loganomaly unsupervised detection of sequential and
play

LogAnomaly: Unsupervised Detection of Sequential and Quantitative - PowerPoint PPT Presentation

Oct 05, 2023 •2.31k likes •2.58k views

LogAnomaly: Unsupervised Detection of Sequential and Quantitative Anomalies in Unstructured Logs Weibin Meng , Ying Liu, Yichen Zhu, Shenglin Zhang, Dan Pei Yuqing Liu, Yihao Chen, Ruizhi Zhang, Shimin Tao, Pei Sun and Rong Zhou 2019/9/10 1

  1. LogAnomaly: Unsupervised Detection of Sequential and Quantitative Anomalies in Unstructured Logs Weibin Meng , Ying Liu, Yichen Zhu, Shenglin Zhang, Dan Pei Yuqing Liu, Yihao Chen, Ruizhi Zhang, Shimin Tao, Pei Sun and Rong Zhou 2019/9/10 1 Weibin Meng

  2. Internet Services The number of Internet provide Stability of services services is growing various types of are becoming rapidly services more important Traffic will increase more than three times 400 396 300 319 254 200 201 156 100 122 0 2017 2018 2019 2020 2021 2022 Source: Cisco VNI Global IP 2019/9/10 2 Weibin Meng

  3. Anomaly Detection ■ Anomalies will impact revenue and user experience. ■ Anomaly detection plays an important role in service management. 2019/9/10 3 Weibin Meng

  4. Logs for Anomaly Detection ■ Logs are one of the most valuable data for anomaly detection Diverse General ■ Logs record a vast range of ■ Every service and device runtime information generates logs Types Timestamps Detailed messages Switch Jul 10 19:03:03 Interface te-1/1/59, changed state to down Unstructured RAS KERNEL INFO 87 L3 EDRAM error(s) (dcr 0x0157) detected and Supercomputer Jun 4 6:45:50 corrected over 27362 seconds logs INFO dfs.DataNode$PacketResponder: PacketResponder 1 for block blk_- HDFS Jun 8 13:42:26 1608999687919862906 terminating Neighbour(rid:10.231.0.43, addr:10.231.39.61) on vlan23, changed state Router Jul 11 11:05:07 from Exchange to Loading 2019/9/10 4 Weibin Meng

  5. Logs for Anomaly Detection scenario pattern detection A single log can reflect an Single log Keywords & anomaly. anomaly Regular expressions e.g., “ power down ” The number of multiple logs Quantitative Logs changes can reflect anomalies. Anomalies e.g., num(down) != num(up) Based on log sequence The sequence of multiple logs Sequential changes can reflect anomalies. Anomalies e.g., OSPF failed to start Our work focus on log sequence anomaly detection 2019/9/10 5 Weibin Meng

  6. Manual Detection Not all anomalies are An operator has The explosion of logs explicitly displayed incomplete information • e.g., 10T/day in Huawei • Some anomalies hide in log of the overall system sequence. Automatically detect anomalies based on unstructured logs Workflow of OSPF (a network protocol) startup : Quantitative relationship of Interface flapping : Down → Attempt → Init → Two-way→ Exstart → Exchange → Loading → Full num(interface down) = num(interface up) Runtime logs: Runtime logs : OSPF ADJCHG, Nbr 1.1.1.1 on FastEthernet0/0 from Attempt to Init Line protocol on Interface ae3, changed state to down OSPF ADJCHG, Nbr 1.1.1.1 on FastEthernet0/0 from Init to Two-way Interface ae3, changed state to down Interface ae3, changed state to up OSPF ADJCHG, Nbr 1.1.1.1 on FastEthernet0/0 from Two-way to Exstart OSPF ADJCHG, Nbr 1.1.1.1 on FastEthernet0/0 from Two-way to Exstart An interface down event Every log is normal, occurs but OSPF failed to start 2019/9/10 6 Weibin Meng

