SaTC: CORE: Medium: Large-Scale Data Driven Anomaly Detection and Diagnosis from System Logs

SaTC：核心：中：大规模数据驱动的系统日志异常检测和诊断

• 批准号: 1801446
• 负责人: Robert Ricci
• 金额: $ 110万
• 依托单位: University of Utah
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-08-01 至 2023-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1801446&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Large; Scale

Detecting unusual and anomalous behavior in computer systems is a critical part of ensuring they are secure and trustworthy. System logs, which record actions taken by programs, are a promising source of data for such anomaly detection. However, existing practices and tools for doing log analysis require deep expertise, as well as heavy human involvement in both defining and interpreting possible anomalies, which limits their scalability and effectiveness. This project's goal is to improve the state of the art around log-based anomaly detection by developing a framework called DeepLog through (a) advancing natural language processing techniques to extract structured information from a wide variety of log files to support analysis across different data sources and across time, (b) developing new methods to model legitimate workflows and log event sequences over time, (c) adapting machine learning methods to identify deviations from those workflows that represent potential anomalies, and (d) creating tools for system administrators to help them diagnose possible security issues more effectively and efficiently. The work will be integrated into a freely available software package to benefit both other researchers and practicing system administrators and used to support both classroom and research-based educational activities at the investigators' institutions.Toward log parsing, the team will adapt named entity recognition methods to parse unstructured logs as well as structured logs where the structure is not pre-defined by, e.g., regular expressions, into structured key-value pairs of log event types and parameters. This data can be seen as a multi-dimensional feature space whose contents are constrained by the execution of the underlying programs and thus reflects a hidden structure that defines the set of valid, non-anomalous execution sequences. To help articulate this hidden structure, the team will develop long-short-term-memory (LSTM)-based neural network models that use both the key and value elements to extract semantically meaningful subsequences of program behavior from data extracted from system runs known to be normal. Once these models are developed using known-good training data, they can be applied to anomaly detection by flagging for consideration new log entries that are unexpected given the current state of the system, logs, and model; they can also be used to infer the underlying workflows and hidden structures described earlier. These models will be improved through that online learning methods, administrators' feedback about the seriousness of reported anomalies, and generative adversarial training models which create execution sequences that, though anomalous, hew closely to the hidden structures embedded in the logs and the LSTM-based models.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

检测计算机系统中的异常行为是确保其安全和值得信赖的关键部分。记录程序所采取的操作的系统日志是此类异常检测的有前途的数据源。 然而，用于进行日志分析的现有实践和工具需要深厚的专业知识，以及大量人员参与定义和解释可能的异常，这限制了其可扩展性和有效性。 该项目的目标是通过开发一个名为 DeepLo​​g 的框架来提高基于日志的异常检测的技术水平：(a) 先进的自然语言处理技术从各种日志文件中提取结构化信息以支持跨不同数据源的分析随着时间的推移，(b) 开发新方法来建模合法工作流程并随时间记录事件序列，(c) 采用机器学习方法来识别与代表潜在异常的工作流程的偏差，以及 (d) 为系统管理员创建工具来帮助他们诊断可能的安全问题更加有效和高效。 这项工作将被集成到一个免费的软件包中，以使其他研究人员和执业系统管理员受益，并用于支持研究人员机构的课堂和基于研究的教育活动。对于日志解析，该团队将采用命名实体识别方法将非结构化日志以及结构未通过正则表达式等预定义的结构化日志解析为日志事件类型和参数的结构化键值对。 该数据可以看作是一个多维特征空间，其内容受到底层程序执行的约束，因此反映了定义有效、非异常执行序列集的隐藏结构。 为了帮助阐明这种隐藏结构，该团队将开发基于长短期记忆（LSTM）的神经网络模型，该模型使用键和值元素从已知的系统运行中提取的数据中提取程序行为的语义有意义的子序列。正常一点。 一旦使用已知良好的训练数据开发了这些模型，它们就可以通过标记考虑新的日志条目来应用于异常检测，这些日志条目在给定系统、日志和模型的当前状态下是意外的；它们还可以用于推断前面描述的底层工作流程和隐藏结构。 这些模型将通过在线学习方法、管理员对报告的异常严重性的反馈以及生成对抗训练模型来改进，这些模型创建执行序列，尽管异常，但密切关注嵌入在日志和基于 LSTM 中的隐藏结构该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

A Year of Automated Anomaly Detection in a Datacenter

• 发表时间: 2020
• 作者: Rufaida Ahmed;J. Porter;Abubaker Abdelmutalab;R. Ricci

Right for the Right Reason: Evidence Extraction for Trustworthy Tabular Reasoning

正确的理由：为可信的表格推理提取证据

• DOI: 10.18653/v1/2022.acl-long.231
• 发表时间: 2022
• 期刊: Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics
• 作者: Gupta, Vivek;Zhang, Shuo;Vempala, Alakananda;He, Yujie;Choji, Temma;Srikumar, Vivek
• 通讯作者: Srikumar, Vivek

Learning Constraints for Structured Prediction Using Rectifier Networks

• DOI: 10.18653/v1/2020.acl-main.438
• 发表时间: 2020-05
• 期刊: ArXiv
• 作者: Xingyuan Pan;Maitrey Mehta;Vivek Srikumar

Augmenting Neural Networks with First-order Logic

• DOI: 10.18653/v1/p19-1028
• 发表时间: 2019-06
• 期刊: ArXiv
• 作者: Tao Li;Vivek Srikumar

Structured Tuning for Semantic Role Labeling

• DOI: 10.18653/v1/2020.acl-main.744
• 发表时间: 2020-05
• 期刊: ArXiv
• 作者: Tao Li;Parth Anand Jawale;M. Palmer;Vivek Srikumar