With the increase of system complexity, the scale of logs grows larger, making it impractical to analyze them manually. Some researchers have proposed deep learning methods for log anomaly detection. However, these methods face several challenges: existing log anomaly detection methods based on deep learning often have issues such as high training cost. Additionally, they rely heavily on high-quality training data and need to be retrained regularly. Recently, Large Language Models have shown promising results in various domains such as machine translation and language understanding. In our work, we combine Large Language Models with log anomaly detection. By leveraging the rich pre-training knowledge of Large Language Models, we propose an efficient log anomaly detection method for few-shot scenarios without fine-tuning. The method employs hierarchical clustering to extract a small, diverse, and representative collection of normal log messages as a candidate set, which can reflect a wide range of normal log patterns. Additionally, we propose explanation-based prompt learning, which explains each normal log in the candidate set; this enhances the model's understanding of normal log patterns. According to the characteristics of log datasets, a specific prompt template for different log datasets is constructed by using the chain of thought strategy. Therefore, the specific prompt template proposed in this paper can also effectively detect log anomalies in zero-shot scenarios. Compared with existing log anomaly detection methods, the method requires only a very small amount of training data and can achieve high accuracy, which greatly reduces the cost of model training. When the logs are updated on a large scale, there is no need to retrain the model. To evaluate the performance of the method, we use two public datasets to verify the effectiveness of the model. The F1 scores of the proposed method on the BGL and Spirit datasets reach 81.54% and 96.55% respectively, and the recall scores on the two datasets reach 95.00% and 97.77% respectively. The proposed method has high recall scores and F1 scores on the two datasets. The results demonstrate that the proposed method is able to effectively achieve log anomaly detection with only a very small amount of training data.
Key words
anomaly detection/deep learning/large language model/ChatGPT
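
The candidate-set step and few-shot prompt described in the abstract, sketched as an added example that is not the paper's code. The digit masking, token-set Jaccard distance, average linkage, medoid selection, prompt wording, and sample logs are all assumptions; the abstract does not specify them.

```python
import re
from itertools import combinations

# Constructed sample of normal log messages (not taken from BGL or Spirit).
NORMAL_LOGS = [
    "session opened for user alice uid 1001",
    "session opened for user bob uid 1002",
    "session closed for user alice uid 1001",
    "disk sda1 usage 41 percent",
    "disk sdb1 usage 57 percent",
    "heartbeat ok node 17 latency 3 ms",
    "heartbeat ok node 22 latency 5 ms",
]

def template_tokens(line):
    """Token set with variable fields (tokens containing a digit) masked as <*>."""
    return frozenset("<*>" if re.search(r"\d", t) else t for t in line.lower().split())

def jaccard_distance(a, b):
    """0.0 for identical token sets, 1.0 for disjoint ones."""
    return 1.0 - len(a & b) / len(a | b) if a | b else 0.0

def select_candidates(logs, k):
    """Average-linkage agglomerative clustering down to k clusters, one medoid each."""
    toks = [template_tokens(line) for line in logs]
    def dist(i, j):
        return jaccard_distance(toks[i], toks[j])
    def linkage(a, b):
        return sum(dist(i, j) for i in a for j in b) / (len(a) * len(b))
    clusters = [[i] for i in range(len(logs))]
    while len(clusters) > max(k, 1):
        a, b = min(combinations(clusters, 2), key=lambda pair: linkage(*pair))
        clusters = [c for c in clusters if c is not a and c is not b] + [a + b]
    # The medoid (smallest total distance to its cluster) represents the pattern.
    medoids = [min(c, key=lambda i: sum(dist(i, j) for j in c)) for c in clusters]
    return [logs[i] for i in sorted(medoids)]

def build_prompt(candidates, explanations, query):
    """Few-shot prompt: explained normal logs, then a step-by-step instruction."""
    shots = "\n".join(
        f"Normal log: {c}\nExplanation: {explanations.get(c, 'n/a')}" for c in candidates)
    return (f"{shots}\n\nLog to classify: {query}\n"
            "Think step by step: compare this log with the normal patterns above, "
            "then answer 'normal' or 'abnormal'.")
```

With `k=3`, the seven sample lines reduce to one representative per pattern (session, disk, heartbeat), so the prompt stays short while still covering each normal pattern.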