Deep Log Sequence Analysis For System Anomaly Detection

Posted on: 2022-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: L D Zhang
Full Text: PDF
GTID: 2518306335971959
Subject: Computer application technology
Abstract/Summary:
As one of the active tasks in the field of system anomaly detection, log sequence anomaly detection aims to detect system exceptions by analyzing, learning from and summarizing structured log event templates. For system anomaly detection, a log sequence is classified into one of two categories, normal or abnormal. When the characteristics of the log sequence conform to normal operation, it is judged as normal; otherwise, it is judged as abnormal. In recent years, with the extensive application of deep learning in system anomaly detection and other fields, deep-learning-based log sequence anomaly detection methods have been able to model and analyze log sequences automatically, without relying on complex feature engineering, and have achieved good results. However, these methods do not make effective use of the relationships between the log events in a log sequence, extract only a relatively narrow set of effective features, and cannot effectively mine the deeper relationships in the log sequence. In addition, as the sequence length increases, the model produces long dependence, which makes the output of the network decline with the sequence length, and the model cannot adapt to new log patterns. To solve these problems, this paper takes deep learning as its main line and improves the anomaly detection model by using the original log parser and feature extractor. This paper mainly covers the following two aspects of research work:

(1) To address the problem that deep learning methods cannot make full use of the relationships between log events and cannot effectively mine the deeper relationships in a log sequence, this paper proposes a log sequence anomaly detection model based on Bi-LSTM-CRF and a multi-head attention mechanism. First, the model uses a Bi-LSTM network to learn the temporal characteristics between log sequences and is optimized with the dropout algorithm to avoid overfitting the data. Moreover, the memory state of each layer of the Bi-LSTM network is reset, which improves the anomaly detection ability of the Bi-LSTM network model. Second, the model combines the Bi-LSTM network with a CRF and feeds the results of the Bi-LSTM model into the CRF, which can effectively use the preceding and following tags to detect the current log event. Finally, a multi-head attention mechanism is added, and softmax is used to complete the classification of the log sequence and give the final result.

(2) To address the problem of how to handle longer log sequences reasonably and how to adapt to new log patterns, this paper proposes a log sequence anomaly detection model based on an improved multi-channel time convolution network. First, log events are fed into the model using word embedding. This method not only accurately describes the semantic rules of log events in the log sequence, but also reduces the computational cost of the model through dimension reduction. Second, the activation function of the time convolution network is improved by using a weighted ReLU function, which not only solves the neuron necrosis problem but also allows more effective features to be learned. Then, a gate-controlled linear unit is added and the multi-channel mechanism is used so that the log sequence propagates through linear units without scaling the gradient. Finally, the output layer of the original network is replaced with a global average pooling layer, which effectively solves the problem of overfitting.
Keywords/Search Tags: Log sequence anomaly detection, log parser, multi attention mechanism, multichannel time convolution network