Spatio-Temporal Decomposition, Clustering and Identification for Alert Detection in System Logs

Authors: 

Adetokunbo Makanju
A. Nur Zincir-Heywood
Evangelos E. Milios
Markus Latzel

Author Addresses: 

Faculty of Computer Science
Dalhousie University
6050 University Ave.
PO Box 15000
Halifax, Nova Scotia, Canada
B3H 4R2

Phone: +1-902-494-2093
Email: {makanju, zincir, eem}@cs.dal.ca

Palomino System Innovations Inc.
Toronto, Ontario
M6G 1A8
Canada

Email: markus@palominosys.com

Abstract: 

In this work, we describe our research efforts at detecting alerts in event logs by analyzing the spatio-temporal partitions of a system log. Our research shows that these spatio-temporal partitions produce clusters that separate normal activity from anomalous activity with high accuracy. Therefore, a system that can accurately assign these clusters to classes would provide an effective alert detection mechanism. While the steps of the framework described in this paper utilize an entropy-based approach for clustering the spatio-temporal partitions and heuristics for identifying the resultant clusters, the framework is general enough to allow flexibility in the choice of methods used at each of its steps.

Tech Report Number: 
CS-2011-04
Report Date: 
July 27, 2011
Attachment: CS-2011-04.pdf (728.02 KB)