Publication


Featured research published by Adetokunbo Makanju.


knowledge discovery and data mining | 2009

Clustering event logs using iterative partitioning

Adetokunbo Makanju; A. Nur Zincir-Heywood; Evangelos E. Milios

The importance of event logs, as a source of information in systems and network management, cannot be overemphasized. With the ever increasing size and complexity of today's event logs, the task of analyzing event logs has become cumbersome to carry out manually. For this reason recent research has focused on the automatic analysis of these log files. In this paper we present IPLoM (Iterative Partitioning Log Mining), a novel algorithm for the mining of clusters from event logs. Through a 3-Step hierarchical partitioning process IPLoM partitions log data into its respective clusters. In its 4th and final stage IPLoM produces cluster descriptions or line formats for each of the clusters produced. Unlike other similar algorithms IPLoM is not based on the Apriori algorithm and it is able to find clusters in data whether or not its instances appear frequently. Evaluations show that IPLoM outperforms the other algorithms statistically significantly, and it is also able to achieve an average F-Measure performance of 78% when the closest other algorithm achieves an F-Measure performance of 10%.


conference on privacy, security and trust | 2008

LogView: Visualizing Event Log Clusters

Adetokunbo Makanju; Stephen Brooks; A.N. Zincir-Heywood; Evangelos E. Milios

Event logs or log files form an essential part of any network management and administration setup. While log files are invaluable to a network administrator, the vast amount of data they sometimes contain can be overwhelming and can sometimes hinder rather than facilitate the tasks of a network administrator. For this reason several event clustering algorithms for log files have been proposed, one of which is the event clustering algorithm proposed by Risto Vaarandi, on which his simple log file clustering tool (SLCT) is based. The aim of this work is to develop a visualization tool that can be used to view log files based on the clusters produced by SLCT. The proposed visualization tool, which is called LogView, utilizes treemaps to visualize the hierarchical structure of the clusters produced by SLCT. Our results based on different application log files show that LogView can ease the summarization of the vast amount of data contained in the log files. This in turn can help to speed up the analysis of event data in order to detect any security issues on a given application.


IEEE Transactions on Knowledge and Data Engineering | 2012

A Lightweight Algorithm for Message Type Extraction in System Application Logs

Adetokunbo Makanju; A.N. Zincir-Heywood; Evangelos E. Milios

Message type or message cluster extraction is an important task in the analysis of system logs in computer networks. Defining these message types automatically facilitates the automatic analysis of system logs. When the message types that exist in a log file are represented explicitly, they can form the basis for carrying out other automatic application log analysis tasks. In this paper, we introduce a novel algorithm for carrying out message type extraction from event log files. IPLoM, which stands for Iterative Partitioning Log Mining, works through a 4-step process. The first three steps hierarchically partition the event log into groups of event log messages or event clusters. In its fourth and final stage, IPLoM produces a message type description or line format for each of the message clusters. IPLoM is able to find clusters in data irrespective of the frequency of its instances in the data, it scales gracefully in the case of long message type patterns and produces message type descriptions at a level of abstraction, which is preferred by a human observer. Evaluations show that IPLoM outperforms similar algorithms statistically significantly.


quantitative evaluation of systems | 2010

An Evaluation of Entropy Based Approaches to Alert Detection in High Performance Cluster Logs

Adetokunbo Makanju; A. Nur Zincir-Heywood; Evangelos E. Milios

Manual alert detection on modern high performance clusters (HPC) is cumbersome given their increasing complexity and size of their logs. The ability to automatically detect such alerts quickly and accurately with little or no human intervention is therefore desirable. The entropy-based approach of the Nodeinfo framework, which is in production use at Sandia National Laboratories, is one approach to automatic alert detection in HPC logs. In this work, we perform a comparative evaluation of three entropy based techniques, which are modifications to Nodeinfo. We evaluate these systems using three performance metrics, namely (i) Computational cost, (ii) detection accuracy, and (iii) false positive rate. Our results show that there is still room for improvement in entropy based approaches to the task of alert detection. We also show experimentally that it is possible to detect 100% of all alerts while maintaining an effective false positive rate of 0% using an entropy based approach. Our work suggests that entropy based approaches are viable for automatic alert detection in HPC and can improve the dependability of such systems if applied.


