a notebook computer, a desktop computer and other end-side devices, and can also be a central server in a cloud environment or an edge server in an edge environment. The computer cluster is specifically configured to implement the function of the log detection device 600 in the embodiment shown in fig. 6.
Fig. 7 provides a schematic diagram of a computer cluster, and as shown in fig. 7, the computer cluster 70 includes at least one computer 700. The computer 700 includes a bus 701, a processor 702, a communication interface 703, and a memory 704. Communication between processor 702, memory 704 and communication interface 703 is via bus 701.
Bus 701 may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus, among others. The buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one thick line is shown in fig. 7, but this does not mean that there is only one bus or one type of bus.
The processor 702 may be any one or more of a central processing unit (central processing unit, CPU), a graphics processor (graphics processing unit, GPU), a Microprocessor (MP), or a digital signal processor (digital signal processor, DSP).
The communication interface 703 is used for communication with the outside. The communication interface 703 may implement the functions of the communication module 602. For example, the communication interface 703 is used to acquire a log data set generated by the operation of the system, or when an abnormality of the system is detected, send an abnormality prompt or the like to the user.
The memory 704 may include volatile memory (volatile memory), such as random access memory (random access memory, RAM). The memory 704 may also include non-volatile memory (non-volatile memory), such as read-only memory (ROM), flash memory, a hard disk drive (hard disk drive, HDD), or a solid state drive (solid state drive, SSD).
The memory 704 has stored therein computer readable instructions that are executed by the processor 702 to cause the computer cluster 70 to perform the aforementioned log detection method (or to implement the functionality of the aforementioned log detection device 600).
In particular, in the case where the embodiment of the system shown in fig. 6 is implemented, and the functions of the modules of the log detection apparatus 600 described in fig. 6, such as the construction module 604, the matching module 606, and the detection module 608, are implemented by software, software or program code required to perform the functions of the modules in fig. 6 may be stored in at least one memory 704 in the computer cluster 70. The at least one processor 702 executes program code stored in the memory 704 to cause the computer cluster 70 to perform the log detection method described previously.
Embodiments of the present application also provide a computer-readable storage medium. The computer readable storage medium may be any available medium that can be stored by a computer cluster or a data storage device such as a data center containing one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), etc. The computer-readable storage medium includes instructions that instruct a computer cluster to perform the log detection method described above.
Embodiments of the present application also provide a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer cluster, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website, computer cluster, or data center to another website, computer cluster, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer program product may be a software installation package that can be downloaded and executed on a computer cluster in the event that any of the aforementioned log detection methods is desired.
The descriptions of the processes or structures corresponding to the drawings have emphasis, and the descriptions of other processes or structures may be referred to for the parts of a certain process or structure that are not described in detail.

Claims (17)

1. A log detection method, the method comprising:
acquiring a log data set generated by system operation, wherein the log data set comprises a plurality of logs;
constructing a log template tree according to word frequencies of words in the logs, wherein the log template tree comprises at least one template;
determining a template matched with each log in the plurality of logs according to the similarity of the words in the log and the words in the at least one template;
and performing anomaly detection on the log data set based on a template sequence formed by templates matched with each log in the plurality of logs.
2. The method of claim 1, wherein said determining a template matching said log based on the similarity of words in said log to words in said at least one template comprises:
obtaining the similarity of the log and the target template according to the similarity of the word in the log and the word in the target template, wherein the target template is the template in the log template tree;
When the similarity between the log and the target template is greater than a preset threshold, determining the target template as a template matched with the log;
and when the similarity between the log and the target template is not greater than a preset threshold, updating the log template tree, and determining a newly added template in the log template tree as a template matched with the log.
3. The method of claim 1 or 2, wherein the sequence of templates comprises n templates, the n being greater than 1, the anomaly detection of the log dataset based on a sequence of templates formed from templates matching each log of the plurality of logs comprising:
inputting a subsequence formed by the first n-1 templates in the template sequence into a behavior anomaly detection model, and predicting the conditional probability of the nth template;
and when the conditional probability is smaller than a preset value, determining that the system is abnormal in behavior.
4. A method according to claim 3, characterized in that the method further comprises:
acquiring a time difference sequence according to the log data set, wherein the time difference sequence comprises the time differences of adjacent logs in the plurality of logs;
inputting the time difference sequence into a state anomaly detection model, and predicting a confidence interval of an nth time difference, wherein the state anomaly detection model is a time sequence analysis model based on attention;
and determining that the system state is abnormal when the true value of the nth time difference exceeds the confidence interval.
5. The method according to claim 4, wherein the method further comprises:
obtaining a sample sequence, wherein the sample sequence is a template sequence obtained by performing template matching on a sample log;
window sliding is carried out on the sample sequence according to the preset window length and the preset step length, and frequency characteristics and time difference characteristics of templates in each window are obtained;
constructing a first training sample according to the frequency characteristics, and constructing a second training sample according to the time difference characteristics;
and training through the first training sample to obtain the behavior abnormality detection model, and training through the second training sample to obtain the state abnormality detection model.
6. The method of any one of claims 1 to 5, wherein constructing a log template tree from word frequencies of words in the plurality of logs comprises:
constructing the log template tree according to the length of each log in the plurality of logs and the logs obtained by sorting each log in the plurality of logs in descending order of word frequency.
7. The method according to any one of claims 1 to 6, further comprising:
sending an abnormality prompt to a user when a system abnormality is detected.
8. A log detection device, the device comprising:
a communication module, configured to acquire a log data set generated by system operation, wherein the log data set comprises a plurality of logs;
a construction module, configured to construct a log template tree according to word frequencies of words in the plurality of logs, wherein the log template tree comprises at least one template;
a matching module, configured to determine a template matching each log in the plurality of logs according to the similarity between the words in the log and the words in the at least one template;
and a detection module, configured to perform anomaly detection on the log data set based on a template sequence formed by the templates matching each log in the plurality of logs.
9. The apparatus of claim 8, wherein the matching module is specifically configured to:
obtaining the similarity between the log and a target template according to the similarity between the words in the log and the words in the target template, wherein the target template is a template in the log template tree;
when the similarity between the log and the target template is greater than a preset threshold, determining the target template as the template matching the log;
and when the similarity between the log and the target template is not greater than the preset threshold, updating the log template tree, and determining a newly added template in the log template tree as the template matching the log.
10. The apparatus according to claim 8 or 9, wherein the template sequence comprises n templates, n being greater than 1, the detection module being specifically configured to:
inputting a subsequence formed by the first n-1 templates in the template sequence into a behavior anomaly detection model, and predicting the conditional probability of the nth template;
and when the conditional probability is smaller than a preset value, determining that the system behavior is abnormal.
11. The apparatus of claim 10, wherein the detection module is further configured to:
acquiring a time difference sequence according to the log data set, wherein the time difference sequence comprises the time differences of adjacent logs in the plurality of logs;
inputting the time difference sequence into a state anomaly detection model, and predicting a confidence interval of an nth time difference, wherein the state anomaly detection model is an attention-based time series analysis model;
and determining that the system state is abnormal when the true value of the nth time difference exceeds the confidence interval.
12. The apparatus of claim 11, wherein the communication module is further configured to:
obtaining a sample sequence, wherein the sample sequence is a template sequence obtained by performing template matching on a sample log;
the apparatus further comprises:
a sample generation module, configured to perform window sliding on the sample sequence according to a preset window length and a preset step length, obtain frequency features and time difference features of the templates in each window, construct a first training sample according to the frequency features, and construct a second training sample according to the time difference features;
and a training module, configured to obtain the behavior anomaly detection model by training with the first training sample and obtain the state anomaly detection model by training with the second training sample.
13. The apparatus according to any one of claims 8 to 12, wherein the construction module is specifically configured to:
constructing the log template tree according to the length of each log in the plurality of logs and the logs obtained by sorting each log in the plurality of logs in descending order of word frequency.
14. The apparatus of any one of claims 8 to 13, wherein the communication module is further configured to:
sending an abnormality prompt to a user when a system abnormality is detected.
15. A computer cluster comprising at least one computer, the at least one computer comprising at least one processor and at least one memory, the at least one memory having stored therein computer-readable instructions that are executable by the at least one processor to cause the computer cluster to perform the method of any of claims 1-7.
16. A computer readable storage medium comprising computer readable instructions which, when run on a computer cluster, cause the computer cluster to perform the method of any of claims 1 to 7.
17. A computer program product comprising computer readable instructions which, when run on a computer cluster, cause the computer cluster to perform the method of any of claims 1 to 7.
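The two checks of claims 3 and 4 (and device claims 10 and 11), run over a constructed template sequence, as an added example that is not part of the patent. The count table and the mean ± z·std interval are simple stand-ins for the behavior anomaly detection model and the attention-based time series model, whose internals the claims do not give; all names, thresholds and sample data are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, stdev

class BehaviorModel:
    """Count-based stand-in: P(nth template | preceding n-1 templates)."""
    def __init__(self, n):
        self.n, self.counts = n, defaultdict(Counter)

    def fit(self, sample_seq):
        # Slide a window of length n, step 1, over the sample template sequence.
        for i in range(len(sample_seq) - self.n + 1):
            *context, nxt = sample_seq[i:i + self.n]
            self.counts[tuple(context)][nxt] += 1
        return self

    def cond_prob(self, context, nxt):
        seen = self.counts.get(tuple(context))
        if not seen:  # context never seen in training: report probability 0
            return 0.0
        return seen[nxt] / sum(seen.values())

def interval(prev_diffs, z=3.0, floor=0.05):
    """Stand-in interval for the next time difference: mean +/- max(z*std, floor)."""
    half = max(z * stdev(prev_diffs), floor)
    return mean(prev_diffs) - half, mean(prev_diffs) + half

def detect(events, model, p_min=0.05):
    """events: [(timestamp_seconds, template_id)]; returns [(index, kind)]. Needs n >= 3."""
    n, ids = model.n, [t for _, t in events]
    diffs = [b[0] - a[0] for a, b in zip(events, events[1:])]
    findings = []
    for i in range(n - 1, len(events)):
        if model.cond_prob(ids[i - n + 1:i], ids[i]) < p_min:
            findings.append((i, "behavior"))
        if i >= n:  # diffs[i-1] is the gap ending at event i; compare with the n-1 gaps before it
            lo, hi = interval(diffs[i - n:i - 1])
            if not lo <= diffs[i - 1] <= hi:
                findings.append((i, "state"))
    return findings

# Constructed data. Template ids: 1 session opened, 2 auth ok, 3 request served, 4 session closed.
SAMPLE = [1, 2, 3, 4] * 25
EVENTS = [(0.0, 1), (1.0, 2), (2.0, 3), (3.0, 4), (4.0, 1),
          (5.0, 3),            # template 2 (auth ok) skipped
          (6.0, 4), (7.0, 1), (8.0, 2),
          (20.0, 3),           # 12 s gap where 1 s is normal
          (21.0, 4)]

def run():
    return detect(EVENTS, BehaviorModel(n=3).fit(SAMPLE))

if __name__ == "__main__":
    print(run())
```

The skipped template is reported at index 5 and again at index 6, because the out-of-order entry also becomes part of the next context; an alerting layer built on this kind of check usually merges adjacent findings.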
CN202111220744.0A 2021-10-20 2021-10-20 Log detection method and related device Pending CN116010187A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111220744.0A CN116010187A (en) 2021-10-20 2021-10-20 Log detection method and related device

Publications (1)

Publication Number Publication Date
CN116010187A true CN116010187A (en) 2023-04-25

Family

ID=86023490

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111220744.0A Pending CN116010187A (en) 2021-10-20 2021-10-20 Log detection method and related device

Country Status (1)

Country Link
CN (1) CN116010187A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117632773A (en) * 2024-01-26 2024-03-01 深圳市吉方工控有限公司 Data interaction anomaly detection method and detection port based on computer terminal
CN117632773B (en) * 2024-01-26 2024-03-26 深圳市吉方工控有限公司 Data interaction anomaly detection method and detection port based on computer terminal

Legal Events

Date Code Title Description
PB01 Publication