CN118210670A - Log abnormality detection method and device, electronic equipment and storage medium - Google Patents
Log abnormality detection method and device, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN118210670A CN118210670A CN202410082532.8A CN202410082532A CN118210670A CN 118210670 A CN118210670 A CN 118210670A CN 202410082532 A CN202410082532 A CN 202410082532A CN 118210670 A CN118210670 A CN 118210670A
- Authority
- CN
- China
- Prior art keywords
- log
- vector
- detected
- abnormality detection
- model
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 111
- 230000005856 abnormality Effects 0.000 title claims abstract description 79
- 239000013598 vector Substances 0.000 claims abstract description 164
- 238000000034 method Methods 0.000 claims abstract description 37
- 238000004590 computer program Methods 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 14
- 230000015654 memory Effects 0.000 claims description 12
- 238000012549 training Methods 0.000 claims description 6
- 238000013145 classification model Methods 0.000 claims description 5
- 238000013507 mapping Methods 0.000 claims description 2
- 238000004891 communication Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 6
- 238000004422 calculation algorithm Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 230000002159 abnormal effect Effects 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 4
- 238000000605 extraction Methods 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 238000004364 calculation method Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012706 support-vector machine Methods 0.000 description 2
- 238000003491 array Methods 0.000 description 1
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Landscapes
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a log abnormality detection method, a log abnormality detection device, electronic equipment and a storage medium. The method comprises the following steps: acquiring a log to be detected; vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected; inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model; and carrying out abnormality judgment on the predicted log vector to obtain a log abnormality detection result. According to the technical scheme, the prediction log vector is obtained through the N-BEATS model prediction, so that the accuracy of the prediction log vector can be effectively improved, and the accuracy of log abnormality detection is improved.
Description
Technical Field
The present invention relates to the field of log analysis technologies, and in particular, to a method and apparatus for detecting log anomalies, an electronic device, and a storage medium.
Background
The system log records various system states and important events, and can help system developers to check positioning problems and repair the anomalies when the anomalies occur so as to maintain stable operation of the system.
As the functionality of the system increases, the number of log records increases exponentially, and when an abnormality occurs in the system, it becomes more difficult for a developer to screen out useful information from a large amount of log information. Currently, long Short-Term Memory (LSTM) networks are widely used for log anomaly detection to quickly locate anomaly logs.
In the process of implementing the present invention, the inventor finds that at least the following technical problems exist in the prior art: the existing LSTM-based log abnormality detection scheme has the problem that the log abnormality detection accuracy is low.
Disclosure of Invention
The invention provides a log abnormality detection method, a log abnormality detection device, electronic equipment and a storage medium, so as to improve the accuracy of log abnormality detection.
According to an aspect of the present invention, there is provided a log abnormality detection method including:
acquiring a log to be detected;
vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected;
Inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model;
And carrying out abnormality judgment on the predicted log vector to obtain a log abnormality detection result.
According to another aspect of the present invention, there is provided a log abnormality detection apparatus including:
the log acquisition module is used for acquiring logs to be detected;
The vectorization processing module is used for vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected;
the log vector prediction module is used for inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model;
And the abnormality judgment module is used for carrying out abnormality judgment on the prediction log vector to obtain a log abnormality detection result.
According to another aspect of the present invention, there is provided an electronic apparatus including:
At least one processor;
and a memory communicatively coupled to the at least one processor;
the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor, so that the at least one processor can execute the log anomaly detection method according to any embodiment of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the log anomaly detection method according to any one of the embodiments of the present invention when executed.
Compared with the log vector obtained through LSTM prediction, the N-BEATS model prediction method has the advantage that the predicted log vector obtained through the N-BEATS model prediction has higher accuracy, so that the accuracy of log abnormality detection is improved.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a log anomaly detection method according to a first embodiment of the present invention;
FIG. 2 is a flowchart of a log anomaly detection method according to a second embodiment of the present invention;
FIG. 3 is a flowchart of a log anomaly detection method according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a log abnormality detection device according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device implementing a log anomaly detection method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The technical scheme of the application obtains, stores, uses, processes and the like the data, which all meet the relevant regulations of national laws and regulations.
