JP7182586B2 - LEARNING APPARATUS, ESTIMATION APPARATUS, SEQUENCE ESTIMATION SYSTEM AND METHOD, AND PROGRAM - Google Patents

Description

The present invention relates to a learning device, an estimating device, a sequence estimating system and method, and a program.

2. Description of the Related Art Conventionally, there has been known a technique for monitoring logs output from various systems and detecting system anomalies. For example, a maintenance management device described in Patent Literature 1 is known. This maintenance management device includes a collection unit that collects log information, a storage unit that associates and stores a log identifier that identifies log information and time information of the log information, and a plurality of log identifiers that are collected based on the time information. an analysis unit that creates a log sequence, calculates the sequence time from the difference between the start time and the end time of the log sequence, and groups the log sequence and the sequence time into a sequence group that associates the log sequence, the analysis unit If the sequence group does not match the pre-registered normal sequence group and abnormal sequence group, the estimated time until the incident occurs based on the sequence group and the sequence group with the highest matching rate among the pre-registered incident sign groups Calculate This enables the maintenance management device to predict the occurrence of incidents.

Japanese Patent No. 6512646

However, the maintenance management device described above pre-registers information such as a normal sequence group, an abnormal sequence group, and an incident sign group, and monitors log information. Furthermore, there are cases where the system outputs logs that are designed so that, for example, logs with a high log level can be easily monitored by setting log levels such as ERROR and WARN in advance.

However, depending on the system, pre-registered information such as log level, specifications, interpretation of specifications, etc., vary. For this reason, there is a demand in the field of maintenance and operation (operation) to perform efficient failure handling starting from the log, but it has not been realized. In other words, even if the logs are currently monitored, an abnormality in the system will occur, and the log caused by the abnormality will be registered in the system, only the registered log will be monitored, and logs other than the registered log will be ignored. are operating. As a result, a relatively efficient failure response is realized for registered known anomalies. However, it is difficult to deal with unknown anomalies or complex anomalies involving multiple systems. In addition, in order to identify the cause of these abnormalities, processing such as log tracing is required, and there is a problem that it takes time to identify the cause.

The present invention has been made in view of the above problems, and provides a learning device, an estimating device, a sequence estimating system, a method, and a program that can detect unknown or complex anomalies in a monitored system. It is intended to

(1) One aspect of the present invention is a model that is trained using a collection unit that collects log messages from a monitored system and a portion of the log messages collected by the collection unit as first learning data. a first model that outputs a result of estimating a sequence including a plurality of log messages; A learning device comprising: a second model that is a learned model and outputs a result of estimating the sequence; and a model generation unit that generates the second model.

(2) An aspect of the present invention is the learning device described above, wherein the first learning data is a set of log data with a small number of occurrences per sequence but a high occurrence probability per sequence. you can

(3) An aspect of the present invention is the learning device described above, and may include a registration unit that processes and registers an index by deleting a predetermined parameter from the log messages collected by the collection unit.

(4) An aspect of the present invention is the above-described learning device, comprising: a message classification unit that classifies log messages registered as indexes by the registration unit into types; and the log messages classified by the message classification unit. and a message set estimating unit that estimates a set of log messages including the type of the first model is learned with a part of the set of log messages estimated by the message set estimating unit, and the The second model may be trained on a set of log messages other than a part of them estimated by the message set estimation unit.

(5) An aspect of the present invention is the learning device described above, wherein the message classification unit divides the index registered by the registration unit into a plurality of elements, and an element closer to the beginning of the index has a higher The indices may be vectorized by assigning weights, and the vectorized indices may be classified into one of a plurality of log message types.

(6) An aspect of the present invention is the above learning device, wherein the message set estimating unit includes a log message group belonging to each log message type specified among the log message types classified by the message classifying unit. to generate a plurality of pseudo message groups, and based on a plurality of time-series correlation coefficients calculated for the plurality of pseudo message groups, log messages belonging to the specified log message type are the same log message can be assumed to be a set of

(7) An aspect of the present invention is the above-described learning device, wherein the message set estimating unit selects a log message group belonging to each log message type among all log message types classified by the message classifying unit. to generate a plurality of pseudo message groups, and based on a plurality of time-series correlation coefficients calculated for the plurality of pseudo message groups, log messages belonging to the log message type are the same set of log messages By estimating that, the log messages of the log message types that have an inclusion relationship or a co-occurrence relationship among the estimated set of log messages may be integrated.

(8) An aspect of the present invention is the learning device described above, wherein the model generation unit clusters time differences between log messages included in the first model, and clusters log messages included in the second model. Time differences between messages may be clustered.

(9) An aspect of the present invention is the learning device described above, wherein the clustering of the time differences between log messages is performed by considering the magnitude and variation of the time differences between a plurality of log messages. The division may be repeated until a predetermined condition is satisfied.

(10) An aspect of the present invention is the learning device described above, wherein the clustering of the time differences between the log messages is performed by clustering the time differences between the log messages in units of a predetermined period, and then clustering the time differences between the log messages in units of a predetermined period. An abnormal value may be eliminated from the time difference between the clustered log messages based on the results of correcting the number of data included in the clusters to the same number and combining the numbers of data in the clusters in predetermined time units.

(11) An aspect of the present invention is the above-described learning device, wherein the model generation unit performs higher-order estimation of the first model based on log messages two or more previous log messages. , the second model need not be upgraded.

(12) One aspect of the present invention is a collection unit that collects log messages from a monitored system; a first estimating unit for inputting some of the plurality of log messages collected by the unit and estimating a sequence including the plurality of log messages based on the output of the first model; Log messages other than some of the plurality of log messages collected by the collecting unit are added to a second model trained using log messages other than the first learning data among the data as second learning data. a second estimator receiving a message and estimating a sequence comprising a plurality of log messages based on the output of the second model.

(13) An aspect of the present invention is the above estimation device, wherein the first learning data is a set of log data with a small number of occurrences per sequence but a high occurrence probability per sequence. you can

(14) An aspect of the present invention is the above-described estimation device, wherein common data temporally common to second learning data of the second model among the first learning data of the first model exists, the model creation unit may be provided for creating the first model from learning data obtained by excluding the common data from the first learning data.

(15) An aspect of the present invention is the above estimation device, wherein log messages estimated to belong to a plurality of sequences as a result of estimation by the first estimation unit and the second estimation unit are If there is, compare the time difference between log messages included in the log message with the time difference between log messages included in the first model or the second model, and determine the sequence corresponding to the closest model. A sequence determination unit may be provided.

(16) An aspect of the present invention is the above estimating device, wherein the log messages collected by the collecting unit belong to a sequence as a result of the estimation by the first estimating unit and the second estimating unit. If the log message cannot be estimated, an anomaly determination unit that determines an anomaly of the log message may be provided.

(17) An aspect of the present invention is the estimation device described above, wherein the abnormality determination unit estimates that the log messages collected by the collection unit belong to a sequence, but the log messages collected by the collection unit If the time difference between log messages does not match the time difference between log messages included in the first model or the second model, it may be determined that the log message is abnormal.

(18) An aspect of the present invention is a model trained by using a collection unit that collects log messages from a monitored system and a part of the log messages collected by the collection unit as first learning data. a first model that outputs a result of estimating a sequence including a plurality of log messages; a second model that is a learned model and outputs a result of estimating the sequence; a sequence including a plurality of log messages based on the output of the first model, wherein a part of the plurality of log messages collected by the collection unit is input, and based on the output of the first model and a second model trained using log messages other than the part of the log messages among the plurality of log messages as second learning data, the plurality of and a second estimating unit that inputs log messages other than some of the log messages of and estimates a sequence including a plurality of log messages based on the output of the second model. It is an estimation system.

