LogEvent2vec: LogEvent-to-vector based anomaly detection for large-scale logs in internet of things

Jin Wang; Yangning Tang; Shiming He; Changqing Zhao; Pradip Kumar Sharma; Osama Alfarraj; Amr Tolba

doi:10.3390/s20092451

LogEvent2vec: LogEvent-to-vector based anomaly detection for large-scale logs in internet of things

Jin Wang, Yangning Tang, Shiming He^*, Changqing Zhao, Pradip Kumar Sharma, Osama Alfarraj, Amr Tolba

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

65 Citations (Scopus)

8 Downloads (Pure)

Abstract

Log anomaly detection is an efficient method to manage modern large-scale Internet of Things (IoT) systems. More and more works start to apply natural language processing (NLP) methods, and in particular word2vec, in the log feature extraction. Word2vec can extract the relevance between words and vectorize the words. However, the computing cost of training word2vec is high. Anomalies in logs are dependent on not only an individual log message but also on the log message sequence. Therefore, the vector of words from word2vec can not be used directly, which needs to be transformed into the vector of log events and further transformed into the vector of log sequences. To reduce computational cost and avoid multiple transformations, in this paper, we propose an offline feature extraction model, named LogEvent2vec, which takes the log event as input of word2vec to extract the relevance between log events and vectorize log events directly. LogEvent2vec can work with any coordinate transformation methods and anomaly detection models. After getting the log event vector, we transform log event vector to log sequence vector by bary or tf-idf and three kinds of supervised models (Random Forests, Naive Bayes, and Neural Networks) are trained to detect the anomalies. We have conducted extensive experiments on a real public log dataset from BlueGene/L (BGL). The experimental results demonstrate that LogEvent2vec can significantly reduce computational time by 30 times and improve accuracy, comparing with word2vec. LogEvent2vec with bary and Random Forest can achieve the best F1-score and LogEvent2vec with tf-idf and Naive Bayes needs the least computational time.

Original language	English
Article number	2451
Number of pages	19
Journal	Sensors (Switzerland)
Volume	20
Issue number	9
Early online date	26 Apr 2020
DOIs	https://doi.org/10.3390/s20092451
Publication status	Published - May 2020

Bibliographical note

Funding: This work was funded by the National Natural Science Foundation of China (Nos. 61802030), the Research Foundation of Education Bureau of Hunan Province, China (No. 19B005), and the International Cooperative Project for “Double First-Class”, CSUST (No. 2018IC24), the open research fund of Key Lab
of Broadband Wireless Communication and Sensor Network Technology (Nanjing University of Posts and Telecommunications), Ministry of Education (No. JZNY201905), the Open Research Fund of the Hunan Provincial Key Laboratory of Network Investigational Technology (No. 2018WLZC003). This work was funded by the Researchers Supporting Project No. (RSP-2019/102) King Saud University, Riyadh, Saudi Arabia. Acknowledgments: We thank Researchers Supporting Project No. (RSP-2019/102) King Saud University, Riyadh,
Saudi Arabia, for funding this research. We thank Francesco Cauteruccio for proofreading this paper.

Keywords

Device management
IoT
Log anomaly detection
Log event
Log template
Word2vec
log anomaly detection
log template
log event
word2vec
device management

Access to Document

10.3390/s20092451Licence: CC BY

Wang_etal_sensors_LogEvent2vec_VOR
This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.https://creativecommons.org/licenses/by/4.0/
Final published version, 1 MBLicence: CC BY

Cite this

@article{ba2d52678daf4613a839e778b24cc9a6,

title = "LogEvent2vec: LogEvent-to-vector based anomaly detection for large-scale logs in internet of things",

abstract = "Log anomaly detection is an efficient method to manage modern large-scale Internet of Things (IoT) systems. More and more works start to apply natural language processing (NLP) methods, and in particular word2vec, in the log feature extraction. Word2vec can extract the relevance between words and vectorize the words. However, the computing cost of training word2vec is high. Anomalies in logs are dependent on not only an individual log message but also on the log message sequence. Therefore, the vector of words from word2vec can not be used directly, which needs to be transformed into the vector of log events and further transformed into the vector of log sequences. To reduce computational cost and avoid multiple transformations, in this paper, we propose an offline feature extraction model, named LogEvent2vec, which takes the log event as input of word2vec to extract the relevance between log events and vectorize log events directly. LogEvent2vec can work with any coordinate transformation methods and anomaly detection models. After getting the log event vector, we transform log event vector to log sequence vector by bary or tf-idf and three kinds of supervised models (Random Forests, Naive Bayes, and Neural Networks) are trained to detect the anomalies. We have conducted extensive experiments on a real public log dataset from BlueGene/L (BGL). The experimental results demonstrate that LogEvent2vec can significantly reduce computational time by 30 times and improve accuracy, comparing with word2vec. LogEvent2vec with bary and Random Forest can achieve the best F1-score and LogEvent2vec with tf-idf and Naive Bayes needs the least computational time.",

keywords = "Device management, IoT, Log anomaly detection, Log event, Log template, Word2vec, log anomaly detection, log template, log event, word2vec, device management",

author = "Jin Wang and Yangning Tang and Shiming He and Changqing Zhao and Sharma, {Pradip Kumar} and Osama Alfarraj and Amr Tolba",