Example 1
Fig. 1 is a flowchart of a log abnormality detection method according to a first embodiment of the present invention, where the method may be applied to abnormality detection of a log, and the method may be performed by a log abnormality detection device, where the log abnormality detection device may be implemented in hardware and/or software, and the log abnormality detection device may be configured in a terminal and/or a server. As shown in fig. 1, the method includes:
S110, acquiring a log to be detected.
In this embodiment, the log to be detected refers to a system log to be subjected to anomaly detection, and may include information such as a running state of a system program. The number of the logs to be detected may be one, two or more, and is not particularly limited herein.
Specifically, the log to be detected may be read from a preset storage path of the electronic device, or may be retrieved from another device communicatively connected to the electronic device, which is not limited herein.
S120, vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected.
The log sequence vector refers to a vector representation of a log to be detected.
Specifically, the log to be detected can be analyzed to obtain structured log data, and further vectorization representation is performed on the structured log data to obtain a log sequence vector corresponding to the log to be detected.
S130, inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model.
The predicted log vector is a log vector obtained by predicting the log sequence vector through a log detection model.
In this embodiment, the log sequence vector may be used as an input of the log detection model, and input to the log detection model that is trained in advance, so that the log detection model outputs the predicted log vector. Wherein the training step of the N-BEATS model may include: and acquiring a plurality of sample logs and labels corresponding to the sample logs, and training the initial N-BEATS model according to the plurality of sample logs and the labels corresponding to the sample logs until the training stopping condition is met, so as to obtain a trained log detection model.
It should be noted that, compared with the LSTM model, the N-BEATS model and the N-BEATS model can process a plurality of log sequence vectors with different time scales in parallel, so that global features of the log sequence vectors can be better captured, and accuracy of predicting the log vectors is improved. In addition, the N-BEATS model has the characteristics of strong interpretation, high training speed, strong universality and the like.
And S140, carrying out abnormality judgment on the predicted log vector to obtain a log abnormality detection result.
The log abnormality detection result refers to an abnormality detection result of a log, and may be detection results of normal log, abnormal log, uncertain detection result, and the like.
Specifically, abnormal judgment of the prediction log vector can be achieved through technical means such as text similarity and threshold judgment.
Optionally, after vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected, the method further includes: and inputting the log sequence vector corresponding to the log to be detected into a pre-training completion log classification model to obtain a log classification result, wherein the log classification result is a service log or a system log.
The log classification model may be a support vector machine, specifically, the log sequence vector corresponding to the log to be detected may be input into a support vector machine trained in advance to obtain a log classification result, and then the log sequence vector is input into a log detection model corresponding to the log classification result, so that the accuracy of log anomaly detection may be improved.
In some alternative embodiments, the method further comprises: the log detection models with different input sequence lengths can be evaluated according to one or more of recall ratio, precision ratio, operation time and system resource consumption, and the target log detection model and the optimal input sequence length are determined based on the evaluation result, so that the phenomenon of over-fitting caused by too long sequence length is avoided, and the consumption of computer resources and time can be reduced. The input sequence length refers to the length of the log sequence vector.
Compared with the log vector obtained through LSTM prediction, the N-BEATS model prediction method has the advantage that the predicted log vector obtained through the N-BEATS model prediction has higher accuracy, so that the accuracy of log abnormality detection is improved.
Example two
Fig. 2 is a flowchart of a log abnormality detection method according to a second embodiment of the present invention, where the method according to the present embodiment may be combined with each of the alternatives in the log abnormality detection method provided in the foregoing embodiment. The log abnormality detection method provided by the embodiment is further optimized. Optionally, the vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected includes: analyzing the log to be detected to obtain log template data; and extracting features of the log template data to obtain a log sequence vector corresponding to the log to be detected.
As shown in fig. 2, the method includes:
S210, acquiring a log to be detected.
S220, analyzing the log to be detected to obtain log template data.
Specifically, the log to be detected may be analyzed by a log analysis algorithm, so as to obtain log template data, where the log analysis algorithm may be Drain, spell, lenma, logmine, etc., and is not limited herein.
