Anomaly Detection from Web Log Data Using

Machine Learning Model

2023 7th International Conference on Computer Applications in Electrical Engineering-Recent Advances (CERA) | 979-8-3503-0500-5/23/$31.00 ©2023 IEEE | DOI: 10.1109/CERA59325.2023.10455153

Amit Kumar Mishra Piyush Bagla Ravi Sharma

Dept. of Computer Science & Department of Computer Science & Department of Computer Science &
Engineering, Engineering, Engineering,
Graphic Era Hill University, National Institute of Technology, National Institute of Technology,
Dehradun, (India) Jalandhar, India Jalandhar, (India)
[email protected] [email protected] [email protected]

Neeraj Kumar Pandey Neha Tripathi

Department of Computer Science & Department of Computer Science &
Engineering, Engineering,
Graphic Era (Deemed to be Graphic Era (Deemed to be
University), Dehradun, India University), Dehradun, India
[email protected] [email protected]

Abstract— The information in the logs produced by the
servers, devices, and applications can be utilized to assess the
system's health. It's crucial to manually review logs, for
instance, during upgrades, to verify whether the update and
data movement went smoothly. Manual testing is insufficiently
trustworthy, and manual log examination takes much time and
effort. In this paper, we propose to search log files for
anomalous sequences using the machine learning methods
K­Means and DBSCAN. The two data representation
approaches examined in this study were feature vector
representation and IDF representation. The effectiveness of the
deployed machine learning algorithms was examined using
evaluation measures like F1 score, recall, and precision. The
study found considerable differences in the algorithms'
capacities to spot anomalies, with some algorithms being better
at seeing various types of abnormal arrangements than their
overall prevalence. By using the study's findings, the user
might be able to spot strange arrangements after manually
sifting through the log file.
Keywords— Clustering, Anomaly detection, Web logs,
Machine Learning.
I. INTRODUCTION
The complexity and size of modern IT systems make it
difficult to debug and identify system failures. In some
circumstances, the only approach to pinpoint the underlying
cause of a system failure is to analyse the log files.
Enormous systems generate a huge amount of data; as the
volume of data increases, it becomes increasingly difficult
and time-consuming to detect errors and flaws manually. A
system bug, human error, or device fault are all potential
causes of an unhealthy system. Anomaly detection is a
popular technique for investigating a system breakdown.
Finding anomaly data can be crucial in identifying system
faults or the system's state [1]. Anomaly data may also point
to anything intriguing occurring in the system.
Log analysis is a crucial step in assessing the system's
health and identifying the root of issues. The logs that are
activated by servers, equipment, and applications are
necessary to record the system information. Upgrades and
data migration can fail, and it is standard procedure to
analyse the logs manually—an unpleasant and time-
consuming operation for the end user. Manually inspecting
the log files frequently necessitates expert knowledge of the
979-8-3503-0500-5/23/$31.00 ©2023 IEEE
system, which is not always feasible. Different developers
produce various services, and these services are subject to
change over time. The log data can be manually analysed
using a few standard methods. These methods' precision and
potency, however, are constrained. Searching for log entries
using keywords is a standard technique for analysing huge
log files [2].
Outliers, which differ from the majority of the data and
may indicate anything wrong or abnormal with the system,
are also known as anomaly data. By identifying anomalous
data in the log files, we will examine in this paper the
potential uses of machine learning for analysing the log files
at Mobilaris. Different machine learning techniques will be
tested and assessed because there is no one machine learning
approach that is known to be the best effective for
recognising unusual sequences at Mobilaris log files. This
study will be used to investigate various data illustration
techniques that are essential in locating unusual data
structures. Mobilaris can provide actual data from the actual
world to do the log analysis in this project. We can evaluate
the data in available log files to locate aberrant log
arrangements, detect problems by the system administrator,
and system breakdown without manually going through
available log files.
Fig. 1. Log Analyzer
A web log analyzer is a tool or software that processes
and analyzes web server log files to extract valuable
information and generate insights about website usage,
visitor behavior, and performance. It helps understand how
users interact with a website, identify trends, detect

