面向云数据中心多语法日志通用异常检测机制

doi:10.7544/issn1000-1239.2020.20190875

计算机研究与发展 ›› 2020, Vol. 57 ›› Issue (4): 778-790.doi: 10.7544/issn1000-1239.2020.20190875

所属专题： 2020数据驱动网络专题

面向云数据中心多语法日志通用异常检测机制

张圣林¹,李东闻¹,孙永谦¹,孟伟彬^2,3,4,张宇哲¹,张玉志¹,刘莹^3,4,裴丹^2,4

¹(南开大学软件学院天津 300350);²(清华大学计算机科学与技术系北京 100084);³(清华大学网络科学与网络空间研究院北京 100084);⁴(北京信息科学与技术国家研究中心北京 100084) (zhangsl@nankai.edu.cn)

出版日期: 2020-04-01
基金资助:
国家重点研发计划项目(2018YFB0204304)

Unified Anomaly Detection for Syntactically Diverse Logs in Cloud Datacenter

Zhang Shenglin¹, Li Dongwen¹, Sun Yongqian¹, Meng Weibin^2,3,4, Zhang Yuzhe¹, Zhang Yuzhi¹, Liu Ying^3,4, Pei Dan^2,4

¹(College of Software, Nankai University, Tianjin 300350);²(Department of Computer Science and Technology, Tsinghua University, Beijing 100084);³(Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084);⁴(Beijing National Research Center for Information Science and Technology, Beijing 100084)

Online: 2020-04-01
Supported by:
This work was supported by the National Key Research and Development Plan of China (2018YFB0204304).

摘要/Abstract

摘要： 得益于自然语言处理和机器学习方法的快速发展，基于日志对云数据中心软硬件系统进行自动异常检测变得越来越流行.无监督学习方法不需要标记异常日志，但通常存在准确性较低、仍需标注大量正常日志的问题.尽管有监督学习方法的准确性较高，但由于不同软硬件系统产生不同类型的、语法各异的日志，导致有监督学习方法需要为每一类型日志标注足够多的异常日志以训练相应的异常检测模型，这极大地增加了标注异常日志的人力成本.与此同时，不同类型日志在发生异常时往往具有相同或相似的语义.因此，提出了一种跨日志类型的通用异常检测机制——LogMerge.该机制通过学习多语法日志的语义相似性，可实现日志异常模式的跨日志类型迁移，从而大大减少了异常标注开销.LogMerge采用词嵌入方法先后构建单词和模板的向量，然后使用聚类方法将语义相同或相近的模板聚成一类，解决了不同类型日志语法不同带来的挑战.此外，LogMerge结合CNN与LSTM方法构建异常检测模型，既有效提取了日志序列的前后依赖性，又显著降低了日志序列中噪声带来的影响.使用公开日志数据集的实验表明，相比于当前的有监督学习方法和无监督学习方法，LogMerge取得了更高的准确性.实验还验证了LogMerge能够显著减少异常标注工作量——在目标类型日志异常标注较少时，依然能够取得较高的准确性.

关键词: 日志, 异常检测, 云数据中心, 词嵌入, CNN, LSTM

Abstract: Benefit from the rapid development of natural language processing and machine learning methods, log based automatic anomaly detection is becoming increasingly popular for the software and hardware systems in cloud datacenters. Current unsupervised learning methods, requiring no labelled anomalies, still need to obtain a large number of normal logs and generally suffer from low accuracy. Although current supervised learning methods are accurate, they need much labelling efforts. This is because the syntax of different types of logs generated by different software/hardware systems varies greatly, and thus for each type of logs, supervised methods need sufficient anomaly labels to train its corresponding anomaly detection model. Meanwhile, different types of logs usually have the same or similar semantics when anomalies occur. In this paper, we propose LogMerge, which learns the semantic similarity among different types of logs and then transfers anomaly patterns across these logs. In this way, labelling efforts are reduced significantly. LogMerge employs a word embedding method to construct the vectors of words and templates, and then utilizes a clustering technique to group templates based on semantics, addressing the challenge that different types of logs are different in syntax. In addition, LogMerge combines CNN and LSTM to build an anomaly detection model, which not only effectively extracts the sequential feature of logs, but also minimizes the impact of noises in logs. We have conducted extensive experiments on publicly available datasets, which demonstrates that compared with the current supervised/unsupervised learning methods, LogMerge achieves higher accuracy. Moreover, LogMerge achieves high accuracy when there are few anomaly labels in the target type of logs, which therefore significantly reduces labelling efforts.

