Table 1.

Comparison of methods for log anomaly detection.

Fig 1.

LSTM auto encoder algorithm illustration.

Fig 2.

A concrete example showing a few log lines from a VMware log file.

Fig 3.

A schematic diagram of a single log file.

The diagram illustrates the generation of logs. Each virtual machine generates log files in chronological order over time. The intervals between log file generations are often inconsistent, resulting in some virtual machines generating a large number of log files within a given time frame ‘K’, while others generate fewer log files. The number of log lines in each log file also tends to vary.

Fig 4.

One case of log file anomaly detection is shown.

Fig 5.

Another case of log file anomaly detection is shown.

The latest log file on each virtual machine at time T is the object to be detected. Discriminator is a detection system. Normal and Anormal represent the two categories into which the log files are divided. In one case (Fig 4), T3 is a noisy normal log file that is flagged as an anomaly. In another case (Fig 5), T3 is a noisy normal log file that is considered normal.

Fig 6.

A brief overview of virtual machine log anomaly detection.

In the training phase, the training log set undergoes log parsing to obtain log templates. The log templates are then sorted based on their length to create a mapping dictionary between the log templates and numerical values. This dictionary converts the log data into numerical data. The feature vector data, obtained through feature extraction, serves as input for training the SVM discriminator. In the testing phase, the log set is mapped into numerical data using the dictionary obtained during the training phase. The feature vector data, obtained through feature extraction, is then used as input for the SVM discriminator to detect anomalies.

Fig 7.

Data processing diagram: logs are classified and converted into numerical vectors through Algorithm 1.

Fig 8.

Overview of Algorithm 2.

Table 2.

D1 training without noise—Testing without noise.

Table 3.

D2 training without noise—Testing with noise.

Table 4.

D3 training with noise—Testing without noise.

Table 5.

D4 Training with noise—Testing with noise.

Table 6.

D5 training without noise—Log sequence disorder—Testing without noise.

Fig 9.

Comparison of F1 score.

Fig 10.

Comparison of accuracy.

Fig 11.

Ablation study.

Table 7.

Training time.
