LogBERT: Log Anomaly Detection via BERT
When systems break down, administrators usually check the produced logs to diagnose the failures. Nowadays, systems grow larger and more complicated, and it is labor-intensive to manually detect abnormal behaviors in logs. Therefore, it is necessary to develop automated anomaly detection for system logs, which not only identifies malicious patterns promptly but also requires no prior domain knowledge. Many existing log anomaly detection approaches apply natural language models such as Recurrent Neural Networks (RNNs) to log analysis, since both deal with sequential data. The proposed model, LogBERT, a BERT-based neural network, captures the contextual information in log sequences.
LogBERT is trained on normal log data only, considering the scarcity of labeled abnormal data in reality. Intuitively, LogBERT learns the normal patterns in the training data and flags test data that deviate from its predictions as anomalies. We compare LogBERT with four traditional machine learning models and two deep learning models in terms of precision, recall, and F1 score on three public datasets: HDFS, BGL, and Thunderbird. Overall, LogBERT outperforms the state-of-the-art models for log anomaly detection.
Deep Contrastive One-Class Time Series Anomaly Detection
The accumulation of time-series data and the absence of labels make time-series Anomaly Detection (AD) a self-supervised deep learning task. Single-normality-assumption-based methods, which capture only one aspect of the whole normality, struggle on tasks involving a large number of anomalies. Specifically, Contrastive Learning (CL) methods push apart negative pairs, many of which consist of two normal samples, thus reducing AD performance. Existing multi-normality-assumption-based methods are usually two-staged: they first pre-train on tasks whose objective may differ from AD, which limits their performance. To overcome these shortcomings, a deep Contrastive One-Class Anomaly detection method for time series (COCA) is proposed, following the normality assumptions of both CL and one-class classification. It treats the original and reconstructed representations as the positive pair of negative-sample-free CL, termed "sequence contrast". A contrastive one-class loss function is then composed of invariance terms and variance terms: the invariance terms simultaneously optimize the loss under both assumptions, while the variance terms prevent "hypersphere collapse". Extensive experiments on two real-world time-series datasets show that the proposed method achieves state-of-the-art performance.
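The invariance-plus-variance loss structure can be illustrated with a small numpy sketch. This is an assumed formulation, not the paper's exact loss: the invariance terms pull both the original and reconstructed representations toward a one-class center (cosine similarity), and the variance term is a hinge on the per-dimension standard deviation that keeps the embeddings from collapsing onto a single point.

```python
import numpy as np

def coca_style_loss(z, z_rec, center, gamma=1.0):
    """Illustrative contrastive one-class loss (formulation assumed).

    z, z_rec : (batch, dim) original and reconstructed representations,
               the negative-sample-free positive pair.
    center   : (1, dim) one-class center.
    gamma    : target per-dimension std; the hinge below gamma
               penalizes "hypersphere collapse".
    """
    def cos(a, b):
        return np.sum(a * b, axis=1) / (
            np.linalg.norm(a, axis=1) * np.linalg.norm(b, axis=1))

    # Invariance: both members of the positive pair should align
    # with the one-class center.
    invariance = np.mean(1 - cos(z, center)) + np.mean(1 - cos(z_rec, center))
    # Variance: hinge on per-dimension std to prevent collapse.
    variance = np.mean(np.maximum(0.0, gamma - np.std(z, axis=0)))
    return invariance + variance

center = np.ones((1, 4))
z_collapsed = np.tile(center, (8, 1))  # perfectly aligned, zero variance
```

For the collapsed batch the invariance terms vanish but the variance hinge saturates at gamma, which is exactly the behavior that discourages trivial solutions.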
Utilising Deep Learning techniques for effective zero-day attack detection
Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDS capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting its practical use and performance. This paper proposes an autoencoder implementation to detect zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation: CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from the autoencoder's encoding-decoding capabilities. The results show that autoencoders are well suited to detecting complex zero-day attacks, with a zero-day detection accuracy of 89%–99% for the NSL-KDD dataset and 75%–98% for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.
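The autoencoder-based detection scheme described above reduces to a simple recipe: train on normal traffic only, score each sample by its reconstruction error, and set the alert threshold from the error distribution on held-out normal data. A minimal numpy sketch, with a fixed linear projection standing in for a trained autoencoder purely to make the example runnable:

```python
import numpy as np

def reconstruction_scores(x, reconstruct):
    """Per-sample mean squared reconstruction error."""
    return np.mean((x - reconstruct(x)) ** 2, axis=1)

def fit_threshold(normal_val, reconstruct, q=95):
    """Alert threshold: q-th percentile of errors on normal traffic."""
    return np.percentile(reconstruction_scores(normal_val, reconstruct), q)

# Stand-in for a trained autoencoder: project to 1-D and back.
w = np.array([[1.0], [1.0]]) / np.sqrt(2)
reconstruct = lambda x: (x @ w) @ w.T

rng = np.random.default_rng(0)
normal = rng.normal(0, 0.1, size=(200, 2)) + np.array([1.0, 1.0])
attack = np.array([[2.0, -2.0]])        # lies off the learned manifold
thr = fit_threshold(normal, reconstruct)
is_attack = reconstruction_scores(attack, reconstruct) > thr
```

Raising q trades fallout (false alarms) against the miss rate, which is the recall/fallout trade-off the paper reports.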
Adversarial Autoencoders with Constant-Curvature Latent Manifolds
Constant-curvature Riemannian manifolds (CCMs) have been shown to be ideal embedding spaces in many application domains, as their non-Euclidean geometry can naturally account for some relevant properties of data, like hierarchy and circularity. In this work, we introduce the CCM adversarial autoencoder (CCM-AAE), a probabilistic generative model trained to represent a data distribution on a CCM. Our method works by matching the aggregated posterior of the CCM-AAE with a probability distribution defined on a CCM, so that the encoder implicitly learns to represent data on the CCM to fool the discriminator network. The geometric constraint is also explicitly imposed by jointly training the CCM-AAE to maximise the membership degree of the embeddings to the CCM. While a few works in recent literature make use of either hyperspherical or hyperbolic manifolds for different learning tasks, ours is the first unified framework to seamlessly deal with CCMs of different curvatures. We show the effectiveness of our model on three different datasets characterised by non-trivial geometry: semi-supervised classification on MNIST, link prediction on two popular citation datasets, and graph-based molecule generation using the QM9 chemical database. Results show that our method improves upon other autoencoders based on Euclidean and non-Euclidean geometries on all tasks taken into account.
Comment: Submitted to Applied Soft Computing
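The explicit geometric constraint, maximising the membership degree of embeddings to the CCM, can be illustrated for the positive-curvature case. This is an assumed formulation, not necessarily the paper's exact one: for curvature k > 0 the CCM is a hypersphere of radius 1/sqrt(k), and membership here decays with a Gaussian kernel on each embedding's distance from that surface.

```python
import numpy as np

def ccm_membership(z, curvature):
    """Membership degree of embeddings in a positive-curvature CCM.

    z         : (batch, dim) latent embeddings.
    curvature : k > 0, so the CCM is a hypersphere of radius 1/sqrt(k).
    Returns a value in (0, 1] per embedding; maximising the mean of
    this term pushes embeddings onto the manifold (kernel choice is
    illustrative).
    """
    radius = 1.0 / np.sqrt(curvature)
    dist_to_surface = np.abs(np.linalg.norm(z, axis=1) - radius)
    return np.exp(-dist_to_surface ** 2)

z_on = np.array([[1.0, 0.0], [0.0, -1.0]])   # on the unit sphere (k = 1)
z_off = np.array([[3.0, 0.0]])               # far from the surface
```

Negative curvatures would use the hyperboloid model instead; the unified framework in the paper handles both signs as well as the flat (Euclidean) case.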
Zero-shot domain adaptation of anomalous samples for semi-supervised anomaly detection
Semi-supervised anomaly detection (SSAD) is a task where normal data and a limited number of anomalous data are available for training. In practical situations, SSAD methods struggle to adapt to domain shifts, since anomalous data are unlikely to be available for the target domain in the training phase. To solve this problem, we propose a domain adaptation method for SSAD where no anomalous data are available for the target domain. First, we introduce a domain-adversarial network to a variational autoencoder-based SSAD model to obtain domain-invariant latent variables. Since the decoder cannot reconstruct the original data solely from domain-invariant latent variables, we condition the decoder on the domain label. To compensate for the missing anomalous data of the target domain, we introduce an importance-sampling-based weighted loss function that approximates the ideal loss function. Experimental results indicate that the proposed method helps adapt SSAD models to the target domain when no anomalous data are available for the target domain.
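The importance-sampling idea can be sketched in a few lines. The weighting scheme below is an assumption for illustration, not the paper's exact estimator: a hypothetical auxiliary domain classifier supplies p(target | x) for each source-domain anomaly, and the importance weight p_target/p_source is recovered as p/(1-p), so source anomalies that resemble the target domain contribute more to the loss.

```python
import numpy as np

def importance_weighted_loss(losses, domain_probs):
    """Importance-weighted loss over source-domain anomalous samples.

    losses       : (n,) per-sample anomaly losses on source anomalies.
    domain_probs : (n,) classifier estimates of p(target | x)
                   (hypothetical auxiliary domain classifier).
    Weights w = p/(1-p) approximate the density ratio
    p_target(x)/p_source(x); self-normalized for stability.
    """
    w = domain_probs / (1.0 - domain_probs)
    return np.sum(w * losses) / np.sum(w)
```

With uniform domain probabilities the weights cancel and the ordinary mean loss is recovered; skewed probabilities tilt training toward target-like anomalies.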
A Normalized Autoencoder for LHC Triggers
Autoencoders are an effective analysis tool for the LHC, as they address one of its main goals: finding physics beyond the Standard Model. The key challenge is that out-of-distribution anomaly searches based on the compressibility of features do not apply to the LHC, while existing density-based searches lack performance. We present the first autoencoder which identifies anomalous jets symmetrically in the directions of higher and lower complexity. The normalized autoencoder combines a standard bottleneck architecture with a well-defined probabilistic description. It works better than all available autoencoders for top vs QCD jets and reliably identifies different dark-jet signals.
Comment: 26 pages, 11 figures; update based on referees' report
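The "well-defined probabilistic description" amounts to treating the reconstruction error as the energy of an energy-based model, p(x) proportional to exp(-E(x)). A minimal sketch under that assumption, with the partition function estimated by crude Monte Carlo over reference samples (a stand-in for the sampling-based normalization such models actually require):

```python
import numpy as np

def energy(x, reconstruct):
    """Reconstruction error used as the energy of the model."""
    return np.sum((x - reconstruct(x)) ** 2, axis=1)

def log_prob(x, reconstruct, ref_samples):
    """log p(x) = -E(x) - log Z, with Z crudely estimated by
    averaging exp(-E) over reference samples (illustrative only)."""
    log_z = np.log(np.mean(np.exp(-energy(ref_samples, reconstruct))))
    return -energy(x, reconstruct) - log_z

# Anomaly score is the energy itself: high for jets the model
# reconstructs poorly, in either direction of complexity.
```

Because the score is a normalized density rather than raw compressibility, the detector does not inherit the usual autoencoder bias toward flagging only the more complex class.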