System logs play a critical role in maintaining the reliability of software systems. Fruitful studies have explored automatic log-based anomaly detection and achieved notable accuracy on benchmark datasets. However, when applied to large-scale cloud systems, these solutions face limitations due to high resource consumption and lack of adaptability to evolving logs. In this paper, we present an accurate, lightweight, and adaptive log-based anomaly detection framework, referred to as SeaLog. Our method introduces a Trie-based Detection Agent (TDA) that employs a lightweight, dynamically-growing trie structure for real-time anomaly detection. To enhance TDA's accuracy in response to evolving log data, we enable it to receive feedback from experts. Interestingly, our findings suggest that contemporary large language models, such as ChatGPT, can provide feedback with a level of consistency comparable to human experts, which can potentially reduce manual verification efforts. We extensively evaluate SeaLog on two public datasets and an industrial dataset. The results show that SeaLog outperforms all baseline methods in terms of effectiveness, runs 2X to 10X faster and only consumes 5% to 41% of the memory resource.
相關內容
在數(shu)據(ju)(ju)(ju)(ju)(ju)挖掘中(zhong),異(yi)(yi)常(chang)(chang)檢(jian)(jian)測(ce)(ce)(ce)(英語:anomaly detection)對(dui)(dui)(dui)不符合預(yu)期模(mo)式或數(shu)據(ju)(ju)(ju)(ju)(ju)集中(zhong)其他(ta)項目的(de)(de)(de)(de)項目、事件或觀測(ce)(ce)(ce)值的(de)(de)(de)(de)識(shi)別(bie)。通常(chang)(chang)異(yi)(yi)常(chang)(chang)項目會(hui)轉(zhuan)變(bian)成銀行欺詐、結構缺陷、醫(yi)療問題(ti)(ti)、文本錯誤(wu)等類(lei)型(xing)(xing)的(de)(de)(de)(de)問題(ti)(ti)。異(yi)(yi)常(chang)(chang)也被稱(cheng)為離群值、新奇、噪聲、偏(pian)差和例(li)外。
特(te)別(bie)是(shi)(shi)(shi)在檢(jian)(jian)測(ce)(ce)(ce)濫用與網絡(luo)入侵時,有(you)趣性(xing)對(dui)(dui)(dui)象(xiang)往(wang)往(wang)不是(shi)(shi)(shi)罕見對(dui)(dui)(dui)象(xiang),但卻是(shi)(shi)(shi)超出預(yu)料的(de)(de)(de)(de)突發活動。這(zhe)種模(mo)式不遵循通常(chang)(chang)統計定(ding)(ding)義中(zhong)把異(yi)(yi)常(chang)(chang)點(dian)看作是(shi)(shi)(shi)罕見對(dui)(dui)(dui)象(xiang),于是(shi)(shi)(shi)許(xu)多異(yi)(yi)常(chang)(chang)檢(jian)(jian)測(ce)(ce)(ce)方(fang)法(fa)(fa)(特(te)別(bie)是(shi)(shi)(shi)無(wu)監(jian)督的(de)(de)(de)(de)方(fang)法(fa)(fa))將對(dui)(dui)(dui)此類(lei)數(shu)據(ju)(ju)(ju)(ju)(ju)失效(xiao),除非進行了(le)合適的(de)(de)(de)(de)聚(ju)(ju)集。相反(fan),聚(ju)(ju)類(lei)分(fen)(fen)析算法(fa)(fa)可(ke)能可(ke)以(yi)檢(jian)(jian)測(ce)(ce)(ce)出這(zhe)些模(mo)式形成的(de)(de)(de)(de)微聚(ju)(ju)類(lei)。
有(you)三大(da)類(lei)異(yi)(yi)常(chang)(chang)檢(jian)(jian)測(ce)(ce)(ce)方(fang)法(fa)(fa)。[1] 在假(jia)設(she)數(shu)據(ju)(ju)(ju)(ju)(ju)集中(zhong)大(da)多數(shu)實例(li)都(dou)是(shi)(shi)(shi)正常(chang)(chang)的(de)(de)(de)(de)前提下,無(wu)監(jian)督異(yi)(yi)常(chang)(chang)檢(jian)(jian)測(ce)(ce)(ce)方(fang)法(fa)(fa)能通過(guo)尋找(zhao)與其他(ta)數(shu)據(ju)(ju)(ju)(ju)(ju)最不匹配的(de)(de)(de)(de)實例(li)來(lai)檢(jian)(jian)測(ce)(ce)(ce)出未標記(ji)測(ce)(ce)(ce)試(shi)數(shu)據(ju)(ju)(ju)(ju)(ju)的(de)(de)(de)(de)異(yi)(yi)常(chang)(chang)。監(jian)督式異(yi)(yi)常(chang)(chang)檢(jian)(jian)測(ce)(ce)(ce)方(fang)法(fa)(fa)需(xu)要一(yi)(yi)個(ge)已經被標記(ji)“正常(chang)(chang)”與“異(yi)(yi)常(chang)(chang)”的(de)(de)(de)(de)數(shu)據(ju)(ju)(ju)(ju)(ju)集,并(bing)涉(she)及到訓練(lian)分(fen)(fen)類(lei)器(與許(xu)多其他(ta)的(de)(de)(de)(de)統計分(fen)(fen)類(lei)問題(ti)(ti)的(de)(de)(de)(de)關鍵區別(bie)是(shi)(shi)(shi)異(yi)(yi)常(chang)(chang)檢(jian)(jian)測(ce)(ce)(ce)的(de)(de)(de)(de)內(nei)在不均衡(heng)性(xing))。半監(jian)督式異(yi)(yi)常(chang)(chang)檢(jian)(jian)測(ce)(ce)(ce)方(fang)法(fa)(fa)根據(ju)(ju)(ju)(ju)(ju)一(yi)(yi)個(ge)給(gei)定(ding)(ding)的(de)(de)(de)(de)正常(chang)(chang)訓練(lian)數(shu)據(ju)(ju)(ju)(ju)(ju)集創建一(yi)(yi)個(ge)表示正常(chang)(chang)行為的(de)(de)(de)(de)模(mo)型(xing)(xing),然(ran)后檢(jian)(jian)測(ce)(ce)(ce)由學習模(mo)型(xing)(xing)生(sheng)成的(de)(de)(de)(de)測(ce)(ce)(ce)試(shi)實例(li)的(de)(de)(de)(de)可(ke)能性(xing)。