(19) One aspect of the present invention is a step of collecting log messages from a monitored system, and a model trained using some of the collected log messages as first learning data, wherein a plurality of A first model that outputs a result of estimating a sequence including log messages, and a model trained using log messages other than the part of the collected log messages as second learning data, a second model that outputs a result of estimating a sequence; estimating a sequence including a plurality of log messages based on the output of the first model; Log messages other than some of the collected log messages are input to a second model trained using the log messages other than the log messages as the second learning data, and the second model estimating a sequence comprising a plurality of log messages based on the output of .

(20) One aspect of the present invention is a model trained by a computer using a step of collecting log messages from a monitored system and a part of the collected log messages as first learning data, , a first model that outputs a result of estimating a sequence including a plurality of log messages, and a model trained using log messages other than the part of the collected log messages as second learning data. and generating a second model that outputs a result of estimating the sequence.

(21) One aspect of the present invention provides a computer with a step of collecting log data from a system to be monitored; inputting some of the collected log messages and estimating a sequence including the log messages based on the output of the first model; and input log messages other than some of the plurality of collected log messages into a second model trained using log messages other than the part of the log messages as second learning data; estimating a sequence comprising a plurality of log messages based on the output of the second model.

According to one aspect of the present invention, it is possible to detect an unknown anomaly or a complicated anomaly in a monitored system.

FIG. 4 is a diagram showing an example of a log message; FIG. It is a block diagram showing an example of functional composition of sequence estimation system 1 of an embodiment. 4 is a flow chart showing the overall processing procedure of the sequence estimation system 1 in the embodiment; FIG. 10 is a sequence diagram showing an example of a processing procedure of message registration processing; FIG. 4 is a diagram showing an example of a log message; FIG. FIG. 11 is a sequence diagram showing an example of a processing procedure of message classification processing; FIG. 4 is an explanatory diagram showing an example of weighting processing; FIG. 11 is a flowchart showing an example of a processing procedure of message set estimation processing; FIG. FIG. 4 is a diagram for explaining an example of processing for calculating a correlation coefficient; FIG. FIG. 10 is a diagram for explaining automatic estimation processing in message set estimation processing; FIG. 4 is a diagram showing an example of a set of log messages having an inclusion relationship; FIG. FIG. 4 is a diagram showing an example of a set of log messages in a concurrent relationship; 4 is a flowchart showing the entire model creation process; 7 is a flowchart illustrating an example of a processing procedure of learning data collection processing; FIG. 10 is a flowchart showing an example of a processing procedure for creating a normal Markov model and a priority Markov model; FIG. FIG. 10 is a diagram illustrating an example of processing for creating a normal Markov model and a priority Markov model; FIG. 5 is a diagram showing an example of duration values; It is a figure which shows one learning data and several learning data. FIG. 11 is a flowchart showing an example of a processing procedure of processing for creating a priority model; FIG. 7 is a flowchart illustrating an example of a processing procedure of duration value calculation processing; FIG. 11 is a flowchart showing an example of a processing procedure for clustering processing of duration values; FIG. FIG. 7 is a diagram showing an example of clustering processing of duration values; FIG. 5 is a diagram for explaining clustering of duration values in consideration of abnormal values; FIG. 10 is a diagram for explaining processing for increasing the order of a prioritized Markov model; FIG. 10 is a sequence diagram showing an example of sequence estimation processing; FIG. 11 is a sequence diagram showing an example of a processing procedure of sequence estimation processing; FIG. 11 is a flowchart illustrating an example of a processing procedure for creating a conflict-adjusted Markov model; FIG. FIG. 10 is a diagram for explaining an example of processing for creating a conflict-adjusted prioritized Markov model; FIG. 11 is a flowchart illustrating an example of a sequence estimation process procedure for log messages; FIG. FIG. 4 is a diagram for explaining sequence estimation processing using a priority Markov model and a normal Markov model; 9 is a flowchart showing another example of sequence estimation processing; FIG. 10 is a diagram for explaining processing for determining a sequence; FIG. 7 is a flowchart illustrating an example of a processing procedure of abnormality determination processing; 6 is a flowchart showing an example of processing contents of an abnormality determination process;

A learning device and method, an estimation method and method, and a program to which the present invention is applied will be described below with reference to the drawings.

<Overview of Embodiment>
A sequence estimation system of an embodiment is a system that collects log messages from a monitored system and extracts a sequence composed of a plurality of log messages. A sequence estimation system extracts a set of highly related log messages from a large number of log messages output from one or more monitored systems, and uses the extraction results to detect anomalies, identify anomalous locations, etc. Make it available for operations. The sequence estimation system also exposes permutation errors between log messages in the set and makes them available for operation. As a result, the sequence estimation system can improve the accuracy of identifying abnormal locations and reduce the log tracing time required to identify abnormal locations when unknown abnormalities or complex abnormalities that span multiple monitored systems occur. can be shortened.

FIG. 1 is a diagram showing an example of a log message. For example, it is assumed that there are log message group 1, log message group 2, and log message group 3 collected over several days from an arbitrary monitored system or components within the system. It is assumed that the estimation model implemented in the sequence estimation system has learned a "normal sequence" with high relevance among log message groups 1 to 3 from December 21st to 28th. In this normal sequence, the log message "aaaa" included in log message group 1, the log message "bbbbb" included in log message group 2, and the log message "ccccc" included in log message group 3 are chronologically It is a sequence that occurs in permutation. For example, on December 29, the log message "aaaaa" included in log message group 1, the log message "xxxx" included in log message group 2, and the log message "cccccc" included in log message group 3 are displayed chronologically. permutations, the sequence estimation system can detect that the sequence is an "erroneous sequence" that is not normal. Thus, the sequence estimation system can detect unknown abnormal sequences, for example, by learning "normal sequences".
Such a sequence estimation system will be described below.

<First embodiment>
<Configuration of sequence estimation system 1>
FIG. 2 is a block diagram showing an example of the functional configuration of the sequence estimation system 1 of the embodiment. The sequence estimation system 1 includes, for example, one or more monitored systems 100, a data processing device 200, an anomaly detection device 300, and a user terminal device 400. The monitored system 100, the data processing device 200, the anomaly detection device 300, and the user terminal device 400 are connected to, for example, a communication network. Each device connected to the communication network has a communication interface such as a NIC (Network Interface Card) or a wireless communication module (not shown in FIG. 2). Communication networks include, for example, the Internet, WANs (Wide Area Networks), LANs (Local Area Networks), cellular networks, and the like.

The monitored system 100 is an information processing system in which log messages are monitored by a data processing device 200 and an anomaly detection device 300 . The monitored system 100 is, for example, a service server device that provides various services, a network management device that manages the operating states of many network nodes included in the network, and the like. Network nodes are, for example, OS (Operation System), VM (Virtual Machine), HW (Hardware), DC (Data Center), and the like. The monitored system 100 provides log messages to the data processing device 200 according to predetermined triggers. The monitored system 100 may be a server device that operates independently, or may be a group of server devices that operate in cooperation with other server devices.

The data processing device 200 is, for example, a computer implementing OSS (open source software) for log operation. OSS is composed of elements called Elasticsearch, Logstash, and Kibana, for example. The data processing device 200 includes, for example, a format conversion unit 202 configured by Logstash, a data processing unit 204 configured by Elasticsearch, a log data storage unit 206, a detection result storage unit 208, and a visualization unit configured by Kibana. and a section 210 .