And S230, extracting features of the log template data to obtain a log sequence vector corresponding to the log to be detected.
Specifically, words in log template data can be mapped to a vector space to obtain a word vector set corresponding to the log template data; determining the weight of each word vector in the word vector set; and carrying out weighted average processing on the word vector set corresponding to the log template data based on the weight of each word vector in the word vector set to obtain a log sequence vector corresponding to the log to be detected.
The method comprises the steps of analyzing a log to be detected through a Drain algorithm to obtain log template data, mapping words in the log template data to a vector space through Word2Vec to obtain a Word vector set corresponding to the log template data, calculating weights of all Word vectors in the Word vector set through a TF-IDF algorithm, and carrying out weighted average processing on the Word vector set corresponding to the log template data according to the weights of all Word vectors in the Word vector set to obtain a log sequence vector corresponding to the log to be detected. The log sequence vector calculation formula may be as follows:
Where x represents the log sequence vector, ω i represents the weight of the i-th word vector, and w i represents the i-th word vector.
S240, inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model.
S250, carrying out abnormality judgment on the predicted log vector to obtain a log abnormality detection result.
According to the technical scheme, the log template data are obtained by analyzing the log to be detected; and extracting features of the log template data to obtain a log sequence vector corresponding to the log to be detected, thereby realizing automatic extraction of the features of the log to be detected.
Example III
Fig. 3 is a flowchart of a log abnormality detection method according to a third embodiment of the present invention, where the method according to the present embodiment may be combined with each of the alternatives in the log abnormality detection method provided in the foregoing embodiment. The log abnormality detection method provided by the embodiment is further optimized. Optionally, the performing abnormality judgment on the prediction log vector to obtain a log abnormality detection result includes: obtaining a target log vector; determining cosine similarity of the prediction log vector and the target log vector; and determining a log abnormality detection result based on cosine similarity of the prediction log vector and the target log vector.
As shown in fig. 3, the method includes:
s310, acquiring a log to be detected.
S320, vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected.
S330, inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model.
S340, acquiring a target log vector.
The target log vector is a log vector corresponding to the actual log, that is, the target log vector is a vector for judging whether the predicted log vector is abnormal or not.
Specifically, the target log vector may be read from a preset storage path of the electronic device, and may be also called from another device communicatively connected to the electronic device, which is not limited herein.
S350, determining cosine similarity of the prediction log vector and the target log vector.
Illustratively, the cosine similarity calculation formula is as follows:
where a represents a predictive log vector and b represents a target log vector.
S360, determining a log abnormality detection result based on cosine similarity of the prediction log vector and the target log vector.
In this embodiment, after the log abnormality detection result is obtained, the log abnormality detection result may be sent to the user client, so that the user may check and determine whether the log is abnormal.
Optionally, determining the log anomaly detection result based on cosine similarity of the prediction log vector and the target log vector includes: if the cosine similarity between the predicted log vector and the target log vector is greater than a preset similarity threshold, determining that the log abnormality detection result is that the log is normal; and if the cosine similarity of the predicted log vector and the target log vector is not greater than a preset similarity threshold, determining that the log abnormality detection result is log abnormality.
For example, the preset similarity threshold may be 0.5, and if the cosine similarity between the predicted log vector and the target log vector is greater than 0.5, determining that the log abnormality detection result is that the log is normal; if the cosine similarity of the predicted log vector and the target log vector is not more than 0.5, determining that the log abnormality detection result is log abnormality.
According to the technical scheme provided by the embodiment of the invention, the log abnormality detection result is determined by predicting the cosine similarity of the log vector and the target log vector, so that the automatic detection of the log abnormality is realized.
Example IV
Fig. 4 is a schematic structural diagram of a log anomaly detection device according to a fourth embodiment of the present invention. As shown in fig. 4, the apparatus includes:
a log obtaining module 410, configured to obtain a log to be detected;
The vectorization processing module 420 is configured to perform vectorization processing on the log to be detected, so as to obtain a log sequence vector corresponding to the log to be detected;
the log vector prediction module 430 is configured to input a log sequence vector corresponding to the log to be detected into a pre-trained log detection model, to obtain a predicted log vector, where the pre-trained log detection model is an N-BEATS model;
and the abnormality judgment module 440 is configured to perform abnormality judgment on the predicted log vector to obtain a log abnormality detection result.