Key words: syslog, anomaly detection, cloud datacenter, word embedding, CNN, LSTM

中图分类号:

TP391

张圣林, 李东闻, 孙永谦, 孟伟彬, 张宇哲, 张玉志, 刘莹, 裴丹. 面向云数据中心多语法日志通用异常检测机制[J]. 计算机研究与发展, 2020, 57(4): 778-790.

Zhang Shenglin, Li Dongwen, Sun Yongqian, Meng Weibin, Zhang Yuzhe, Zhang Yuzhi, Liu Ying, Pei Dan. Unified Anomaly Detection for Syntactically Diverse Logs in Cloud Datacenter[J]. Journal of Computer Research and Development, 2020, 57(4): 778-790.

	作者相关文章
	张圣林
	李东闻
	孙永谦
	孟伟彬
	张宇哲
	张玉志
	刘莹
	裴丹

[1]	古天龙, 冯旋, 李龙, 包旭光, 李云辉. 基于社会新闻数据集的伦理行为判别方法[J]. 计算机研究与发展, 2021, 58(2): 253-263.
[2]	胡超文, 邬昌兴, 杨亚连. 基于扩展的S-LSTM的文本蕴含识别[J]. 计算机研究与发展, 2020, 57(7): 1481-1489.
[3]	陈波, 陆游游, 蔡涛, 陈游旻, 屠要峰, 舒继武. 一种分布式持久性内存文件系统的一致性机制[J]. 计算机研究与发展, 2020, 57(3): 660-667.
[4]	陈游旻, 朱博弘, 韩银俊, 屠要峰, 舒继武. 一种持久性内存文件系统数据页的混合管理机制[J]. 计算机研究与发展, 2020, 57(2): 281-290.
[5]	吴尚宇, 谢婧雯, 王毅. 面向键值存储的日志结构合并树优化技术[J]. 计算机研究与发展, 2020, 57(11): 2432-2441.
[6]	张晗,郭渊博,李涛. 结合GAN与BiLSTM-Attention-CRF的领域命名实体识别[J]. 计算机研究与发展, 2019, 56(9): 1851-1858.
[7]	林欣,田鑫,季怡,徐云龙,刘纯平. 一种残差置乱上下文信息的场景图生成方法[J]. 计算机研究与发展, 2019, 56(8): 1721-1730.
[8]	王海涛,李战怀,张晓,赵晓南. 一种基于LSM树的键值存储系统性能优化方法[J]. 计算机研究与发展, 2019, 56(8): 1792-1802.
[9]	叶静,邹博伟,洪宇,沈龙骧,朱巧明,周国栋. 汉语否定与不确定覆盖域检测[J]. 计算机研究与发展, 2019, 56(7): 1506-1516.
[10]	张龙,王劲松. SDN中基于信息熵与DNN的DDoS攻击检测模型[J]. 计算机研究与发展, 2019, 56(5): 909-918.
[11]	席亮,王勇,张凤斌. 基于自适应人工鱼群FCM的异常检测算法[J]. 计算机研究与发展, 2019, 56(5): 1048-1059.
[12]	王海涛,李战怀,张晓,卜海龙,孔兰昕,赵晓南. 基于历史数据的虚拟机资源分配方法[J]. 计算机研究与发展, 2019, 56(4): 779-789.
[13]	黄继鹏,史颖欢,高阳. 面向小目标的多尺度Faster-RCNN检测算法[J]. 计算机研究与发展, 2019, 56(2): 319-327.
[14]	陈兴蜀, 陈佳昕, 金鑫, 葛龙. 云环境基于系统调用向量空间的进程异常检测[J]. 计算机研究与发展, 2019, 56(12): 2684-2693.
[15]	韩东明,郭方舟,潘嘉铖,郑文庭,陈为. 面向时序数据异常检测的可视分析综述[J]. 计算机研究与发展, 2018, 55(9): 1843-1852.

面向云数据中心多语法日志通用异常检测机制

Unified Anomaly Detection for Syntactically Diverse Logs in Cloud Datacenter

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价