from system logs through deep learning
play

from System Logs through Deep Learning Min Du , Feifei Li, Guineng - PowerPoint PPT Presentation

Dec 14, 2023 •22 likes •1.08k views

DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du , Feifei Li, Guineng Zheng, Vivek Srikumar University of Utah Background 2 Background System Event Log 3 Background System Event Log Available

  1. Log Key Anomaly Detection model Example log key sequence: 25 18 54 57 18 56 … 25 18 54 57 56 18 … ➢ a rigorous set of logic and control flows ➢ a ( more structured ) natural language natural language modeling multi-class classifier: history sequence => next key to appear A log key is detected to be abnormal if it does not follow the prediction. 49

  2. Log Key Anomaly Detection model Use long short-term memory ( LSTM ) architecture 50

  3. Log Key Anomaly Detection model Use long short-term memory ( LSTM ) architecture 51

  4. Log Key Anomaly Detection model Use long short-term memory ( LSTM ) architecture Training: log key sequence: 25 18 54 57 18 56 … 25 18 54 57 56 18 … h=3 52

  5. Log Key Anomaly Detection model Use long short-term memory ( LSTM ) architecture Training: log key sequence: 25 18 54 57 18 56 … 25 18 54 57 56 18 … h=3 53

  6. Log Key Anomaly Detection model Use long short-term memory ( LSTM ) architecture Training: log key sequence: 25 18 54 57 18 56 … 25 18 54 57 56 18 … h=3 54

  7. Log Key Anomaly Detection model Use long short-term memory ( LSTM ) architecture Training: log key sequence: 25 18 54 57 18 56 … 25 18 54 57 56 18 … h=3 55

  8. Log Key Anomaly Detection model Use long short-term memory ( LSTM ) architecture Detection: In detection stage, DeepLog checks if the actual next log key is among its top g probable predictions. 56

  9. Log Key Anomaly Detection model 57

  10. Log Key Anomaly Detection model 58

  11. Log Key Anomaly Detection model 59

  12. Workflow Construction Input: log key sequence 25 18 54 57 18 56 … 25 18 54 57 56 18 … Output: 60

  13. Workflow Construction Method 1: Using Log Key Anomaly Detection model --- LSTM prediction probabilities 61

  14. Workflow Construction Method 1: Using Log Key Anomaly Detection model --- LSTM prediction probabilities An example of concurrency detection: 62

  15. Workflow Construction Method 1: Using Log Key Anomaly Detection model --- LSTM prediction probabilities An example of concurrency detection: 63

  16. Workflow Construction Method 1: Using Log Key Anomaly Detection model --- LSTM prediction probabilities An example of concurrency detection: 64

  17. Workflow Construction Method 1: Using Log Key Anomaly Detection model --- LSTM prediction probabilities An example of concurrency detection: 65

  18. Workflow Construction Method 1: Using Log Key Anomaly Detection model --- LSTM prediction probabilities An example of concurrency detection: 66

  19. Workflow Construction Method 2: A density-based clustering approach 67

  20. Workflow Construction Method 2: A density-based clustering approach Co-occurrence matrix of log keys ( 𝒍 𝒋 , 𝒍 𝒌 ) within distance 𝒆 𝑔 𝑒 ( 𝑙 𝑗 , 𝑙 𝑘 ) : the frequency of ( 𝑙 𝑗 , 𝑙 𝑘 ) appearing together within distance d 𝑔 ( 𝑙 𝑗 ) : the frequency of 𝑙 𝑗 in the input sequence 𝑞 𝑒 ( i , 𝑘 ) : the probability of ( 𝑙 𝑗 , 𝑙 𝑘 ) appearing together within distance d 68

