Log anomaly detection method based on parallel GRU classification model

Cited by: 5


Authors: Zhou Jianguo; Dai Hua [1,2]; Yang Geng [1,2]; Zhou Qian [3]; Wang Jun [4]

Affiliations: [1] School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, Jiangsu, China; [2] Jiangsu Key Laboratory of Big Data Security and Intelligent Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, Jiangsu, China; [3] School of Modern Posts, Nanjing University of Posts and Telecommunications, Nanjing 210023, Jiangsu, China; [4] School of Geographic and Biologic Information, Nanjing University of Posts and Telecommunications, Nanjing 210023, Jiangsu, China

Source: Journal of Nanjing University of Science and Technology, 2022, No. 2, pp. 198-204 (7 pages)

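Funding: National Natural Science Foundation of China (61872197; 61972209; 61902199; 61771251); China Postdoctoral Science Foundation (2019M651919); Natural Science Research Foundation of Nanjing University of Posts and Telecommunications (NY217119; NY219142).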

Abstract: To detect anomalies in system logs more effectively, this paper studies and improves the existing deep-learning-based log anomaly detection algorithm DeepLog, and proposes a log anomaly detection method based on a parallel gated recurrent unit (GRU) classification model. The method has two phases: model training and anomaly detection. In the training phase, a log template parser extracts log templates from the raw log dataset; the corresponding log template sliding-window dataset and log template frequency vector set are then generated and used as input to train the parallel GRU classification model. In the detection phase, the trained parallel GRU classification model is used to detect anomalies in process log sequences. The experimental results show that the proposed anomaly detection method clearly improves on the existing method on evaluation metrics such as recall and F1 score.

Keywords: log analysis; anomaly detection; deep learning; system security; frequency features

Classification number: TP391.1 [Automation and Computer Technology: Computer Application Technology]

 
