Zhang Shenglin, Li Dongwen, Sun Yongqian, Meng Weibin, Zhang Yuzhe, Zhang Yuzhi, Liu Ying, Pei Dan. Unified Anomaly Detection for Syntactically Diverse Logs in Cloud Datacenter[J]. Journal of Computer Research and Development, 2020, 57(4): 778-790. DOI: 10.7544/issn1000-1239.2020.20190875

Unified Anomaly Detection for Syntactically Diverse Logs in Cloud Datacenter

Funds: This work was supported by the National Key Research and Development Plan of China (2018YFB0204304).
  • Published Date: March 31, 2020
  • Benefiting from the rapid development of natural language processing and machine learning methods, log-based automatic anomaly detection is becoming increasingly popular for the software and hardware systems in cloud datacenters. Current unsupervised learning methods, which require no labelled anomalies, still need a large number of normal logs and generally suffer from low accuracy. Current supervised learning methods are accurate, but they need much labelling effort. This is because the syntax of the logs generated by different software/hardware systems varies greatly, so for each type of log, supervised methods need sufficient anomaly labels to train the corresponding anomaly detection model. Meanwhile, different types of logs usually have the same or similar semantics when anomalies occur. In this paper, we propose LogMerge, which learns the semantic similarity among different types of logs and then transfers anomaly patterns across these logs. In this way, labelling effort is reduced significantly. LogMerge employs a word embedding method to construct the vectors of words and templates, and then uses a clustering technique to group templates based on semantics, addressing the challenge that different types of logs differ in syntax. In addition, LogMerge combines CNN and LSTM to build an anomaly detection model, which not only effectively extracts the sequential features of logs but also minimizes the impact of noise in logs. We have conducted extensive experiments on publicly available datasets, which demonstrate that, compared with current supervised/unsupervised learning methods, LogMerge achieves higher accuracy. Moreover, LogMerge achieves high accuracy when there are few anomaly labels in the target type of logs, which significantly reduces labelling effort.
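
The label-transfer idea in the abstract, as an added sketch that is not code from the paper or its authors: templates from two syntactically different log types are embedded as the mean of their word vectors, and an unlabelled target template inherits the label of a semantically close source template. The word vectors, templates, threshold and the nearest-match rule (standing in for the paper's clustering step) are assumptions constructed for illustration; the CNN+LSTM sequence model is not shown.

```python
import math
import re

# Constructed toy word vectors (assumption). Axes: network object,
# failure(+)/recovery(-), user session. A real system learns these from logs.
WORD_VEC = {
    "interface": (1.0, 0.0, 0.0), "port": (0.9, 0.0, 0.1), "link": (0.9, 0.1, 0.0),
    "down": (0.0, 1.0, 0.0), "lost": (0.1, 0.9, 0.0),
    "up": (0.0, -1.0, 0.0), "restored": (0.0, -0.9, 0.1),
    "session": (0.0, 0.0, 1.0), "user": (0.0, 0.0, 1.0),
}

def template_vector(template):
    """Mean of the known word vectors; wildcards and unknown words are skipped."""
    vecs = [WORD_VEC[w] for w in re.findall(r"[a-z]+", template.lower()) if w in WORD_VEC]
    if not vecs:
        return (0.0, 0.0, 0.0)
    return tuple(sum(axis) / len(vecs) for axis in zip(*vecs))

def cosine(a, b):
    # A zero vector (no known words) has no direction, so similarity is 0.
    norm = math.hypot(*a) * math.hypot(*b)
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

def transfer_labels(labelled_source, target_templates, threshold=0.8):
    """Give each target template the label of its most similar source template,
    or 'needs_label' when nothing is semantically close enough."""
    result = {}
    for tmpl in target_templates:
        vec = template_vector(tmpl)
        best_label, best_sim = "needs_label", threshold
        for src, label in labelled_source.items():
            sim = cosine(vec, template_vector(src))
            if sim >= best_sim:
                best_label, best_sim = label, sim
        result[tmpl] = best_label
    return result

# Constructed templates: labelled switch logs (source), unlabelled server logs (target).
SOURCE = {
    "Interface <*> changed state to down": "anomaly",
    "Interface <*> changed state to up": "normal",
}
TARGET = ["link lost on port <*>", "port <*> link restored",
          "session opened for user <*>", "fan <*> rpm reading <*>"]

if __name__ == "__main__":
    for tmpl, label in transfer_labels(SOURCE, TARGET).items():
        print(f"{label:12} {tmpl}")
```

Templates that fall below the threshold are the ones that would still need manual labels in the target log type.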