  21. Parameter Value Anomaly Detection model Example: Log messages of a particular log key: 𝒖 𝟑 : 𝑼𝒑𝒑𝒍 𝟏. 𝟕𝟐 𝒕𝒇𝒅𝒑𝒐𝒆𝒕 𝒖𝒑 𝒆𝒇𝒃𝒎𝒎𝒑𝒅𝒃𝒖𝒇 𝒐𝒇𝒖𝒙𝒑𝒔𝒍 … 𝒖′ 𝟑 : 𝑼𝒑𝒑𝒍 𝟐. 𝟐 𝒕𝒇𝒅𝒑𝒐𝒆𝒕 𝒖𝒑 𝒆𝒇𝒃𝒎𝒎𝒑𝒅𝒃𝒖𝒇 𝒐𝒇𝒖𝒙𝒑𝒔𝒍 … …. 69

  22. Parameter Value Anomaly Detection model Example: Log messages of a particular log key: 𝒖 𝟑 : 𝑼𝒑𝒑𝒍 𝟏. 𝟕𝟐 𝒕𝒇𝒅𝒑𝒐𝒆𝒕 𝒖𝒑 𝒆𝒇𝒃𝒎𝒎𝒑𝒅𝒃𝒖𝒇 𝒐𝒇𝒖𝒙𝒑𝒔𝒍 … 𝒖′ 𝟑 : 𝑼𝒑𝒑𝒍 𝟐. 𝟐 𝒕𝒇𝒅𝒑𝒐𝒆𝒕 𝒖𝒑 𝒆𝒇𝒃𝒎𝒎𝒑𝒅𝒃𝒖𝒇 𝒐𝒇𝒖𝒙𝒑𝒔𝒍 … …. Parameter value vectors overtime: [ 𝒖 𝟑 - 𝒖 𝟐 , 0.61], [ 𝒖′ 𝟑 - 𝒖′ 𝟐 , 1.1], …. 70

  23. Parameter Value Anomaly Detection model Example: Log messages of a particular log key: 𝒖 𝟑 : 𝑼𝒑𝒑𝒍 𝟏. 𝟕𝟐 𝒕𝒇𝒅𝒑𝒐𝒆𝒕 𝒖𝒑 𝒆𝒇𝒃𝒎𝒎𝒑𝒅𝒃𝒖𝒇 𝒐𝒇𝒖𝒙𝒑𝒔𝒍 … 𝒖′ 𝟑 : 𝑼𝒑𝒑𝒍 𝟐. 𝟐 𝒕𝒇𝒅𝒑𝒐𝒆𝒕 𝒖𝒑 𝒆𝒇𝒃𝒎𝒎𝒑𝒅𝒃𝒖𝒇 𝒐𝒇𝒖𝒙𝒑𝒔𝒍 … …. Parameter value vectors overtime: [ 𝒖 𝟑 - 𝒖 𝟐 , 0.61], [ 𝒖′ 𝟑 - 𝒖′ 𝟐 , 1.1], …. Multi-variate time series data anomaly detection problem! 71

  24. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. 72

  25. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history time 73

  26. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history prediction time 74

  27. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history prediction actual time 75

  28. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history prediction MSE > Threshold ? actual time 76

  29. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history time 77

  30. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history actual prediction time 78

  31. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history actual MSE > Threshold ? prediction time 79

  32. Parameter Value Anomaly Detection model Multi-variate time series data anomaly detection problem ✓ Leverage LSTM-based approach; ✓ A parameter value vector is given as input at each time step; ✓ An anomaly is detected if the mean-square-error (MSE) between prediction and actual data is too big. value history … time 80

  33. LSTM model online update Q: How to handle false positive? 81

  34. LSTM model online update Q: How to handle false positive? Log sequence: history 82

  35. LSTM model online update Q: How to handle false positive? Log sequence: history model 83

  36. LSTM model online update Q: How to handle false positive? Log sequence: history model prediction 84

  37. LSTM model online update Q: How to handle false positive? Log sequence: current history Anomaly? model prediction 85

  38. LSTM model online update Q: How to handle false positive? Log sequence: current history Yes Anomaly? model prediction 86

  39. LSTM model online update Q: How to handle false positive? Log sequence: current history Yes Anomaly? False model prediction positive? 87

