摘要
随着计算机科学和互联网技术的不断进步,信息技术的发展迈入了一个新的高度。支撑社会运转的软、硬件系统,不管从规模大小或是复杂程度,都到达了前所未有的水平。如今政府大力推进“互联网+”计划,互联网与传统行业结合得更加紧密,相互促进彼此的发展。在这个云计算和大数据大行其道的年代,维护互联网及其软硬件系统的稳定运行、检测和修复潜在的异常就变得更加重要。
日志监控是软件监控系统中的重要组成部分。通过对日志内容和日志输出特征的分析,可以判断当前系统的运行状态,预测可能发生的异常。目前已经有很多关于日志分析的研究,已有的监控系统也取得了很好的效果。但当前日志分析技术仍然面对着一些问题,主要表现在如下方面:1)日志数量巨大。大型软件系统每天可以产生 TB 数量级大小的日志,逐条分析日志内容会对日志分析系统造成巨大压力。2)日志结构不固定,并且可能不完整。日志的有效内容(payload)并不遵循特定的格式,在系统高负载的情况下日志内容可能出现丢失,给日志的自动化处理带来困难。3)不同系统产生的日志内容差异巨大,通用的日志监控系统存在检测准确率不高的问题。
我们针对以上这些问题进行了研究,经过实验,提出了基于日志监控的行为异常检测技术,并且实现了相应的日志监控系统。本文的研究工作主要体现在以下几个方面:
1.提出了基于日志标准化和层次聚类的日志预处理方法。首先对日志信息进行正规化处理,然后采用自底向上层次聚类算法,基于日志有效内容的相似度对日志进行聚类。
2.提出了基于行为异常的通用日志异常检测算法。从聚类后的日志中提取出特有行为模式,基于行为模式的异常指数和相似度等特征对日志序列进行异常检测,预测系统状态。
3.设计实现了基于行为异常检测的日志监控系统。通过训练得到的行为模型,
对日志流进行实时高效地分析,帮助管理人员有效监控和维护生产环境。
关键词:日志监控、异常检测、层次聚类、异常连续子序列
Abstract
With the continuous progress of computer science and Internet technology, the development of information technology has entered a new height. The hardware and software systems that support the operation of society have reached unprecedented levels, no matter in size or complexity. Now the government is pushing ahead with the Internet Plus program, which is more closely integrated with traditional industries and promotes each other's development. In this era of cloud computing and big data, it is even more important to maintain the stable operation, detection, and repair of potential anomalies in the Internet and its hardware and software systems.
Log monitoring is an important part of software monitoring system. By analyzing the log content and log output characteristics, we can judge the current system's operating state and predict possible anomalies. At present, there are a lot of research on log analysis, the existing monitoring system has also achieved good results. However, the current log analysis technology still faces some problems, mainly in the following aspects: 1) the number of logs is huge. Large software systems can generate TB orders of magnitude logs per day, and analyzing log content on a case-by-case basis can put a lot of pressure on log analysis systems. 2) The log structure is not fixed and may not be complete. The valid content of the log (payload) does not follow a specific format, and the log content may be lost under high system load, which can make it difficult to automate the processing of the log. 3) The log content produced by different systems is very different, and the general log monitoring system has the problem of low detection accuracy.
We have studied the above problems, and after experiments, the behavior anomaly detection technology based on log monitoring is proposed, and the corresponding log monitoring system is implemented. The research work of this paper is mainly reflected in the following aspects:
1. A log pre-processing method based on log standardization and hierarchical clustering is proposed. First, the log information is formalized, and then the log is clustered according to the similarity of the valid content of the log by using the bottom-up clustering algorithm.
2. A common log anomaly detection algorithm based on behavioral anomalies is proposed. The characteristic behavior pattern is extracted from the clustered log, and the abnormal detection of the log sequence is carried out based on the abnormal index and similarity of the behavior pattern, and the system state is predicted.
3. Design and implement a log monitoring system based on behavior anomaly detection. Behavioral models obtained through training,
Real-time and efficient analysis of log streams helps managers effectively monitor and maintain production environments.
Key words:Log monitoring, Anomaly detection, Hierarchical clustering, Anomalous contiguous subsequence
目 录
摘要 II
关键词 II
Abstract III
Key words IV
第一章 绪论 1
1.1 研究背景及意义 1
1.2 国内外研究现状 2
1.2.1 关于日志预分析处理的研究 2
1.2.2 关于日志异常检测的研究 2
1.2.3 现有的日志监控解决方案 3
1.3 本文研究内容和结构安排 5
1.3.1 研究内容 5
1.3.2 文章结构安排 5
第二章 相关技术概念 7
2.1 日志概述 7
2.1.1 日志定义 7
2.1.2 日志的功能 8
2.1.3 日志的特点 9
2.2 日志监控 10
2.2.1 日志收集 10
2.2.2 日志存储 12
2.2.3 常用日志分析方法 13
2.3 本章小结 13
第三章 基于层次聚类的日志数据预处理算法研究 15
3.1 引言 15
3.2 数据清洗 16
3.3 日志数据聚类方法分析 18
3.4 基于层次聚类的日志数据预处理框架 20
3.5 簇间相似度的计算 23
3.6 最优聚类粒度的计算 25
3.7 数据集的获取 26
3.8 实验及结果分析 27
3.9 本章小结 28
第四章 基于行为序列的的日志异常检测算法研究 29
4.1 连续子序列问题 29
4.1.1 异常连续子序列 29
4.1.2 滑动窗口模型 31
4.1.3 常用检测方法 31
4.2 基于行为模式的异常检测算法 33
4.2.1 日志流到行为序列的转换 33
4.2.2 生成行为模式 36
4.2.3 计算异常指数 39
4.3 实验结果对比与分析 40
4.3.1 实验评估标准 40
4.3.2 结果对比与分析 40
4.4 本章小结 41
第五章 基于行为序列的的日志异常检测系统的设计 43
5.1 需求分析 43
5.2 系统框架 44
5.3 日志采集模块 45
5.4 存储分析模块 47
5.4.1 日志存储模块 47
5.4.2 日志分析模块 47
5.5 前端展示模块 49
5.6 本章小结 49
第六章 全文总结与展望 50
6.1 本文工作总结 50
6.2 未来工作展望 50
参考文献 52