  7. Previous studies ■ Existing log anomaly detection : Quantitative anomalies detection methods Sliding/session windows ■ Quantitative pattern based methods ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 Count Matrix T 1 , T 2 , T 3 , T 1 , T 4 v 1 v 2 v 3 v 4 ■ Sequential pattern based methods C j 1 1 1 0 PreFix(SIGMETRIS’18)PCA(SOSP’09) C j+1 1 1 1 0 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 C j+2 1 0 1 1 T 1 , T 2 , T 3 , T 1 , T 4 C j+3 1 0 1 1 Only comparing template indexes loses the • ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 Templates (log keys) : Logs: LogCluster (ICSE’16) IM(ATC’10) T 1 . Interface *, changed state to down T 1 , T 2 , T 3 , T 1 , T 4 L 1 . Interface ae3, changed state to down T 2 . Vlan-interface *, changed state to down information hidden in template semantics L 2 . Vlan-interface vlan22, changed state to down T 3 . Interface *, changed state to up L 3 . Interface ae3, changed state to up. T 4 . Vlan-interface *, changed state to up L 4 . Interface ae1, changed state to down Logs -> Template indexes : L 5 . Vlan-interface vlan22, changed state to up Sliding/session windows L 1 ->T 1 , L 2 ->T 2 , L 3 ->T 3 L 6 . Interface ae1, changed state to up L 4 ->T 1 , L 5 ->T 4 , L 6 ->T 3 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 sequence next Log template index sequence : T 1 , T 2 , T 3 , T 1 , T 4 T 1 , T 2 , T 3 , T 1 , T 4 , T 3 v 1 [ v 1 v 2 v 3 ] ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 [ v 2 v 3 v 1 ] v 4 T 1 , T 2 , T 3 , T 1 , T 4 [ v 3 v 1 v 4 ] v 3 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 ∆𝑢 DeepLog (CCS’17) T 1 , T 2 , T 3 , T 1 , T 4 Sequential anomalies detection methods 2019/9/10 7 Weibin Meng

  8. Challenges Valuable information could be lost if only log Services can generate template index is used. new log templates Some templates are similar in between semantics but different in two re-trainings indexes Existing methods cannot Existing approaches cannot detect sequential and address this problem quantitative anomalies simultaneously. 2019/9/10 8 Weibin Meng

  9. Overview of LogAnomaly 𝐰 (% & ) 𝐰 (% &'( ) 𝐰 (% &',-( ) … Match Template Historical Template sequence logs Vector LSTM Sequence Vector Attention 𝐰 (% &', ) sequence Synonyms& Extract Count LSTM Antonyms Vector An anomaly template2Vec 𝐃 +.01/ 𝐃 + 𝐃 +./ … detection Word Template Templates system based Vectors Vectors Model template2Vec template2Vec on Classification Offline learning unstructured Online detection logs Temporary Existing Temporary Vectors Vectors Templates Update Template Vector Real-time Comparison Output sequence sequence Match logs 2019/9/10 9 Weibin Meng

  10. Template Representation 𝐰 (% & ) 𝐰 (% &'( ) 𝐰 (% &',-( ) … Match Template Historical Template sequence logs Vector LSTM Sequence Vector Attention 𝐰 (% &', ) sequence Synonyms& Extract Count LSTM Antonyms Vector template2Vec 𝐃 +.01/ 𝐃 + 𝐃 +./ … Address the Word Template first Templates Vectors Vectors Model challenge and template2Vec template2Vec Classification Offline learning save template semantics. Online detection Temporary Existing Temporary Vectors Vectors Templates Update Template Vector Real-time Comparison Output sequence sequence Match logs 2019/9/10 10 Weibin Meng

  11. Template Representations Goals Insights ■ Some existing templates have similar ■ Convert log templates to “soft ” semantics representations ■ Some logs containing antonyms look similar ■ Takes antonyms and synonyms into but have opposite semantics consideration Logs: Templates : 1.Interface ae3, changed state to down 1 .Interface *, changed state to down 2.Vlan-interface vlan22, changed state to down 2.Vlan-interface *, changed state to down 3.Interface ae3, changed state to up 3. Interface *, changed state to up 4.Vlan-interface vlan22, changed state to up 4.Vlan-interface *, changed state to up 5.Interface ae1, changed state to down 6.Vlan-interface vlan20, changed state to down Logs>Templates: 7.Interface ae1, changed state to up L1->T1 L2->T2 L3->T3 L4->T4 8.Vlan-interface vlan20, changed state to up L5->T1 L6->T2 L7->T3 L8->T4 2019/9/10 11 Weibin Meng