The growth of systems complexity increases the need of automated techniques dedicated to different log analysis tasks such as Log-based Anomaly Detection (LAD). The latter has been widely addressed in the literature, mostly by means of different deep learning techniques. Nevertheless, the focus on deep learning techniques results in less attention being paid to traditional Machine Learning (ML) techniques, which may perform well in many cases, depending on the context and the used datasets. Further, the evaluation of different ML techniques is mostly based on the assessment of their detection accuracy. However, this is is not enough to decide whether or not a specific ML technique is suitable to address the LAD problem. Other aspects to consider include the training and prediction time as well as the sensitivity to hyperparameter tuning. In this paper, we present a comprehensive empirical study, in which we evaluate different supervised and semi-supervised, traditional and deep ML techniques w.r.t. four evaluation criteria: detection accuracy, time performance, sensitivity of detection accuracy as well as time performance to hyperparameter tuning. The experimental results show that supervised traditional and deep ML techniques perform very closely in terms of their detection accuracy and prediction time. Moreover, the overall evaluation of the sensitivity of the detection accuracy of the different ML techniques to hyperparameter tuning shows that supervised traditional ML techniques are less sensitive to hyperparameter tuning than deep learning techniques. Further, semi-supervised techniques yield significantly worse detection accuracy than supervised techniques.
Graph anomaly detection (GAD) has gained increasing attention in recent years due to its critical application in a wide range of domains, such as social networks, financial risk management, and traffic analysis. Existing GAD methods can be categorized into node and edge anomaly detection models based on the type of graph objects being detected. However, these methods typically treat node and edge anomalies as separate tasks, overlooking their associations and frequent co-occurrences in real-world graphs. As a result, they fail to leverage the complementary information provided by node and edge anomalies for mutual detection. Additionally, state-of-the-art GAD methods, such as CoLA and SL-GAD, heavily rely on negative pair sampling in contrastive learning, which incurs high computational costs, hindering their scalability to large graphs. To address these limitations, we propose a novel unified graph anomaly detection framework based on bootstrapped self-supervised learning (named BOURNE). We extract a subgraph (graph view) centered on each target node as node context and transform it into a dual hypergraph (hypergraph view) as edge context. These views are encoded using graph and hypergraph neural networks to capture the representations of nodes, edges, and their associated contexts. By swapping the context embeddings between nodes and edges and measuring the agreement in the embedding space, we enable the mutual detection of node and edge anomalies. Furthermore, we adopt a bootstrapped training strategy that eliminates the need for negative sampling, enabling BOURNE to handle large graphs efficiently. Extensive experiments conducted on six benchmark datasets demonstrate the superior effectiveness and efficiency of BOURNE in detecting both node and edge anomalies.