Compared with the log vector obtained through LSTM prediction, the N-BEATS model prediction method has the advantage that the predicted log vector obtained through the N-BEATS model prediction has higher accuracy, so that the accuracy of log abnormality detection is improved.
In some alternative embodiments, vectorization processing module 420 includes:
The log analysis unit is used for analyzing the log to be detected to obtain log template data;
And the log feature extraction unit is used for carrying out feature extraction on the log template data to obtain a log sequence vector corresponding to the log to be detected.
In some alternative embodiments, the log feature extraction unit may be specifically configured to:
Determining the weight of each word vector in the word vector set;
And carrying out weighted average processing on the word vector set corresponding to the log template data based on the weight of each word vector in the word vector set to obtain the log sequence vector corresponding to the log to be detected.
In some alternative embodiments, the N-BEATS model includes a generic linear layer, a gated loop unit, and a multi-headed attention layer.
In some alternative embodiments, the anomaly determination module 440 includes:
The target log vector acquisition unit is used for acquiring a target log vector;
The cosine similarity determining unit is used for determining cosine similarity of the prediction log vector and the target log vector;
and the log abnormality detection result determining unit is used for determining a log abnormality detection result based on the cosine similarity of the predicted log vector and the target log vector.
In some optional embodiments, the log anomaly detection result determining unit may be specifically configured to:
if the cosine similarity between the predicted log vector and the target log vector is greater than a preset similarity threshold, determining that the log abnormality detection result is that the log is normal;
And if the cosine similarity of the predicted log vector and the target log vector is not greater than a preset similarity threshold, determining that the log abnormality detection result is log abnormality.
In some optional embodiments, the log anomaly detection apparatus further includes:
And the log classification model is used for inputting the log sequence vector corresponding to the log to be detected into a pre-trained log classification model to obtain a log classification result, wherein the log classification result is a service log or a system log.
The log abnormality detection device provided by the embodiment of the invention can execute the log abnormality detection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 5 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices (e.g., helmets, eyeglasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An I/O interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the respective methods and processes described above, such as a log abnormality detection method, which includes:
acquiring a log to be detected;
vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected;
Inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model;
And carrying out abnormality judgment on the predicted log vector to obtain a log abnormality detection result.
In some embodiments, the log anomaly detection method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into the RAM 13 and executed by the processor 11, one or more steps of the log abnormality detection method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the log anomaly detection method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), system-on-chip (SOCs), complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.
Claims (10)
1. A log anomaly detection method, comprising:
acquiring a log to be detected;
vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected;
Inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model;
And carrying out abnormality judgment on the predicted log vector to obtain a log abnormality detection result.
2. The method of claim 1, wherein the vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected comprises:
Analyzing the log to be detected to obtain log template data;
and extracting features of the log template data to obtain a log sequence vector corresponding to the log to be detected.
3. The method of claim 2, wherein the feature extracting the log template data to obtain a log sequence vector corresponding to the log to be detected includes:
Mapping words in the log template data to a vector space to obtain a word vector set corresponding to the log template data;
Determining the weight of each word vector in the word vector set;
And carrying out weighted average processing on the word vector set corresponding to the log template data based on the weight of each word vector in the word vector set to obtain the log sequence vector corresponding to the log to be detected.
4. The method of claim 1, wherein the N-BEATS model includes a generic linear layer, a gated loop unit, and a multi-headed attention layer.
5. The method of claim 1, wherein performing anomaly determination on the prediction log vector to obtain a log anomaly detection result comprises:
Obtaining a target log vector;
Determining cosine similarity of the prediction log vector and the target log vector;
and determining a log abnormality detection result based on cosine similarity of the prediction log vector and the target log vector.