network operations and management symposium | 2012

Interactive learning of alert signatures in High Performance Cluster system logs

Adetokunbo Makanju; A. Nur Zincir-Heywood; Evangelos E. Milios

The ability to automatically discover error conditions with little human input is a feature lacking in most modern computer systems and networks. However, with the ever increasing size and complexity of modern systems, such a feature will become a necessity in the not too distant future. Our work proposes a hybrid framework that allows High Performance Clusters (HPC) to detect error conditions in their logs. Through the use of anomaly detection, the system is able to detect portions of the log that are likely to contain errors (anomalies). Via visualization, human administrators can inspect these anomalies and assign labels to clusters that correlate with error conditions. The system can then learn a signature from the confirmed anomalies, which it uses to detect future occurrences of the error condition. Our evaluations show the system is able to generate simple and accurate signatures using very little data.


acm symposium on applied computing | 2011

Storage and retrieval of system log events using a structured schema based on message type transformation

Adetokunbo Makanju; A. Nur Zincir-Heywood; Evangelos E. Milios

Message types are semantic groupings of the free form messages in system log events. The message types that exist in a log file, if known, can be used in several log management and analysis tasks. In this work, we explore the use of message types as a schema definition for the storage and retrieval of messages in event logs. We show how message types can be used to impose structure on the unstructured content of event logs and how this structured representation can provide a usable index for searching the contents of the log file. As a side benefit, the structured representation that message types impose also leads to the removal of redundant information in the event logs that leads to space savings on disk.


dependable systems and networks | 2010

Fast entropy based alert detection in super computer logs

Adetokunbo Makanju; A. Nur Zincir-Heywood; Evangelos E. Milios

The task of alert detection in event logs is very important in preventing or recovering from downtime events. The ability to do this automatically and accurately provides significant savings in the time and cost of downtime events. The Nodeinfo algorithm, which is currently in production use at Sandia National Laboratories, is an entropy based algorithm for alert detection in event logs. Automatic alert detection needs to be fast for it to be practical in a production environment. In this work we show that with Message Type Indexing (MTI) the computational effort required for alert detection can be reduced by up to 99%. This can be achieved without a drop in detection performance. Our proposed method has special significance because it provides a framework for alert detection which requires little or no human input, due to message type extraction required for MTI being carried out automatically using the Iterative Partitioning Log Mining (IPLoM) algorithm.


availability, reliability and security | 2011

System State Discovery Via Information Content Clustering of System Logs

Adetokunbo Makanju; A. Nur Zincir-Heywood; Evangelos E. Milios

Self-awareness is an important attribute for any system to have before it is capable of self-management. A system needs to have a continuous stream of real-time data to analyze to allow it to be aware of its internal state. To this end, previous approaches have utilized system performance metrics and system log data to characterize system internal state. In using system logs to characterize system internal state, the computation of strongly correlated message types is necessary. In this work, we show that strongly correlated message types can be easily discovered without much computation. Our work explores a natural behaviour of system logs where system log data partitioned using source and time information contain correlated message types. We demonstrate how the groups of partitions, which contain correlated message types, can be found by clustering the partitions based on their entropy-based information content. We evaluate our method using cluster cohesion, cluster separation and cluster conceptual purity as metrics. The results show that our proposed method not only produces well-formed clusters but also clusters that can be mapped to different alert states with a high degree of confidence.


conference on communication networks and services research | 2008

Information Retrieval in Network Administration

Ashley George; Adetokunbo Makanju; A.N. Zincir-Heywood; Evangelos E. Milios

Network administration is a task that requires experience in relating symptoms of network problems with possible causes and corrective actions. We describe the design of a system and more specifically its information retrieval component, which aims to retrieve articles relevant to a given problem case from a collection of articles describing previously solved problems and their associated solutions. An article is described by a term vector. We present a methodology for defining the vocabulary and preliminary results for assessing the quality of expert-proposed modifications to the vocabulary. We obtain vocabulary-derived document classes from a self-organising map and assess vocabulary quality using the quality of classification into these classes.


intelligent data analysis | 2011

Robust learning intrusion detection for attacks on wireless networks

Adetokunbo Makanju; A. Nur Zincir-Heywood; Evangelos E. Milios

We address the problem of evaluating the robustness of machine learning based detectors for deployment in real life networks. To this end, we employ Genetic Programming for evolving classifiers and Artificial Neural Networks as our machine learning paradigms under three different Denial-of-Service attacks at the Data Link layer: De-authentication, Authentication and Association attacks. We investigate their cross-platform robustness and cross-attack robustness. Cross-platform robustness is the ability to seamlessly port an Intrusion Detector trained on one network to another network with little or no change and without a drop in performance. Cross-attack robustness is the ability of a detector trained on one attack type to detect a different but similar attack on which it has not been trained. Our results show that the potential of a machine learning based detector can be significantly enhanced or limited by the representation of the training data for the learning algorithms.