Authorized licensed use limited to: National Institute of Technology. Downloaded on July 29,2024 at 10:02:25 UTC from IEEE Xplore. Restrictions apply.
anomalies, and optimize various aspects of web operations
(Figure 1). To analyze log files and detect anomalous logs,
we follow some commonly used steps:
Data Preprocessing: Begin by preprocessing the log files.
This could entail preparing the data for analysis, dealing with
missing numbers, and structuring the logs. Depending on the
format of the log files, you may need to extract pertinent
elements from them, such as timestamps, IP addresses,
request types, or response codes.
Feature Extraction: Identify key features that will be
utilized to distinguish anomalies in the log data. This can
involve extracting statistics, patterns, or unique
characteristics from the log entries. For example, you might
extract information about the frequency of certain events,
time intervals between events, or unusual combinations of
events.
Define a Baseline: Establish a baseline or normal
behavior profile for the log data. This baseline represents the
expected patterns and characteristics of the logs under
normal operating conditions. You can compute statistical
measures (e.g., mean, standard deviation) or use historical
data as a reference to define the baseline.
Anomaly Detection Techniques: Apply appropriate
anomaly detection techniques to identify deviations from the
established baseline. There are various methods you can use,
such as:
• Statistical Methods: Statistical techniques like z-
score, percentile-based methods, or clustering
can help identify data points that significantly
deviate from the expected behaviour.
• Machine Learning Approaches: Supervised or
unsupervised algorithms like clustering, random
forest or neural networks based on machine
learning can be trained on labelled or unlabelled
data to detect anomalies in the log files.
• Time-Series Analysis: If the log files contain
temporal information, time-series analysis
techniques like ARIMA (Autoregressive
Integrated Moving Average) or LSTM (Long
Short-Term Memory) networks can be applied
to capture patterns and detect anomalies.
• Rule-based Methods: The Rule-based
approaches comprise some tricks or thresholds
based on expert knowledge or domain-specific
requirements. Any log entry that violates these
rules is flagged as an anomaly.
Alert Generation and Response: To inform the relevant
parties, an alarm is generated to identify abnormal behaviour.
Establish appropriate response procedures to investigate and
address potential security threats or system irregularities.
Continuous Monitoring and Feedback: Implement
continuous monitoring of the log files and regularly update
and refine the anomaly detection models. Monitor the
performance of the detection techniques in real-world
scenarios, adapt to evolving patterns, and incorporate
feedback to improve the effective process and specific
approach for anomaly detection.
Authorized licensed use limited to: National Institute of Technology. Downloaded on July 29,2024 at 10:02:25 UTC from IEEE Xplore. Restrictions apply.
The major contribution of this research is to:
• To prepare the data from the received file by parsing it.
• To give the machine learning algorithms a
representation of the log entries as numerical values.
• Use algorithms based on machine learning to search the
Mobilaris log file for abnormal log sequences.
The remaining paper is formulated as follows: Section II
focuses on the literature review based on the distinguished
machine learning algorithms. Section III defines the
proposed methodology for finding anomalies from the log
files. Section IV defines the outcomes and analysis retrieved
from the analytics. Finally, the article concludes the results
and explores the future scope.
II. LITERATURE REVIEW
Textual data is occasionally seen as meaningful information
and can be crucial to machine learning algorithms [3].
Several natural language processing techniques can be used
for logs that contain textual data. One of the more well-liked
natural language processing methods is frequency-inverse
Document[3]. The textual data appears by using data
frequency, and TF-IDF is another popular technique for
expressing data in anomaly detection. [3].
Word2vec, a method for natural language processing, has
proven to be highly successful and efficient at representing
textual data in small dimensions in paper [4].
A lot of studies also employ log vectorization approaches
to describe the log data [5][6], employing log abstraction
techniques that make use of the constant portion of the log
messages, log arrangement are converted into logs and
vectors are transformed into log events. The code's logprint
statement generates generic log messages as placeholders for
log events. The paper's sequences [7] contain a lot of log
events, and the events based on the log are packed in two
different ways—weighting based on IDF that has been
adjusted and contrast-based weighting. According to the
study, the significance of each log event varies according to
how frequently it looks in various log classifications. The
weighting technique was suggested as a consequence to the
employee.
The journal [8] also discussed the tree structure diagram, also
called the decision tree algorithm. The SVM, another
classification-based technique, was also examined in the
paper. Each of the three supervised algorithms combined the
labels and training examples to create an event count vector.
The decision tree selections proved to be more reasonable for
the developer in picking anomalies compared to two
different algorithms when discovering abnormalities in the
data. Although all of the algorithms were effective at finding
anomalies, SVM had the highest overall accuracy. The
LogCluster algorithm was chosen by the publication [9]. A
data clustering algorithm called LogCluster uses log files to
find patterns. In 92 days, LogCluster was utilised to measure
performance. 1,879,209 of the 296,699,550 log messages
that were processed by the implementation were identified as
anomalies. They also found that not all anomalies were
anomaly log messages but standard log messages. The
paper[10] used the DBSCAN algorithm, a density-based
clustering approach. It was suggested that DBSCAN be used
to spot anomalies in monthly temperature data. According to
the report, it offers several advantages over statistical
strategies for spotting irregularities.
III. PROPOSED METHODOLOGY
K-means and DBSCAN, two distinct unsupervised
machine learning methods, will be employed in this study to
find aberrant sequences in Mobilaris log files. Unsupervised
learning is preferred because it can derive knowledge from
data structures without labels and because log sequences can
reveal hidden issues [11]. The process of finding anomalies
in a data file is broken down into various parts, as shown in
Figure 2. With the assistance of the Mobilaris staff,
anomalies in the log file were labelled.
The log file from Tag Vibration Service (TVS), one of
Mobilaris' services, was what we obtained from them. TVS
counts the intervals between blinks to detect the validity of a
tag[12]. The constant and variable data in log entries from
Fig. 2. Proposed Methodology
IV. RESULTS AND DISCUSSION
There are 41294 log entries in the data file that Mobilaris
sent, and there are 29 different types of log entries. 1176
aberrant sequences of varied sizes are present among the
41294 total. Precision, recall, and F1-score will be used as
three different performance indicators in this paper. In this
study, we'll use the three performance indicators in two
different evaluation examinations. The total number of
aberrant log sequences found will be counted in the first and
in the second, The variety of anomalous log sequences that
we discovered will be counted. A total of 174 different types
of anomalous sequences, each occurring at a different
Authorized licensed use limited to: National Institute of Technology. Downloaded on July 29,2024 at 10:02:25 UTC from IEEE Xplore. Restrictions apply.
the file are represented by textual or numerical data. It is
crucial to gather and prepare the relevant data before utilising
the machine learning algorithms. Finding patterns in data
requires a fundamental step called data representation.
Finding patterns in data requires a fundamental step called
data representation[13]. The distance between sets of data
that are comparable to one another should be kept to a
minimum, while the distance between sets of data that aren't
should be kept at a maximum. After processing and applying
the log abstraction technique, a new log file with log ids
representing the log entries will be produced[14]. Textual log
entries can be represented in the log arrangement as numbers
thanks to the feature vector encoding. As there are distinct
log entries in the whole log file, the vector will have the
same number of dimensions. Every log will have a
designated place. Each log item's frequency of appearance in
the sliding window is counted using the feature vector
representation[15].
frequency, make up the 1176 anomalous sequences in the
TVS dataset.
A. K-Means with Feature Vector Approach
Here we are representing the work with k-means approach
including feature vector representation. All
anomalous log sequence results are shown in Table
5.1, and only the unique ones are shown in Table I.
The three distinct thresholds were 99, 98, and 97.5,
and the metrics recall, F1, and precision are
displayed. Figures 3, 4, and 5 are used to represent
the K-means algorithm plots with the applied
thresholds. To decrease the dimensions from 29 to
 2, PCA was used. Three clusters as well as the blue
stars which are exist in each plot indicates the
centre of each cluster. The algorithmic identified
abnormalities are indicated by red circles
surrounding the data points.