Functional units such as the format conversion unit 202, the data processing unit 204, and the visualization unit 210 are implemented by a processor such as a CPU (Central Processing Unit) executing a program stored in a program memory. Some or all of these functional units may be realized by hardware such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), or FPGA (Field-Programmable Gate Array), It may be realized by cooperation of software and hardware. The program may be stored in advance in a storage device (a storage device having a non-transitory storage medium) such as the HDD or flash memory of the data processing device 200, or may be stored in a removable storage such as a DVD or CD-ROM. It is stored in a medium, and may be installed in the HDD or flash memory of the data processing device 200 by loading the storage medium (non-transitory storage medium) into the drive device. The log data accumulation unit 206 and the detection result accumulation unit 208 are, for example, HDD (Hard Disc Drive), flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), ROM (Read Only Memory), RAM (Random Access Memory), etc. It is implemented by a storage device. The graph database storage device 200 and relational database storage device 300 may be realized by, for example, SAN (Storage Area Network) or NAS (Network Attached Storage).

The format conversion unit 202 converts the format of log messages collected from the monitored system 100 into a predetermined format. The data processing unit 204 stores the log message format-converted by the format conversion unit 202 in the log data accumulation unit 206 . The data processing unit 204 retrieves a desired log message from the log data storage unit 206 in response to a request from the anomaly detection device 300 and provides the retrieved log message to the anomaly detection device 300 . The data processing unit 204 stores the sequence estimation result and the abnormality determination result provided from the abnormality detection device 300 in the detection result accumulation unit 208 . The visualization unit 210 converts the sequence estimation result and the abnormality determination result into visualization data that can be browsed by the user, and provides the user terminal device 400 with the visualization data.

The user terminal device 400 is, for example, a terminal device such as a personal computer, a smart phone, or a tablet terminal. The user terminal device 400 receives, for example, an operation by an administrator of the monitored system 100, acquires information about the state and abnormality of the monitored system 100 from the data processing device 200, and performs display processing and the like.

The anomaly detection device 300 is an information processing device that analyzes log messages acquired from the data processing device 200 and provides the data processing device 200 with information based on the analysis results. The anomaly detection device 300 includes, for example, a message registration unit 310 , a learning unit 320 and an estimation unit 330 . Functional units such as the message registering unit 310, the learning unit 320, and the estimating unit 330 are implemented by a processor such as a CPU executing a program stored in a program memory. In this embodiment, an example in which the message registration unit 310 is installed in the anomaly detection device 300 will be described, but the function of the message registration unit 310 may be installed in the data processing device 200 instead of the anomaly detection device 300 .

The message registration unit 310 registers log messages accumulated in the log data accumulation unit 206 as information used for learning processing and estimation processing. The learning unit 320 includes, for example, a message classification unit 322, a message set estimation unit 324, and a model generation unit 326. The message classification unit 322 identifies the type of log message and classifies the log message. The message set estimator 324 estimates a set of log messages. A model creation unit 326 creates a model for estimating a sequence. The estimator 330 includes, for example, a sequence estimator 332 and an abnormality determiner 334 . Sequence estimator 332 estimates a sequence that includes a series of log messages. A series of log messages is, for example, a plurality of chronologically related log messages. The abnormality determination section 334 determines abnormality based on the result estimated by the sequence estimation section 332 . The abnormality detection device 300 provides the data processing device 200 with the sequence estimation result and the abnormality determination result as information based on the analysis result of the abnormality detection device 300 .

<Overall processing of sequence estimation system 1>
FIG. 3 is a flow chart showing the overall processing procedure of the sequence estimation system 1 in the embodiment. The sequence estimation system 1 first registers log messages collected from the monitored system 100 (step S100). At this time, the sequence estimation system 1 adds a time stamp to the log message and registers it. A time stamp is information indicating the time of occurrence of a log message. Next, the sequence estimation system 1 classifies the registered log messages by type (step S200). Next, the sequence estimation system 1 estimates a set of log messages (step S300). Next, the sequence estimation system 1 creates an estimation model (step S400). The processing from step S200 to step S400 corresponds to the learning phase.

Next, the sequence estimation system 1 estimates a sequence (step S500). The sequence estimation process may be started when a predetermined condition such as regular timing or timing when a predetermined amount of log messages is accumulated is met. Next, the sequence estimation system 1 determines abnormality (step S600). Steps S500 and S600 belong to the estimation/detection phase. Note that the sequence estimation system 1 may provide only the sequence extraction result to the data processing device 200 without judging the abnormality of the sequence. Also, the sequence estimation system 1 may change the sequence estimation timing, the abnormality determination timing, the abnormality level, and the like according to the monitored system 100 . Also, the sequence estimation system 1 may execute the learning phase and the estimation/detection phase in parallel using log messages supplied from the monitored system 100 as needed.
Each process from step S100 to step S600 will be described in detail below.

[Message registration process]
FIG. 4 is a sequence diagram illustrating an example of a processing procedure for message registration processing. The anomaly detection device 300 collects log messages from the monitored system 100 . The anomaly detection device 300 may transmit a request to the monitored system 100 and collect log messages in response to the request. First, the anomaly detection device 300 deletes a predetermined parameter from the collected log messages using a regular expression (step S102). Next, the anomaly detection device 300 registers the index part of the log message from which the standard parameters are deleted (step S104). Predetermined parameters are, for example, fixed parameters such as variable parts of log messages, such as word parts containing numbers. By removing the boilerplate parameters from the log messages, we can keep the commonalities between the log messages. This can eliminate duplication between log messages.

FIG. 5 is a diagram showing an example of a log message. As shown in FIG. 5(a), the log message includes numbers representing addresses such as "fa:16:...". , delete the number as a fixed parameter. As a result, the anomaly detection device 300 can redundantly register indexes of two log messages as shown in FIGS. 5(a) and 5(b).

Thereby, the sequence estimation system 1 can reduce the amount of calculation of the clustering method (DBSCAN (Density-Based Spatial Clustering of Applications with Noise)) which is unsupervised learning in message classification processing. That is, the sequence estimation system 1 only needs to process some log messages instead of all log messages, and can shorten the time from the generation of a log message to sequence estimation and abnormality determination. Furthermore, the sequence estimation system 1 may register log messages in the data processing device 200 as middleware. Analytical processing using can be performed quickly.

[Message classification process]
FIG. 6 is a sequence diagram illustrating an example of a processing procedure for message classification processing. First, the anomaly detection device 300 acquires an index list (log message) from the data processing device 200 (step S200). Next, the anomaly detection device 300 converts the index list into a numerical vector by performing weighted processing (step S202). Next, the anomaly detection device 300 clusters the numerical vectors by performing DBSCAN (step S204).

FIG. 7 is an explanatory diagram showing an example of weighting processing. The weighting process is a process of dividing the index into elements of a predetermined length and assigning higher weights to elements closer to the beginning of the index. In other words, the weights differ inversely from the beginning of the index to the end. This weighting process is, for example, a process called n-shingles. Using n-shingles eliminates the need for index morphological analysis and dictionaries, and enables digitization even when different languages are mixed. The reason why the weights are changed in inverse proportion is that the leading portion of the index elements is often important, and the less important elements are often present at the end of the index.

For example, when there is an index "today is fine day" and the window width (element length) is 3, the anomaly detection device 300 detects element 1 "today is" and "day is ” and element 3 “is f”, assigning a weight of “1.0” to element 1, assigning a weight of “0.5” to element 2, and assigning a weight of “0.5” to element 3 A weight of "0.3" is given. As a result, the anomaly detection device 300 converts the index "today is fine day" into a numerical vector (1.0, 0.5, 0, 3). Then, the anomaly detection device 300 can create a matrix of digitized log messages in which numerical values are stored in the corresponding locations of the indexes and the elements. The anomaly detection device 300 classifies a large number of indexes (log messages) into a plurality of types (clusters) by applying DBSCAN using a matrix of numerical vectors.

