Abstract
System logs are an important carrier of information about how a system is running, and analyzing them can reveal anomalies in the system. Traditional automated anomaly detection methods based on system logs often analyze only a single feature of the logs, so their missed-detection rate is high, and most of them are batch methods that cannot perform online detection on the log stream generated by a running system. To address these problems, this paper proposes MFAD, an online anomaly detection method based on mixed features of system logs. The method uses hierarchical clustering to extract the statistical features of logs, extracts the sequence features of logs with a Gaussian mixture model, and finally associates the statistical and sequence features to build a mixed-feature detection model for detecting anomalies in the logs. Experimental results show that MFAD can perform online anomaly detection on a system through its log stream, responds quickly, and has high accuracy.
Source
Industrial Control Computer (《工业控制计算机》)
2022, Issue 7, pp. 62-64, 68 (4 pages)
Funding
Supported by a Science and Technology Research Project of the Shanghai Science and Technology Commission (19DZ1205802).