TABLE I. TIME TAKEN FOR DATA ENCRYPTION AND DECRYPTION

Metrics K - means with K - means K - means with
threshold with threshold threshold
percentile 99 percentile 98 percentile 97.5
Recall 0.34 0.61 0.87
F1- score 0.51 0.75 0.93
Precision 1 1 1

The suggested method achieves a memory storage Fig. 4. Total evaluation time
quantity of 13,598,247.75 bits by altering the number of
bullets. The optimization strategies' combined execution time
is 21,008 milliseconds. Figure 3 shows how the system
performs using the suggested technique when the number of
repeats is changed. Figure 4. Represents the fitness value of
the suggested approach. The message with the highest fitness
value in the MPSO had the lowest mistake frequency. As the
number of observations rises in this case, the efficiency score
falls. Table II displays the proposed MANNs-based back
propagation technique's thorough classification validity. The
proposed MANN provides 91.25 percent accuracy in this
case.

PERFORMACE PARAMETERS OF THE MODEL

K - means with K - means with K - means with
threshold threshold threshold
Metrics percentile 99 percentile 98 percentile 97.5
Recall 0.78 0.79 0.83
F1- Fig. 5. Model Threshold Values
score 0.88 0.88 0.91
B. K-Means with IDF Representation
Precisio
n 1 1 1 We will display the K-means approach using the outcome of
IDF data representation in this subsection. Result from all
anomalous Log arrangements is shown by Table III. While
table IV indicates the singular ones only. The three
thresholds were 99, 98, and 97.5, and the metrics recall, F1,
and precision are displayed. Figures 6, 7, and 8 show the
graph that the K-means algorithm produces when the
specified threshold is used. The dimensions were also
decreased from 29 to 2 using PCA. Every plot consists three
different clusters and the location of centroid of every cluster
is represented by blue star. The algorithm's expected
anomalies are indicated by red circles surrounding the data
points.