[Message set estimation process]
The message set estimation process is a process of identifying a set of log messages included in a log message type. Since many log message types appear at the same opportunity, such as a series of actions or anomalies, it is assumed that log messages that appear at the same opportunity form a set. In addition, in the embodiment, "a set of log messages" may be read as "a sequence of log messages". The message set estimation process includes at least one of a type designation process of designating a log message type as a key of a log message set and an automatic estimation process of not designating a key.

FIG. 8 is a flowchart illustrating an example of a processing procedure of message set estimation processing. First, the anomaly detection device 300 determines a target log message X (step S302). When performing the type designation process, the anomaly detection device 300 determines log messages X belonging to two pre-designated log message types as objects to be processed. When performing automatic estimation processing, the anomaly detection device 300 determines log messages X of all log message types as processing targets. The anomaly detection device 300 repeats the processes from step S304 to step S320 by the number of log messages X determined.

First, the anomaly detection device 300 acquires a list of determined occurrence times of log messages X from the data processing device 200 (step S304). Next, the abnormality detection device 300 repeats the bootstrap method from step S306 to step S316 a specified number of times. The specified number of times corresponds to the number of pseudo data created by the bootstrap method. FIG. 9 is a diagram for explaining an example of processing for calculating a correlation coefficient. The anomaly detection device 300 uses the log message X as original data to generate a pseudo data set including, for example, three pseudo data (1) to (3). In this example, the specified number of times is "3", and the correlation coefficient is calculated for each pseudo data.

The anomaly detection device 300 acquires a predetermined number of occurrence times T from the occurrence time list (step S306), and creates a matrix M for calculating correlation coefficients (step S308). Next, the anomaly detection device 300 repeats the processing from step S310 to step S314 for all acquired occurrence times T. FIG. The anomaly detection device 300 acquires the log message Y that appears within a predetermined period from the occurrence time T (step S310), and adds 1 to the corresponding position of the row of the occurrence time T in the matrix M and each column of the log message Y'. 0 is marked (step S312), and 0 is marked in the row corresponding to the occurrence time T in the matrix M and each column other than the log message Y (step S314).

Next, the anomaly detection device 300 uses the matrix M to calculate a correlation coefficient C representing the degree of time-series correlation between the log messages X and Y (step S316). Anomaly detection device 300 calculates correlation coefficients C(1) to C(3) for each of pseudo data (1) to (3) using the following equations. In the following formula, x and y are two log messages X and Y within a predetermined period in pseudo data, n is the number of data, x bar is the arithmetic mean of x, and y bar is the arithmetic mean of y and the correlation coefficient is calculated by dividing the sample covariance by the sample standard deviation.

Next, the anomaly detection device 300 calculates the average value C' of the correlation coefficients C (step S318), and extracts the log message types Z for which the average value C' of the correlation coefficients C is equal to or greater than a predetermined value (step S320). As a result, for each log message X, the anomaly detection device 300 acquires the log message type Z that has a high time-series correlation with the log message X. FIG.

Next, the abnormality detection device 300 determines whether or not the automatic estimation process is being executed from step S302 (step S322). If the anomaly detection device 300 does not execute the automatic estimation process (step S322: NO), the process ends. If the anomaly detection device 300 is executing the automatic estimation process (step S322: YES), the anomaly detection apparatus 300 executes the process of integrating other log message types having an inclusion relationship with the log message type Z for all the log message types Z. (step S324). Next, the anomaly detection device 300 executes processing for integrating other log message types that occur simultaneously with the log message type Z for all log message types Z (step S326).

FIG. 10 is a diagram for explaining automatic estimation processing in message set estimation processing. The anomaly detection device 300 uses the log message included in the log message type to create a pseudo data set using the bootstrap method, and performs correlation coefficient calculation processing using the ensemble method. As a result, the anomaly detection device 300 creates a matrix of correlation coefficients in which the number of rows is the number of log message types and the number of columns is the number of log message types.

The anomaly detection apparatus 300 performs correction because even a set of log messages with a high time-series correlation coefficient includes a set of log messages that substantially overlap. The anomaly detection device 300 corrects sets of log messages having an inclusive relationship to the same log message type. FIG. 11 is a diagram showing an example of a set of log messages having an inclusion relationship. For example, message no. 406 log messages and message numbers. Log message numbers (405, 404, 407) have an inclusion relationship with the set of 418 log messages. A containment relationship is a relationship in which one set of log messages contains another set of log messages. The anomaly detection device 300 corrects (integrates) groups of log messages having an inclusive relationship into the same log message type.

The anomaly detection device 300 corrects sets of log messages that occur simultaneously to have the same log message type. FIG. 12 is a diagram showing an example of a set of log messages having a concurrent relationship. For example, message no. 406 log messages and message numbers. A set of 418 log messages occurred at the same time. A co-occurrence relationship is a relationship between log message sets that occur at the same timing. The anomaly detection device 300 corrects (integrates) groups of log messages that occur simultaneously as the same log message type.

[Model creation process]
FIG. 13 is a flow chart showing the entire model creation process, FIG. 14 is a flow chart showing an example of the processing procedure of the learning data collection process, and FIG. 4 is a flow chart showing an example of a processing procedure;

As shown in FIG. 13, the anomaly detection device 300 first collects learning data (step S400) and creates a model using the learning data (step S402).

As shown in FIG. 14, the anomaly detection device 300 repeats the processing from step S410 to step S416 for the number of message sets in collecting learning data.
The anomaly detection device 300 first calculates a set Y of messages having the same log message type as the target log message set X (step S410). Next, the abnormality detection device 300 acquires the occurrence time of the log message set X and the occurrence time of the log message set Y from the data processing device 200 (step S412). Next, the anomaly detection device 300 extracts an occurrence time T having a predetermined interval before and after the occurrence time acquired in step S412 (step S414). Next, the anomaly detection device 300 uses the log message type belonging to the message set X as an index to extract log messages L within a predetermined time period from the occurrence time T extracted in step S414 (step S416). Thereby, the anomaly detection device 300 collects learning data (L) for each set of messages.

As shown in FIG. 15, the anomaly detection device 300 repeats the processes from step S420 to step S424 for the number of message sets in the model creation process. FIG. 16 is a diagram illustrating an example of processing for creating a normal Markov model and a priority Markov model.
The anomaly detection device 300 first creates a normal Markov model M using a set of log messages L as learning data (step S420). The normal Markov model M includes, for example, log messages forming a sequence and information representing transition probabilities between the log messages. The anomaly detection device 300 inputs the learning data to a Markov model machine learning algorithm and adjusts the parameters of the machine learning algorithm so as to minimize the output error of the machine learning algorithm. Next, the anomaly detection device 300 calculates the duration value of each log message included in the created normal Markov model M (step S422). A duration value is information representing a time difference between log messages. FIG. 17 is a diagram showing an example of duration values. Next, the anomaly detection device 300 creates a priority model using priority messages among the log messages L as learning data (step S424).

FIG. 18 is a diagram showing one learning data and a plurality of learning data. A priority message is a set of log messages with a low number of occurrences per sequence but a high probability of occurrence per sequence. “Log messages with a small number of occurrences per sequence” are log messages that do not occur repeatedly in one set of learning data. A priority message is, for example, a log message with a lower number of occurrences than any of the log messages. A “log message with a high occurrence probability per sequence” is a log message that appears in any learning data (L1, L2, . . . Ln).