  12. Template2Vec ■ template2Vec : ( template representation method) 1. Construct the set of synonyms and antonyms Combine domain knowledge and WordNet • 2. Generate word vectors by using dLCE [1] algorithm dLCE is a distributional lexical-contrast embedding model • 3. Calculate template vectors. Syns&Ants Word vectors Adding Synonyms Antonyms (2) Interface [x1,…,xn] Relations Word pairs methods … … Interface Vlan-interface down up down low WordNet changed [x1,…,xn] … … … … Synonyms (3) (1) Templates Template vectors Interface port Operators T 1 Interface * changed state to up V1 [x1,…,xn] (3) DOWN UP WordNet … … … … Antonyms T n+1 Interface * changed state to up [x1,…,xn] powerDown powerOn Operators Vn+1 [1] Kim Anh Nguyen, Sabine Schulte, and Ngoc Thang Vu. Integrating distributional lexical contrast into word embeddings for antonym-synonym 2019/9/10 distinction. arXiv preprint arXiv:1605.07766 , 2016. 12 Weibin Meng

  13. Template Approximation 𝐰 (% & ) 𝐰 (% &'( ) 𝐰 (% &',-( ) … Match Template Historical Template sequence logs Vector LSTM Sequence Vector Attention 𝐰 (% &', ) sequence Synonyms& Extract Count LSTM Antonyms Vector template2Vec 𝐃 +.01/ A mechanism 𝐃 + 𝐃 +./ … to address Word Template Templates Vectors Vectors Model new templates template2Vec template2Vec at runtime Classification Offline learning Online detection Temporary Existing Temporary Vectors Vectors Templates Update Template Vector Similarity Real-time Output sequence sequence comparison Match logs 2019/9/10 13 Weibin Meng

  14. Template Approximation Between two re-trainings ■ Extract a temporary template for the log of a new type ■ Map the temporary template vector into one of the existing vector Word Template Templates Vectors Vectors offline online Existing Temporary Temporary Vectors Vectors Templates Template Approximation Real-time Between Two Consecutive Trainings logs 2019/9/10 14 Weibin Meng

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Sequential techniques for Hypothesis testing & Change detection George V. Moustakides

Sequential techniques for Hypothesis testing & Change detection George V. Moustakides

Sequential techniques for Hypothesis testing & Change detection George V. Moustakides University of Patras Outline Sequential hypothesis testing The Sequential Probability Ratio Test (SPRT) for optimum hypothesis testing

393 views • 27 slides
Asynchronous random sampling for decentralized detection Georgios Fellouris , Columbia

Asynchronous random sampling for decentralized detection Georgios Fellouris , Columbia

Asynchronous random sampling for decentralized detection Georgios Fellouris , Columbia University, NY, USA George V. Moustakides , University of Patras, Greece Outline Sequential hypothesis testing and SPRT Sequential change detection and

943 views • 24 slides
Anomaly Detection and Categorization Using Unsupervised Deep Learning S6340 Thursday 7 th April

Anomaly Detection and Categorization Using Unsupervised Deep Learning S6340 Thursday 7 th April

Anomaly Detection and Categorization Using Unsupervised Deep Learning S6340 Thursday 7 th April 2016 GPU Technology Conference A. Stephen McGough , Noura Al Moubayed, Jonathan Cumming, Eduardo Cabrera, Peter Matthews, Toby P . Breckon, Ed

599 views • 29 slides
Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan Li , Wenxiao Chen, Dan Pei Department of Computer Science and Technology Tsinghua University November 18, 2018 1/37 Table of Contents 1 Background

573 views • 41 slides
Nonparametric Sequential Change Detection for High-Dimensional Problems Yasin Ylmaz Electrical

Nonparametric Sequential Change Detection for High-Dimensional Problems Yasin Ylmaz Electrical

Nonparametric Sequential Change Detection for High-Dimensional Problems Nonparametric Sequential Change Detection for High-Dimensional Problems Yasin Ylmaz Electrical Engineering, University of South Florida Allerton 2017 Nonparametric

