GR20220100245A - Method for detecting and treating errors in log files with use of deep learning neural networks - Google Patents

Abstract

A method that detects abnormal entries (potential errors) in program log data in information systems infrastructures that act as servers to provide online services and applications is disclosed. Given a log file, the data are transformed and processed appropriately to train a deep machine learning neural network. The goal of training is to reconstruct the input data with the least possible errorwhile, at the same time, the reconstruction of the training data is limited by the dimensions and structure of the neural network. As a consequence, the neural network succeeds in modeling the most important features of the training data. New input data that have similar characteristics to those of the training data are reconstructed with little error. Conversely, data that do not possess similarfeatures are reconstructed with a larger error and, consequently, are categorized as abnormal based on a threshold value. This indication is generated in real time and is used to notify server administrators of possible failures, and perform self-healing actions.

Description

DESCRIPTION

A method for detecting and dealing with anomalies in information system infrastructure log data using a deep learning neural network.

The present invention refers to a method that aims to detect abnormal records in data recording infrastructures of information systems that act as servers and to take self-repair actions. These servers concern infrastructures for hosting web pages and providing online services and applications. Anomaly detection is performed using a fully connected deep machine learning neural network.

The infrastructure of information systems that are servers intended to host websites and provide related online services and applications. As servers consist of computers, a multitude of errors and problems can occur during their operation. An expert, hereinafter referred to as a system administrator, is called upon to deal with the resulting errors while, furthermore, the detection of known errors can be automated by him or specialist programmers by writing appropriate software. However, servers are complex systems. As a consequence of this, it is possible to have errors that become unknown, which will not be detected by the automated detection of known errors, while they may be unknown even to an expert, and also, the system administrator may not be readily available to to deal with the situation.

The object of the present invention is to provide an innovative method as a solution to the automatic detection of errors in log files of programs and the realization of self-repair actions, which manages to recognize errors that have not appeared in the past, exclusively modeling the normal behavior of the system. This method can be applied to any system log of a server program that provides web services (for example, logs of a specific and critical software such as Apache Web Server and MySQL Database). In this way, through the indications produced by the neural network of deep machine learning, the system administrator is informed when the system that constitutes the server does not behave as usual and at the same time an automated action is carried out on the respective structural element of the server that produces the log data , which is about restarting the program. As a result, server downtime is reduced, as errors are handled automatically, while still informing the system administrator in a shorter period of time.

Every server has system logs, which are an important means of monitoring the behavior of the components that produce them, as well as the overall behavior of a system. The present invention relates to log files related to parts of the software. The method is applied separately for each log file of a software program that is critical to the operation of the server (for example, the program responsible for the operation of the database). For a log file to which the method is applied, by providing the appropriate paths (paths) leading to the file, the data is collected, which consists of text files, where each row represents a separate system log.

Then the preprocessing of the data begins. The log data is converted into a two-dimensional array, with each line of the array containing an entire system log, dividing the words of the log into separate cells, where the blank character appears. The number of rows of the table is equal to the number of records, while the number of columns is equal to the maximum number of total words displayed by the largest record in the system. For records with a number of elements less than the maximum, zero (0) is filled in the missing cells. Blank characters between closed parentheses or square brackets are not taken into account in the column separation, since the parts of records between parentheses or square brackets are a single piece of information.

In the case where the server, until the installation of the method, has not presented problematic behavior, then the collected data is stored intact for the subsequent training of the deep machine learning neural network model. Otherwise, the user can set a maximum date, up to which no problem or error has occurred, and only records prior to this date are used. The goal is for the machine learning model to be trained only with normal mode data, which normal mode is desired to be modeled, and for non-normal (abnormal) records to be as few as possible or completely eliminated from the data. The column describing the date is defined as the first column, unless otherwise specified by the user of the method. In any case, the column describing the date is deleted from the table, as it is not useful data for anomaly detection.

For each column in the table describing system log data, it is detected whether it contains only numeric values. If this is true, then the column values are normalized to the range [0, 1] based on the column's maximum and minimum value. Otherwise, if the columns also include alphabetic characters and/or symbols, then the entire column's data is treated as categorical, and one-hot encoding is used to represent it.

The array is partitioned by its rows into two parts, hereafter denoted as training set and validation set, or training data and validation data. The training set corresponds to eighty percent (80%) of the total rows of the original table. The validation set corresponds to the remaining twenty percent (20%) of the total rows of the original table. In order for both the training set and the validation set to contain data from all time periods in which the log data have been produced, rather than the first set containing the former in time order and the latter the latter in time order, the dividing the original table into the two sets above is not possible with the original chronological order of its lines. In contrast, with a pseudorandom number generator, the rows of the original table are shuffled in a random fashion, and then the first 80% are stored as the training set, and the rest as the validation set. There is no overlap in these two sets.

The deep machine learning neural network, hereafter also referred to as the model, consists of four (4) fully connected layers. The first layer consists of fourteen (14) neurons, the second layer consists of seven (7) neurons, the third layer consists of fourteen (14) neurons, and the fourth layer consists of as many neurons as the size of the original dimension of the input data , that is, the number of columns of the training and validation data. In the first three levels, the Rectified Linear Unit (ReLU) function is used as the activation function. In the fourth and last level, which is the output of the neural network, no activation function is used.

The model is trained through the following process. For more efficient training, the total input consists of sixty-four (64) records from the log data processed in parallel by the model, that is, the batch size is set to sixty-four (64). It is desirable that the output of the model is essentially a reconstruction of the input. The mean squared error between the input and the output is calculated and, through the Adam optimizer, the model is trained with the criterion of minimizing the mean squared error, which will be referred to hereafter as the reconstruction error. The process is repeated for the entire training data set fifty (50) times, i.e. the number of epochs is set to fifty (50). The learning rate is defined as ten minus four ().

After the training process the model will achieve a good reconstruction of the data given as input, as long as it is of a similar format to the training data. However, due to the reduction of the dimensions of the information as it flows inside the model, as the dimension of the input data is expected to be much larger than the number of neurons of each layer, the reconstruction will not be perfect, but will contain a low error. Therefore, the above model training will result in modeling the most important and representative features of the input data, rather than perfectly replicating the input. As a consequence of all the above, if the model is given as input data that do not have the same characteristics as the training data, i.e. abnormal data, the model will not achieve a good reconstruction of the data and a large reconstruction error will result. The invention exploits this feature of the model's inability to reconstruct abnormal data. In essence, the neural network being trained is an autoencoder architecture.

To detect anomalous data, a threshold will be calculated for the size of the reconstruction error, which if exceeded will categorize the data that produced it, i.e. the records, as anomalous. Using the validation set, after each epoch as defined above, the mean reconstruction error for the entire validation set will be calculated. According to this error, the model resulting from the epoch showing its lowest value is selected, and the threshold for detecting anomalies in new data is set as the value that is five percent (5%) greater than the average error reconstruction presented by the validation data at that particular epoch. The reason for using the validation data to select the optimal epoch and set the threshold value, rather than the training data, is to avoid overfitting, as the reconstruction error will be smaller for the training data , while the reconstruction error for the validation data, with which the model has not been trained, will give a more representative value for the error that the log data will show during the practical application of the method.

The new data generated by the respective software, which are also syslog records, during the application of the method and in real time, the same pre-processing is applied to the training and validation data, with the difference that if a record exceeds in number of columns the maximum observed in the original data, then it is directly categorized as anomalous, as this is an unusual phenomenon and needs to be addressed (note that the training data set, being large enough, will include all normal normal records). The reconstruction error for the input is then calculated, and it is checked whether the anomaly detection threshold is exceeded, and whether the error exceeds the threshold. If the latter is true, and the error is five percent (5%) greater than the threshold, then the method displays a notification to the system user (by sending an email message, and if the error is large enough, specifically more than ten one hundred (10%) perform an automatic action, namely restarting the program that produces the log files (for example, restarting the e-mail server program in case the latter is the component whose system logs are examined by the method) .

The architecture of the neural network is shown in Figure 1. The input to the neural network is referred to as the input layer. The input enters the first fully connected layer, and then the flow of information continues to the next fully connected layers. In the figure, the fully connected layers are labeled as PSE1, PSE2, PSE3, and PSE4. For each fully connected layer, the number of neurons inside it is listed. The fourth and last fully connected layer (PSE4) restores the information to the original dimensions it had in the input layer. The steps of the overall method, as described above, are shown in Figure 2.

Claims (10)

1. A method for detecting and dealing with anomalies in log files related to a server program, comprising the following phases: 1. Collection of existing system log data for a specific program, which is critical to the operation of the server. 2. Preprocessing of the data. 3. Split the data into training data and validation data. 4. Deep machine learning neural network training. 5. Definition of anomaly detection threshold. 6. Detect anomalies in new real-time system log data and take action. characterized by the fact that on a server (sever), which functions as an infrastructure for hosting web pages and providing internet services, simultaneously with the operation of the server, a deep machine learning neural network, hereinafter referred to as a model, is trained, which model becomes capable to detect anomalies in new system records concerning the critical program by calculating a reconstruction error and checking whether this error exceeds a certain threshold. 2. Method according to claim 1, characterized by the fact that the collection of the data concerns the system log data found in specific paths (paths) on the server, given by the user of the method, while the method can concern more than a system log file. In this case, the method is applied directly to each individual system log file, which file relates to a separate server component. 3. Method according to claim 1, characterized in that the pre-processing of the data includes the following phases: 1. Convert the log data into a two-dimensional array, where each row of the array contains an entire record, separating the words of the log where the blank character occurs. The number of lines will be equal to the number of records in the file, and the number of columns will be equal to the number of total words of the longest record appearing in the file. For records with fewer than the maximum number of items, zero (0) is filled in the remaining cells. Blank characters between closed parentheses or square brackets are not taken into account when separating columns, since the parts of the records between parentheses or square brackets are a single piece of information. 2. If a maximum date is set by the user, records after this are ignored. If not defined by the user, as the cells containing the date of the recording, those of the first column are considered. In any case, after this phase, the column relating to the date of the records is deleted from the table, as it is not useful information for the detection of anomalies. 3. Detect for each column if it contains only numeric values. If this is true, the column values are normalized to the range [0, 1] based on the column's maximum and minimum values. If the column also contains alphabetic characters or symbols, then the data of the entire column is considered as categorical data, and the one-hot encoding method is applied. 4. Randomize the data, using a pseudorandom number generator (the algorithm of the generator is meaningless), into training data and validation data. The training data is eighty percent (80%) of the data set and the validation data is the remaining twenty hundred (20%) of the data set. 4. Method according to claim 1, characterized by the fact that the deep neural network consists of four (4) fully connected layers. The first level consists of fourteen (14) neurons and as an activation function uses the Rectified Linear Unit (ReLU) function, which will be referred to as ReLU. The second layer consists of seven (7) neurons and uses the ReLU activation function. The third layer consists of fourteen (14) neurons and as an activation function uses the ReLU activation function. The fourth layer consists of as many neurons as the dimensions of the input, i.e. as many columns of the training set, and does not use any activation function. 5. Method according to claim 1, characterized by the fact that, during the training of the model, the hyperparameters are defined as: sixty-four (64) for the batch size, fifty (50) for the number of epochs, ten minus four () for the learning rate 6. Method according to claim 1, characterized in that in the training of the neural network the mean squared error (mean squared error) between the input and the output for the set of records of each data set is minimized, using the Adam optimizer ) to minimize the mean squared error, hereafter referred to as the reconstruction error. 7. Method according to claim 1 or 6, characterized by the fact that the training of the neural network leads to the realization of a reconstruction of the input by learning the most important and representative features of the input by gradually reducing the dimensions of the information inside the neural network . The neural network will not achieve a perfect reconstruction of the input, but this reconstruction will contain a small error for the training data. Method according to claim 1 or 7, characterized in that the reconstruction error will be larger than normal for input data which is of a different distribution from the training data, i.e. the reconstruction error will be larger for abnormal data. Method according to claim 1, characterized in that the validation data is given as input to the neural network and the average reconstruction error is calculated for the entire set of validation data for each training epoch, and the model resulting from the epoch where the lower value of the reconstruction error for the validation data. 10. A method according to claim 1 or 9, characterized in that the mean reconstruction error for the validation data, for the selected epoch, is used to set a threshold value defining the categorization of a value as normal or abnormal and obtaining or not of a real-time action. Specifically, for a new system recording that is given as input to the neural network and its reconstruction error is calculated, i.e. the mean squared error between the input and the output of the neural network. For this error, values exceeding it by five percent (5%) are categorized as problematic and the system displays a warning by sending an email message to the administrator, while values exceeding ten percent (10%) the threshold value are categorized as critical exceedances, and the system displays a critical warning, sending a message similar to above, and automatically restarts the program that generated the junk logs. Otherwise, the quoted values take no action. are defined as normal and not