As shown in FIG. 16, the anomaly detection device 300 creates a normal Markov model M using a log message L including message groups A, B, C, . . . Create a prioritized Markov model using the prioritized message containing Further, the anomaly detection apparatus 300 repeats the processes from step S420 to step S424 for the number of message sets, thereby creating normal Markov models and priority Markov models for the number of message sets.

(Creation of preferred model)
FIG. 19 is a flowchart of an example of a processing procedure for creating a priority model;
Anomaly detection device 300 repeats the bootstrap method from step S430 to step S434 a predetermined number of times. First, the anomaly detection device 300 extracts a predetermined number of learning data L′ from the learning data L of the target message set X (step S430), Message L'' is extracted (step S432). The anomaly detection device 300 may extract, for example, the message L'' of the log message type with the smallest number of appearances from the learning data L'. Thereby, the anomaly detection device 300 creates a pseudo data set including a plurality of pseudo data by creating pseudo data including the message L'' for each set of a predetermined number of learning data L' (bootstrap method). . Next, the anomaly detection device 300 calculates the appearance probability C of each log message type per one learning data of the learning data L'' (step S434). Thereby, the anomaly detection device 300 acquires the appearance probability C for each pseudo data.

Next, the anomaly detection device 300 calculates the average value C′ of the appearance probability C (step S436), extracts the log message types Z for which the average appearance probability value C′ is equal to or greater than a predetermined value (step S437), and extracts the target log message The message L''' of the log message type Z is extracted from the learning data L of the set X of (step S440). Next, the anomaly detection device 300 calculates AIC from the learning data L''' and creates an n-order Markov model M' from the learning data L''' (step S444). Next, the anomaly detection device 300 calculates the duration value of each log message included in the created Markov model M' (step S446).

(Calculation of duration value)
FIG. 20 is a flowchart illustrating an example of a processing procedure of duration value calculation processing. The anomaly detection device 300 repeats the duration value calculation process from step S450 to step S462 by the number of state transitions of the Markov model M'.

First, the anomaly detection device 300 repeats the processes of steps S450 to S458 a predetermined number of times by the bootstrap method and the ensemble method. The anomaly detection device 300 repeats steps S450 to S454 for the number of days of the learning period as a process of totalizing duration values on a daily basis. First, the anomaly detection device 300 extracts the duration value of the target day in the target state transition from the learning data (step S450), and clusters the duration values (step S452). Next, the anomaly detection device 300 extracts a predetermined number of duration values C from each cluster of duration values (step S454). Next, the anomaly detection device 300 clusters the set of duration values C (step S456). Next, the anomaly detection device 300 discards the clusters whose duration value is equal to or less than a predetermined number among the clusters with the duration value C (step S458).

Next, the anomaly detection device 300 clusters the set of duration values C' (step S460), and calculates the average and deviation of the clusters of duration values C' (step S462).

(Clustering of duration values)
FIG. 21 is a flowchart illustrating an example of a procedure for clustering processing of duration values. First, the anomaly detection device 300 determines whether or not the stop condition is satisfied. , into two sets of duration values (D1 and D2) (step S472). Next, the anomaly detection device 300 recursively clusters the duration values of each of the divided sets of duration values (step S474). The anomaly detection device 300 repeatedly divides the set of duration values into two and recursively clusters each divided set of duration values until the stop condition is satisfied. Thereby, the anomaly detection device 300 can generate clusters of a plurality of duration values.

FIG. 22 is a diagram illustrating an example of duration value clustering processing. For example, it is assumed that there are a plurality of duration values from 1 to 1010 [μsec], and the stop conditions are CV<0.5 and Z<1. CV is the coefficient of variation, where the coefficient of variation is deviation σ/mean μ, and Z is the maximum divergence from the mean (max|x−μ|/σ). The anomaly detection device 300 divides the plurality of duration values into two duration value sets (D1, D2), further divides the duration value set D1 into two duration value sets (D11, D12), The duration value set D11 is further divided into two duration value sets (D111, D112), and the duration value set D12 is further divided into two duration value sets (D121, D122). As a result, the anomaly detection device 300 can be divided into clusters of five duration values. As a result, the anomaly detection device 300 can generate clusters that satisfy the stop condition even if the number of clusters is not set before processing.

It should be noted that the duration value clustering process may be any process other than the above-described clustering process using k-means as long as clustering can be performed based on a plurality of conditions such as duration value magnitude and variation. For example, duration values of 1000 msec and 1010 msec may be treated as the same cluster, and duration values of 1 msec and 10 msec may generate separate clusters.

(Elimination of abnormal duration values)
FIG. 23 is a diagram for explaining clustering of duration values in consideration of abnormal values. It is desirable that the anomaly detection device 300 perform processing for excluding anomalous duration values. After clustering the duration values aggregated on a daily basis as described above, the anomaly detection device 300 corrects the number of samples in each cluster in the entire learning period to a predetermined number by the bootstrap method. Next, when the anomaly detection device 300 combines the number of samples of each cluster on a daily basis, the duration values that occur frequently during the learning period are increased, and the duration values that occur less frequently during the learning period are accumulated less. The anomaly detection device 300 determines to truncate a duration value that accumulates less than a predetermined threshold among the combined duration values. As a result, the anomaly detection device 300 can eliminate the duration values to be rounded down from the daily duration values. As a result, the abnormality detection device 300 can create a cluster of duration values consisting of normal values by excluding duration values that occur less frequently over the learning period as abnormal values. In order to eliminate abnormal values from duration values with high accuracy, anomaly detection device 300 performs a process of correcting daily duration values to a predetermined number, a process of accumulating duration values during a learning period, and a predetermined It is desirable to perform a process of truncating duration values that are less than a threshold.

Abnormal duration values may occur in bursts, so it is desirable to determine whether or not the duration value is abnormal based on the number of occurrences per day rather than the total number of times during the learning period. However, since the duration value is a continuous value, even if an attempt is made to determine an abnormal value by setting a threshold value for the duration value, the abnormal value cannot be accurately eliminated. Therefore, as described above, by comparing the number of occurrences of duration values clustered on a daily basis during the learning period, it is possible to eliminate duration values with a small number of occurrences on a daily basis as abnormal values. Further, the abnormality detection device 300 can improve the accuracy of the duration value by repeating the above-described processing a plurality of times.

(Higher-order Markov model)
FIG. 24 is a diagram for explaining the process of increasing the order of the prioritized Markov model.
Although the known simple Markov model estimates the next log message considering the log message one before, the anomaly detection device 300 considers the log message two or more before in order to improve the estimation accuracy. A higher order Markov model may be created to estimate the log message. However, if a high-order Malcolm model is applied in place of the simple Markov model, the estimation accuracy may drop. In particular, when the length of the sequence estimated from the message set is considerably long, deterioration of estimation accuracy is likely to occur. Therefore, the anomaly detection device 300 limits the range of order enhancement and performs partial enhancement processing in which only the priority Markov model is enhanced.

The anomaly detection device 300 uses the priority message to perform higher-order Markov model creation processing. The anomaly detection device 300 selects the order k using the AIC (Akaike Information Criterion) of the following formula and creates a k-order Markov model. In the following formula, kηm is the likelihood ratio statistics expressed as "-2 × (LLk-LLm)", and LLk (log likelihood for k-order markov chain) is the k order Markov chain , LLm (log likelihood for m-order markov chain) is the log likelihood for m-order markov chain, and S ^m −S ^k (S−1) is the likelihood ratio test statistic ( likelihood ratio test statistics), and S is the original number of states. . As a result, the anomaly detection device 300 can stably obtain high estimation accuracy even if the length of the sequence is long.