580 views • 26 slides
Sequential Attention-based Detection of Semantic Incongruities from EEG While Listening to Speech

Sequential Attention-based Detection of Semantic Incongruities from EEG While Listening to Speech

Sequential Attention-based Detection of Semantic Incongruities from EEG While Listening to Speech Nara Institute of Science and Technology, Japan Shunnosuke Motomura Hiroki Tanaka Satoshi Nakamura /xx 1 Background: Assessment of sentences

242 views • 13 slides
Sequential Detection and Isolation of a Correlated Pair Anamitra Chaudhuri Department of

Sequential Detection and Isolation of a Correlated Pair Anamitra Chaudhuri Department of

Sequential Detection and Isolation of a Correlated Pair Anamitra Chaudhuri Department of Statistics University of Illinois, Urbana-Champaign Joint work with Georgios Fellouris 2020 IEEE International Symposium on Information Theory Los

806 views • 29 slides
FraudVis : Understanding Unsupervised Fraud Detection Algorithms Jiao Sun 1 , Qixin Zhu 1 , Zhifei

FraudVis : Understanding Unsupervised Fraud Detection Algorithms Jiao Sun 1 , Qixin Zhu 1 , Zhifei

FraudVis : Understanding Unsupervised Fraud Detection Algorithms Jiao Sun 1 , Qixin Zhu 1 , Zhifei Liu 1 , Xin Liu 1 , Jihae Lee 1 , Lei Shi 2 , Zhigang Su 3 , Ling Huang 1 and Wei Xu 1 1 Institute of Interdisciplinary Information Sciences ,

288 views • 16 slides
Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico

Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico

Unsupervised scene adaptation for faster multi-scale pedestrian detection Speaker Federico Bartoli 1 Giuseppe Lisanti 1 , Svebor Karaman 1 , Andrew D. Bagdanov 2 and Alberto Del Bimbo 1 1 MICC (Media Integration and Communication Center) -

311 views • 19 slides
Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection

Memristor Based Autoencoder for Unsupervised Real-Time Network Intrusion and Anomaly Detection Md. Shahanur Alam, B. Rasitha Fernando, Yassine Jaoudi, Chris Yakopcic, Raqibul Hasan, Tarek M. Taha, and Guru Subramanyam Dept. Of Electrical and

428 views • 19 slides
Magnifying (unknown) rare clusters to increase the chance of detection, using unsupervised

Magnifying (unknown) rare clusters to increase the chance of detection, using unsupervised

Magnifying (unknown) rare clusters to increase the chance of detection, using unsupervised learning Erzsbet Mernyi Department of Statistics and Department of Electrical and Computer Engineering Rice University, Houston, Texas E. Mernyi,

541 views • 32 slides
Unstructured Sequential Change Detection in Sensor Networks Grigory Sokolov Department of

Unstructured Sequential Change Detection in Sensor Networks Grigory Sokolov Department of

Unstructured Sequential Change Detection in Sensor Networks Grigory Sokolov Department of Mathematics University of Southern California Los Angeles, California United States of America gsokolov@usc.edu Joint work with Georgios Fellouris

299 views • 25 slides
Unsupervised, Fast and Precise Recognition of Digital Arcs in Noisy Images T. P . NGUYEN, B.

Unsupervised, Fast and Precise Recognition of Digital Arcs in Noisy Images T. P . NGUYEN, B.

Introduction Arc segmentation Unsupervised Noise Detection A framework for arc recognition along noisy curves Experimentations Conclusions and futur work Unsupervised, Fast and Precise Recognition of Digital Arcs in Noisy Images T. P .