note = "Funding: This work was funded by the National Natural Science Foundation of China (Nos. 61802030), the Research Foundation of Education Bureau of Hunan Province, China (No. 19B005), and the International Cooperative Project for “Double First-Class”, CSUST (No. 2018IC24), the open research fund of Key Lab of Broadband Wireless Communication and Sensor Network Technology (Nanjing University of Posts and Telecommunications), Ministry of Education (No. JZNY201905), the Open Research Fund of the Hunan Provincial Key Laboratory of Network Investigational Technology (No. 2018WLZC003). This work was funded by the Researchers Supporting Project No. (RSP-2019/102) King Saud University, Riyadh, Saudi Arabia. Acknowledgments: We thank Researchers Supporting Project No. (RSP-2019/102) King Saud University, Riyadh, Saudi Arabia, for funding this research. We thank Francesco Cauteruccio for proofreading this paper.",

year = "2020",

month = may,

doi = "10.3390/s20092451",

language = "English",

volume = "20",

journal = "Sensors (Switzerland)",

issn = "1424-8220",

publisher = "MDPI",

number = "9",

}

TY - JOUR

T1 - LogEvent2vec

T2 - LogEvent-to-vector based anomaly detection for large-scale logs in internet of things

AU - Wang, Jin

AU - Tang, Yangning

AU - He, Shiming

AU - Zhao, Changqing

AU - Sharma, Pradip Kumar

AU - Alfarraj, Osama

AU - Tolba, Amr

N1 - Funding: This work was funded by the National Natural Science Foundation of China (Nos. 61802030), the Research Foundation of Education Bureau of Hunan Province, China (No. 19B005), and the International Cooperative Project for “Double First-Class”, CSUST (No. 2018IC24), the open research fund of Key Lab of Broadband Wireless Communication and Sensor Network Technology (Nanjing University of Posts and Telecommunications), Ministry of Education (No. JZNY201905), the Open Research Fund of the Hunan Provincial Key Laboratory of Network Investigational Technology (No. 2018WLZC003). This work was funded by the Researchers Supporting Project No. (RSP-2019/102) King Saud University, Riyadh, Saudi Arabia. Acknowledgments: We thank Researchers Supporting Project No. (RSP-2019/102) King Saud University, Riyadh, Saudi Arabia, for funding this research. We thank Francesco Cauteruccio for proofreading this paper.

PY - 2020/5

Y1 - 2020/5

N2 - Log anomaly detection is an efficient method to manage modern large-scale Internet of Things (IoT) systems. More and more works start to apply natural language processing (NLP) methods, and in particular word2vec, in the log feature extraction. Word2vec can extract the relevance between words and vectorize the words. However, the computing cost of training word2vec is high. Anomalies in logs are dependent on not only an individual log message but also on the log message sequence. Therefore, the vector of words from word2vec can not be used directly, which needs to be transformed into the vector of log events and further transformed into the vector of log sequences. To reduce computational cost and avoid multiple transformations, in this paper, we propose an offline feature extraction model, named LogEvent2vec, which takes the log event as input of word2vec to extract the relevance between log events and vectorize log events directly. LogEvent2vec can work with any coordinate transformation methods and anomaly detection models. After getting the log event vector, we transform log event vector to log sequence vector by bary or tf-idf and three kinds of supervised models (Random Forests, Naive Bayes, and Neural Networks) are trained to detect the anomalies. We have conducted extensive experiments on a real public log dataset from BlueGene/L (BGL). The experimental results demonstrate that LogEvent2vec can significantly reduce computational time by 30 times and improve accuracy, comparing with word2vec. LogEvent2vec with bary and Random Forest can achieve the best F1-score and LogEvent2vec with tf-idf and Naive Bayes needs the least computational time.

AB - Log anomaly detection is an efficient method to manage modern large-scale Internet of Things (IoT) systems. More and more works start to apply natural language processing (NLP) methods, and in particular word2vec, in the log feature extraction. Word2vec can extract the relevance between words and vectorize the words. However, the computing cost of training word2vec is high. Anomalies in logs are dependent on not only an individual log message but also on the log message sequence. Therefore, the vector of words from word2vec can not be used directly, which needs to be transformed into the vector of log events and further transformed into the vector of log sequences. To reduce computational cost and avoid multiple transformations, in this paper, we propose an offline feature extraction model, named LogEvent2vec, which takes the log event as input of word2vec to extract the relevance between log events and vectorize log events directly. LogEvent2vec can work with any coordinate transformation methods and anomaly detection models. After getting the log event vector, we transform log event vector to log sequence vector by bary or tf-idf and three kinds of supervised models (Random Forests, Naive Bayes, and Neural Networks) are trained to detect the anomalies. We have conducted extensive experiments on a real public log dataset from BlueGene/L (BGL). The experimental results demonstrate that LogEvent2vec can significantly reduce computational time by 30 times and improve accuracy, comparing with word2vec. LogEvent2vec with bary and Random Forest can achieve the best F1-score and LogEvent2vec with tf-idf and Naive Bayes needs the least computational time.

KW - Device management

KW - IoT

KW - Log anomaly detection

KW - Log event

KW - Log template

KW - Word2vec

KW - log anomaly detection

KW - log template

KW - log event

KW - word2vec

KW - device management

UR - http://www.scopus.com/inward/record.url?scp=85084058085&partnerID=8YFLogxK

U2 - 10.3390/s20092451

DO - 10.3390/s20092451

M3 - Article

C2 - 32357404

AN - SCOPUS:85084058085

SN - 1424-8220

VL - 20

JO - Sensors (Switzerland)

JF - Sensors (Switzerland)

IS - 9

M1 - 2451

ER -

LogEvent2vec: LogEvent-to-vector based anomaly detection for large-scale logs in internet of things

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this