Self-supervised learning (SSL) has emerged as a promising alternative to create supervisory signals to real-world problems, avoiding the extensive cost of manual labeling. SSL is particularly attractive for unsupervised tasks such as anomaly detection (AD), where labeled anomalies are rare or often nonexistent. A large catalog of augmentation functions has been used for SSL-based AD (SSAD) on image data, and recent works have reported that the type of augmentation has a significant impact on accuracy. Motivated by those, this work sets out to put image-based SSAD under a larger lens and investigate the role of data augmentation in SSAD. Through extensive experiments on 3 different detector models and across 420 AD tasks, we provide comprehensive numerical and visual evidences that the alignment between data augmentation and anomaly-generating mechanism is the key to the success of SSAD, and in the lack thereof, SSL may even impair accuracy. To the best of our knowledge, this is the first meta-analysis on the role of data augmentation in SSAD.
There is a growing trend of cyberattacks against Internet of Things (IoT) devices; moreover, the sophistication and motivation of those attacks is increasing. The vast scale of IoT, diverse hardware and software, and being typically placed in uncontrolled environments make traditional IT security mechanisms such as signature-based intrusion detection and prevention systems challenging to integrate. They also struggle to cope with the rapidly evolving IoT threat landscape due to long delays between the analysis and publication of the detection rules. Machine learning methods have shown faster response to emerging threats; however, model training architectures like cloud or edge computing face multiple drawbacks in IoT settings, including network overhead and data isolation arising from the large scale and heterogeneity that characterizes these networks. This work presents an architecture for training unsupervised models for network intrusion detection in large, distributed IoT and Industrial IoT (IIoT) deployments. We leverage Federated Learning (FL) to collaboratively train between peers and reduce isolation and network overhead problems. We build upon it to include an unsupervised device clustering algorithm fully integrated into the FL pipeline to address the heterogeneity issues that arise in FL settings. The architecture is implemented and evaluated using a testbed that includes various emulated IoT/IIoT devices and attackers interacting in a complex network topology comprising 100 emulated devices, 30 switches and 10 routers. The anomaly detection models are evaluated on real attacks performed by the testbed's threat actors, including the entire Mirai malware lifecycle, an additional botnet based on the Merlin command and control server and other red-teaming tools performing scanning activities and multiple attacks targeting the emulated devices.
Two-component mixture models have proved to be a powerful tool for modeling heterogeneity in several cluster analysis contexts. However, most methods based on these models assume a constant behavior for the mixture weights, which can be restrictive and unsuitable for some applications. In this paper, we relax this assumption and allow the mixture weights to vary according to the index (e.g., time) to make the model more adaptive to a broader range of data sets. We propose an efficient MCMC algorithm to jointly estimate both component parameters and dynamic weights from their posterior samples. We evaluate the method's performance by running Monte Carlo simulation studies under different scenarios for the dynamic weights. In addition, we apply the algorithm to a time series that records the level reached by a river in southern Brazil. The Taquari River is a water body whose frequent flood inundations have caused various damage to riverside communities. Implementing a dynamic mixture model allows us to properly describe the flood regimes for the areas most affected by these phenomena.
With the development of Big data technology, data analysis has become increasingly important. Traditional clustering algorithms such as K-means are highly sensitive to the initial centroid selection and perform poorly on non-convex datasets. In this paper, we address these problems by proposing a data-driven Bregman divergence parameter optimization clustering algorithm (DBGSA), which combines the Universal Gravitational Algorithm to bring similar points closer in the dataset. We construct a gravitational coefficient equation with a special property that gradually reduces the influence factor as the iteration progresses. Furthermore, we introduce the Bregman divergence generalized power mean information loss minimization to identify cluster centers and build a hyperparameter identification optimization model, which effectively solves the problems of manual adjustment and uncertainty in the improved dataset. Extensive experiments are conducted on four simulated datasets and six real datasets. The results demonstrate that DBGSA significantly improves the accuracy of various clustering algorithms by an average of 63.8\% compared to other similar approaches like enhanced clustering algorithms and improved datasets. Additionally, a three-dimensional grid search was established to compare the effects of different parameter values within threshold conditions, and it was discovered the parameter set provided by our model is optimal. This finding provides strong evidence of the high accuracy and robustness of the algorithm.