6. The method of claim 5, wherein the determining a log anomaly detection result based on cosine similarity of the predicted log vector and the target log vector comprises:
if the cosine similarity between the predicted log vector and the target log vector is greater than a preset similarity threshold, determining that the log abnormality detection result is that the log is normal;
And if the cosine similarity of the predicted log vector and the target log vector is not greater than a preset similarity threshold, determining that the log abnormality detection result is log abnormality.
7. The method according to any one of claims 1-6, wherein after the vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected, the method further includes:
And inputting the log sequence vector corresponding to the log to be detected into a pre-training completion log classification model to obtain a log classification result, wherein the log classification result is a service log or a system log.
8. A log abnormality detection device, characterized by comprising:
the log acquisition module is used for acquiring logs to be detected;
The vectorization processing module is used for vectorizing the log to be detected to obtain a log sequence vector corresponding to the log to be detected;
the log vector prediction module is used for inputting the log sequence vector corresponding to the log to be detected into a pre-trained log detection model to obtain a predicted log vector, wherein the pre-trained log detection model is an N-BEATS model;
And the abnormality judgment module is used for carrying out abnormality judgment on the prediction log vector to obtain a log abnormality detection result.
9. An electronic device, the electronic device comprising:
At least one processor;
and a memory communicatively coupled to the at least one processor;
Wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the log anomaly detection method of claim 8.
10. A computer readable storage medium storing computer instructions for causing a processor to execute the log anomaly detection method of claim 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410082532.8A CN118210670A (en) | 2024-01-19 | 2024-01-19 | Log abnormality detection method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410082532.8A CN118210670A (en) | 2024-01-19 | 2024-01-19 | Log abnormality detection method and device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118210670A true CN118210670A (en) | 2024-06-18 |
Family
ID=91451437
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410082532.8A Pending CN118210670A (en) | 2024-01-19 | 2024-01-19 | Log abnormality detection method and device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118210670A (en) |
-
2024
- 2024-01-19 CN CN202410082532.8A patent/CN118210670A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN114692778B (en) | Multi-mode sample set generation method, training method and device for intelligent inspection | |
| CN116629620A (en) | Risk level determining method and device, electronic equipment and storage medium | |
| CN116089231A (en) | Fault alarm method and device, electronic equipment and storage medium | |
| CN114866437B (en) | Node detection method, device, equipment and medium | |
| CN116166814A (en) | Event detection method, device, equipment and storage medium | |
| CN115600607A (en) | Log detection method and device, electronic equipment and medium | |
| CN118210670A (en) | Log abnormality detection method and device, electronic equipment and storage medium | |
| CN114581711A (en) | Target object detection method, apparatus, device, storage medium, and program product | |
| CN117112445B (en) | Machine learning model stability detection method, device, equipment and medium | |
| CN116933896B (en) | Super-parameter determination and semantic conversion method, device, equipment and medium | |
| CN117746069B (en) | Graph searching model training method and graph searching method | |
| CN114037058B (en) | Pre-training model generation method and device, electronic equipment and storage medium | |
| CN113434378B (en) | Webpage stability detection method and device, electronic equipment and readable storage medium | |
| CN117115568B (en) | Data screening method, device, equipment and storage medium | |
| CN116225767A (en) | Log fault classification model training method, device, equipment and storage medium | |
| CN117611164A (en) | Risk statement identification method and device, electronic equipment and storage medium | |
| CN114912541A (en) | Classification method, classification device, electronic equipment and storage medium | |
| CN117609723A (en) | Object identification method and device, electronic equipment and storage medium | |
| CN116524959A (en) | Voice emotion determining method, device, equipment and medium | |
| CN117933353A (en) | Reinforced learning model training method and device, electronic equipment and storage medium | |
| CN116975653A (en) | Sample information determining method and device, electronic equipment and storage medium | |
| CN116662194A (en) | Software quality measurement method, device, equipment and medium | |
| CN116720186A (en) | Malicious code identification method and device, electronic equipment and storage medium | |
| CN115859151A (en) | Method, device, equipment and storage medium for identifying malicious website | |
| CN117271289A (en) | Webpage monitoring method, device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |