Log Anomaly Detection Method Based on CNN-BiLSTM Model

doi:10.19678/j.issn.1000-3428.0061750

Abstract

Abstract: At present, the field of log anomaly detection has difficulties such as large data volume, high concealment of faults and attack threats, and complex feature engineering of traditional methods.The rapid research and development of deep learning provides new ideas for solving these problems.Here we propose to combine Convolutional Neural Network(CNN) and Bi-LSTM. The superior CNN-BiLSTM deep learning model not only considers the significant time series characteristics of the log key, but also takes into account the spatial location characteristics of the log parameters, and uses the splicing mapping method to perform feature fusion processing to avoid mutual inundation to the greatest extent, which is feasible in analyzing model complexity After the performance, based on the Hadoop log HDFS data set, comparing CNN and Bi-LSTM to verify the superior CNN-BiLSTMassification effect of the CNN-BiLSTM model, reaching about 91% log anomaly detection accuracy, and reaching 94% detection accuracy on the WC98_day Web log data set. Verify the good generalization ability of the CNN-BiLSTM model, and finally analyze the importance of word embedding and fully connected layer structure in the CNN-BiLSTM model through ablation experiments.

Key words: log anomaly detection, deep learning, feature fusion, generalization ability, ablation experiment

摘要： 目前日志异常检测领域存在数据量大、故障和攻击威胁隐蔽性高、传统方法特征工程复杂等困难，研究卷积神经网络（CNN）、循环神经网络等迅速发展的深度学习技术，能够为解决这些问题提供新的思路。提出结合CNN和双向长短时记忆循环神经网络（Bi-LSTM）优势的CNN-BiLSTM深度学习模型，在考虑日志键显著时间序列特征基础上，兼顾日志参数的空间位置特征，通过拼接映射方法进行最大程度避免特征淹没的融合处理。在此基础上，分析模型复杂度，同时在Hadoop日志HDFS数据集上进行实验，对比支持向量机（SVM）、CNN和Bi-LSTM验证CNN-BiLSTM模型的分类效果。分析和实验结果表明，CNN-BiLSTM达到平均91%的日志异常检测准确度，并在WC98_day网络日志数据集上达到94%检测准确度，验证了模型良好的泛化能力，与SVM CNN和Bi-LSTM相比具有更优的检测性能。此外，通过消融实验表明，词嵌入和全连接层结构对于提升模型准确率具有重要作用。

关键词: 日志异常检测, 深度学习, 特征融合, 泛化能力, 消融实验

CLC Number:

TP319

SUN Jia, ZHANG Jianhui, BU Youjun, CHEN Bo, HU Nan, WANG Fangyu. Log Anomaly Detection Method Based on CNN-BiLSTM Model[J]. Computer Engineering, 2022, 48(7): 151-158,167.

孙嘉, 张建辉, 卜佑军, 陈博, 胡楠, 王方玉. 基于CNN-BiLSTM模型的日志异常检测方法[J]. 计算机工程, 2022, 48(7): 151-158,167.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0061750

http://www.ecice06.com/EN/Y2022/V48/I7/151

Figures/Tables 12

References

[1] AGOSTI M, CRIVELLARI F, DI NUNZIO G M.Web log analysis:a review of a decade of studies about information acquisition, inspection and interpretation of user interaction[J].Data Mining and Knowledge Discovery, 2012, 24(3):663-696.
[2] HE S L, ZHU J M, HE P J, et al.Experience report:system log analysis for anomaly detection[C]//Proceedings of the 27th International Symposium on Software Reliability Engineering.Washington D.C., USA:IEEE Press, 2016:207-218.
[3] KRIZHEVSKY A, SUTSKEVER I, HINTON G E.ImageNet classification with deep convolutional neural networks[J].Communications of the ACM, 2017, 60(6):84-90.
[4] MIKOLOV T, KARAFIA T M, BURGET L, et al.Recurrentneural network based language model[C]//Proceedings of 2010 Conference of the International Speech Communication Association.Makuhari, Japan:[s.n.], 2010:1045-1048.
[5] GOLOVIN D, SOLNIK B, MOITRA S, et al.Google Vizier:a service for black-box optimization[C]//Proceedings of the 23rd ACM SIGKDD International Conference.New York, USA:ACM Press, 2017:1-10.
[6] MENG W B, LIU Y, ZHU Y C, et al.LogAnomaly:unsupervised detection of sequential and quantitative anomalies in unstructured logs[EB/OL].[2021-04-10].https://blog.csdn.net/qq_37660745/article/details/108471442.
[7] YUAN Y L, SRIKANT ADHATARAO S, LIN M K, et al.ADA:adaptive deep log anomaly detector[C]//Proceedings of IEEE Conference on Computer Communications.Washington D.C., USA:IEEE Press, 2020:2449-2458.
[8] DU M, LI F F, ZHENG G N, et al.DeepLog:anomaly detection and diagnosis from system logs through deep learning[C]//Proceedings of 2017 ACM SIGSAC Conference on Computer and Communications Security.New York, USA:ACM Press, 2017:1-10.
[9] HASHEMI S, MÄNTYLÄ M.OneLog:towards end-to-end training in software log anomaly detection[EB/OL].[2021-04-10].https://arxiv.org/abs/2104.07324.
[10] 梅御东, 陈旭, 孙毓忠, 等.一种基于日志信息和CNN-text的软件系统异常检测方法[J].计算机学报, 2020, 43(2):366-380. MEI Y D, CHEN X, SUN Y Z, et al.A method for software system anomaly detection based on log information and CNN-text[J].Chinese Journal of Computers, 2020, 43(2):366-380.(in Chinese)
[11] DUAN S F, ZHAO H.Attention is all You need for Chinese word segmentation[C]//Proceedings of 2020 Conference on Empirical Methods in Natural Language Processing.Stroudsburg, USA:Association for Computational Linguistics, 2020:1-10.
[12] HUANG S H, LIU Y, FUNG C, et al.HitAnomaly:hierarchical transformers for anomaly detection in system log[J].IEEE Transactions on Network and Service Management, 2020, 17(4):2064-2076.
[13] GUO Y C, WEN Y J, JIANG C W, et al.Detecting log anomalies with multi-head attention(LAMA)[EB/OL].[2021-04-10].https://arxiv.org/abs/2101.02392.
[14] NEDELKOSKI S, BOGATINOVSKI J, ACKER A, et al.Self-attentive classification-based anomaly detection in unstructured logs[C]//Proceedings of 2020 IEEE International Conference on Data Mining.Washington D.C., USA:IEEE Press, 2020:1196-1201.
[15] MIKOLOV T, SUTSKEVER I, CHEN K, et al.Distributed representations of words and phrases and their compositionality[C]//Proceedings of the 26th Advances in Neural Information Processing Systems.New York, USA:Curran Associates, 2013:3111-3119.
[16] ZHENG J.A novel computer-aided multi-label emotion recognition of text method based on word embedding and BiLSTM[C]//Proceedings of International Informatization and Engineering Associations.[S.l.]:Computer Science and Electronic Technology International Society, 2019:10.
[17] 王勇, 李战怀, 张阳.基于序列关联规则挖掘的Web日志预测精度研究[J].计算机工程, 2006, 32(12):39-41. WANG Y, LI Z H, ZHANG Y.Mining sequential association rule for improving Web document prediction[J].Computer Engineering, 2006, 32(12):39-41.(in Chinese)
[18] 任肖肖.基于多源报警日志的网络安全威胁态势感知关键技术研究[D].郑州:解放军信息工程大学, 2014. REN X X.Research on crucial technologies of network security threat situation awareness based on multi-source alerts[D].Zhengzhou:PLA Information Engineering University, 2014.(in Chinese)
[19] YANG J, YANG J Y, ZHANG D, et al.Feature fusion:parallel strategy vs.serial strategy[J].Pattern Recognition, 2003, 36(6):1369-1381.
[20] SUN Q S, ZHONG J, HENG P A, et al.A novel feature fusion method based on partial least squares regression[C]//Proceedings of ICAPR'05.Berlin, Germany:Springer, 2005, 268-277.
[21] WEI X, LING H, ARMANDO F, et al.Detecting large-scale system problems by mining console logs[C]//Proceedings of 2009 ACM Symposium on Operating Systems Principles.New York, USA:ACM Press, 2009:117-132.
[22] SHI C Y, XU C J, YANG X J.Study of TFIDF algorithm[J].Journal of Computer Applications, 2009, 29(s1):167-180.

Please choose a citation manager

Content to export