Title of invention: CONTEXTUAL GRAPH MATCHING BASED ANOMALY DETECTION
Abstract: Contextual graph matching based anomaly detection may include evaluating computer-generated log file data to create a master directed graph that specifies known events and transitions between the known events. The master directed graph may be processed to determine a plurality of decomposed master graph walks. Incoming computer-generated log file data may be evaluated to create an incoming directed graph that specifies unknown events and transitions between the unknown events. The incoming directed graph may be processed to determine a decomposed incoming walk. Overlap, distance difference, and correlation scores may be determined for each walk pair of a plurality of walk pairs including each of the plurality of decomposed master graph walks and the decomposed incoming walk. One of the decomposed master graph walks may be selected based on the overlap score, the difference score, and the correlation score, to detect an anomaly.
Publication number: US2016253232(A1) Publication date: 2016.09.01
Application number: US201615152066 Filing date: 2016.05.11
Applicant: Accenture Global Services Limited Inventors: PURI Colin A.; Nguyen John K.; Kurth Scott W.
Classification: G06F11/07; G06F17/30 Main classification: G06F11/07
Main claim: 1. A contextual graph matching based anomaly detection system comprising: at least one processor; a master directed graph generation module, executed by the at least one processor, to evaluate computer-generated log file data to create, in a computer memory, a master directed graph that specifies known events and transitions between the known events; a master directed graph decomposition module, executed by the at least one processor, to process the master directed graph to identify a plurality of unique walks through the master directed graph, and to decompose the plurality of unique walks into their probability distributions as a plurality of decomposed master graph walks; an incoming directed graph generation module, executed by the at least one processor, to evaluate incoming computer-generated log file data to create an incoming directed graph that specifies unknown events and transitions between the unknown events; an incoming directed graph decomposition module, executed by the at least one processor, to process the incoming directed graph to identify an incoming walk through the incoming directed graph, and to decompose the incoming walk into its probability distribution as a decomposed incoming walk; a graph matching module, executed by the at least one processor, to: determine an overlap score for each walk pair of a plurality of walk pairs including each of the plurality of decomposed master graph walks and the decomposed incoming walk, determine a distance difference score for each walk pair of the plurality of walk pairs, and determine a correlation score for each walk pair of the plurality of walk pairs; and an anomaly detection module, executed by the at least one processor, to select one of the plurality of decomposed master graph walks based on the overlap score, the difference score, and the correlation score, and to detect an anomaly based on the selected one of the plurality of decomposed master graph walks.
Address: Dublin 4 IE