LOG MESSAGE ANOMALY DETECTION
Abstract
One or more techniques and/or systems are disclosed for detecting anomalies in a message log. A log message is parsed from an unstructured text string to a structured form, comprising a message signature and parameter values. Structured log messages that contain a same parameter value of a same program variable are grouped together. One or more invariants are identified from respective types of log message groups. Invariants are applied to log sequences of respective log types.
20 Claims
1. A computer-based method for detecting anomalies in a message log, comprising:
- parsing a log message, which is stored in computer-based memory, from an unstructured text string to a structured form;
- grouping structured log messages that contain a same value of a same program variable;
- identifying one or more invariants for respective types of log message groups; and
- applying invariants to log sequences of respective log types to detect anomalies using a computer-based processor.

(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)

15. A system for detecting anomalies in a message log, comprising:
- a memory component configured to store data;
- a processor configured to process data;
- a log message parsing component operably coupled with the memory component and processor, and configured to parse a log message from an unstructured text string to a structured form;
- a grouping component operably coupled with the memory component and processor, and configured to group structured log messages that contain a same value of a same program variable;
- an invariant identification component operably coupled with the memory component and processor, and configured to identify one or more invariants for respective types of log message groups; and
- an anomaly detection component operably coupled with the memory component and processor, and configured to apply invariants to respective log sequences to detect anomalies.

(Dependent claims: 16, 17, 18, 19)

20. A computer-based method for detecting anomalies in a message log, comprising:
- parsing a log message, which is stored in computer-based memory, from an unstructured text string to a structured form, comprising:
  - extracting one or more parameter values from the log message using empirical rules to extract parameter values leaving raw message signatures; and
  - extracting a message signature from the log message using a clustering algorithm;
- grouping structured log messages that contain a same value of a same program variable, comprising:
  - enumerating a value range of a log parameter for a log message;
  - determining whether a first log parameter and a second log parameter are cogenetic, comprising determining one of:
    - whether the value range of the first log parameter and the value range of the second log parameter are equivalent; and
    - whether the value range of the first log parameter is a subset of the value range of the second log parameter; and
  - grouping log messages that comprise cogenetic log parameters;
- identifying one or more invariants for respective types of log message groups, comprising:
  - extracting a set of message count vectors for respective log message groups that are related to a same target program variable to form a count matrix;
  - identifying an invariant space of the count matrix;
  - identifying one or more invariant candidates in the invariant space using combinations of non-zero coefficients in different dimensions to construct an invariant candidate; and
  - validating invariants from the invariant candidates comprising determining that an invariant candidate fits with the collected historical log data if it is satisfied by a desired threshold of log message groups; and
- applying invariants to respective log sequences to detect anomalies using a computer-based processor.
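
The steps of claim 20 on a small scale, as an added example that is not taken from the patent: parse, group by a shared variable value, build per-group count vectors, mine count invariants that hold in a threshold share of groups, then flag groups that break them. The `req=` variable, the `key=value` parameter rule, the sample log and the brute-force search over pairwise invariants with small integer coefficients are assumptions standing in for the claim's clustering-based signature extraction, cogenetic-parameter analysis and invariant-space computation.

```python
import math
import re
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: five requests; request 3 is missing one "ack read".
SHAPES = {"1": (2, 2), "2": (1, 1), "3": (2, 1), "4": (1, 1), "5": (2, 2)}
LOG = []
for rid, (reads, acks) in SHAPES.items():
    LOG += [f"open file req={rid}"] + [f"read block req={rid}"] * reads
    LOG += [f"ack read req={rid}"] * acks + [f"close file req={rid}"]

PARAM = re.compile(r"\b(\w+)=(\S+)")  # assumed key=value parameter rule

def parse(line):
    """Unstructured text -> (message signature, {parameter: value})."""
    return PARAM.sub(r"\1=*", line).strip(), dict(PARAM.findall(line))

def count_vectors(lines, variable="req"):
    """Group messages sharing one value of `variable`; count signatures per group."""
    groups = defaultdict(Counter)
    for sig, params in map(parse, lines):
        if variable in params:
            groups[params[variable]][sig] += 1
    return groups

def mine_invariants(groups, threshold=0.75, max_coef=2):
    """Keep candidates a*count(s1) == b*count(s2) satisfied by >= threshold of groups."""
    sigs = sorted({s for g in groups.values() for s in g})
    coefs = range(1, max_coef + 1)
    found = []
    for s1, s2 in combinations(sigs, 2):
        for a, b in ((a, b) for a in coefs for b in coefs if math.gcd(a, b) == 1):
            ok = sum(a * g[s1] == b * g[s2] for g in groups.values())
            if ok / len(groups) >= threshold:
                found.append((a, s1, b, s2))
    return found

def detect(groups, invariants):
    """Return {group value: [violated invariants]} for groups breaking any invariant."""
    report = {}
    for key, g in groups.items():
        bad = [(a, s1, b, s2) for a, s1, b, s2 in invariants if a * g[s1] != b * g[s2]]
        if bad:
            report[key] = bad
    return report

GROUPS = count_vectors(LOG)
INVARIANTS = mine_invariants(GROUPS)
ANOMALIES = detect(GROUPS, INVARIANTS)
```

`ANOMALIES` maps request 3 to the violated `ack read` / `read block` invariant. With only a handful of groups a low threshold will also accept coincidental relations, so mined invariants should be validated against more history before they drive alerts.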