  40. LSTM model online update Q: How to handle false positive? Log sequence: current history Yes Anomaly? False model prediction positive? Yes update model using this case: “ history -> current ” 88

  41. Evaluation – log key anomaly detection Up is good Evaluation results on HDFS log data [1] . (over a million log entries with labeled anomalies) [1] PCA (SOSP’09), IM (UsenixATC’10), N -gram (baseline language model) 89

  42. Evaluation – parameter value anomaly detection MSE: mean square error Evaluation results on OpenStack cloud log with different confidence intervals (CIs) 90

  43. Evaluation – parameter value anomaly detection MSE: mean square error generated on CloudLab; Evaluation results on OpenStack cloud log VM creation/deletion operations; with different confidence intervals (CIs) injected performance anomalies. 91

  44. Evaluation – parameter value anomaly detection MSE: mean square error thresholds Evaluation results on OpenStack cloud log with different confidence intervals (CIs) 92

  45. Evaluation – parameter value anomaly detection MSE: mean square error thresholds ANOMALY Evaluation results on OpenStack cloud log with different confidence intervals (CIs) 93

  46. Evaluation – parameter value anomaly detection MSE: mean square error thresholds ANOMALY False Positive Evaluation results on OpenStack cloud log with different confidence intervals (CIs) 94

  47. Evaluation – LSTM model online update Up is good Evaluation on Blue Gene/L log, with and without online model update. 95

  48. Evaluation – LSTM model online update Up is good HPC log with labeled anomalies; Evaluation on Blue Gene/L log, Available at with and without online model update. https://www.usenix.org/cfdr-data 96

  49. Evaluation – case study: network security log Dataset: IEEE VAST Challenge 2011 (Mini Challenge 2 – Computer Networking Operations) The dataset contains firewall log, IDS log, etc. 97

  50. Evaluation – case study: network security log Dataset: IEEE VAST Challenge 2011 (Mini Challenge 2 – Computer Networking Operations) The dataset contains firewall log, IDS log, etc. Detection results. 98

  51. Evaluation – case study: network security log Dataset: IEEE VAST Challenge 2011 (Mini Challenge 2 – Computer Networking Operations) The dataset contains firewall log, IDS log, etc. Detection results. Could be fixed with prior knowledge of “documented IP” 99

  52. Evaluation – workflow construction Constructed workflow of VM Creation . (previously generated OpenStack cloud log) 100

Recommend

Minjie Wang Deep Learning Deep Learning trend in the past 10 years Caffe State-of-art DL

Minjie Wang Deep Learning Deep Learning trend in the past 10 years Caffe State-of-art DL

Tofu: Parallelizing Deep Learning Systems with Automatic Tiling Minjie Wang Deep Learning Deep Learning trend in the past 10 years Caffe State-of-art DL system is based on dataflow GPU#0 w1 w2 data g1 g2 Forward propagation

405 views • 38 slides
Mining Invariants from Logs for System Problem Detection Jian-Guang LOU, Qiang FU Software

Mining Invariants from Logs for System Problem Detection Jian-Guang LOU, Qiang FU Software

Mining Invariants from Logs for System Problem Detection Jian-Guang LOU, Qiang FU Software Analytics Microsoft Research Asia Background Many systems produce log messages for trouble-shooting. Logs usually record important system actions

706 views • 31 slides
Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Deep 3D Representation Learning for Visual Computing Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms Conclusion 2 Outline Overview of 3D deep learning Background 3D deep learning tasks 3D deep

1.66k views • 122 slides
Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics

Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics

Logs on Logs on Logs No More Append Atomic & Remap Eric Mackay Venkatesh Srinivas Basics of Block Device Interfaces I/O is done in granularity of blocks 512 bytes is pretty standard Writing is slooooooow Data is

898 views • 15 slides
ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP

ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP

ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP LEARNING EVERYWHERE INTERNET & CLOUD MEDICINE & BIOLOGY MEDIA & ENTERTAINMENT SECURITY & DEFENSE AUTONOMOUS MACHINES Image

307 views • 26 slides
Geotechnical Desktop Study Borings >100 feet deep Water Well Logs Regional Geology Fault

Geotechnical Desktop Study Borings >100 feet deep Water Well Logs Regional Geology Fault

Geotechnical Desktop Study Borings >100 feet deep Water Well Logs Regional Geology Fault Mapping & Behavior Geotechnical Desktop Study Borings Identified >100 Feet Deep Faulting Grain Size Distribution Comparison Inverted Siphon

733 views • 30 slides
Deep Learning on GPUs March 2016 What is Deep Learning? GPUs and DL AGENDA DL in practice

Deep Learning on GPUs March 2016 What is Deep Learning? GPUs and DL AGENDA DL in practice

Deep Learning on GPUs March 2016 What is Deep Learning? GPUs and DL AGENDA DL in practice Scaling up DL 2 What is Deep Learning? 3 DEEP LEARNING EVERYWHERE INTERNET & CLOUD MEDICINE & BIOLOGY SECURITY & DEFENSE MEDIA &

1.45k views • 39 slides
Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning

Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning

Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning Methods) Peter Henderson Statistical Society of Canada Annual Meeting 2018 Contributors Riashat Islam Phil Bachman Doina Precup David Meger Joelle

850 views • 37 slides
Image Classification with DIGITS NVIDIA Deep Learning Institute 1 DEEP LEARNING INSTITUTE DLI

Image Classification with DIGITS NVIDIA Deep Learning Institute 1 DEEP LEARNING INSTITUTE DLI

Image Classification with DIGITS NVIDIA Deep Learning Institute 1 DEEP LEARNING INSTITUTE DLI Mission Helping people solve challenging problems using AI and deep learning. Developers, data scientists and engineers Self-driving cars,

1.44k views • 72 slides
Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and

Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and

Deep Neural Networks and Deep Reinforcement Learning Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and Courville [chapt. 6,7,8]; AIMA [sect. 21.1-21.3]; Sutton and Barto, Reinforcement Learning: an

527 views • 35 slides
Natural Language Processing with Deep Learning CS224N The Future of Deep Learning + NLP Kevin

Natural Language Processing with Deep Learning CS224N The Future of Deep Learning + NLP Kevin

Natural Language Processing with Deep Learning CS224N The Future of Deep Learning + NLP Kevin Clark Deep Learning for NLP 5 years ago No Seq2Seq No Attention No large-scale QA/reading comprehension datasets No TensorFlow or

1.41k views • 92 slides
An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning

An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning

An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning Microsoft Research Asia (MSRA) Kaiming He, Xiangyu Zhang, Shaoqing Ren, & Jian Sun. Deep Residual Learning for Image Recognition. arXiv

1.32k views • 54 slides
Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree

Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree

Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree Search, Nature 2016] CS 486/686 University of Waterloo Lecture 21: July 12, 2017 Outline AlphaGo Supervised Learning of Policy Networks

540 views • 15 slides
Mocha.jl Deep Learning in Julia Chiyuan Zhang (@pluskid) CSAIL, MIT Deep Learning Learning

Mocha.jl Deep Learning in Julia Chiyuan Zhang (@pluskid) CSAIL, MIT Deep Learning Learning

Mocha.jl Deep Learning in Julia Chiyuan Zhang (@pluskid) CSAIL, MIT Deep Learning Learning with multi-layer (3~30) neural networks, on a huge training set. State-of-the-art on many AI tasks Computer Vision : Image Classification,

1.53k views • 23 slides
Deep Learning: Theory and Practice Deep Learning - Practical 02-04-2020 Considerations

Deep Learning: Theory and Practice Deep Learning - Practical 02-04-2020 Considerations

Deep Learning: Theory and Practice Deep Learning - Practical 02-04-2020 Considerations deeplearning.cce2020@gmail.com Deep Networks Intuition Neural networks with multiple hidden layers - Deep networks [Hinton, 2006] Deep Networks Intuition