Table III: Outcome from all log arrangements, IDF

Representation and K-means.

K - means with K - means with K - means with

threshold threshold threshold
Fig. 3. Frequency of distinct keys Metrics percentile 99 percentile 98 percentile 97.5
Recall 0.31 0.31 0.87
F1- score 0.48 0.48 0.93
Precision 1 1 1

Authorized licensed use limited to: National Institute of Technology. Downloaded on July 29,2024 at 10:02:25 UTC from IEEE Xplore. Restrictions apply.
 Fig. 8: Threshold at k=3, 97.5% accuracy with K-Means
C. DBSCAN with IDF
We will demonstrate the outcome of the DBSCAN technique
Table IV: Result from unique log sequences, Kmeans, IDF with IDF representation in this subsection. All anomalous
Representation log sequence results are shown in Table V, whereas only the
K - means with K - means with K - means with unique ones are shown in Table VI. Recall, F1, and precision
threshold threshold threshold
Metrics percentile 99 percentile 98 percentile 97.5 scores are displayed. The output from the DBSCAN
Recall 0.87 0.87 0.91 technique is shown in Figure 9. The dimensions were also
F1- decreased from 29 to 2 using PCA. Six clusters were
score 0.93 0.93 0.95 produced by DBSCAN. The expected anomalous sequences
Precisio from the DBSCAN are represented by the purple data points.
n 1 1 1
Table V: Performance parameters with DBSCAN

Metrics DBSCAN
Recall 0.35
F1- score 0.51
Precision 1

Table VI: Log sequences for IDF and DBSCAN

Metrics DBSCAN
Recall 0.78
F1- score 0.87

Fig. 6. Fitness Value of Proposed Model Precision 1

Fig. 7: Threshold at k=3, 98% accuracy with KMeans

Fig. 9: DBSCAN Accuracy
When the threshold percentile was 99, the model's
performance in detecting all anomalous arrangements by
involving the feature vector representation using the k-means
strategy was subpar. Recall and F1 scores increased when the
threshold was lowered to 97,5, as seen in Table 5.1. Recall
increased from 0.34 to 0.87 and F1 increased from 0.51 to
0.93. The F1 score and recall were on their peak (the score of
F1 was from 0.88 to 0.91 and the increment in recall was
from 0.78 to 0.83), and the k-means technique with feature
vector representation successfully identified different
anomalous sequences in all percentiles. When the threshold
percentile was 97.5, the algorithm likewise looks efficient
and better in terms of identifying the distinct arrangement.

Authorized licensed use limited to: National Institute of Technology. Downloaded on July 29,2024 at 10:02:25 UTC from IEEE Xplore. Restrictions apply.
 V. CONCLUSION
We looked into the potential of machine learning for
focusing on anomaly detection when analysing the log files
at Mobilaris. As a result, we discovered that both K-means
and DBSCAN were effective in identifying distinctive log
anomalies. The only algorithms that successfully discovered
the total number of log sequences were K-means techniques
with low percentile thresholds. According to our
investigation, the K-means strategy using IDF representation
and feature vector representation was equally good in finding
the total number of aberrant log arrangements with a
threshold of 97. We also thought about how the data
representation would affect the outcomes. The K-means with
IDF representation outperformed other techniques at
identifying separate log sequences when the threshold
percentile was 97. Experimenting with different window
widths could improve the research's findings even further.

