RECOMMENDER SYSTEM FOR HETEROGENEOUS LOG PATTERN EDITING OPERATION
    12.
    Invention application
    Status: Under examination (published)

    Publication No.: WO2018039446A1

    Publication date: 2018-03-01

    Application No.: PCT/US2017/048406

    Filing date: 2017-08-24

    Abstract: A heterogeneous log pattern editing recommendation system and computer-implemented method are provided. The system (600) has a processor (605) configured to identify, from heterogeneous logs, patterns including variable fields and constant fields. The processor (605) is also configured to extract a category feature, a cardinality feature, and a before-after n-gram feature by tokenizing the variable fields in the identified patterns. The processor (605) is additionally configured to generate target similarity scores between target fields to be potentially edited and other fields from among the variable fields in the heterogeneous logs using pattern editing operations based on the extracted category feature, the extracted cardinality feature, and the extracted before-after n-gram feature. The processor (605) is further configured to recommend, to a user, log pattern edits for at least one of the target fields based on the target similarity scores between the target fields in the heterogeneous logs.


    FAST PATTERN DISCOVERY FOR LOG ANALYTICS
    13.
    Invention application
    Status: Under examination (published)

    Publication No.: WO2017087437A1

    Publication date: 2017-05-26

    Application No.: PCT/US2016/062135

    Filing date: 2016-11-16

    CPC classification number: G06K9/4604 G06F11/34 G06F17/30625 G06F17/40

    Abstract: Systems and methods are disclosed for parsing logs from arbitrary or unknown systems or applications by capturing heterogeneous logs from the arbitrary or unknown systems or applications; generating one pattern for every unique log message; building a pattern hierarchy tree by grouping patterns based on similarity metrics, and for every group it generates one pattern by combining all constituting patterns of that group; and selecting a set of patterns from the pattern hierarchy tree.


    SECURITY SYSTEM USING AUTOMATIC AND SCALABLE LOG PATTERN LEARNING IN SECURITY LOG ANALYSIS

    Publication No.: WO2018175020A1

    Publication date: 2018-09-27

    Application No.: PCT/US2018/018337

    Filing date: 2018-02-15

    Abstract: A security system using automatic and scalable log pattern learning in security log analysis is provided. The security system includes one or more management services configured to generate security logs, and a security log analysis service operatively coupled to the one or more management services. The security log analysis service is configured to collect the security logs generated by the one or more management services, implement an incremental learning process to generate a set of log patterns from the collected security logs, parse the collected security logs using the set of log patterns, and analyze the parsed security logs for one or more security applications.

    MULTIBYTE HETEROGENEOUS LOG PREPROCESSING
    16.
    Invention application
    Status: Under examination (published)

    Publication No.: WO2018044465A1

    Publication date: 2018-03-08

    Application No.: PCT/US2017/044883

    Filing date: 2017-08-01

    Abstract: Methods and systems for log management include pre-processing heterogeneous logs and performing a log management action (112) on the pre-processed plurality of heterogeneous logs. Pre-processing the logs includes performing a fixed tokenization (104) of the heterogeneous logs based on a predefined set of symbols, performing a flexible tokenization (106) of the heterogeneous logs based on a user-defined set of rules, converting timestamps (108) in the heterogeneous logs to a single target timestamp format, and performing structural log tokenization (110) of the heterogeneous logs based on user-defined structural information.


    A MOBILE PHONE WITH SYSTEM FAILURE PREDICTION USING LONG SHORT-TERM MEMORY NEURAL NETWORKS
    17.
    Invention application
    Status: Under examination (published)

    Publication No.: WO2017177018A1

    Publication date: 2017-10-12

    Application No.: PCT/US2017/026377

    Filing date: 2017-04-06

    Abstract: Mobile phones and methods for mobile phone failure prediction include receiving respective log files from one or more mobile phone components, including at least one user application. The log files have heterogeneous formats. A likelihood of failure of one or more mobile phone components is determined based on the received log files by clustering the plurality of log files according to structural log patterns and determining feature representations of the log files based on the log clusters. A user is alerted to a potential failure if the likelihood of component failure exceeds a first threshold. An automatic system control action is performed if the likelihood of component failure exceeds a second threshold.


    INVARIANT MODELING AND DETECTION FOR HETEROGENEOUS LOGS
    18.
    Invention application
    Status: Under examination (published)

    Publication No.: WO2017165019A1

    Publication date: 2017-09-28

    Application No.: PCT/US2017/017874

    Filing date: 2017-02-15

    CPC classification number: G06F16/2477 G06F11/3072 G06F16/35 G06N5/045

    Abstract: A method is provided that is performed in a network having nodes that generate heterogeneous logs including performance logs and text logs. The method includes performing, during a heterogeneous log training stage, (i) a log-to-time sequence conversion process for transforming clustered ones of training logs, from among the heterogeneous logs, into a set of time sequences that are each formed as a plurality of data pairs of a first configuration and a second configuration based on cluster type, (ii) a time series generation process for synchronizing particular ones of the time sequences in the set based on a set of criteria to output a set of fused time series, and (iii) an invariant model generation process for building invariant models for each time series data pair in the set of fused time series. The method includes controlling an anomaly-initiating one of the plurality of nodes based on the invariant models.


    ANOMALY FUSION ON TEMPORAL CASUALITY GRAPHS
    19.
    Invention application
    Status: Under examination (published)

    Publication No.: WO2017087440A1

    Publication date: 2017-05-26

    Application No.: PCT/US2016/062140

    Filing date: 2016-11-16

    Abstract: An exemplary method for detecting one or more anomalies in a system includes building a temporal causality graph describing functional relationships among local components in a normal period; applying the causality graph as a propagation template to predict a system status by iteratively applying current system event signatures; and detecting the one or more anomalies of the system by examining related patterns on the template causality graph that specifies normal system behaviors. The system can align event patterns on the causality graph to determine an anomaly score.


    SYSTEMS AND METHODS FOR INFERRING LANDMARK DELIMITERS FOR LOG ANALYSIS
    20.
    Invention application
    Status: Under examination (published)

    Publication No.: WO2017083149A1

    Publication date: 2017-05-18

    Application No.: PCT/US2016/060139

    Filing date: 2016-11-02

    CPC classification number: G06F17/30395 G06F17/30076 G06F17/30477

    Abstract: Systems and methods are disclosed for analyzing logs generated by a machine by analyzing a log and identifying one or more abstract landmark delimiters (ALDs) representing delimiters for log tokenization; from the log and ALD, tokenizing the log and generating an increasingly tokenized format by separating the patterns with the ALD to form an intermediate tokenized log; iteratively repeating the tokenizing of the logs until a last intermediate tokenized log is processed as a final tokenized log; and applying the tokenized logs in applications.