[Sequence estimation process]
FIG. 25 is a sequence diagram illustrating an example of sequence estimation processing.
The monitored system 100 transmits a log message to the data processing device 200, and as described above, the data processing device 200 removes the part including the number from the log message using a regular expression (step S502), and extracts the index of the log message. is registered (step S504). The data processing device 200 transmits to the registered index anomaly detection device 300, the anomaly detection device 300 estimates the sequence using the index of the log message (step S506), and sends the sequence value indicating the sequence to the data processing device 200. Send. Thereby, the data processing device 200 can provide the user terminal device 400 with information representing the sequence value and information about the sequence.

FIG. 26 is a sequence diagram illustrating an example of a processing procedure of sequence estimation processing. The anomaly detection device 300 first retrieves the log message (step S510) and estimates the sequence. Sequence estimation is performed using Markov models in the order of either competitively adjusted prior Markov models or non-competitively adjusted prior Markov models, usually Markov models. The conflict-adjusted Markov model will be described later.

First, the anomaly detection device 300 creates either a conflict-adjusted prioritized Markov model or a conflict-unadjusted prioritized Markov model (step S512), and estimates a log message (step S513). The anomaly detection apparatus 300 repeats the creation of the conflict-adjusted prioritized Markov model and the estimation of the log messages for the number of log messages extracted in step S510. Note that when conflict-adjusted prioritized Markov models are not used, conflict-adjusted prioritized Markov models need not be created. The anomaly detection device 300 repeats the sequence for several minutes of the log messages using either the conflict-adjusted prioritized Markov model or the non-conflict-adjusted prioritized Markov model, and estimates the sequence using the normal Markov model. is repeated for several minutes to estimate the sequence.

FIG. 27 is a flowchart illustrating an example of a processing procedure for creating a conflict-adjusted Markov model. First, the anomaly detection device 300 determines whether or not there is a common message, which is a log message close in time, between the learning data of the normal Markov model and the learning data of the priority Markov model (step S520). If there is no common message (step S520: NO), the abnormality detection device 300 ends the process of this flowchart, and if there is a common message (step S520: YES), it performs the process of step S522. In step S522, the anomaly detection device 300 removes common messages from the learning data. Next, the anomaly detection device 300 creates a priority Markov model using the learning data excluding the common data (step S524).

FIG. 28 is a diagram for explaining an example of processing for creating a conflict-adjusted prioritized Markov model. For example, it is assumed that the priority Markov model is trained with the priority messages contained in the set X of log messages, and the normal Markov model is trained with the set Y of log messages. As described above, the anomaly detection device 300 estimates the sequence by the normal Markov model after estimating the sequence by the priority Markov model.

However, when log message set X and log message set Y overlap in time as shown in FIG. There is a log message M that is not included in the priority message Y' of . In this case, the log messages M are biased towards the set X of log messages. Therefore, the anomaly detection device 300 creates a priority Markov model by excluding the common message M from the priority messages for the set X of log messages and the set Y of log messages. That is, the anomaly detection device 300 creates a conflict-adjusted prioritized Markov model using the common messages M′ obtained by excluding the common messages M from the prioritized messages X′ included in the message set X. The common message M' is obtained by removing the common log message M included in the difference between the log message set Y and the priority message Y' included in the log message set Y from the priority message X' included in the log message set X. is the log message. As described above, according to the anomaly detection device 300, it is possible to prevent log messages that are close in time from being biased toward priority messages of one set of log messages.

It is preferable to create a conflict-adjusted prioritized Markov model when estimating a sequence without creating a conflict-adjusted prioritized Markov model when creating a Markov model. This is because when the Markov model is created, the process of determining whether or not sets of log messages occur at timings close to each other is not performed. This is because, if it is determined at the time of creating a Markov model that the log message used to create another Markov model is close in time, priority messages will decrease and the sequence estimation accuracy of the priority Markov model will decrease. .

FIG. 29 is a flowchart illustrating an example of a sequence estimation process procedure for log messages. First, the anomaly detection device 300 determines whether or not the sequence of the target log message has been estimated (step S530), and if the sequence of the target log message has been estimated, the processing of this flowchart ends. (Step S530: YES). If the sequence of the log message has not been estimated (step S530: NO), the anomaly detection device 300 detects the state transition of the Markov model for the target log message x before the log message x in chronological order. is extracted (step S532). Next, in step S532, the anomaly detection device 300 determines whether or not there is a candidate for the log message y (step S534). If there is a candidate for log message y (step S534: YES), anomaly detection device 300 gives log message x the same sequence value as log message y (step S536). If there is no candidate for log message y (step S534: NO), anomaly detection device 300 extracts the log message that is temporally closest to log message x, and assigns the same sequence value as the extracted log message to log message x. is given (step S538).

FIG. 30 is a diagram for explaining sequence estimation processing using a priority Markov model and a normal Markov model.
The anomaly detection device 300 divides the extracted set of log messages into priority messages and log messages other than priority messages. The anomaly detection device 300 inputs the priority message only to the priority Markov model and estimates the sequence included in the priority message. Next, the anomaly detection device 300 inputs the log messages other than the priority messages into the normal Markov model, and estimates the sequences included in the log messages other than the priority messages. Thereby, the anomaly detection device 300 can acquire the sequence estimation result by the priority Markov model and the sequence estimation result by the normal Markov model.

FIG. 31 is a flowchart illustrating another example of sequence estimation processing. The anomaly detection device 300 may use the duration value to perform auxiliary sequence estimation. The anomaly detection device 300 refers to the sequence estimation result, searches for log messages with multiple sequence values, and determines whether or not there is a log message with multiple sequence candidates (step S540). If there is no log message to which multiple sequence values have been assigned (step S540: NO), anomaly detection device 300 terminates the sequence estimation process.

If there is a log message with a plurality of sequence values (step S540: YES), the anomaly detection device 300 compares the duration value of the log message with the duration value of the Markov model (step S542). The anomaly detection device 300 calculates duration values for state transitions between log messages included in the estimated sequence, and calculates duration values and durations in a plurality of Markov models corresponding to each of the plurality of estimated sequence values. Compare with value. The anomaly detection device 300 determines the sequence value corresponding to the Markov model having the duration value closest to the sequence value of the log message (step S544).

FIG. 32 is a diagram for explaining the sequence determination process. For example, assume that a group of messages (sequence S1) arranged in order of log messages m11, m12, and m13 is estimated to be sequence S2 and sequence S3. In this case, anomaly detection device 300 calculates duration values d11 and d12 of sequence S1, and the difference between calculated d11 and d12 and duration values d21 and d22 of sequence S2 is the duration of calculated d11 and d12 and sequence S3. It is judged to be larger than the difference between the values d31 and d32. As a result, the anomaly detection device 300 can estimate that the message group (sequence S1) is the sequence S3.

[Abnormality judgment processing]
FIG. 33 is a flowchart illustrating an example of a processing procedure for abnormality determination processing. The anomaly detection device 300 repeats the anomaly determination process (step S610) for the number of log messages X to which the sequence value is assigned by the sequence estimation process. The abnormality detection device 300 writes an abnormality flag in the detection result accumulation unit 208 in association with the log message X determined to be abnormal by the abnormality determination process (step S612).

FIG. 34 is a flowchart illustrating an example of processing contents of abnormality determination processing. The anomaly detection device 300 determines whether the target log message X matches any one Markov model of the priority Markov model and the normal Markov model (step S610). If so (step S610: YES), it is determined whether or not they match the duration value (step S612).

If the anomaly detection device 300 does not match any one of the priority Markov model and the normal Markov model (step S610: NO), the anomaly detection device 300 sets the anomaly flag for the target log message X to ON (step S614). . If the duration value in the matched Markov model does not match the duration value between log messages having the same sequence value as the target log message X (step S612: NO), the anomaly detection device 300 is set to ON (step S614).

<Effects of Embodiment>
As described above, according to the sequence estimation system 1 of the first embodiment, the collection units (200, 300) that collect log messages from the monitoring target system 100 and some of the log messages collected by the collection unit A prioritized Markov model that is trained using log messages as first learning data and outputs a result of estimating a sequence that includes a plurality of log messages, and some of the log messages collected by the collection unit and a model generator 326 that generates a normal Markov model that outputs a result of estimating a sequence, which is a model learned using log messages other than the log messages as second learning data. be able to. According to this sequence estimation system 1, by performing sequence estimation using a priority Markov model and a normal Markov model, it is possible to detect log messages related to unknown anomalies and complex anomalies in the monitored system.

According to the sequence estimation system 1, as priority messages (first learning data), priority Markov Models can be created. According to the sequence estimation system 1, it is possible to estimate a sequence including log messages that do not occur repeatedly in one log message group but appear in any log message group.

According to the sequence estimation system 1, since the index is processed and registered by deleting a predetermined parameter from the collected log messages, for example, it is possible to delete information that is less related to the type of the log message, such as numerical values. can. According to this sequence estimation system 1, the amount of processing such as clustering of log messages for model creation can be suppressed.

According to the sequence estimation system 1, log messages registered as registered indexes are classified into types, a set of log messages including the types of the classified log messages is estimated, and a priority Markov model is applied to the estimated log messages. , and a normal Markov model is trained on a non-portion of the set of estimated log messages, thereby creating a prioritized Markov model and a normal Markov model.

According to the sequence estimation system 1, the index is divided into a plurality of elements, the index is vectorized by assigning a higher weight to the element closer to the beginning of the index, and the vectorized index is selected from among a plurality of log message types. categorized into one of the log message types. As a result, according to the sequence estimation system 1, morphological analysis of log messages and dictionaries can be eliminated, and vectorization is possible even when different languages are mixed. Furthermore, according to the sequence estimation system 1, vectorization can be performed by utilizing the property that the leading portion of the index element is often important, and the less important element is often present at the end of the index.

According to the sequence estimating system 1, the message set estimating unit generates a plurality of pseudo message groups using log message groups belonging to each designated log message type among the log message types classified by the message classifying unit, Based on a plurality of time-series correlation coefficients calculated for a plurality of pseudo message groups, it is estimated that the log messages belonging to the specified log message type are the same set of log messages. According to the sequence estimation system 1, by calculating the time-series correlation coefficient by combining the bootstrap method and the ensemble method, it is possible to estimate a set of time-series correlated log messages with high accuracy, Also, the correlation coefficient of log messages can be calculated with high stability. Furthermore, since the number of pseudo data can be made the same by using the bootstrap method, it is possible to easily compare the correlation coefficients.

According to the sequence estimation system 1, the message set estimation unit generates a plurality of pseudo message groups using log message groups belonging to each log message type among all log message types classified by the message classification unit. Based on multiple time-series correlation coefficients calculated for the pseudo-message group, it is estimated that the log messages belonging to the log message type are the same set of log messages, and the inclusion of the estimated log message set Merge log messages for each other's log message types in a relationship or co-occurrence relationship. According to the sequence estimation system 1, even if the designation (key) of the type of log message is unknown, it is possible to estimate a set of log messages correlated in chronological order with high accuracy. A message correlation coefficient can be calculated, and furthermore, according to the sequence estimation system 1, it is possible to correct log message types that overlap each other in containment or co-occurrence relation.

According to the sequence estimation system 1, the model generator can cluster time differences between log messages included in the priority Markov model and cluster time differences between log messages included in the normal Markov model. As a result, the sequence estimation system 1 can use the time difference between the clustered log messages when estimating the sequence, and the sequence can be estimated with high accuracy.

According to the sequence estimation system 1, clustering (division) of time differences between log messages is repeated until predetermined conditions are satisfied in consideration of the magnitude and variation of time differences between log messages. . According to the sequence estimation system 1, when it is desired to perform clustering considering multiple conditions (magnitude and variation of values) regarding the time difference between log messages, clusters satisfying predetermined conditions are generated without first setting the number of clusters. can do.

According to the sequence estimation system 1, after clustering the time difference between log messages in units of a predetermined period, the number of data included in each cluster in the period in which learning data is included is corrected to the same number, and the number of data in clusters in units of a predetermined period. Eliminate outliers from the time difference between clustered log messages based on the combined results. According to the sequence estimation system 1, for example, the time difference between log messages with the smallest value in the combined result can be eliminated as an abnormal value. As a result, the sequence estimation system 1 can cluster time differences between log messages containing only normal values, and can increase the accuracy of time differences between log messages.

According to the sequence estimation system 1, the model generating unit increases the order of the priority Markov model by estimating it based on the log message two or more previous log messages, and does not increase the order of the normal Markov model. By the way, if the Malcolm model's higher order is applied to both the priority Markov model and the normal Markov model, the estimation accuracy may be degraded. In particular, when the length of the sequence estimated from the message set is long, deterioration of estimation accuracy is likely to occur. Therefore, the sequence estimation system 1 limits the range of order enhancement, and enhances only the priority Markov model (partial enhancement). Thereby, the sequence estimation system 1 can stably obtain high estimation accuracy even when the sequence length is long.

According to the sequence estimation system 1, a collection unit that collects log messages from the monitored system 100, and a priority Markov model trained using some of the log messages of the learning data as the first learning data are stored in the collected multiple input a part of the log messages, estimate a sequence including a plurality of log messages based on the output of the prioritized Markov model, and replace the log messages other than the first learning data among the learning data with the second Log messages other than some of the collected log messages are input to the normal Markov model trained as training data for the normal Markov model, and based on the output of the normal Markov model, a sequence containing multiple log messages to estimate According to the sequence estimation system 1, by performing sequence estimation using the priority Markov model and the normal Markov model, it is possible to detect log messages related to unknown anomalies and complex anomalies in the monitored system.

According to the sequence estimation system 1, when there is common data that is temporally common to the second learning data of the normal Markov model among the first learning data, learning data obtained by excluding the common data from the first learning data to create a prioritized Markov model. According to the sequence estimation system 1, it is possible to avoid biasing the common message to the priority Markov model.

According to the sequence estimation system 1, when there are log messages estimated to belong to a plurality of sequences as a result of estimation by the priority Markov model and the normal Markov model, the time difference between the log messages included in the log messages and , the time difference between log messages contained in the preferred Markov model or the normal Markov model, and determine the sequence corresponding to the closest model. According to the sequence estimation system 1, sequence estimation can be completed even when estimation is performed using a plurality of Markov models.

According to the sequence estimation system 1, when it cannot be estimated that a collected log message belongs to a sequence as a result of estimation by the priority Markov model and the normal Markov model, it is possible to determine that the log message is abnormal.

According to the sequence estimation system 1, if the collected log messages are inferred to belong to a sequence, but the time difference between log messages does not match the time difference between log messages contained in the prioritized Markov model or the normal Markov model, Abnormality of the log message can be determined.

Although each embodiment and modifications have been described, these are only examples and are not limited to these. A section may be combined with one or more other embodiments or one or more other modifications to realize one aspect of the present invention.

A program for executing each process of the data processing device 200 and the abnormality detection device 300 in this embodiment is recorded in a computer-readable recording medium, and the program recorded in the recording medium is read into the computer system. The above-described various processes related to the user terminal device 100 and the data processing device 200 may be performed by setting and executing.

Note that the “computer system” referred to here may include hardware such as an OS and peripheral devices. The "computer system" also includes the home page providing environment (or display environment) if the WWW system is used. In addition, "computer-readable recording medium" means writable non-volatile memory such as flexible disk, magneto-optical disk, ROM, flash memory, portable medium such as CD-ROM, hard disk built in computer system, etc. storage device.

Furthermore, "computer-readable recording medium" means a volatile memory (e.g., DRAM (Dynamic
Random Access Memory)), which holds a program for a certain period of time. Also, the program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium.

Here, the "transmission medium" for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the program may be for realizing part of the functions described above. Further, it may be a so-called difference file (difference program) that can realize the above-described functions in combination with a program already recorded in the computer system.

1 sequence estimation system 100 monitoring target system 200 data processing device 202 format conversion unit 204 data processing unit 206 log data storage unit 208 detection result storage unit 210 visualization unit 300 anomaly detection device 310 message registration unit 320 learning unit 322 message classification unit 324 message Set estimating unit 326 Model creating unit 330 Estimating unit 332 Sequence estimating unit 334 Abnormality determining unit 400 User terminal device

Claims (21)

a collector that collects log messages from the monitored system;
a first model trained by using some of the log messages collected by the collection unit as first learning data, the first model outputting a result of estimating a sequence including a plurality of log messages; a second model trained by using log messages other than the part of the log messages collected by the collection unit as second learning data, the second model outputting a result of estimating the sequence; a model generator that generates
A learning device comprising: The first learning data is a set of log data with a small number of occurrences per sequence but a high probability of occurrence per sequence.
A learning device according to claim 1. 3. The learning device according to claim 1, further comprising a registration unit that processes and registers an index by deleting a predetermined parameter from the log messages collected by the collection unit. a message classification unit that classifies log messages registered as indexes by the registration unit into types;
a message set estimating unit for estimating a set of log messages including the types of the log messages classified by the message classifying unit;
The first model is trained on a part of a set of log messages estimated by the message set estimating unit, and the second model is trained on a set of log messages estimated by the message set estimating unit. learned outside of some
4. A learning device according to claim 3. The message classifying unit divides the index registered by the registering unit into a plurality of elements, and vectorizes the index by assigning a higher weight to an element closer to the beginning of the index, and divides the vectorized index into a plurality of elements. Classify into one of the log message types of
5. The learning device according to claim 4. The message set estimating unit generates a plurality of pseudo message groups using log message groups belonging to each of the log message types specified among the log message types classified by the message classifying unit, and the plurality of pseudo message groups estimating that the log messages belonging to the specified log message type are the same set of log messages based on a plurality of time-series correlation coefficients calculated for
5. The learning device according to claim 4. The message set estimating unit generates a plurality of pseudo message groups using log message groups belonging to each log message type among all log message types classified by the message classifying unit. Based on the calculated multiple time-series correlation coefficients, it is estimated that the log messages belonging to the log message type are the same set of log messages, and the inclusive relationship or co-occurrence of the estimated set of log messages is determined. Integrate the log messages of each related log message type,
5. The learning device according to claim 4. The model generation unit
clustering time differences between log messages included in the first model;
clustering time differences between log messages included in the second model;
A learning device according to any one of claims 1 to 7. The clustering of the time differences between log messages repeatedly divides the time differences between a plurality of log messages until a predetermined condition is satisfied in consideration of the magnitude and variation of the time differences between the log messages.
9. A learning device according to claim 8. The clustering of the time difference between log messages is performed by clustering the time difference between log messages in units of a predetermined period, correcting the number of data contained in each cluster in the period containing the learning data to the same number, and clustering the clusters in units of the predetermined period. Eliminate outliers from the time difference between clustered log messages based on the combined results of the data counts;
10. A learning device according to claim 8 or 9. The model generation unit increases the order of the first model by estimating the log message based on the log message two or more years ago, and does not increase the order of the second model.
A learning device according to any one of claims 1 to 10. a collector that collects log messages from the monitored system;
inputting some of the plurality of log messages collected by the collecting unit into a first model trained using some of the log messages of the learning data as first learning data; a first estimator for estimating a sequence containing a plurality of log messages based on the output of the model of
A second model trained using log messages other than the first learning data among the learning data as second learning data, other than some log messages among the plurality of log messages collected by the collecting unit. a second estimator for inputting log messages of and estimating a sequence containing a plurality of log messages based on the output of the second model;
An estimator, comprising: The first learning data is a set of log data with a small number of occurrences per sequence but a high probability of occurrence per sequence.
The estimation device according to claim 12. When there is common data temporally common to the second learning data of the second model among the first learning data of the first model, the common data is excluded from the first learning data A model creation unit that creates the first model from learning data,
The estimation device according to claim 12 or 13. When there are log messages estimated to belong to a plurality of sequences as a result of estimation by the first estimation unit and the second estimation unit, the time difference between the log messages included in the log messages, and the A sequence determination unit that compares the time difference between log messages included in the first model or the second model and determines the sequence corresponding to the closest model;
The estimating device according to any one of claims 12 to 14. an abnormality determination unit that determines an abnormality in the log message when it cannot be estimated that the log message collected by the collection unit belongs to a sequence as a result of the estimation by the first estimation unit and the second estimation unit; prepare
The estimating device according to any one of claims 12 to 15. The anomaly determination unit estimates that the log messages collected by the collection unit belong to a sequence, but the time difference between the log messages collected by the collection unit does not match the first model or the second model. 17. The estimating device according to claim 16, wherein if the time difference between the log messages contained in the log messages does not match, it is determined that the log message is abnormal. a collector that collects log messages from the monitored system;
a first model trained by using some of the log messages collected by the collection unit as first learning data, the first model outputting a result of estimating a sequence including a plurality of log messages; a second model trained by using log messages other than the part of the log messages collected by the collection unit as second learning data, the second model outputting a result of estimating the sequence; a model generator that generates
A first model trained using some log messages of a plurality of log messages as first learning data, wherein some of the plurality of log messages collected by the collecting unit are input. , a first estimator for estimating a sequence comprising a plurality of log messages based on the output of the first model;
Some of the plurality of log messages collected by the collecting unit are stored in a second model trained using log messages other than the some of the plurality of log messages as second learning data. a second estimator that inputs log messages other than
A sequence estimation system comprising: collecting log messages from the monitored system;
A first model trained using some of the collected log messages as first learning data, the first model outputting a result of estimating a sequence containing a plurality of log messages, and the collected log messages. generating a second model that is trained using log messages other than the part of the log messages as second learning data and that outputs a result of estimating the sequence;
A first model trained by using some log messages of a plurality of log messages as first learning data, wherein some of the collected log messages are input, and the first model estimating a sequence containing a plurality of log messages based on the output of the model of
log messages other than the part of the collected log messages to a second model trained using log messages other than the part of the plurality of log messages as second learning data; and estimating a sequence containing a plurality of log messages based on the output of the second model;
A sequence estimation method comprising: to the computer,
collecting log messages from the monitored system;
A first model trained using some of the collected log messages as first learning data, the first model outputting a result of estimating a sequence containing a plurality of log messages, and the collected log messages. generating a second model that is trained using log messages other than the part of the log messages as second learning data and that outputs a result of estimating the sequence;
The program that causes the to run. to the computer,
collecting log data from the monitored system;
A first model trained by using some log messages of a plurality of log messages as first learning data, wherein some of the collected log messages are input, and the first model estimating a sequence containing a plurality of log messages based on the output of the model of
log messages other than the part of the collected log messages to a second model trained using log messages other than the part of the plurality of log messages as second learning data; and estimating a sequence containing a plurality of log messages based on the output of the second model;
The program that causes the to run.

Images