• Home

  • Documents

  • System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A...
29

System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution
Page 2: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

2

Page 3: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

3

System Event LogExist practically on

every computer system!

Automatic Analysis?

Page 4: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

4

SystemEventLog

Started service A on port 80Executor updated: app-1 is now LOADING……

Page 5: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

5

SystemEventLog

Structured Data

Log key

printf(“Started service %s on port %d”, x, y);

LOG PARSING

Started service A on port 80Executor updated: app-1 is now LOADING……

Started service * on port *Executor updated: * is now LOADING……

Page 6: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

6

SystemEventLog

Structured Data Anomaly Detection

LOG ANALYSIS

LOG PARSING

Started service A on port 80Executor updated: app-1 is now LOADING……

Started service * on port *Executor updated: * is now LOADING……

Log key

printf(“Started service %s on port %d”, x, y);

Page 7: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

7

Page 8: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

8

SPELLA streaming log

parser published in ICDM’16

Deletion of file1 complete. Deletion of file1 complete.

log keylog message

Deletion of file2 complete. Deletion of * complete.

parameters

[ ]

[file2]

Page 9: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

9

DeepLog

Anomaly Detection Diagnosis

Page 10: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

10

TrainingStage

DetectionStage

MODELS

Page 11: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

11

DetectionStage

MODELS

Page 12: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

12

DetectionStage

MODELS

Page 13: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

13

DetectionStage

MODELS

Page 14: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

14

DetectionStage

MODELS

Page 15: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

15

TrainingStage

MODELS

Page 16: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

16

TrainingStage

MODELS

Page 17: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

17

TrainingStage

MODELS

Page 18: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

18

TrainingStage

MODELS

Page 19: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

19

TrainingStage

MODELS

Page 20: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

20

TrainingStage

MODELS

Page 21: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

21

Use long short-term memory (LSTM) architecture

In detection stage, DeepLog checks if the actual next log key is among its top g probable predictions.

Page 22: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

22

Method 1: Using LSTM prediction probabilities

Method 2: Using co-occurrence matrix

Page 23: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

23

Page 24: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

24

Multi-variate time series data anomaly detection problem!--- Leverage LSTM to check reconstruction error.

Page 25: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

25

Evaluation results on HDFS log data. (over a million log entries with labeled anomalies)

PCA (SOSP’09), IM (UsenixATC’10), N-gram (baseline language model)

Page 26: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

26

Evaluation results on Blue Gene/L log, with and without online model update.

Page 27: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

27

Evaluation results on OpenStack cloud log with different confidence intervals (CIs)

Page 28: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

28

Diagnosis using constructed workflow.

Injected anomaly: during VM creation, network speed from controller to compute node is throttled.

Page 29: System Event Log - School of Computingmind/papers/deepLog_short.pdf · 2017-12-04 · 29 DeepLog A realtime system log anomaly detection framework. LSTM is used to model system execution

29

DeepLog

➢ A realtime system log anomaly detection framework.

➢ LSTM is used to model system execution paths and log parameter values.

➢ Workflow models are built to help anomaly diagnosis.

➢ It supports online model update.

Min [email protected]


DeepLog: Anomaly Detection and Diagnosis from …lifeifei/papers/deeplog.pdfDeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du, Feifei Li, Guineng

DeepLog: Anomaly Detection and Diagnosis from …lifeifei/papers/deeplog.pdfDeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du, Feifei Li, Guineng

Documents
DTT TrainingGuide v3.56 WebHow to Access Information About Your Surveillance System • To access System Log, click . • Select “System Log.” • A new window with 5 tabs will

DTT TrainingGuide v3.56 WebHow to Access Information About Your Surveillance System • To access System Log, click . • Select “System Log.” • A new window with 5 tabs will

Documents
IBM Disconnected Log Collector: IBM Disconnected Log ...4 IBM Disconnected Log Collector: IBM Disconnected Log Collector Guide System requirements for Disconnected Log Collector IBM

IBM Disconnected Log Collector: IBM Disconnected Log ...4 IBM Disconnected Log Collector: IBM Disconnected Log Collector Guide System requirements for Disconnected Log Collector IBM