Humans have a natural instinct to identify unknown object instances in their environments. The intrinsic curiosity about these unknown instances aids in learning about them, when the corresponding knowledge is eventually available. This motivates us to propose a novel computer vision problem called: `Open World Object Detection', where a model is tasked to: 1) identify objects that have not been introduced to it as `unknown', without explicit supervision to do so, and 2) incrementally learn these identified unknown categories without forgetting previously learned classes, when the corresponding labels are progressively received. We formulate the problem, introduce a strong evaluation protocol and provide a novel solution, which we call ORE: Open World Object Detector, based on contrastive clustering and energy based unknown identification. Our experimental evaluation and ablation studies analyze the efficacy of ORE in achieving Open World objectives. As an interesting by-product, we find that identifying and characterizing unknown instances helps to reduce confusion in an incremental object detection setting, where we achieve state-of-the-art performance, with no extra methodological effort. We hope that our work will attract further research into this newly identified, yet crucial research direction.
Behaviors of the synthetic characters in current military simulations are limited since they are generally generated by rule-based and reactive computational models with minimal intelligence. Such computational models cannot adapt to reflect the experience of the characters, resulting in brittle intelligence for even the most effective behavior models devised via costly and labor-intensive processes. Observation-based behavior model adaptation that leverages machine learning and the experience of synthetic entities in combination with appropriate prior knowledge can address the issues in the existing computational behavior models to create a better training experience in military training simulations. In this paper, we introduce a framework that aims to create autonomous synthetic characters that can perform coherent sequences of believable behavior while being aware of human trainees and their needs within a training simulation. This framework brings together three mutually complementary components. The first component is a Unity-based simulation environment - Rapid Integration and Development Environment (RIDE) - supporting One World Terrain (OWT) models and capable of running and supporting machine learning experiments. The second is Shiva, a novel multi-agent reinforcement and imitation learning framework that can interface with a variety of simulation environments, and that can additionally utilize a variety of learning algorithms. The final component is the Sigma Cognitive Architecture that will augment the behavior models with symbolic and probabilistic reasoning capabilities. We have successfully created proof-of-concept behavior models leveraging this framework on realistic terrain as an essential step towards bringing machine learning into military simulations.
In recent years, object detection has experienced impressive progress. Despite these improvements, there is still a significant gap in the performance between the detection of small and large objects. We analyze the current state-of-the-art model, Mask-RCNN, on a challenging dataset, MS COCO. We show that the overlap between small ground-truth objects and the predicted anchors is much lower than the expected IoU threshold. We conjecture this is due to two factors; (1) only a few images are containing small objects, and (2) small objects do not appear enough even within each image containing them. We thus propose to oversample those images with small objects and augment each of those images by copy-pasting small objects many times. It allows us to trade off the quality of the detector on large objects with that on small objects. We evaluate different pasting augmentation strategies, and ultimately, we achieve 9.7\% relative improvement on the instance segmentation and 7.1\% on the object detection of small objects, compared to the current state of the art method on MS COCO.
It is important to detect anomalous inputs when deploying machine learning systems. The use of larger and more complex inputs in deep learning magnifies the difficulty of distinguishing between anomalous and in-distribution examples. At the same time, diverse image and text data are available in enormous quantities. We propose leveraging these data to improve deep anomaly detection by training anomaly detectors against an auxiliary dataset of outliers, an approach we call Outlier Exposure (OE). This enables anomaly detectors to generalize and detect unseen anomalies. In extensive experiments on natural language processing and small- and large-scale vision tasks, we find that Outlier Exposure significantly improves detection performance. We also observe that cutting-edge generative models trained on CIFAR-10 may assign higher likelihoods to SVHN images than to CIFAR-10 images; we use OE to mitigate this issue. We also analyze the flexibility and robustness of Outlier Exposure, and identify characteristics of the auxiliary dataset that improve performance.
小貼士
登錄享
注冊地址: 北京市海淀區羊坊店路18號2幢3層301-191