550 views • 51 slides
Simultaneous and sequential detection of multiple interacting change points Long Nguyen

Simultaneous and sequential detection of multiple interacting change points Long Nguyen

Simultaneous and sequential detection of multiple interacting change points Long Nguyen Department of Statistics University of Michigan Joint work with Ram Rajagopal (Stanford University) 1 Introduction Statistical inference in the

786 views • 39 slides
THE MAGIC OF UNSUPERVISED LEARNING Agustinus Nalwan Head of AI Carsales.com.au A LITTLE BIT

THE MAGIC OF UNSUPERVISED LEARNING Agustinus Nalwan Head of AI Carsales.com.au A LITTLE BIT

THE MAGIC OF UNSUPERVISED LEARNING Agustinus Nalwan Head of AI Carsales.com.au A LITTLE BIT ABOUT MYSELF AI 4 Years SAVING OUR FOREST BUSHFIRE DETECTION BACK TO THE MAIN TOPIC THE MAGIC OF UNSUPERVISED LEARNING SUPERVISED LEARNING

1.11k views • 82 slides
Ne NetBouncer uncer: A : Act ctiv ive D e Device and ice and Link Failure Lo Li

Ne NetBouncer uncer: A : Act ctiv ive D e Device and ice and Link Failure Lo Li

Ne NetBouncer uncer: A : Act ctiv ive D e Device and ice and Link Failure Lo Li Localization in Data Ce Center r Netw twork orks Presented by Akash Kulkarni Problems that may occur in Data Center Routing misconfigurations

670 views • 22 slides
IPv6 route lookup performance and scaling Michal Kubeek SUSE Labs mkubecek@suse.cz

IPv6 route lookup performance and scaling Michal Kubeek SUSE Labs mkubecek@suse.cz

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) IPv6 route lookup performance and scaling Michal Kubeek SUSE Labs mkubecek@suse.cz Proceedings of NetDev 1.1: The Technical

420 views • 25 slides
Topology Inference from BGP Routing Dynamics David Andersen, Nick Feamster, Steve Bauer, Hari

Topology Inference from BGP Routing Dynamics David Andersen, Nick Feamster, Steve Bauer, Hari

Topology Inference from BGP Routing Dynamics David Andersen, Nick Feamster, Steve Bauer, Hari Balakrishnan MIT Laboratory for Computer Science October 2002 http://nms.ls.mit.edu/ron/ Current Topologies: AS Topologies AT&T MIT BBN

639 views • 20 slides
PromCon 2019 Fun and profit with Alertmanager Simon Pasquier (@SimonHiker), November 7, 2019

PromCon 2019 Fun and profit with Alertmanager Simon Pasquier (@SimonHiker), November 7, 2019

PromCon 2019 Fun and profit with Alertmanager Simon Pasquier (@SimonHiker), November 7, 2019 Prometheus Who am I? Software engineer working at Red Hat Alertmanager & consul_exporter maintainer Prometheus Alerting craft

575 views • 34 slides
Multipath TCP How one little change can make: Google more robust your iPhone service

Multipath TCP How one little change can make: Google more robust your iPhone service

Multipath TCP How one little change can make: Google more robust your iPhone service cheaper your home broadband quicker prevent the Internet from melting down enable remote brain surgery cure hyperbole Prof. Mark Handley

1.13k views • 48 slides
LHCnet: Proposal for LHC Network infrastructure extending globally to Tier2 and Tier3 sites

LHCnet: Proposal for LHC Network infrastructure extending globally to Tier2 and Tier3 sites

LHCnet: Proposal for LHC Network infrastructure extending globally to Tier2 and Tier3 sites Artur Barczyk, Harvey Newman California Institute of Technology / US LHCNet LHCT2S Meeting CERN, January 13 th , 2011 1 THE PROBLEM TO SOLVE 2 LHC

668 views • 39 slides
Goals of this lecture After this lecture you should be able to Basic network events

Goals of this lecture After this lecture you should be able to Basic network events

HELSINKI UNIVERSITY OF TECHNOLOGY HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmki, Lic.Sc. (Tech.) Timescales of different events Measuring network with packets: This course focuses Resource allocation primarily on packet delay,loss,

315 views • 7 slides
CS 598: Network Security Matthew Caesar January 29, 2013 1 Why secure data centers?

CS 598: Network Security Matthew Caesar January 29, 2013 1 Why secure data centers?

Lecture 3: Data Center and Enterprise Network Security CS 598: Network Security Matthew Caesar January 29, 2013 1 Why secure data centers? Consolidation brings many benefits Easier management, statistical multiplexing

1.51k views • 103 slides

More recommend