Documents
ELK: Moose-ively scaling your log system

ELK: Moose-ively scaling your log system

Technology
System log

System log

Technology
SALES MANAGEMENT SYSTEM Name : Password : Please Log In

SALES MANAGEMENT SYSTEM Name : Password : Please Log In

Documents
Comware V3 Switch System Log Message

Comware V3 Switch System Log Message

Documents
SonicWall Management Services System Log

SonicWall Management Services System Log

Documents
SYSTEM LOG FILES RECORDS RETENTION SCHEDULEarchives.msu.edu/records/documents/SystemLogFiles... · The System Log Files Records Retention Schedule applies to all system documentation

SYSTEM LOG FILES RECORDS RETENTION SCHEDULEarchives.msu.edu/records/documents/SystemLogFiles... · The System Log Files Records Retention Schedule applies to all system documentation

Documents
LOG Plus system architecture enqnap.logsystem.pl/marketing/LOG-Plus-system-architecture-en.pdf · system through accounts in the LOG Plus system. The administrator has full privileges

LOG Plus system architecture enqnap.logsystem.pl/marketing/LOG-Plus-system-architecture-en.pdf · system through accounts in the LOG Plus system. The administrator has full privileges

Documents
Log in to the Grant Management System (GMS):

Log in to the Grant Management System (GMS):

Documents
Quality Sashco Products Roof System Log Builder Log Caulk • CPR Log … · 2019. 11. 6. · Log Wall System Your Choice Of 6x8 Or 6x12 Double Tongue & Groove Kiln Dried Logs •

Quality Sashco Products Roof System Log Builder Log Caulk • CPR Log … · 2019. 11. 6. · Log Wall System Your Choice Of 6x8 Or 6x12 Double Tongue & Groove Kiln Dried Logs •

Documents
System Logging and Log Analysis - Marcus Ranum

System Logging and Log Analysis - Marcus Ranum

Documents
Model Enterprise Log Management System™ Log Management System ' ˇc˙ ( ˇ ˚ ˇ˛ ˘ ˇ * ˘ˇˆ˙ Log , - 9˜ ... ESLog Management v1.0 Rev 1.15 Author Enterprise System Co.,Ltd

Model Enterprise Log Management System™ Log Management System ' ˇc˙ ( ˇ ˚ ˇ˛ ˘ ˇ * ˘ˇˆ˙ Log , - 9˜ ... ESLog Management v1.0 Rev 1.15 Author Enterprise System Co.,Ltd

Documents
Ie-26 Speed Log System

Ie-26 Speed Log System

Documents
Log-in System

Log-in System

Documents
SPH3UIB DAY 3/4/5 NOTES METRIC SYSTEM,GRAPHING RULES, LOG-LOG DATA ANALYSIS

SPH3UIB DAY 3/4/5 NOTES METRIC SYSTEM,GRAPHING RULES, LOG-LOG DATA ANALYSIS

Documents
agileSI™ - SAP® Security · PDF fileSOLUTION ARCHITECTURE Security Audit Log System Log System Parameters Tables Transport Log Gateway Config & Log SAP® Security Sources

agileSI™ - SAP® Security · PDF fileSOLUTION ARCHITECTURE Security Audit Log System Log System Parameters Tables Transport Log Gateway Config & Log SAP® Security Sources

Documents
System Log Setup

System Log Setup

Documents
DeepLog: Anomaly Detection and Diagnosis from System Logs ...€¦ · DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du, Feifei Li, Guineng Zheng,

DeepLog: Anomaly Detection and Diagnosis from System Logs ...€¦ · DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du, Feifei Li, Guineng Zheng,

Documents
Welding Log Condensate System Coladas

Welding Log Condensate System Coladas

Documents
DeepLog: Anomaly Detection and Diagnosis from System Logs ...lifeifei/papers/dl_ccs.pdf · DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du,

DeepLog: Anomaly Detection and Diagnosis from System Logs ...lifeifei/papers/dl_ccs.pdf · DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du,

Documents
System Log Messages Reference

System Log Messages Reference

Documents
FALS (Faculty Activity Log System) - Welcome - Human

FALS (Faculty Activity Log System) - Welcome - Human

Documents
Log-structured File System Sriram Govindan sgovinda@cse

Log-structured File System Sriram Govindan sgovinda@cse

Documents
BAYER ROTARY LOG PALLET SYSTEM

BAYER ROTARY LOG PALLET SYSTEM

Documents
Management System | Log in

Management System | Log in

Documents
Post2-log in system

Post2-log in system

Documents
System Event Log Troubleshooting Guide

System Event Log Troubleshooting Guide

Documents
System Log Information Avaya

System Log Information Avaya

Documents