REFERENCES [9] P. Jain, M. Shankar Bajpai, and R. Pamula, “A Modified DBSCAN

Algorithm for Anomaly Detection in Time-series Data with
[1] Yin, Kun et al. “Improving Log-Based Anomaly Detection with Seasonality,” The International Arab Journal of Information
Component Aware Analysis”. In: 2020 IEEE International Technology, vol. 19, no. 1. Zarqa University, Jan. 01, 2022. doi:
Conference on Software Maintenance and Evolution (ICSME). 2020, 10.34028/iajit/19/1/3.
pp. 667–671. DOI: 10.1109/ ICSME46990.2020.00069. [10] F. Gerz, T. R. Basturk, J. Kirchhoff, J. Denker, L. Al-Shrouf, and M.
[2] Lin, Qingwei et al. “Log Clustering Based Problem Identification for Jelali, “A Comparative Study and a New Industrial Platform for
Online Service Systems”. In: 2016 IEEE/ACM 38th International Decentralized Anomaly Detection Using Machine Learning
Conference on Software Engineering Companion (ICSE-C). 2016, pp. Algorithms,” 2022 International Joint Conference on Neural
102–111. Networks (IJCNN). IEEE, Jul. 18, 2022. doi:
[3] Si, Yaqing, Zhou, Wendi, and Gai, Jiale. “Research and 10.1109/ijcnn55064.2022.9892939.
Implementation of Data Extraction Method Based on NLP”. In: 2020 [11] N. K. Pandey, A. K. Mishra, N. Tripathi, P. Bagla and R. Sharma,
IEEE 14th International Conference on Anti-counterfeiting, Security, "Implementation and Monitoring of Network Traffic Security using
and Identification (ASID). 2020, pp. 11–15. DOI: Machine Learning," 2023 2nd International Conference on Smart
10.1109/ASID50160.2020.9271745. Technologies and Systems for Next Generation Computing
[4] Wang, Mengying, Xu, Lele, and Guo, Lili. “Anomaly Detection of (ICSTSN), Villupuram, India, 2023, pp. 1-5, doi:
System Logs Based on Natural Language Processing and Deep 10.1109/ICSTSN57873.2023.10151471.
Learning”. In: 2018 4th International Conference on Frontiers of [12] A. K. Mishra, N. Tripathi, A. Gupta, D. Upadhyay and N. K. Pandey,
Signal Processing (ICFSP). 2018, pp. 140–144. DOI: "Prediction and detection of nutrition deficiency using machine
10.1109/ICFSP.2018.8552075. learning," 2023 International Conference on Device Intelligence,
[5] Xiao, Tong et al. “LPV: A Log Parser Based on Vectorization for Computing and Communication Technologies, (DICCT), Dehradun,
Offline and Online Log Parsing”. In: 2020 IEEE International India, 2023, pp. 1-5, doi:
Conference on Data Mining (ICDM). 2020, pp. 1346–1351. DOI: https://10.1109/DICCT56244.2023.10110072.
10.1109/ICDM50108.2020. [13] N. K. Pandey, K. Kumar, G. Saini, A. K. Mishra “Security Issues and
[6] N. K. Pandey, A. K. Mishra, V. Kumar, A. Kumar, M. Diwakar and Challenges in Cloud of Things-Based Applications for Industrial
N. Tripathi, "Machine Learning based Food Demand Estimation for Automation” Annals of Operations Research 2023.
Restaurants," 2023 6th International Conference on Information https://doi.org/10.1007/s10479-023-05285-7.
Systems and Computer Networks (ISCON), Mathura, India, 2023, pp. [14] A. K. Mishra, M. Wazid, D. P. Singh, A. K. Das, S. Roy and S.
1-5, doi: 10.1109/ISCON57294.2023.10112059. Shetty, "ACKS-IA: An Access Control and Key Agreement Scheme
[7] B. Zhang, H. Zhang, V.-H. Le, P. Moscato, and A. Zhang, “Semi- for Securing Industry 4.0 Applications," in IEEE Transactions on
supervised and unsupervised anomaly detection by mining numerical Network Science and Engineering, doi:
workflow relations from system logs,” Automated Software 10.1109/TNSE.2023.3296329.
Engineering, vol. 30, no. 1. Springer Science and Business Media [15] A. K. Mishra, M. Wazid, D. P. Singh, A. K. Das, J. Singh, and A. V.
LLC, Dec. 03, 2022. doi: 10.1007/s10515-022-00370-w. Vasilakos, “Secure Blockchain-Enabled Authentication Key
[8] Vaarandi, Risto, Blumbergs, Bernhards, and Kont, Markus. “An Management Framework with Big Data Analytics for Drones in
unsupervised framework for detecting anomalous messages from Networks Beyond 5G Applications,” Drones, vol. 7, no. 8, p. 508,
syslog log files”. In: NOMS 2018 - 2018 IEEE/IFIP Network Aug. 2023, doi: https://doi.org/10.3390/drones7080508.
Operations and Management Symposium. 2018, pp. 1–6. DOI:
10.1109/ NOMS.2018.8406283.

Authorized licensed use limited to: National Institute of Technology. Downloaded on July 29,2024 at 10:02:25 UTC from IEEE Xplore. Restrictions apply.