对网络设备进行异常检测，是保证数据中心稳定的重要手段，对于保障国家行政、金融、电力、电信、互联网等方面的安全与稳定至关重要。申请人前期研究发现，基于日志的网络设备异常检测可为进一步的异常定位和根因分析奠定坚实的基础。鉴于此，本项目致力于提出一种基于日志的网络设备异常检测机制，以准确、高效、通用地解析日志并检测单条异常日志和异常日志序列。提出可动态添加分支的频繁项前缀树结构构建模板集合，实现准确提取事件、支持增量式学习模板、快速匹配模板的日志解析。针对不同型号设备日志的语法语义存在较大差异，综合考虑词频和位置，使用词袋模型构建特征向量，并使用PU learning基于部分标记的单条异常日志学习异常模式。此外，提出面向日志噪声和样本失衡的通用异常日志序列检测方法，使用词嵌入方法基于单词语义对消息模板聚类。本项目的实施，将提高数据中心网络设备异常检测的效率和准确性，有利于异常定位和根因分析。

Detecting anomalies of network devices is an important aspect to keep datacenters stable, which is of vital importance to the safety and stability of a nation’s administration, finance, telecommunication, and Internet. Based on our previous investigations, we find that log-based anomaly detection for network devices can greatly improve the performance of further anomaly localization and root cause analysis. Consequently, in this project we try to propose a log-based anomaly detection mechanism for network devices, in order to accurately, efficiently and universally parse logs and detect anomalous single logs and log sequences. We propose a frequent-item based prefix-tree which dynamically adds branches to construct template sets, so as to accurately extract the events, incrementally learn templates, and quickly match logs to templates. Because the logs of different models of network devices are very different in syntax and semantics, we weight words based on both frequency and location in constructing feature vectors for the bag-of-words model. In addition, we use the PU learning model to learn anomalous patterns from partially labelled single anomalous logs. Moreover, we propose a universal anomaly detection method for log sequences, which aims to address the challenges of noisy signals and sample imbalance. Based on the semantics of words, we leverage the word embedding method to cluster message templates. This project will improve the efficiency and accuracy of anomaly detection for network devices in datacenter networks, and is helpful to further anomaly localization and root cause analysis.