1.33k views • 28 slides
Deep Learning: State of the Art (2020) Deep Learning Lecture Series https://deeplearning.mit.edu

Deep Learning: State of the Art (2020) Deep Learning Lecture Series https://deeplearning.mit.edu

Deep Learning: State of the Art (2020) Deep Learning Lecture Series https://deeplearning.mit.edu 2020 For the full list of references visit: http://bit.ly/deeplearn-sota-2020 Outline Deep Learning Growth, Celebrations, and Limitations

1.1k views • 87 slides
12. Unsupervised Deep Learning CS 535 Deep Learning, Winter 2018 Fuxin Li With materials from

12. Unsupervised Deep Learning CS 535 Deep Learning, Winter 2018 Fuxin Li With materials from

12. Unsupervised Deep Learning CS 535 Deep Learning, Winter 2018 Fuxin Li With materials from Wanli Ouyang, Zsolt Kira, Lawrence Neal, Raymond Yeh, Junting Lou and Teck-Yian Lim Unsupervised Learning in General Unsupervised learning is

1.48k views • 115 slides
Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning

Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning

Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning www.deeplearningbook.org Ian Goodfellow 2016-09-27 Definition Regularization is any modification we make to a learning algorithm that is intended to reduce

179 views • 13 slides
Introduction to Deep Learning Outline Deep Learning RNN CNN Attention

Introduction to Deep Learning Outline Deep Learning RNN CNN Attention

Introduction to Deep Learning Outline Deep Learning RNN CNN Attention Transformer Pytorch Introduction Basics Examples RNNs Some slides borrowed from Fei-Fei Li & Justin Johnson &

1.1k views • 55 slides
System Unit 5, Lesson 2 Learning Goals Today we will be learning: The EA sound

System Unit 5, Lesson 2 Learning Goals Today we will be learning: The EA sound

The Respiratory System Unit 5, Lesson 2 Learning Goals Today we will be learning: The EA sound Reviewing Transition Words Ordinal Numbers The Respir iratory ry System By: Helen Frost Lets take a BIG, DEEP, BREATHE

518 views • 18 slides
Deep learning for NLP: Introduction CS 6956: Deep Learning for NLP Words are a very fantastical

Deep learning for NLP: Introduction CS 6956: Deep Learning for NLP Words are a very fantastical

Deep learning for NLP: Introduction CS 6956: Deep Learning for NLP Words are a very fantastical banquet, just so many strange dishes And yet, we seem to do fine We can understand and generate language effortlessly. Almost 1 Wouldnt it be

1.62k views • 52 slides
Deep Reinforcement Learning and Complex Environments Raia Hadsell End-to-end Deep Learning

Deep Reinforcement Learning and Complex Environments Raia Hadsell End-to-end Deep Learning

Deep Reinforcement Learning and Complex Environments Raia Hadsell End-to-end Deep Learning for robots? slide from V. Vanhoucke End-to-end Deep Learning for robots? 2010 : Speech Recognition Audio Acoustic Model Phonetic Model

1.05k views • 65 slides
It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19

It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19

It Can Understand the Logs, Literally Aidi Pi , Wei Chen, Will Zeller and Xiaobo Zhou IPDPSW19 @ Rio de Janeiro Outline Introduction to distributed system logs Challenges NLog: A NLP based log analysis approach Evaluation

197 views • 18 slides
FPL 2019 - PhD Forum FPGA Accelerated Deep Learning Radio Modulation Classification Using MATLAB

FPL 2019 - PhD Forum FPGA Accelerated Deep Learning Radio Modulation Classification Using MATLAB

FPL 2019 - PhD Forum FPGA Accelerated Deep Learning Radio Modulation Classification Using MATLAB System Objects & PYNQ Andrew Maclellan, Lewis McLaughlin, Louise Crockett, Robert W. Stewart Motivation Impact of Deep Learning: Natural

319 views • 10 slides

More recommend