Method for detecting abnormal operating conditions
Patent abstract:
The invention relates to a method for detecting abnormal operating states, in particular those caused by manipulation, in a computer network (1) comprising a plurality of computers (1a, 1b, 1c), wherein logs are generated by the computers (1a, 1b, 1c) of the computer network (1) or by processes (2a, 2b, 2c) running on these computers (1a, 1b, 1c), and wherein the computers (1a, 1b, 1c) or the processes (2a, 2b, 2c), on the occurrence of predetermined events, create a log data record in the form of a log line (s1, ..., sn) for each of these events, wherein a) time windows (T1, T2, T3) are predetermined, the time windows (T1, T2, T3) in particular adjoining one another seamlessly, b) the log lines (s1, ..., sn) are each assigned to a predetermined time window (T1, T2, T3) according to the time of their creation or processing, c) the log lines (s1, ..., sn) assigned to a respective time window (T1, T2, T3) are analyzed with regard to their similarity and combined into groups on the basis of their similarity according to a predetermined metric and a similarity threshold, d) log lines (s1, ..., sn) of a respectively considered time window (T1, T2, T3) are assigned to groups of adjacent time windows using the metric used in step c) and, if appropriate, the similarity threshold used in step c), e) an overlap indicator is formed which, on the basis of the assignments made in step d), gives a measure of the degree of correspondence between the log lines of two or more groups in different time windows, f) groups of temporally adjacent time windows (T1, T2, T3) are assigned to one another by evaluating the overlap indicator, g) a number of directed paths is created, comprising groups as nodes and assignments as edges, which describe the groups assigned to one another over a predetermined number of chronologically preceding time windows, h) for each path a time course of an indicator for the respective group is formed over a predetermined number of time windows, and i) the courses of the indicators along the individual paths are used to determine whether an abnormal state exists.
Publication number: AT520746A4 Application number: T50156/2018 Filing date: 2018-02-20 Publication date: 2019-07-15 Inventors: Applicant: Ait Austrian Institute Tech Gmbh; Main IPC:
Patent description:
Summary
The invention relates to a method for detecting abnormal operating states, in particular those caused by manipulation, in a computer network (1) which comprises a plurality of computers (1a, 1b, 1c), wherein
- logs are generated by the computers (1a, 1b, 1c) of the computer network (1) or by processes (2a, 2b, 2c) running on these computers (1a, 1b, 1c),
- the computers (1a, 1b, 1c) or the processes (2a, 2b, 2c), when predetermined events occur, create a log data record in the form of a log line (s1, ..., sn) for each of these events, and each log line (s1, ..., sn) comprises a description data record (32a, 32b, 32c) for the respective logged event,
wherein
a) time windows (T1, T2, T3) are predetermined, the time windows (T1, T2, T3) in particular adjoining one another seamlessly and preferably being of the same length,
b) the log lines (s1, ..., sn) are assigned to a given time window (T1, T2, T3) according to the time of their creation or processing,
c) those log lines (s1, ..., sn) which are assigned to a respective time window (T1, T2, T3) are analyzed with regard to their similarity and, on the basis of their similarity according to a predetermined metric and a specified similarity threshold, are combined into individual groups (C1a, C1b, C1c, C2a, C2b, C2c, C3a, C3b, C3c), each log line (s1, ..., sn) being assigned to only one group,
d) log lines (s1, ..., sn) of a respectively considered time window (T1, T2, T3) are assigned to groups which are assigned to adjacent time windows (T1, T2, T3), using the metric used in step c) and, if appropriate, the similarity threshold value used in step c),
e) an overlap indicator is formed which, based on the assignments made in step d), gives a measure of the degree of agreement between the log lines of two or more groups in different time windows,
f) groups of temporally adjacent time windows (T1, T2, T3) are assigned to one another by evaluating the overlap indicator formed, by
  - finding groups, in particular a predecessor group and a successor group, whose overlap indicator exceeds a predetermined first threshold value (Θ), and/or
  - finding a number of successor groups in a subsequent time window for a predecessor group, the overlap indicator between each of the successor groups and the predecessor group exceeding a predetermined second threshold value (Θpart) and the sum of the overlap indicators determined in this way exceeding the predetermined first threshold value (Θ), and/or
  - finding a number of predecessor groups in a previous time window (T1, T2, T3) for a successor group, the overlap indicator between each of the predecessor groups and the successor group exceeding a predetermined second threshold value (Θpart) and the sum of the overlap indicators determined in this way exceeding a predetermined first threshold value (Θ), and/or
  - finding groups to which no predecessor group or successor group can be assigned, and
g) a number of directed paths is created, which comprise groups as nodes and assignments as edges and which describe the groups assigned to one another over a predetermined number of temporally preceding time windows, the individual paths describing the course of groups assigned to one another in chronologically successive time windows in the graph, and
h) a time course of an indicator for the respective group is formed over a predetermined number of time windows for the individual paths, and
i) the courses of the indicators along the individual paths are used to determine whether an abnormal state exists.
The invention relates to a method for the detection of abnormal states in a computer network according to claim 1.
It is known from the prior art to examine log files that are created by different processes in order to determine whether the processes described in the log files represent an abnormal state of the processes or of the computer network in which these processes run. In such methods there are significant problems in analyzing log files, which are usually written in human-readable form, for specific patterns in order to identify operating states which are unusual or unique and which indicate abnormal operating states. Specific methods are known from the prior art which connect different lines of log files that belong together and detect typical patterns or groups of log lines with a similar structure. In particular, such a procedure is known from the Austrian patent 514215. Such pattern recognition procedures fundamentally make it possible to find anomalous states in a computer network, but they are relatively complex and require, in particular, several protocol lines, which are sometimes far apart, to be combined with one another, which leads overall to an increased resource requirement for the protocol data analysis. With known grouping methods for finding abnormal states, however, it is difficult to predict the development of the identified groups of protocol lines, so that change processes that individual groups undergo over time are not recognized as anomalies. The object of the present invention is to provide a method for the detection of abnormal states in a computer network which quickly and easily detects critical or abnormal states in the computer network or in the course of individual processes carried out in the computer network.
The invention solves this problem with the method according to the invention for detecting abnormal operating states as set out in claim 1, in particular those caused by manipulation, in a computer network which comprises several computers, whereby
- logs are generated by the computers of the computer network or by processes running on these computers,
- a log data record in the form of a log line is created for each of these events by the computers or the processes when predetermined events occur, and each log line comprises a description data record for the respective logged event.
According to the invention it is provided that
a) time windows are specified, the time windows in particular adjoining one another seamlessly and preferably having the same length,
b) the log lines are assigned to a given time window in accordance with the time of their creation or processing,
c) those protocol lines which are assigned to a respective time window are analyzed with regard to their similarity and are combined into individual groups based on their similarity according to a predetermined metric and a specified similarity threshold value, each protocol line preferably being assigned to only one group,
d) protocol lines of a respectively considered time window are assigned to groups which are assigned to adjacent time windows, using the metric used in step c) and, if appropriate, the similarity threshold value used in step c),
e) an overlap indicator is formed which, based on the assignments made in step d), gives a measure of the degree of agreement between the log lines of two or more groups in different time windows,
f) groups of temporally adjacent time windows are assigned to one another by evaluating the overlap indicator formed, by
  - finding groups, in particular a predecessor group and a successor group, whose overlap indicator exceeds a predetermined first threshold value, and/or
  - finding a number of successor groups in a subsequent time window for a predecessor group, the overlap indicator between each of the successor groups and the predecessor group exceeding a predetermined second threshold value and the sum of the overlap indicators determined in this way exceeding a first predetermined threshold value, and/or
  - finding a number of predecessor groups in a previous time window for a successor group, the overlap indicator between each of the predecessor groups and the successor group exceeding a predetermined second threshold value and the sum of the overlap indicators determined in this way exceeding a predetermined first threshold value, and/or
  - finding groups to which no predecessor group or successor group can be assigned, and
g) a number of directed paths is created, which comprise groups as nodes and assignments as edges and which describe the groups assigned to one another over a predetermined number of temporally preceding time windows, the individual paths describing the course of groups assigned to one another in chronologically successive time windows in the graph, and
h) a time course of an indicator for the respective group is formed over a predetermined number of time windows for the individual paths, and
i) the courses of the indicators along the individual paths are used to determine whether an abnormal state exists.
An advantageous definition of the time windows, which allows the protocol lines to be distributed evenly over the individual time windows in normal operation, provides that the length of the time windows is
- adapted adaptively to the frequency of occurrence of the predetermined events for which a log line is created, or
- changed in a rule-based manner according to a predetermined metric which provides an indicator of the number of expected events in the computer network, in particular adapted to the time of day and/or the day of the week and/or the load on the computer network and/or the number of logged-in users.
An embodiment variant of the invention which enables processing of the protocol lines in real-time operation provides that, in order to assign the individual protocol lines to the time windows in step b), the individual time windows are defined one after another during operation, one of the time windows being the current one at any given time, and the log lines are assigned to the current time window immediately after their creation.
An embodiment variant of the invention which enables a later evaluation of the protocol lines provides that, for the assignment of the individual protocol lines to the time windows in step b), the log lines are provided with a time stamp of their creation or of the event assigned to them, the log lines being assigned to the respective time window on the basis of the time stamp assigned to them.
An embodiment variant of the invention which allows a simple and efficient assignment of groups provides that in step d) protocol lines of a respectively considered time window are assigned to groups which are assigned to a time window lying, preferably immediately, before or after the considered time window.
A numerically efficient calculation rule for the overlap indicator provides that in step e) the overlap indicator indicates how many protocol lines assigned to a group could be assigned in step d) to one or more other groups from temporally adjacent, in particular immediately successive, time windows.
In order to better take into account overlaps between groups, it can be provided that the overlap indicator for two groups in different time windows is given as the ratio of the mutual assignments of protocol lines of one group to the other group to the total number of existing assignments of protocol lines of these groups.
In order to be able to better take into account overlaps between a plurality of groups over several time steps and to achieve more stable statements about the agreement of groups, it can be provided that the overlap indicator for several selected groups in different time windows is specified as the ratio between i) the mutual assignments of protocol lines of one of the selected groups to a respectively other selected group and ii) the total number of existing assignments of protocol lines of these selected groups.
In order to enable an advantageous continuation of the path when paths are merged in the course of finding paths, it can be provided that in step f), if several predecessor groups are available for a group and several paths are merged into one, that path is used as the predecessor path and continued
i) whose groups, in particular its last group, have the greatest overlap indicator with the common subsequent group,
ii) whose groups, in particular its last group, have the most log lines, and/or
iii) which is the longest of the predecessor paths in question and/or reaches furthest into the past.
In order to enable an advantageous continuation of the path when paths are split in the course of finding paths, it can be provided that in step f), if several successor groups have been found for a group and one path is split into several paths, that path is used as the successor path and/or the path is continued with that successor path
i) whose groups, in particular its first group, have the greatest overlap indicator with the common group,
ii) whose groups, in particular its first group, have the most protocol lines, and/or
iii) which is the longest of the paths in question and/or reaches furthest into the past.
In order to be able to provide a meaningful assessment of the behavior of the individual groups in the paths, it can be provided that one of the following indicator measures is used as an indicator in step h):
- the size of the respective group,
- a measure of the average similarity of the individual protocol lines in the respective group,
- a measure of the distance between the log lines of the group and the log lines of other groups,
- an indicator which is characteristic of the increase and/or decrease in the size of the respective group along the respective path,
- an indicator which is characteristic of the number of log lines for which there are no similar groups among the groups assigned to one another, in particular the number of log lines of a group for which there are no correspondences in the subsequent or previous group.
A preferred method for determining abnormal states provides that, based on the course of indicators determined in step h) or of the sum of selected indicators formed in the time windows, in step i)
- a time series prediction is formed and a prediction interval for the probable course of the indicator after the latest time window is determined, and
- the further temporal course of the indicator, or of the sum of selected indicators formed over time, after the respective time window is examined to determine whether it corresponds to the prediction and/or lies within the determined prediction interval, and if this is not the case, an abnormal state in the computer network is found.
In particular, it can be provided that the time series prediction is determined using an autoregressive integrated moving average model.
A preferred method for determining abnormal states provides for correlations to be sought between the individual courses of indicators and for an abnormal state to be found in the computer network in the event that new correlations occur or that previously existing correlations no longer exist.
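As an added example (not the patent's own code), the prediction-interval test of step i) and the correlation criterion described above; a random walk with drift, the simplest ARIMA member, stands in for the full ARIMA model the text names, and all indicator series are constructed:

```python
# Added example, not the patent's code: step i) on an indicator course.
# The forecast model is deliberately the simplest ARIMA member, a random walk
# with drift (ARIMA(0,1,0)): next value = last value + mean step, and the
# prediction interval is +/- z standard deviations of the steps. A deployment
# would fit a full ARIMA model. The correlation check implements the second
# criterion: a correlation between two courses newly appears or disappears.
from statistics import mean, stdev

def forecast_interval(history, z=1.96):
    """Forecast for the window after the last one plus a symmetric prediction
    interval; `history` is the indicator course over the preceding windows."""
    steps = [b - a for a, b in zip(history, history[1:])]
    drift = mean(steps)
    spread = stdev(steps) if len(steps) > 1 else 0.0
    point = history[-1] + drift
    return point, point - z * spread, point + z * spread

def is_abnormal(history, observed, z=1.96):
    """True when the observed indicator value lies outside the prediction interval."""
    _, lo, hi = forecast_interval(history, z)
    return not lo <= observed <= hi

def anomaly_score(paths, z=1.96):
    """Number of paths whose latest indicator value is outside its interval; every
    value but the last is history, the last value is the one under test."""
    return sum(is_abnormal(series[:-1], series[-1], z) for series in paths)

def pearson(x, y):
    """Pearson correlation of two equally long series; 0.0 if one is constant."""
    mx, my = mean(x), mean(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def correlation_changed(x, y, width, rho):
    """True when |correlation| over the latest `width` windows crosses `rho` in
    either direction compared with the `width` windows before them."""
    before = abs(pearson(x[-2 * width:-width], y[-2 * width:-width]))
    after = abs(pearson(x[-width:], y[-width:]))
    return (before >= rho) != (after >= rho)
```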
A program for carrying out a method according to the invention can advantageously be stored on a data carrier.
Particularly advantageous, but not restrictive, exemplary embodiments of the invention are shown schematically below with reference to the accompanying drawings and described by way of example with reference to the drawings. The drawings show:
Fig. 1 a schematic representation of a computer network,
Fig. 2 a schematic representation of protocol lines of three time windows and their assignment to groups,
Fig. 3 schematically the assignment of protocol lines of two time windows to groups or group cards,
Fig. 4 a schematic example of the development of groups over several time windows,
Fig. 5 schematically the development of the group size of three groups over time,
Fig. 6 schematically the development of two time series over time,
Fig. 7 schematically the detection of anomalies for a time series by means of a prediction interval,
Fig. 8a schematically the detection of anomalies by means of a prediction interval for a path A,
Fig. 8b schematically the detection of anomalies by means of a prediction interval for a path B,
Fig. 8c schematically the detection of anomalies by means of a prediction interval for a path C, and
Fig. 9 schematically the anomaly score plotted against time.
Fig. 1 shows a computer network 1, consisting of computers 1a, 1b, 1c, in which several processes 2a, 2b, 2c run. The processes 2a, 2b, 2c generate log messages in the form of character strings designated as protocol lines s1, s2, s3. In the exemplary embodiment shown, three protocol lines s1, s2, s3 are created. The protocol lines s1, s2, s3 each comprise a description data record 32a, 32b, 32c and optionally a time stamp 31a, 31b, 31c. Pre-processing of the protocol lines s1, s2, s3 is possible. In this case, protocol lines s1, s2, s3 from different sources are brought into a uniform format.
For this purpose, for example, non-displayable special characters that do not correspond to a defined standard format, such as the standard syslog format defined in RFC 3164, are removed from s1, s2, s3. In this pre-processing of the protocol lines s1, s2, s3, it is optionally also possible to extract the time stamps 31a, 31b, 31c of the protocol lines s1, s2, s3 and, for example, to remove them from the character string. The extracted time stamps 31a, 31b, 31c are stored, for example, for later evaluations such as a time series analysis.
In a first variant of the invention, the individual log lines s1, s2, s3 are each forwarded in real time and written into a central log file 4 ordered by the time of their creation or, if available, by the time coded in the time stamps 31a, 31b, 31c, and/or processed further.
In an alternative variant of the invention, the log lines s1, s2, s3 can each be stored in a log file 4a, 4b, 4c associated with the respective computer 1a, 1b, 1c or process 2a, 2b, 2c. In this case, the individual protocol lines s1, s2, s3 are usually written into the log files 4a, 4b, 4c in the order in which they are received, i.e. according to their creation time or, if available, their time stamp 31a, 31b, 31c. At a later point in time, the individual log data records of the log files 4a, 4b, 4c can be written into a common central log file 4. The following Table 1 shows a schematic section of a log file 4 whose individual entries represent log lines s1, s2, s3.
Table 1
ID  log line
0   Oct 13 00:00:01 192.168.2.20 - - GET /image_version_1.png HTTP/1.0 200 3395
1   Oct 13 00:00:05 192.168.5.33 - - GET /image_version_1.png HTTP/1.0 200 3395
2   Oct 13 00:00:14 [error] [serves 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
3   Oct 13 00:00:26 192.168.2.20 - - GET /image_version_2.png HTTP/1.0 200 3395
4   Oct 13 00:00:33 192.168.2.20 - - GET /image_version_1.png HTTP/1.0 200 3395
5   Oct 13 00:00:35 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test2: Passwordmismatch
6   Oct 13 00:00:41 192.168.2.20 - - GET /image_version_2.png HTTP/1.0 200 3395
7   Oct 13 00:00:54 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test3: Passwordmismatch
8   Oct 13 00:00:56 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test2: Passwordmismatch
9   Oct 13 00:01:05 192.168.2.20 - - GET /image_version_2_temp.png HTTP/1.0 200 3395
10  Oct 13 00:01:12 192.168.5.33 - - GET /image_version_2.png HTTP/1.0 200 3395
11  Oct 13 00:01:18 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
12  Oct 13 00:01:22 192.168.2.20 - - GET /image_version_2.png HTTP/1.0 200 3395
13  Oct 13 00:01:25 192.168.5.33 - - GET /image_version_3.png HTTP/1.0 200 3395
14  Oct 13 00:01:36 192.168.5.20 - - GET /image_version_2_temp.png HTTP/1.0 200 3395
15  Oct 13 00:01:44 192.168.2.20 - - GET /image_version_2.png HTTP/1.0 200 3395
16  Oct 13 00:01:49 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test3: Passwordmismatch
17  Oct 13 00:01:55 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test3: Passwordmismatch
18  Oct 13 00:02:09 192.168.2.20 - - GET /image_version_2.png HTTP/1.0 200 3395
19  Oct 13 00:02:11 192.168.2.20 - - GET /image_version_3.png HTTP/1.0 200 3395
20  Oct 13 00:02:24 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
21  Oct 13 00:02:26 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
22  Oct 13 00:02:34 192.168.2.20 - - GET /image_version_3_temp.png HTTP/1.0 200 3395
23  Oct 13 00:02:46 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test3: Passwordmismatch
24  Oct 13 00:02:52 192.168.5.33 - - GET /image_version_2.png HTTP/1.0 200 3395
25  Oct 13 00:02:57 192.168.5.33 - - GET /image_version_3.png HTTP/1.0 200 3395
26  Oct 13 00:02:58 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test2: Passwordmismatch
27  Oct 13 00:03:09 192.168.2.20 - - GET /image_version_3.png HTTP/1.0 200 3395
28  Oct 13 00:03:13 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test2: Passwordmismatch
29  Oct 13 00:03:14 192.168.2.20 - - GET /image_version_4.png HTTP/1.0 200 3395
30  Oct 13 00:03:20 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test2: Passwordmismatch
31  Oct 13 00:03:24 192.168.2.20 - - GET /image_version_4.png HTTP/1.0 200 3395
32  Oct 13 00:03:26 [error] [client 1.2.3.4] Client sent malformed Host header
33  Oct 13 00:03:27 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test3: Passwordmismatch
34  Oct 13 00:03:29 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
35  Oct 13 00:03:34 [error] [client 1.2.3.4] Client sent malformed Host header
36  Oct 13 00:03:36 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test2: Passwordmismatch
37  Oct 13 00:03:38 192.168.2.20 - - GET /image_version_4.png HTTP/1.0 200 3395
38  Oct 13 00:03:44 192.168.5.33 - - GET /image_version_4.png HTTP/1.0 200 3395
39  Oct 13 00:03:46 192.168.2.20 - - GET /image_version_5.png HTTP/1.0 200 3395
40  Oct 13 00:03:50 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
41  Oct 13 00:03:52 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
42  Oct 13 00:03:57 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test1: Passwordmismatch
43  Oct 13 00:04:05 192.168.2.20 - - GET /image_version_5_new.png HTTP/1.0 200 3395
44  Oct 13 00:04:07 [error] [client 1.2.3.4] Client sent malformed Host header
45  Oct 13 00:04:10 192.0.0.20 - - GET /image_version_4.png HTTP/1.0 200 3395
46  Oct 13 00:04:16 192.168.2.20 - - GET /image_version_4_new.png HTTP/1.0 200 3395
47  Oct 13 00:04:19 [error] [client 1.2.3.4] Client sent malformed Host header
48  Oct 13 00:04:23 [error] [client 1.2.3.4] Client sent malformed Host header
49  Oct 13 00:04:27 192.0.0.20 - - GET /image_version_5.png HTTP/1.0 200 3395
50  Oct 13 00:04:28 [error] [client 1.2.3.4] Client sent malformed Host header
51  Oct 13 00:04:33 [error] [client 1.2.3.4] user test: authentication failure for 7 ~ dcid / test3: Passwordmismatch
52  Oct 13 00:04:46 [error] [client 1.2.3.4] Client sent malformed Host header
53  Oct 13 00:04:48 192.168.2.20 - - GET /image_version_5_renew.png HTTP/1.0 200 3395
54  Oct 13 00:04:51 192.0.0.20 - - GET /image_version_4_copy.png HTTP/1.0 200 3395
55  Oct 13 00:04:53 192.168.2.20 - - GET /image_version_5_renew.png HTTP/1.0 200 3395
56  Oct 13 00:04:54 192.168.2.20 - - GET /image_version_6_new.png HTTP/1.0 200 3395
57  Oct 13 00:04:55 192.0.0.20 - - GET /image_version_5_copy.png HTTP/1.0 200 3395
58  Oct 13 00:05:03 192.168.2.20 - - GET /image_version_6_new.png HTTP/1.0 200 3395
59  Oct 13 00:05:04 127.0.0.20 - - GET /image_version_6.png HTTP/1.0 200 3395
60  Oct 13 00:05:06 [error] [serves 1.2.3.4] Client sent malformed Host header
61  Oct 13 00:05:09 192.168.2.20 - - GET /image_version_6_new.png HTTP/1.0 200 3395
62  Oct 13 00:05:12 127.0.0.20 - - GET /image_version_6.png HTTP/1.0 200 3395
63  Oct 13 00:05:15 127.0.0.20 - - GET /image_version_5.png HTTP/1.0 200 3395
64  Oct 13 00:05:20 [error] [client 1.2.3.4] Client sent malformed Host header
65  Oct 13 00:05:22 127.0.0.20 - - GET /image_version_5.png HTTP/1.0 200 3395
66  Oct 13 00:05:24 192.168.2.20 - - GET /image_version_6_new.png HTTP/1.0 200 3395
67  Oct 13 00:05:27 [error] [client 1.2.3.4] Client sent malformed Host header
68  Oct 13 00:05:33 127.0.0.20 - - GET /image_version_6.png HTTP/1.0 200 3395
69  Oct 13 00:05:36 127.0.0.20 - - GET /image_version_5.png HTTP/1.0 200 3395
70  Oct 13 00:05:39 [error] [client 1.2.3.4] Client sent malformed Host header
71  Oct 13 00:05:42 192.168.2.20 - - GET /image_version_6_new.png HTTP/1.0 200 3395
72  Oct 13 00:05:46 [error] [client 1.2.3.4] Client sent malformed Host header
73  Oct 13 00:05:51 192.168.2.20 - - GET /image_version_6_new.png HTTP/1.0 200 3395
74  Oct 13 00:05:53 127.0.0.20 - - GET /image_version_6.png HTTP/1.0 200 3395
Assignment of log lines to time windows
For further processing of the protocol lines, time windows T1, T2, T3 are specified in a first step a), which in particular adjoin one another seamlessly and are preferably of equal length. In a further assignment step b), the determined protocol lines s1, s2, s3, which are located, for example, in the central log file 4, are each assigned to a predetermined time window T1, T2, T3. The respective time of creation of a protocol line s1, s2, s3 or, if available, its time stamp 31a, 31b, 31c is used for this assignment, and all protocol lines s1, s2, s3 assigned in this way to a respective time window T1, T2, T3 are combined. If the individual log data records are forwarded to the central log file 4 in real time, as is the case in the first variant described above, it is not necessary to provide them with a time stamp 31a, 31b, 31c, since the grouping of the log lines s1, s2, s3 by time windows T1, T2, T3 can be carried out in real time on the basis of the arrival of the log data records in the central log file 4.
If, on the other hand, as is the case with the alternative variant described above, individual log files 4a, 4b, 4c of individual computers are to be examined subsequently for the presence of abnormal states, the assignment of the log lines s1, s2, s3 to time windows T1, T2, T3 is carried out on the basis of the time stamps 31a, 31b, 31c assigned to them.
The time windows T1, T2, T3 are assigned a predetermined length, which determines the granularity of the method. This length depends on the average frequency with which protocol lines s1, s2, s3 are created; in particular, the length of the time windows can be specified such that the same number of protocol lines s1, s2, s3 falls into each of the individual time windows T1, T2, T3. In addition, the length of the individual time windows can be determined by the period of expected or detected periodically occurring events. The number of protocol lines s1, s2, s3 per time window T1, T2, T3 can be chosen to suit the application.
Construction step
Then, in a construction step c), the individual protocol lines s1, s2, s3 which are assigned to a respective time window T1, T2, T3 are analyzed for their similarity and, on the basis of their similarity according to a predetermined metric and a specified similarity threshold, are combined into groups C1a, C1b, C1c, C2a, C2b, C2c, C3a, C3b, C3c (Fig. 2). Each protocol line s1, s2, s3 of a respective time window T1, T2, T3 is assigned to only a single group C1a, C1b, C1c, C2a, C2b, C2c, C3a, C3b, C3c. Depending on the type of grouping or clustering method selected, it is possible that individual protocol lines are assigned to several groups, or that the assignment of individual protocol lines s1, s2, s3 to clusters or groups is prevented.
Using this assignment, a group card C1, C2, C3 of groups C1a, C1b, C1c, C2a, C2b, C2c, C3a, C3b, C3c, which contain the respective similar protocol lines s1, s2, s3, is created for selected, in particular all, time windows T1, T2, T3. As a result, a sequence of such group cards C1, C2, C3 is obtained. In a preferred implementation of a method according to the invention, it can be assumed that all protocol lines s1, s2, s3 or protocol data records 3a, 3b, 3c can each be assigned to one of the groups C1a, ..., C3c. Within the respective group C1a, ..., C3c there is a protocol data record 3a, 3b, 3c that is representative of that group. This is determined in particular already when the group C1a, ..., C3c is created, namely by the first protocol data record 3a, 3b, 3c that is added to the relevant group C1a, ..., C3c. This representative protocol data record 3a, 3b, 3c is also advantageously used to determine the similarity to the respective group C1a, ..., C3c and for the assignment of protocol lines to the respective group. This representative log data record of a group C1a, ..., C3c is also referred to as the group representative.
The creation of the individual group cards for the individual time windows T1, T2, T3 is usually accomplished by an incremental clustering algorithm. An advantageous incremental clustering algorithm is described, for example, in M. Wurzenberger, F. Skopik, R. Fiedler, M. Landauer, P. Greitbauer, W. Kastner, "Incremental Clustering for Semi-Supervised Anomaly Detection applied on Log Data", International Conference on Availability, Reliability and Security Proceedings, 2017.
For the protocol lines s1, s2, s3 of a considered time window T1, T2, T3, the grouping takes place as follows: the first protocol line s1, s2, s3 assigned to the time window T1, T2, T3 always creates a new group C1a, ..., C3c. For each further protocol line s1, s2, s3 of the considered time window T1, T2, T3, the group C1a, ..., C3c whose protocol lines s1, s2, s3 are most similar to it is determined by comparing the group representatives with the protocol line s1, s2, s3 currently being processed and to be assigned to a group. The processed protocol line s1, s2, s3 is either assigned to this group C1a, ..., C3c or, if the similarity of the processed protocol line s1, s2, s3 to the protocol lines s1, s2, s3 or the group representative of the identified group C1a, ..., C3c does not exceed a predetermined threshold value, forms a new group C1a, ..., C3c for which the processed protocol line s1, s2, s3 serves as the group representative. This process step is repeated for the protocol lines s1, s2, s3 of selected, in particular all, time windows T1, T2, T3.
The methods used in the context of the invention to determine the similarity between protocol lines s1, s2, s3 are preferably based on the use of a distance function which specifies the similarity between two protocol lines s1, s2, s3. For example, the Levenshtein distance between two character strings can be selected as the distance function.
This distance function is suitable for comparing character strings, i.e. log lines s1, s2, s3, of different lengths, and thus enables a simple quantification of the difference or similarity between two log lines s1, s2, s3. The grouping method is particularly preferably based on a sequence alignment: the sequence alignment of two log lines s1, s2, s3 is calculated in order to determine how similar or dissimilar they are. To express the similarity numerically, the Levenshtein distance between the two log lines s1, s2, s3 under consideration is calculated on the basis of their sequence alignment. The value determined in this way is then normalized by the length of the sequence alignment, which yields a similarity measure of the log lines s1, s2, s3 that, owing to this normalization, takes values on a scale from 0 to 1. Two log lines are then considered similar and assigned to the same group if their similarity measure exceeds a predetermined threshold. Depending on how exact the desired result should be, the threshold can be selected higher or lower. A large number of grouping methods are known from the prior art which are based on the use of a distance function and combine individual log lines into groups C1a, ..., C3c of mutually similar log lines. Such grouping methods are, for example, CLIQUE (Agrawal, R., Gehrke, J., Gunopulos, D., & Raghavan, P. (1998). Automatic subspace clustering of high dimensional data for data mining applications (Vol. 27, No. 2, pp. 94-105). ACM.), MAFIA (Goil, S., Nagesh, H., & Choudhary, A. (1999, June). MAFIA: Efficient and scalable subspace clustering for very large data sets. In Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 443-452). ACM.), CACTUS (Ganti, V., Gehrke, J., & Ramakrishnan, R. (1999, August). CACTUS: Clustering categorical data using summaries. In Proceedings of the fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (pp. 73-83). ACM.), PROCLUS (Aggarwal, C. C., Wolf, J. L., Yu, P. S., Procopiuc, C., & Park, J. S. (1999, June). Fast algorithms for projected clustering. In ACM SIGMOD Record (Vol. 28, No. 2, pp. 61-72). ACM.) and SLCT (Vaarandi, R. (2003, October). A data clustering algorithm for mining patterns from event logs. In Proceedings of the 2003 IEEE Workshop on IP Operations and Management (IPOM) (pp. 119-126)).
A method according to the invention provides, as the result of assigning the log lines s1, s2, s3 of several time windows T1, T2, T3 to groups C1a, ..., C3c in the manner described above, an ordered sequence of independent group cards C1, C2, C3. FIG. 2 shows an example of the assignment of log lines s1, ..., sn to groups C1a, ..., C3c and the resulting group cards C1, C2, C3 for three time windows T1, T2, T3. A continuous time scale is shown in FIG. 2, along which four times t0, t1, t2, t3 are marked as the boundaries of the three time windows T1, T2, T3. The time window T1 covers the period from t0 to t1, time window T2 the period from t1 to t2 and time window T3 the period from t2 to t3. Log lines s1, ..., sn associated with three types of events are assigned to these time windows T1, T2, T3. The three types of events are symbolically identified in FIG. 2 with circles, triangles and squares. FIG. 2 shows the occurrence of these events on the continuous time scale, which is divided by the times t0, t1, t2, t3 into the three time windows T1, T2, T3.
According to the procedure described above, the log lines s1, ..., sn in each of the time windows T1, T2, T3 are summarized into groups C1a, ..., C3c. In the time window T1, the log lines are assigned to three groups C1a, C1b, C1c, since events of all three types occurred in the period t0 to t1 and corresponding log lines s1, ..., sn were created by the computers 1a, 1b, 1c or the processes 2a, 2b, 2c. The group card C1 of the time window T1 thus comprises three groups C1a, C1b, C1c. In the time window T2, the log lines s1, ..., sn are likewise assigned to three groups C2a, C2b, C2c, since three types of events occurred in the period t1 to t2, and the group card C2 of the time window T2 comprises three groups C2a, C2b, C2c. All three types of events also occurred in the period t2 to t3. However, two subspecies can be distinguished for the events marked with circles, so that the log lines s1, ..., sn in the time window T3 are assigned to four groups C3a, C3b,1, C3b,2, C3c. The two groups C3b,1, C3b,2 each contain events of one of the two subspecies of the events marked with circles. The group card C3 of the time window T3 thus comprises four groups C3a, C3b,1, C3b,2, C3c. An example of a construction step c) is shown in FIG. 3: FIG. 3 shows the construction of two group cards of temporally successive time windows T1, T2. Five log lines s1, ..., s5 are assigned to the time window T1 and six log lines s6, ..., s11 to the time window T2. The solid lines represent the construction of the group cards C1, C2. The log lines s1, ..., s3 assigned to the time window T1 are assigned to group C1a and stored for group C1a as assignments or references R1a,curr. The log lines s4, s5 are assigned to group C1b and stored for group C1b as assignments R1b,curr.
The two groups C1a and C1b finally form the group card C1 of the time window T1. In the time window T2, the log lines s6, ..., s9 are assigned to group C2a and stored for group C2a as assignments or references R2a,curr. The log lines s10, s11 are assigned to group C2b and stored for group C2b as assignments R2b,curr. The two groups C2a and C2b form the group card C2 of the time window T2.
Assignment step
After the isolated generation of the individual group cards C1, C2, C3 in construction step c), an assignment step d) establishes connections that extend a group C1a, ..., C3c beyond a single time window. While the sequence of group cards C1, C2, C3 itself represents a dynamic view of the data, each group card C1, C2, C3 created for a respective time window T1, T2, T3 contains static information about the log lines s1, ..., sn assigned to that time window T1, T2, T3. The sequence of these static snapshots is a time series that provides information about the development of the group cards C1, C2, C3, e.g. about how the total number of groups C1a, ..., C3c in each group card C1, C2, C3 develops. However, the prior art offers no way of extracting, for specific groups C1a, ..., C3c, information that can be used for dynamic anomaly detection. When considering the groups C1a, C1b, C1c, C2a, C2b, C2c of two time windows T1, T2, it is not easy to determine whether a group C1a, C1b, C1c of the group card C1 of the time window T1 was transformed into a group C2a, C2b, C2c of the group card C2 of the time window T2, since a different set of log lines s1, ..., sn, namely those assigned to the time window T2, was used to generate the resulting group C2a, C2b, C2c.
This is because log lines s1, ..., sn are observed only once, at a specific point in time t0, t1, t2, t3. In order to eliminate this problem, an approach to the dynamic analysis of log lines s1, ..., sn is used which captures the temporal development of groups C1a, ..., C3c by means of time series analysis. To find the connections, in assignment step d) the log lines s1, ..., sn of a respective time window T1, T2, T3 are therefore additionally assigned to the groups C1a, ..., C3c of the respectively adjacent time windows T1, T2, T3. Starting from a considered time window T1, T2, T3, the assignments are preferably determined to a temporally, in particular immediately, preceding and/or a temporally, in particular immediately, following time window T1, T2, T3. The same metric is preferably used here as was used in construction step c) to summarize the individual log lines s1, ..., sn of each time window T1, T2, T3 into groups C1a, ..., C3c. In principle, the same threshold value can be used as in construction step c), but if necessary a similarity threshold value lower than the one used in construction step c) can also be used. In order to solve the problem of the missing connection between the group cards C1, C2, C3, the procedure is as follows: each log line s1, ..., sn is not only assigned to a group C1a, ..., C3c in order to generate the group card C1, C2, C3 of the time window T1, T2, T3 to which it belongs.
The same log line s1, ..., sn is also assigned to a group of the group cards C1, C2, C3 created for the neighboring time windows T1, T2, T3, in particular the temporally preceding and the temporally following one. The log lines s1, ..., sn are assigned to those groups C1a, ..., C3c of the neighboring group card C1, C2, C3 which contain the log lines most similar to the log line s1, ..., sn being processed. The assignment step is also performed using the incremental clustering algorithm mentioned above. However, no new groups C1a, ..., C3c are generated and no existing groups are changed; only additional assignments of log lines s1, ..., sn to the groups C1a, ..., C3c are stored. Subsequently, starting from the groups created in the construction step and shown in FIG. 3, assignments of the log lines s1, ..., s5 of the time window T1 to the groups C2a, C2b of the group card C2 of the time window T2 are determined and, conversely, assignments of the log lines s6, ..., s11 of the time window T2 to the groups C1a, C1b of the group card C1 of the time window T1. These assignments to groups C1a, C1b, C2a, C2b of the respectively temporally adjacent time window T1, T2 are indicated in FIG. 3 by dashed lines. For group C1a of group card C1 of time window T1, assignments or references R1a,next to the log lines s6, s7, s8 from the temporally following time window T2 are stored on the basis of their similarity. In the same way, assignments R1b,next to the log lines s10, s11 from the following time window T2 are stored for the group C1b of the group card C1 of the time window T1.
Likewise, assignments R2a,prev to the log lines s1, s2 from the temporally preceding time window T1 are stored for group C2a of group card C2 of time window T2, and assignments R2b,prev to the log lines s3, s4 from the preceding time window T1 are stored for the group C2b of the group card C2. Since a log line s1, ..., sn created when an event occurred is also assigned to groups C1a, ..., C3c in temporally adjacent time windows T1, T2, T3, it may happen that a log line is assigned to groups containing log lines created for different types of events, or that no assignment to a group of a temporally adjacent time window T1, T2, T3 can be found for a log line s1, ..., sn at all. In the exemplary embodiment shown, the log line s3 is assigned to group C1a of group card C1 of time window T1 and to group C2b of group card C2 of time window T2. No assignments to the groups C2a, C2b of the time window T2 are found for the log line s5, and no assignments to the groups C1a, C1b of the time window T1 are found for the log line s9, so that these log lines s5, s9 each represent outliers for the group card C1, C2 of the respectively adjacent time window T1, T2. The exact content of a respective log line s1, ..., sn is not necessarily unique. Therefore, a running identification number (ID) is preferably used as the unique identifier when storing assignments or references to a log line s1, ..., sn. Furthermore, in a method according to the invention the generation of the group card C1, C2, C3 is carried out one step ahead, for the subsequent time window T1, T2, T3, since the group card C1, C2, C3 of the subsequent time window would otherwise not yet exist.
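The construction step c) and the assignment step d) described above, written out as an added Python example (not the patent's or the cited paper's implementation). It uses the plain Levenshtein distance normalized by the longer string and the threshold 0.9 that the embodiment below fixes; the Apache-style log lines and the running line IDs are constructed inputs.

```python
from typing import List, Tuple

Group = Tuple[str, List[int]]  # (group representative = first line, running IDs of member lines)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Similarity on a 0..1 scale: 1 minus the distance normalized by the longer string
    (the embodiment's normalization; the alignment-length variant differs only in the divisor)."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def build_group_map(lines: List[str], threshold: float = 0.9, first_id: int = 0) -> List[Group]:
    """Construction step c) for one time window: the first line opens a group; every further
    line joins the group whose representative is most similar to it if that similarity exceeds
    the threshold, otherwise it opens a new group and becomes that group's representative."""
    groups: List[Group] = []
    for line_id, line in enumerate(lines, first_id):
        best = max(groups, key=lambda g: similarity(g[0], line), default=None)
        if best is not None and similarity(best[0], line) > threshold:
            best[1].append(line_id)
        else:
            groups.append((line, [line_id]))
    return groups


def assign_to_map(groups: List[Group], lines: List[str], threshold: float = 0.9,
                  first_id: int = 0) -> Tuple[List[List[int]], List[int]]:
    """Assignment step d): lines of a neighbouring window are matched against an existing group
    map. No group is created or changed; the result is, per group, the IDs of the foreign lines
    whose most similar representative is that group (the R_prev / R_next references), plus the
    IDs of lines that match no representative and are therefore outliers for this map."""
    refs: List[List[int]] = [[] for _ in groups]
    outliers: List[int] = []
    for line_id, line in enumerate(lines, first_id):
        best = max(range(len(groups)), key=lambda k: similarity(groups[k][0], line), default=None)
        if best is not None and similarity(groups[best][0], line) > threshold:
            refs[best].append(line_id)
        else:
            outliers.append(line_id)
    return refs, outliers


# Constructed Apache-style log lines, one minute per window, three event types:
# successful access (circle), authentication error (triangle), malformed Host header (square).
WINDOW_T1 = [
    '192.168.10.5 - - [20/Feb/2018:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '192.168.10.7 - - [20/Feb/2018:10:00:04 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '[Tue Feb 20 10:00:09 2018] [error] [client 192.168.10.9] user admin: authentication failure for "/secure/": Password Mismatch',
    '192.168.10.9 - - [20/Feb/2018:10:00:12 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '[Tue Feb 20 10:00:15 2018] [error] [client 192.168.10.9] user guest: authentication failure for "/secure/": Password Mismatch',
    '[Tue Feb 20 10:00:20 2018] [error] [client 192.168.10.11] Client sent malformed Host header',
]
WINDOW_T2 = [
    '192.168.10.12 - - [20/Feb/2018:10:01:03 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '[Tue Feb 20 10:01:10 2018] [error] [client 192.168.10.9] user root: authentication failure for "/secure/": Password Mismatch',
    '[Tue Feb 20 10:01:30 2018] [error] [client 192.168.10.4] Client sent malformed Host header',
    '192.168.10.3 - - [20/Feb/2018:10:01:40 +0100] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    map_t1 = build_group_map(WINDOW_T1)                      # group card C1
    print("C1 groups:", [ids for _, ids in map_t1])           # [[0, 1, 3], [2, 4], [5]]
    refs_next, outliers = assign_to_map(map_t1, WINDOW_T2, first_id=len(WINDOW_T1))
    print("R_next per C1 group:", refs_next, "outliers:", outliers)  # [[6], [7], [8]] outliers: [9]
```

The POST line of the second window matches none of the first window's representatives and therefore becomes an outlier for group card C1, exactly the situation of lines s5 and s9 in FIG. 3.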
Allocation step
After assignments of the individual log lines s1, ..., sn to the respective groups of adjacent time windows have been found in assignment step d), individual groups C1a, ..., C3c are allocated to one another over several time windows T1, T2, T3. It is assumed that the groups in question each contain log lines of similar content, and in this way the temporal development or course of the groups can be recorded. In the allocation step, assignments are made between the groups C1a, ..., C3c of a group card C1, C2, C3 of a respective time window T1, T2, T3 and the groups C1a, ..., C3c of a group card C1, C2, C3 created for a temporally, in particular immediately, preceding or a temporally, in particular immediately, following time window T1, T2, T3. In the exemplary embodiment shown, tracking the individual groups C1a, C1b, C2a, C2b over the time windows T1, T2 requires, for each group C1a, C1b of the group card C1 and each group C2a, C2b of the group card C2, a metric that describes the probability of a transition from the groups C1a, C1b of the group card C1 to the groups C2a, C2b of the group card C2. This metric indicates whether the respective groups C1a, C1b, C2a, C2b of the group cards C1, C2 were generated by similar events or by similar log lines s1, ..., sn created on the basis of these events. An intuitive metric describing the relationship of the respective groups C1a, C1b, C2a, C2b of the group cards C1, C2 is provided in a method according to the invention by the proportion of elements or log lines s1, ..., sn that the respective groups of the two group cards C1, C2 have in common.
Since identical log lines s1, ..., sn cannot be identified across the groups C1a, ..., C3c, the group model introduced above is used, which contains assignments or references to the log lines s1, ..., sn of the temporally adjacent time windows T1, T2, T3. In step e) an overlap indicator is formed. The overlap is based on the Jaccard coefficient for binary sets. The Jaccard coefficient is described, for example, in D. Greene, D. Doyle, P. Cunningham, "Tracking the Evolution of Communities in Dynamic Social Networks", International Conference on Advances in Social Networks Analysis and Mining, pages 176-183, 2010. For the group model according to the invention, the Jaccard coefficient was adapted by the following formulation. For a group $C^{a}$ of a time window $T_i$ with its references $R^{a}_{\mathrm{curr}}$, $R^{a}_{\mathrm{next}}$ and a group $C^{b}$ of the following time window $T_{i+1}$ with its references $R^{b}_{\mathrm{curr}}$, $R^{b}_{\mathrm{prev}}$, the intersections and unions of the references to the two time windows are pooled:
$$\mathrm{overlap}(C^{a}, C^{b}) = \frac{|R^{a}_{\mathrm{curr}} \cap R^{b}_{\mathrm{prev}}| + |R^{a}_{\mathrm{next}} \cap R^{b}_{\mathrm{curr}}|}{|R^{a}_{\mathrm{curr}} \cup R^{b}_{\mathrm{prev}}| + |R^{a}_{\mathrm{next}} \cup R^{b}_{\mathrm{curr}}|}$$
The set R1a,curr shown in FIG. 3 comprises the log lines s1, s2, s3, which were assigned to group C1a for the time window T1 in construction step c). The set R1b,curr comprises the log lines s4, s5, which were assigned to the group C1b for the time window T1 in construction step c). The set R2a,curr comprises the log lines s6, s7, s8, s9, which were assigned to the group C2a for the time window T2 in construction step c). The set R2b,curr comprises the log lines s10, s11, which were assigned to the group C2b for the time window T2 in construction step c). The set R2a,prev comprises the log lines s1, s2 of the time window T1, which were assigned to the group C2a of the time window T2 in the assignment step. The set R2b,prev comprises the log lines s3, s4 of the time window T1, which were assigned to the group C2b of the time window T2 in the assignment step. The set R1a,next comprises the log lines s6, s7, s8 of the time window T2, which were assigned to the group C1a of the time window T1 in the assignment step.
The set R1b,next comprises the log lines s10, s11 of the time window T2, which were assigned to the group C1b of the time window T1 in the assignment step. The overlap overlap(C1a, C2a) of the two groups C1a, C2a is calculated from these sets in the manner stated above. Correspondingly, the overlap indicators for the other combinations of groups from the adjacent time windows T1, T2 are: overlap(C1b, C2a) = 0, overlap(C1a, C2b) = 1/9 = 0.111, overlap(C1b, C2b) = 3/5 = 0.6. The overlap index always lies in the interval [0, 1], where 1 means that all log lines s1, ..., sn assigned to one of the two groups C1a, C1b, C2a, C2b were also assigned to the other group, which corresponds to a perfect match. Conversely, 0 means that none of the log lines s1, ..., sn assigned to one of the two groups C1a, C1b, C2a, C2b was also assigned to the other group, which indicates a mismatch. Following the formation of the overlap index, the development of individual groups C1a, ..., C3c over several time windows T1, T2, T3 is now examined. In a simplified setting (FIG. 4), in which the groups C1a, ..., C3c remain very stable over a long period of time, this procedure is suitable for following each group C1a, ..., C3c individually. In realistic scenarios with changing environments, however, groups C1a, ..., C3c often undergo changes or transitions, e.g. divisions or mergers, which lower the overlap ratio and indicate anomalies.
Therefore, in a method according to the invention, the tracking of groups C1a, ..., C3c is extended by a mechanism for handling transitions. The structure and composition of groups C1a, ..., C3c can change over time. On the one hand, these changes are indicators of anomalous system behavior and thus relevant for the detection of anomalies. On the other hand, they make it difficult to track groups C1a, ..., C3c, since such changes typically affect the overlap index between the groups. In a further method step f), individual groups of adjacent time windows are assigned to one another. These assignments form the basis for the later tracking of groups of log lines with similar content over longer periods of time. In order to create an association between neighboring groups, a first threshold value θ for the overlap indicator and a second threshold value θ_part for partial overlaps, which is relevant for divisions and mergers, are defined below. In general, the overlap ratio becomes smaller for divisions and mergers, because there is only a partial overlap with the newly created groups C1a, ..., C3c. Therefore, θ_part < θ is selected according to the invention. Typical values for θ and θ_part are: 0.5 < θ < 0.8 and 0.1 < θ_part < 0.4. The assignments can be made in different ways, whereby the following typical scenarios can occur: Survival: A group C1a survives and turns into a group C2a if the overlap index of C1a and C2a reaches the first threshold value θ and there is no other group in C1 or C2 whose overlap index with one of the two exceeds θ_part.
Division (FIG. 4): A group C4b divides into p groups C5b,1, C5b,2, ... if each of these has a minimum of similarity to the original group C4b, i.e. its overlap index with C4b reaches θ_part, and the union of all parts has a minimum of similarity to the original group C4b, i.e. the aggregated overlap reaches θ; in this case there is no other group C5a, C5c which has an overlap index greater than θ_part with one of the groups involved. Fusion (FIG. 4): The set of groups C2b,1, C2b,2 unites to form a larger group C3b if all subgroups have a minimum of similarity to the resulting group C3b, i.e. their overlap index with C3b reaches θ_part, and the union of all parts has a minimum of similarity to the resulting group C3b, i.e. the aggregated overlap reaches θ. In this case, too, there is no other group C3a which has an overlap greater than θ_part with one of the groups C2b,1, C2b,2 involved. Disappearance or appearance: A group C5a disappears or a group C4c appears if none of the above cases applies. With this procedure, no connection is established between groups C1a, C1b, C1c, C2a, C2b, C2c of two group cards C1, C2 if their overlap index does not exceed the second threshold value θ_part. This prevents subgroups whose overlap index does not exceed this second threshold value θ_part from contributing to the aggregated group C1a, ..., C2c in the event of a division or a merger. In this way, the individual groups are connected to one another via assignments in a path formation step g). Individual directed paths A, B, C are thereby created, whose nodes are the respective groups C1a, ..., C3c and whose edges are the assignments described above. The paths allow the occurrence and the change in appearance of certain types of log lines to be tracked over time.
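The overlap index of step e) on the FIG. 3 reference sets and the transition rules of step f), together with the predecessor decision rule described in the embodiment, as an added Python example (not the patent's own code). The FIG. 3 line IDs are taken from the text; the division and fusion sets are constructed, and the division/fusion rule is implemented as the sum of the partial overlaps reaching θ, which is how the embodiment states it.

```python
from typing import Dict, List, Set, Tuple

Refs = Dict[str, Set[int]]  # a group: its 'curr' line IDs plus 'prev' / 'next' cross-window references

THETA, THETA_PART = 0.7, 0.2  # thresholds fixed in the patent's embodiment

# Reproduction of the FIG. 3 reference sets (line IDs 1..11 as in the text).
MAP_T1: Dict[str, Refs] = {
    "C1a": {"curr": {1, 2, 3}, "next": {6, 7, 8}},
    "C1b": {"curr": {4, 5}, "next": {10, 11}},
}
MAP_T2: Dict[str, Refs] = {
    "C2a": {"curr": {6, 7, 8, 9}, "prev": {1, 2}},
    "C2b": {"curr": {10, 11}, "prev": {3, 4}},
}


def overlap(g_old: Refs, g_new: Refs) -> float:
    """Jaccard-style overlap of a group of window T_i with a group of window T_i+1.
    Lines of T_i are compared via g_old's own members and g_new's 'prev' references,
    lines of T_i+1 via g_old's 'next' references and g_new's own members; both
    intersections and both unions are pooled before dividing."""
    inter = len(g_old["curr"] & g_new["prev"]) + len(g_old["next"] & g_new["curr"])
    union = len(g_old["curr"] | g_new["prev"]) + len(g_old["next"] | g_new["curr"])
    return inter / union if union else 0.0


Transition = Tuple[str, List[str], List[str]]  # (kind, groups of T_i, groups of T_i+1)


def transitions(old_map: Dict[str, Refs], new_map: Dict[str, Refs],
                theta: float = THETA, theta_part: float = THETA_PART
                ) -> Tuple[Dict[Tuple[str, str], float], List[Transition]]:
    """Step f): classify how the groups of one window turn into those of the next.
    A pair is a candidate only if its overlap reaches theta_part. A survival needs
    overlap >= theta; a division or fusion needs the sum of the partial overlaps
    >= theta and no further candidate touching any group involved. Everything
    else disappears or appears."""
    ov = {(a, b): overlap(old_map[a], new_map[b]) for a in old_map for b in new_map}
    succ = {a: [b for b in new_map if ov[a, b] >= theta_part] for a in old_map}
    pred = {b: [a for a in old_map if ov[a, b] >= theta_part] for b in new_map}
    found: List[Transition] = []
    done_old: Set[str] = set()
    done_new: Set[str] = set()
    for a, bs in succ.items():
        if not bs or any(pred[b] != [a] for b in bs):
            continue  # a successor is also claimed by another old group: handled as a fusion below, or not at all
        if sum(ov[a, b] for b in bs) >= theta:
            found.append(("survival" if len(bs) == 1 else "division", [a], bs))
            done_old.add(a)
            done_new.update(bs)
    for b, as_ in pred.items():
        if len(as_) > 1 and all(succ[a] == [b] for a in as_) and sum(ov[a, b] for a in as_) >= theta:
            found.append(("fusion", as_, [b]))
            done_old.update(as_)
            done_new.add(b)
    found += [("disappearance", [a], []) for a in old_map if a not in done_old]
    found += [("appearance", [], [b]) for b in new_map if b not in done_new]
    return ov, found


def preferred_predecessor(ov: Dict[Tuple[str, str], float], found: List[Transition], group: str):
    """Decision rule for path tracking: among the predecessors a fusion gives a group,
    follow the one with the largest overlap index (None if the group just appeared)."""
    cands = [a for _, srcs, dsts in found if group in dsts for a in srcs]
    return max(cands, key=lambda a: ov[a, group]) if cands else None


# Constructed reference sets for a division (C4b -> C5b1 + C5b2) and a fusion (C2b1 + C2b2 -> C3b),
# shaped like the FIG. 4 scenarios but with made-up line IDs.
SPLIT_OLD = {"C4b": {"curr": {40, 41, 42, 43}, "next": {50, 51, 52, 53}}}
SPLIT_NEW = {"C5b1": {"curr": {50, 51}, "prev": {40, 41}},
             "C5b2": {"curr": {52, 53}, "prev": {42, 43}}}
FUSION_OLD = {"C2b1": {"curr": {20, 21, 22, 23}, "next": {30, 31, 32, 33}},
              "C2b2": {"curr": {24}, "next": {34}}}
FUSION_NEW = {"C3b": {"curr": {30, 31, 32, 33, 34}, "prev": {20, 21, 22, 23, 24}}}

if __name__ == "__main__":
    ov, found = transitions(MAP_T1, MAP_T2)
    print({k: round(v, 3) for k, v in ov.items()})  # C1a/C2a 0.714, C1a/C2b 0.111, C1b/C2a 0.0, C1b/C2b 0.6
    print(found)                                    # C1a survives into C2a; with theta=0.7 the 0.6 of C1b/C2b falls short
    print(transitions(SPLIT_OLD, SPLIT_NEW)[1])     # division of C4b into C5b1, C5b2 (0.5 + 0.5 >= theta)
    ov_f, found_f = transitions(FUSION_OLD, FUSION_NEW)
    print(found_f, preferred_predecessor(ov_f, found_f, "C3b"))  # fusion; the path follows C2b1 (0.8 > 0.2)
```

Lowering θ to 0.6 lets C1b survive into C2b, which shows how directly the chosen thresholds decide whether a changed group is reported as a transition or as a disappearance plus appearance.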
In order to track individual groups C1a, ..., C3c over time, it can be advantageous to continue following the path in question, which indicates the development of a group C1a, ..., C3c, even if a division or merger occurs. Paths are then advantageously selected on the basis of the overlap index achieved, the group size, the time span for which a group under consideration C1a, ..., C3c has already existed, or a combination of these factors.
Embodiment
The method presented is explained step by step on the basis of the exemplary embodiment shown in FIG. 4. The exemplary log file 4 with log lines s1, ..., sn is shown in Table 1. FIG. 4 shows six time windows T1, ..., T6, in which the development of the groups C1a, C1b, C2a, C2b,1, C2b,2, C3a, C3b, C4a, C4b, C4c, C5a, C5b,1, C5b,2, C5c, C6b,1, C6b,2, C6c can be traced. In the following, the log lines s0 to s74 are referenced by a log line identification number. The log lines s0, ..., s74 are examples of typical Apache log lines. In the example, three types of log lines are used, which are identified by symbols: ○: a successful file access via HTTP. Δ: an error message caused by an authentication error. □: an error message caused by a malformed Host header. The log file 4 extends over a period of six minutes. A time window length of one minute is selected for the following calculations. Within each time window T1, ..., T6, the log lines s0, ..., s74 are grouped according to the similarity of their character strings. The Levenshtein distance ΔV is used to calculate the distance between any two strings a and b. The distance is normalized by dividing it by the length of the longer of the two character strings.
The normalized similarity of two strings is then derived from this normalized distance. The similarity obtained is compared to a predefined threshold value, which was set to 0.9 in the exemplary embodiment shown. For example, the log line s0 achieves a high similarity value of 0.98 to the similar log line s1, but only a low similarity value of 0.15 to the log line s2. FIG. 4 gives an overview of the group cards C1, ..., C6 which were formed in each time window T1, ..., T6. In the first time window T1 between t0 and t1, two groups C1a, C1b, which correspond to the event types Δ and ○, are formed from the log lines s0, ..., s8; each of the two groups references the log lines of its event type. For the next time window T2, a group card C2 is created from the lines s9, ..., s17. Here there are two groups of event type ○. The reason for this is that the similarity of the lines s9 and s10 is only 0.88, so two separate groups C2b,1, C2b,2 were generated. The groups C2a, C2b,1 and C2b,2 on group card C2 accordingly each reference the log lines assigned to them. These assignments are made in construction step c). In assignment phase d), the log lines s0, ..., s74 which generated the groups C2a, C2b,1, C2b,2 of the group card C2 are now also assigned to the groups C1a, C1b of the group card C1, which results in additional assignments or references for the groups C1a and C1b. The assignment is also carried out in the opposite direction, so that the log lines of the group card C1 are assigned to individual groups in the group card C2, which results in additional references for the group C2a, the group C2b,1 and the other group C2b,2.
With these values it is possible to determine the transitions from the groups C1a, C1b of group card C1 to the groups C2a, C2b,1, C2b,2 of group card C2. For this purpose, the overlap indicator is calculated for all possible connections between the groups C1a, C1b and C2a, C2b,1, C2b,2. According to the algorithm for detecting transitions, the overlap index between two groups must be at least θ_part for the transition to be a candidate for a division, split or merger, and the aggregated overlap ratio must be at least θ for it to be finally added to the set of transitions. In the exemplary embodiment shown, θ_part = 0.2 and θ = 0.7 are fixed. The groups C1a and C2a achieve the highest possible overlap index of 1, i.e. all log lines that were assigned to group C1a were also assigned to group C2a and vice versa. The connection between the two groups C1a and C2a is thus established immediately. All other combinations of groups from two neighboring group cards are calculated analogously. In the exemplary embodiment shown there is, for example, no perfect overlap for C1b and C2b,1. Again, however, the overlap index is high enough that the connection between the groups C1b and C2b,1 is established immediately. The reason why a perfect overlap of 1 was not achieved in this case is that the log line s9 was assigned to group C2b,2 instead of group C2b,1 and is therefore missing from the intersection. The last relevant overlap, between group C1b and group C2b,2, is not high enough to be considered as a candidate for a transition, because the overlap ratio does not exceed θ_part.
There are two reasons for this: first, a log line contained in group C2b,2 was not assigned to any group of group card C1, because it was not sufficiently similar to the group representatives and therefore formed an outlier. Second, none of the log lines assigned to group C1b was assigned to group C2b,2. All other combinations of groups result in an overlap index of 0. Analogously, these calculations are also carried out between the group cards C2, C3. The overlap ratio between C2a and C3a is again 1. The transitions from C2b,1 and C2b,2 to C3b determined here represent a fusion. This can be explained as follows: first, the overlap between the groups C2b,1 and C3b reaches θ, which by itself establishes the connection between the two. However, the overlap of C2b,2 with C3b lies between θ_part and θ, so that group C2b,2 contributes a sufficiently large proportion to the resulting group C3b, and therefore a transition between these two is also added. Accordingly, there are two connections to group C3b. However, such constellations make it difficult to determine the course of a single group type. This is because divisions and mergers enable any number of branches between the groups. A decision rule can therefore advantageously be used which determines which path is followed when tracking a group or a path. It can be provided, for example, that the path B1 with the largest calculated overlap index is preferred over path B2. In the case of group C3b, C2b,1 and not C2b,2 is therefore selected as the predecessor. To make this clear, the connections with lower overlap indicators are shown in FIG. 4 as dashed lines. In addition to the appearance of a new group C4c and path C in time window T4 and the disappearance of group C5a, i.e. the end of path A, in time window T5, another event occurs between the time windows T4 and T5: group C4b divides into two paths B1' and B2', each of which contains one of the groups C5b,1, C5b,2.
Unlike the overlap ratios of the fusion discussed above, where one of the overlap ratios exceeds the first threshold value θ, both overlap indicators here, overlap(C4b, C5b,1) and overlap(C4b, C5b,2), lie below θ. This means that neither of the two overlap metrics alone would be high enough to establish a connection. However, both overlap metrics exceed the partial-overlap threshold θ_part and are therefore treated as candidates for a division. In addition, the sum of the overlap indicators exceeds θ. Therefore, both connections are added to the set of transitions. Again, the path with the higher overlap metric is selected, i.e. in the embodiment shown the connection between the groups C4b and C5b,1 of the paths B1', B2', if the group that corresponds to the event type ○ is followed. A more complex clustering model, which assigns the log lines of a certain time window not only to the group cards of its directly adjacent time windows but also to the next but one time window, is able to calculate an aggregated overlap or an aggregated overlap indicator over several time windows. This means that the overlap of a certain group of group card C1, via another group of group card C2, to a third group of group card C3 is calculated using not only the already known references between the groups of C1 and C2 and between the groups of C2 and C3, but also the references between the groups of C1 and C3. These references carry a second index indicating the temporal distance, counted in time windows, between the two groups or group cards, i.e. here the group card C2 was skipped. Following this terminology, the already known references between two directly adjacent group cards carry the distance 1, and analogously the references between groups that are m steps apart carry the distance m. The overlap index between a number N of groups is then defined on the basis of these references.
Indicators and measures of change
The tracking of a path of groups is illustrated below: all groups that exist in at least three consecutive time windows are tracked individually.
An indicator is formed along the determined paths; its change over time is a measure of the change in the group behaviour of the system, program or computer that creates the log lines. To characterise changes in individual groups, the following indicators can be used, each of whose changes indicates a change of the group. In the following, |C^i_a| denotes the number of log lines of a group C^i_a and |C^{i+1}_a| the number of log lines assigned to the corresponding group C^{i+1}_a in the subsequent time window. The following internal transitions are taken into account:

Group size (number of elements or log lines s_1, ..., s_n in a group): a group grows from one time step to the next if |C^{i+1}_a| > |C^i_a|, shrinks if |C^{i+1}_a| < |C^i_a|, and otherwise remains constant.

Compactness: the standard deviation σ indicates the spread of the distances between the group elements and the group representative. A group becomes more diffuse if σ^{i+1}_a > σ^i_a, more compact if σ^{i+1}_a < σ^i_a, and otherwise keeps its compactness.

Location: since groups have no absolute position and only the distances between their representatives can be determined, changes in location can only be stated relative to other groups.

Skewness: the skewness γ measures the asymmetry of the group elements, i.e. the deviation from a uniform distribution of the elements within a group. The skewness of a group increases if γ^{i+1}_a > γ^i_a, decreases if γ^{i+1}_a < γ^i_a, and otherwise remains constant.

The group sizes g are recorded in time steps z, i.e. after each time window. Fig. 5 shows schematically the development of three groups assigned to the three event types ○, Δ and □ described above; the time steps z are plotted on the x-axis and the group size g on the y-axis. Group sizes of 0 are not shown in Fig. 5, since the corresponding groups did not exist in the respective time windows.
Evolution metrics

In addition to the indicators described so far, knowledge of the dependencies and evolutionary relationships between the groups of several, in particular at least two, consecutive time windows T_1, ..., T_6 makes it possible to derive detailed information about individual groups and about interactions between groups, and to determine more advantageous indicators as a measure of change. Certain features, such as the group size or the frequency of the log lines s_1, ..., s_74 within a time window T_1, ..., T_6, are relevant metrics for anomaly detection. However, such metrics do not necessarily reveal anomalies that consist in log lines s_1, ..., s_74 or elements shifting from one group to another. Therefore metrics and indicators are also calculated that take the effects of transitions between groups into account, as is done, for example, in M. Toyoda, M. Kitsuregawa, Extracting Evolution of Web Communities from a Series of Web Archives, Proceedings of the Fourteenth ACM Conference on Hypertext and Hypermedia, pages 28-37, 2003, who also use inter-cluster metrics in cluster and group evolution analysis. The following list shows a selection of these metrics, which can advantageously be adopted for the model according to the invention. The metrics are only calculated for two groups C^1 and C^2 if they lie on the same path or are connected to one another by one of the external transitions mentioned above. The metrics express the following properties of two groups on the same path:

Growth rate: indicates whether the number of log lines s_1, ..., s_n has increased or decreased, by subtracting the group size of the earlier time window from the group size of the later time window T_1, T_2, T_3. To express the change relative to the number of log lines s_1, ..., s_n within a time window T_1, T_2, T_3, the difference is divided by the total number of assigned log lines s_1, ..., s_n.
Rate of change: unlike the growth rate, only the assignments of the log lines s_1, ..., s_n of one particular time window T_1, T_2, T_3 are taken into account, but as assigned to two different group maps C^1, C^2, C^3. This metric is therefore a measure of how the group changes between the group maps C^1, C^2, C^3. Again, the metric is calculated relative to the total number of log lines s_1, ..., s_n. It should be noted that, for this and all subsequent metrics, it is equally possible to calculate the metric on the basis of the log lines s_1, ..., s_n of the group map C^2 instead.

Stability rate: uses set operations to count the log lines s_1, ..., s_n that have changed between the respective sets. In this form the value is normalised to the range [0, 1], where 0 indicates an absolutely stable group, i.e. all log lines s_1, ..., s_n that were assigned to this group in one time window T_1, T_2, T_3 were also assigned to it in the other time window.

Novelty rate: this rate measures whether log lines s_1, ..., s_n of a time window T_1, T_2, T_3 were assigned to a group of the later group map C^1, C^2, C^3 but not to the group of their own group map to which they belong. A possible reason for a high novelty rate is a change of the group representative in the later time window T_1, T_2, T_3. As a rule, however, it does not mean that the later group map C^1, C^2, C^3 fits the log lines s_1, ..., s_n better, since only the added but not the removed log lines s_1, ..., s_n are counted. Accordingly, an increase in group size does not necessarily mean that the novelty rate deviates from 0. Note that this metric turns into a measure of the disappearance of log lines s_1, ..., s_n from a group when the terms in the numerator are reversed.
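To make the four rates above concrete, the following block is an added example (not the patent's code) that computes them for one group of a constructed window T_i from the two group maps its log lines were assigned to. The description gives the rates only in words, so the exact formulas here are assumptions consistent with it: differences and set operations, each normalised by the number of assigned log lines of the window (or by the size of the union for the stability rate, so that it lies in [0, 1]); the reversed-numerator variant of the novelty rate is included as the disappearance rate.

```python
"""Evolution metrics along one path (growth, change, stability, novelty rate).

Added example, not the patent's code. Input per window T_i: the group each
log line received in its own group map C^i (OWN_I) and the group it was
assigned to in the next map C^{i+1} in step d) (NEXT_I); None = outlier.
OWN_NEXT is the next window's own group map. Formulas are assumptions that
follow the description. All data is constructed.
"""

# Window T_i: log lines 1..10. Line 10 is an outlier in C^i, line 9 in C^{i+1}.
OWN_I = {1: "a", 2: "a", 3: "a", 4: "a", 5: "b", 6: "b", 7: "b", 8: "b", 9: "b", 10: None}
NEXT_I = {1: "a", 2: "a", 3: "a", 4: "b", 5: "b", 6: "b", 7: "b", 8: "b", 9: None, 10: "b"}
# Window T_{i+1}: log lines 11..22 in their own group map C^{i+1}.
OWN_NEXT = {11: "a", 12: "a", 13: "a", **{l: "b" for l in range(14, 22)}, 22: "c"}


def members(assignment, group):
    """Ids of the log lines carrying `group` in an assignment table."""
    return {line for line, g in assignment.items() if g == group}


def assigned(assignment):
    """Number of log lines that received any group (outliers excluded)."""
    return sum(g is not None for g in assignment.values())


def growth_rate(p, q):
    """(|C^{i+1}_q| - |C^i_p|) relative to the assigned lines of T_i."""
    return (len(members(OWN_NEXT, q)) - len(members(OWN_I, p))) / assigned(OWN_I)


def change_rate(p, q):
    """Same lines of T_i, two group maps: how many more of them fall into q
    under C^{i+1} than into p under C^i, relative to the assigned lines."""
    return (len(members(NEXT_I, q)) - len(members(OWN_I, p))) / assigned(OWN_I)


def stability_rate(p, q):
    """Share of lines in either set but not both; 0 = absolutely stable."""
    a, b = members(OWN_I, p), members(NEXT_I, q)
    return len(a ^ b) / len(a | b) if a | b else 0.0


def novelty_rate(p, q):
    """Lines of T_i placed in q by C^{i+1} but not in p by C^i (added only)."""
    a, b = members(OWN_I, p), members(NEXT_I, q)
    return len(b - a) / assigned(OWN_I)


def disappearance_rate(p, q):
    """Novelty rate with the numerator terms reversed: lines that left p."""
    a, b = members(OWN_I, p), members(NEXT_I, q)
    return len(a - b) / assigned(OWN_I)


def evolution_metrics(p, q):
    """All rates for the path step p (in C^i) -> q (in C^{i+1}), rounded."""
    return {name: round(f(p, q), 3) for name, f in [
        ("growth", growth_rate), ("change", change_rate),
        ("stability", stability_rate), ("novelty", novelty_rate),
        ("disappearance", disappearance_rate)]}


if __name__ == "__main__":
    for path in ("a", "b"):
        print(path, evolution_metrics(path, path))
```

For group b the growth rate is positive although two of its lines came from group a and one was lost, which is exactly what the stability, novelty and disappearance rates separate out.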
In one embodiment of the invention, for simple anomaly detection, the metrics are compared with predefined thresholds and alarms are triggered when one or more of these thresholds are exceeded. It is more effective, however, to treat these metrics, in particular the group size, as time series, which makes them suitable for time-series-based anomaly detection. For the embodiment illustrated in Fig. 4, the relative growth rate of the group C_3a of log lines of type Δ between the time windows T_3 and T_4 is calculated as follows: with the total number of log lines occurring in time window T_3 as the divisor, a relative growth rate of 0.44 results for the group C_3a considered in time window T_4.

Time series analysis (TSA) model

Time series are sequences of values assigned to specific points in time. A time step therefore describes the state of the internal and external transitions and the corresponding metrics of each group at the end of a time window T_1, T_2, T_3. These sequences are modelled with suitable methods, e.g. autoregressive integrated moving average (ARIMA) processes. ARIMA is a well-researched and widely used modelling technique for TSA that can incorporate the effects of trends and seasonal behaviour in its approximations, as described in J. Cryer, K. Chan, Time Series Analysis: With Applications in R, Springer Texts in Statistics, 2008. The length of the time series keeps growing through the continuous processing of log lines s_1, ..., s_n and at some point becomes problematic, either because of a lack of memory or because of the excessively long runtime needed to fit an ARIMA model. As a solution, only the last P values are therefore stored and used for the model, since older values are of less relevance.

Forecast

Once estimates for the parameters of an ARIMA model have been calculated, the model can be extrapolated into the future.
This corresponds to a forecast of the data point immediately following the last known value. By applying this method recursively, it is possible in principle to predict arbitrary horizons far into the future. Preferably, however, an ARIMA model is created in each time step z, so that it is sufficient to predict only one time step.

The smoothness of the curve followed by a time series can vary greatly. Neither a threshold on the absolute nor on the relative deviation between the prediction and the actually measured value is therefore suitable for anomaly detection. Assuming independent and normally distributed errors, a prediction interval is instead derived from the measured variance of the previous values, which contains the future value with a given probability. The equation for anomaly detection by means of this interval is given below in the section "Anomaly detection".

Correlation

Some types of log lines s_1, ..., s_n often appear at identical intervals, either because the processes that generate them are technically linked, so that one log line s_1, ..., s_n must always be followed by another, or because the processes that generate these log lines happen to overlap in their periodic cycles. In either case the time series of the groups to which these log lines s_1, ..., s_n are assigned follow a similar pattern, and it is expected that they continue this consistent behaviour in the future. This relationship is estimated by the cross-correlation function CCF_k described in J. Cryer, K. Chan, Time Series Analysis: With Applications in R, Springer Texts in Statistics, 2008, which is defined there for two time series y_t, z_t and any lag k. Using the correlation as a measure of similarity makes it possible to group similar time series.
While the prediction with an ARIMA model has to be carried out in every time step z, this is advantageously not necessary for the correlation analysis. The reason is that all points are weighted equally when the correlation between two time series is calculated, so adding one data point to the series changes the correlation only slightly.

Groups that correlate with each other in normal system operation over a longer period are expected to continue to do so in the future. If some of these groups permanently stop correlating, this indicates that a certain event has occurred which should be detected as an anomaly. The same reasoning applies to groups that were not similar but suddenly correlate. This correlation analysis should be performed several times to make sure that the groups found really correlate with each other and that this is not just a random, temporary phenomenon. Only then does it make sense to report groups that drop out of these known sets of correlating groups, or newly join them, as anomalies.

The correlation is explained below using the two time series shown in Fig. 6, where the time steps z are plotted on the x-axis and the group size g on the y-axis. Fig. 6 shows that the time series X correlates with the time series Y in time steps 1, ..., 10, even though there is an offset and the slopes do not match perfectly in most steps. For simplicity, only k = 0 is considered in this example. For the first 10 time steps the mean values of both series are easily calculated (1015 for the time series X), and the correlation is then computed from the deviations from these means. The correlation is usually compared with a predefined threshold which decides whether two time series correlate or not. Assuming a threshold of 0.8, the two groups corresponding to the time series Y and X are marked as belonging together.
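The following block is an added example (not the patent's code) of the correlation analysis described above: the sample cross-correlation at lag k (the usual estimate of CCF_k; lag 0 is the Pearson coefficient), a known set of correlating group pairs that is only accepted after the pairs have correlated in several baseline windows, and a check that reports pairs leaving that set or newly entering it. The threshold 0.8 is the one the description uses; the group-size series, the group names X, Y, W and the confirmation count are constructed here.

```python
"""Correlation sets of group time series and their loss or appearance.

Added example, not the patent's code. ccf() is the sample cross-correlation
between y_t and z_{t+k}; the tracker confirms a pair over several baseline
windows before it counts as "known", then flags known pairs that stop
correlating and unknown pairs that start to. All series are constructed.
"""
import math
from itertools import combinations


def ccf(y, z, k=0):
    """Sample cross-correlation of y_t with z_{t+k} (k >= 0); k = 0 is Pearson."""
    if len(y) != len(z):
        raise ValueError("series must have equal length")
    if k:
        y, z = y[:-k], z[k:]
    n = len(y)
    my, mz = sum(y) / n, sum(z) / n
    cov = sum((a - my) * (b - mz) for a, b in zip(y, z))
    vy = sum((a - my) ** 2 for a in y)
    vz = sum((b - mz) ** 2 for b in z)
    return cov / math.sqrt(vy * vz) if vy and vz else 0.0


class CorrelationTracker:
    def __init__(self, threshold=0.8, min_confirmations=2, lag=0):
        self.threshold, self.min_conf, self.lag = threshold, min_confirmations, lag
        self.hits = {}       # pair -> number of baseline windows above threshold
        self.known = set()   # pairs confirmed to correlate in normal operation

    def _correlated(self, window):
        """Pairs of group names whose series correlate in this window."""
        return {(a, b) for a, b in combinations(sorted(window), 2)
                if ccf(window[a], window[b], self.lag) >= self.threshold}

    def learn(self, window):
        """Baseline phase: a pair joins the known set once confirmed often enough."""
        for pair in self._correlated(window):
            self.hits[pair] = self.hits.get(pair, 0) + 1
            if self.hits[pair] >= self.min_conf:
                self.known.add(pair)
        return self.known

    def check(self, window):
        """Monitoring phase: known pairs that stopped correlating are reported
        as 'lost', pairs outside the known set that now correlate as 'new'."""
        now = self._correlated(window)
        return ([("lost", a, b) for a, b in sorted(self.known - now)] +
                [("new", a, b) for a, b in sorted(now - self.known)])


# Constructed group-size series, 10 time steps per window, for groups X, Y, W.
BASELINE = [
    {"X": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10],
     "Y": [2, 4, 5, 8, 10, 11, 14, 16, 19, 20],
     "W": [5, 3, 6, 2, 5, 3, 6, 2, 5, 3]},
    {"X": [2, 3, 5, 6, 8, 9, 11, 12, 14, 15],
     "Y": [1, 2, 4, 5, 7, 8, 10, 11, 13, 14],
     "W": [3, 6, 2, 5, 3, 6, 2, 5, 3, 6]},
]
# In the monitored window Y no longer follows X but W now follows Y.
MONITOR = {"X": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10],
           "Y": [10, 1, 10, 1, 10, 1, 10, 1, 10, 1],
           "W": [4, 3, 6, 2, 5, 3, 6, 2, 5, 3]}

if __name__ == "__main__":
    tracker = CorrelationTracker()
    for window in BASELINE:
        tracker.learn(window)
    print("known:", tracker.known)          # {('X', 'Y')}
    print("anomalies:", tracker.check(MONITOR))
```

Note that `check` reports a new correlation after a single window; the description recommends confirming it over several windows before reporting it, which the tracker does only for the baseline.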
The correlation between the time steps z_11, ..., z_20 is calculated analogously; the mean values of the two time series X, Y have to be recalculated for this interval. The plot already indicates a weaker correlation in this interval, and accordingly the calculated correlation is only about 0.34. This value lies below the predefined threshold, so no correlation is found. This contradicts the previous knowledge about the correlation of the time series Y and X and is therefore reported as an anomaly. Optionally, in a method according to the invention, correlations over several time windows can be used in practical applications to ensure that the time series are actually correlated; this was neglected in the embodiment shown for reasons of simplicity.

Anomaly detection

The anomaly detection algorithm checks for each evolving group whether the actually measured value lies within the predicted forecast interval. The calculation of this interval is based on the ARIMA estimate ŷ_t and an error estimate e. With the quantiles of the standard normal distribution Z, an anomaly at confidence level (1 − α) is detected if the actual value y_t lies outside the prediction interval, i.e.

$$ y_t \notin \left[\hat y_t - z_{1-\alpha/2}\sqrt{\operatorname{Var}(e)},\; \hat y_t + z_{1-\alpha/2}\sqrt{\operatorname{Var}(e)}\right]. $$

The application of this formula is illustrated by the embodiment shown in Fig. 7, which considers a group size g measured over several time steps z. Fig. 7 shows the actual group size g as a solid line and the calculated prediction limits as dashed lines; detected anomalies are marked with circles. First, the pr
ediction interval is calculated, for example the forecast limits for time step z_17, i.e. the group sizes g of the time steps z_1, ..., z_16 are taken into account in the forecast. An ARIMA model is fitted according to either the AIC, AICc or BIC value. This is done with the auto.arima command from the forecast package of R.
Depending on the data analysed, certain parameters, e.g. seasonality, are adjusted to account for periodic behaviour. For simplicity, no such adjustments are made in the embodiment shown, since the curve has no period. The most suitable parameters found by the function are AR = 0, I = 0, MA = 0 and a mean of 1591.375. In this simple setting there are therefore no autoregressive (AR), integrated (I) or moving-average (MA) components to consider, and the prediction consists of the mean only. The variance of the time series, calculated with var, is 169.7167. The AIC for this setting is 130.52. In the next step the ARIMA model is used to predict the limits of the future group size g with a predefined prediction level of 0.99, i.e. α = 0.01. The forecast command returns not only the forecast for the group size g but also the lower and upper limits corresponding to the prediction level. In this case the lower prediction limit is 1557.818 and the upper limit 1624.932. Since the prediction ŷ_t is the mean and Z is the standard normal distribution, a non-anomalous measured group size g must lie within

$$ \hat y_t \pm z_{0.995}\sqrt{\operatorname{Var}(e)} = 1591.375 \pm 2.576 \cdot 13.028 = [1557.818,\; 1624.932]. $$

The group size g measured in time step z_17, however, turns out to be g = 1629 and thus exceeds the upper limit, so that an anomaly is detected. Considering longer time series leads to more precise estimates of the model parameters. Analogous calculations are performed for each point of the time series, which yields the tube-like interval that follows the behaviour of the group size g.

Detections based on ARIMA and on correlation are carried out for selected, in particular for each, group that is considered stable, i.e. that exists for a certain minimum number of time steps z. This ensures that the ARIMA model takes enough values into account to make an accurate prediction. As can be seen in Fig. 7, the forecast limits in the first time steps z do not adequately reflect the actual variance of the time series because there is not enough data. Only after about five time steps z does the model have enough historical values to generate a reliable prediction interval. The more values there are, the better the prediction interval adapts to the signal. This applies in particular to periodic signals, for which at least one period of data points must be available in order to predict the effects of the period correctly. It should also be noted that anomalies generally increase the variance, so that further anomalies that may follow in the next time steps are overlooked.

A large number of groups and time steps z, together with the statistical probability of random fluctuations, regularly cause false alarms and often make it difficult to react to all detected anomalies. According to the invention, the anomalies identified for the individual group evolutions are therefore combined into a single function. First, anomalous points below the prediction interval are mirrored to the side above the prediction interval: if

$$ y_t < \hat y_t - z_{1-\alpha/2}\sqrt{\operatorname{Var}(e)}, \qquad \text{the point is replaced by } y_t' = 2\hat y_t - y_t, $$

so that its distance to the nearest prediction limit is preserved. With the existence time τ_i of a group C_1a, C_1b, C_1c, C_2a, C_2b, C_2c, C_3a, C_3b, C_3c, i.e. the number of time steps for which the group has already existed, and C_{A,t}, the set of groups that contain an anomaly in time step t, the anomaly score a_t is then defined for each point in time as

$$ a_t = 1 - \frac{\sum_{i \in C_{A,t}} \hat y^{+}_{i,t}\,\log \tau_i}{|C_{A,t}| \cdot \sum_{i \in C_{A,t}} y_{i,t}\,\log \tau_i}, $$

where ŷ⁺_{i,t} is the upper forecast limit of group i and y_{i,t} its actual (if necessary mirrored) value. The upper forecast limit in the numerator and the actual value in the denominator ensure that a_t ∈ [0, 1), where 0 means that no anomaly has occurred and values close to 1 indicate a strong anomaly. The division by |C_{A,t}| and the inclusion of the group existence time τ_i ensure that anomalies are weighted higher if they are found in several groups or in groups that have existed for a long time.
Figs. 8a to 8c illustrate the calculation of this metric using the three time series of three paths A, B, C, which emphasise the relevant properties of this detection technique. Figs. 8a to 8c each show one of the three time series of paths A, B, C, including the anomalies found in each evolving group. The first anomaly, which occurs in the second step of each group evolution, is ignored below because it is caused by the problem mentioned above (too few past values available). According to the invention, the following types of anomalies are distinguished:

Single group, small deviation: in path A there is an anomaly in time step 6 that lies only slightly above the upper limit. This type of anomaly should be weighted lightly (Fig. 8a).

Single group, large deviation: in path C there is an anomaly in time step 13 that lies far above the upper limit. An anomaly should be weighted higher if it lies far above the upper limit or far below the lower limit (Fig. 8c).

Multiple groups, small deviation: in time step 19 there is an anomaly that is detected in all groups. An anomaly should be weighted higher if it is detected in several groups.

Multiple groups, large deviation: this case does not occur in the simple example. As a combination of the two previous cases, this anomaly is clearly rated the highest.

In addition, the time for which a group has existed is taken into account when weighting anomalies: the forecast limits of a group are more trustworthy if the group has existed for longer. This applies to path C (Fig. 8c), which only arises at time step 6 and is therefore weighted less. The anomaly score is set to 0 if no anomaly occurs in a time step. Time step 6 is considered first. Only path A (Fig. 8a) contains an anomaly at this time. The upper limit calculated in time step 5 for this time is 5.81, but the actual group size g is 6. Moreover, the group has existed for six time steps z.
The anomaly score a_6 is therefore

$$ a_6 = 1 - \frac{5.81\,\log(6)}{1 \cdot 6\,\log(6)} = 1 - 0.97 = 0.03. $$

As expected, this is a relatively low score. Time step 13 is considered next. Again, only one group has an anomaly. The upper limit in this case is 6.49 and the actual group size is 12. In addition, the group was created 8 time steps ago. The anomaly score is therefore

$$ a_{13} = 1 - \frac{6.49\,\log(8)}{1 \cdot 12\,\log(8)} = 1 - 0.54 = 0.46. $$

This is already a larger anomaly score, indicating that the system behaviour has changed considerably at this point. Finally, time step 19 is examined. Here the size of path A (Fig. 8a) is 3 and thus falls below the lower prediction limit of 3.81, i.e. the point must be mirrored to the upper side according to the equation given above. With the predicted value ŷ = 6, the new point is y' = 2 · 6 − 3 = 9. The upper prediction limit is 8.19, so the distance to the nearest prediction limit has remained the same: 9 − 8.19 = 3.81 − 3 = 0.81. The upper forecast limits of paths B and C are 6.30 and 11.80, as opposed to their actual sizes of 7 and 12. While groups A and B (Figs. 8a, 8b) have existed for 19 time steps, path C (Fig. 8c) has only existed for 14 time steps. This leads to the anomaly score

$$ a_{19} = 1 - \frac{8.19\,\log(19) + 6.30\,\log(19) + 11.80\,\log(14)}{3 \cdot \bigl(9\,\log(19) + 7\,\log(19) + 12\,\log(14)\bigr)} = 1 - \frac{73.81}{3 \cdot 78.78} = 1 - 0.31 = 0.69. $$

Because the anomaly was recorded in three different groups, the anomaly score is higher than the one calculated in time step 13. The anomaly scores are again represented as a single curve, which is shown in Fig. 9.

In the embodiment described so far, only assignments between log lines or groups of two adjacent time windows were made in the assignment step.
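The following block is an added example (not the patent's code) that carries the "Anomaly detection" section through in one place: the prediction interval, the mirroring of points below the interval, the anomaly score a_t, and a rolling detector that refits on the last P values only. The ARIMA fit is reduced to the case the description arrives at for Fig. 7 (AR = I = MA = 0), i.e. forecast = sample mean and Var(e) = sample variance; R's auto.arima and forecast are not reproduced. The mean, variance, limits and group sizes used for checking are the ones quoted in the text; the series SIZES and the unquoted lower limits in the test cases are constructed.

```python
"""Prediction interval, mirroring and anomaly score a_t.

Added example, not the patent's code. mean_model() stands in for an
ARIMA(0,0,0) fit (forecast = mean, Var(e) = sample variance), the case the
description obtains with auto.arima for Fig. 7. The group-size series SIZES is
constructed; the numbers in comments are the ones quoted in the description.
"""
import math
from statistics import NormalDist, mean, variance


def mean_model(series):
    """Degenerate ARIMA(0,0,0): forecast and error variance of the values."""
    return mean(series), variance(series)   # variance uses n-1 like R's var


def prediction_interval(forecast, var_e, alpha=0.01):
    """[y^-, y^+] = forecast -/+ z_{1-alpha/2} * sqrt(Var(e))."""
    half = NormalDist().inv_cdf(1 - alpha / 2) * math.sqrt(var_e)
    return forecast - half, forecast + half


def is_anomaly(y, lower, upper):
    return y < lower or y > upper


def mirror(y, lower, upper):
    """Reflect a point below the interval to the same distance above it:
    y' = 2 * forecast - y, the forecast being the midpoint of the interval."""
    forecast = (lower + upper) / 2
    return 2 * forecast - y if y < lower else y


def anomaly_score(detections):
    """a_t = 1 - sum(y^+_i log tau_i) / (|C_A,t| * sum(y'_i log tau_i)) over the
    groups flagged in step t. detections = [(y, lower, upper, tau)] with tau the
    number of steps the group has existed. Returns 0 if no group is anomalous."""
    flagged = [(mirror(y, lo, up), up, tau) for y, lo, up, tau in detections
               if is_anomaly(y, lo, up)]
    if not flagged:
        return 0.0
    num = sum(up * math.log(tau) for _, up, tau in flagged)
    den = len(flagged) * sum(y * math.log(tau) for y, _, tau in flagged)
    return 1 - num / den if den else 0.0


def detect(series, window=16, alpha=0.01):
    """Refit on the last `window` values before each point (only the last P
    values are kept) and return the indices that leave the interval."""
    flagged = []
    for t in range(window, len(series)):
        forecast, var_e = mean_model(series[t - window:t])
        lower, upper = prediction_interval(forecast, var_e, alpha)
        if is_anomaly(series[t], lower, upper):
            flagged.append(t)
    return flagged


# Constructed group sizes: 16 quiet steps, then a small and a large jump.
SIZES = [1580, 1600] * 8 + [1605, 1629]

if __name__ == "__main__":
    print(prediction_interval(1591.375, 169.7167))   # about (1557.818, 1624.932)
    print(detect(SIZES))                             # [17]
    print(anomaly_score([(3, 3.81, 8.19, 19), (7, 0.0, 6.30, 19), (12, 0.0, 11.80, 14)]))
```

With the mean 1591.375 and variance 169.7167 from the text, the interval reproduces the quoted limits 1557.818 and 1624.932, and the three score calculations return 0.03, 0.46 and 0.69 for time steps 6, 13 and 19; a point below the interval is scored through its mirrored value, so the lower limit matters only for that case.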
In principle, it is also possible to assign the log lines s_1, ..., s_n of a time window T_1, T_2, T_3 to several adjacent group maps C^1, C^2, C^3, i.e. to produce assignments across several time windows T_1, T_2, T_3. This makes it possible to determine transitions between groups that are assigned to different time windows T_1, T_2, T_3. Such a transition between groups occurs, for example, when a group of one time window T_1, T_2, T_3 evolves into a group of a later, in particular the immediately following, time window T_1, T_2, T_3, because the two share a high proportion of common log lines s_1, ..., s_n. A more sophisticated case analysis can also cover complex transitions such as group splits or merges.
Claims (12)

1. A method for detecting abnormal operating states, in particular caused by manipulation, in a computer network (1) comprising a plurality of computers (1a, 1b, 1c), wherein
- logs are generated by the computers (1a, 1b, 1c) of the computer network (1) or by processes (2a, 2b, 2c) running on these computers (1a, 1b, 1c),
- when predetermined events occur, the computers (1a, 1b, 1c) or the processes (2a, 2b, 2c) create a log record in the form of a log line (s_1, ..., s_n) for each of these events, each log line (s_1, ..., s_n) comprising a description record (32a, 32b, 32c) for the respective logged event,
characterized in that
a) time windows (T_1, T_2, T_3) are predetermined, the time windows (T_1, T_2, T_3) in particular adjoining each other seamlessly and preferably being of equal length,
b) the log lines (s_1, ..., s_n) are each assigned to a predetermined time window (T_1, T_2, T_3) according to the time of their creation or processing,
c) the log lines (s_1, ..., s_n) assigned to a respective time window (T_1, T_2, T_3) are analysed with regard to their similarity and, on the basis of their similarity according to a predetermined metric and optionally a similarity threshold, are combined into individual groups (C_1a, C_1b, C_1c, C_2a, C_2b, C_2c, C_3a, C_3b, C_3c), each log line (s_1, ..., s_n) being assigned to only one group,
d) log lines (s_1, ..., s_n) of a respective time window (T_1, T_2, T_3) are assigned to groups of adjacent time windows (T_1, T_2, T_3) using the metric used in step c) and, where appropriate, the similarity threshold used in step c),
e) an overlap index is formed which, on the basis of the assignments made in step d), gives a measure of the degree of agreement between the log lines of two or more groups in different time windows,
f) groups of temporally adjacent time windows (T_1, T_2, T_3) are assigned to one another by evaluating the overlap index formed, by
- finding groups, in particular a predecessor group and a successor group, whose overlap index exceeds a predetermined first threshold value (θ), and/or
- finding, for a predecessor group, a number of successor groups in a subsequent time window such that the overlap index between each of the successor groups and the predecessor group exceeds a predetermined second threshold value (θ_part) and the sum of the overlap indices so determined exceeds the predetermined first threshold value (θ), and/or
- finding, for a successor group, a number of predecessor groups in a preceding time window (T_1, T_2, T_3) such that the overlap index between each of the predecessor groups and the successor group exceeds the predetermined second threshold value (θ_part) and the sum of the overlap indices so determined exceeds the predetermined first threshold value (θ), and/or
- finding groups to which no predecessor group or successor group can be assigned, and
g) a number of directed paths is created, which comprise groups as nodes and assignments as edges and which describe the groups assigned to one another over a predetermined number of temporally preceding time windows, the individual paths specifying in the graph the course of groups assigned to one another in chronologically successive time windows, and
h) for the individual paths, a time course of an indicator for the respective group is formed over a predetermined number of time windows, and
i) the courses of the indicators along the individual paths are used to determine whether an abnormal state exists.

2. The method according to claim 1, characterized in that the length of the time windows is
- adapted adaptively to the frequency of occurrence of the predetermined events for which a log line (s_1, ..., s_n) is created, or
- changed in a rule-based manner according to a predetermined metric that provides an indicator of the number of expected events in the computer network (1), in particular according to the time of day and/or the day of the week and/or the load on the computer network (1) and/or the number of registered users.

3. The method according to claim 1 or 2, characterized in that, for assigning the individual log lines to the time windows in step b),
- individual time windows (T_1, T_2, T_3) are defined in succession during operation, one of the time windows being current at each point in time, and the log lines are assigned to the current time window immediately after their creation, and/or
- the log lines are provided with a time stamp of their creation or of the event assigned to them, and the log lines are assigned to the respective time window on the basis of this time stamp.

4. The method according to any one of the preceding claims, characterized in that in step d) log lines (s_1, ..., s_n) of each time window considered (T_1, T_2, T_3) are assigned to groups of a temporally, preferably immediately, preceding or subsequent time window (T_1, T_2, T_3).

5. The method according to any one of the preceding claims, characterized in that in step e)
- the overlap index indicates how many log lines (s_1, ..., s_n) assigned to a group could be assigned in step d) to one or more other groups from temporally adjacent, in particular immediately successive, time windows (T_1, T_2, T_3), and/or
- the overlap index for two groups in different time windows is given as the ratio of the mutual assignments of log lines of one group to the other group to the total existing assignments of log lines of these groups, and/or
- the overlap index for several selected groups in different time windows is given as the ratio between i) the mutual assignments of log lines of one of the selected groups to a respectively other selected group and ii) the total existing assignments of log lines of these selected groups.

6. The method according to any one of the preceding claims, characterized in that in step f), in the event that several predecessor groups are available for a group and several paths are merged into one, that path is followed and continued as the predecessor path
- whose groups, in particular its last group, have the greatest overlap index with the common subsequent group,
- whose groups, in particular its last group, have the most log lines,
- which is the longest and/or reaches furthest into the past of the predecessor paths in question.

7. The method according to any one of the preceding claims, characterized in that in step f), in the event that several successor groups have been found for a group and a path is divided into several paths, that path is used as the successor path and/or the path is continued with that successor path
i) whose groups, in particular its first group, have the greatest overlap index with the common group,
ii) whose groups, in particular its first group, have the most log lines,
iii) which is the longest of the paths in question and/or reaches furthest into the past.

8. The method according to any one of the preceding claims, characterized in that one of the following indicators is used as the indicator in step h):
- the size of the respective group,
- a measure of the average similarity of the individual log lines in the respective group,
- a measure of the distance between the log lines of the group and the log lines of other groups,
- an indicator characteristic of the increase and/or decrease of the size of the respective group along the respective path,
- an indicator characteristic of the number of log lines for which there are no similar groups among the groups assigned to one another, in particular the number of log lines of a group for which there are no correspondences in the subsequent or preceding group.

9. The method according to any one of the preceding claims, characterized in that, starting from the courses of indicators determined in step h) or from the sum of selected indicators formed over time windows, a time series prediction is formed in step i) and a prediction interval for the probable course of the measure of change after the latest time window is determined, and the further course of the indicator over time, or of the sum of selected indicators formed over time windows, is then examined after the respective time window as to whether it corresponds to the prediction and/or lies within the determined prediction interval, and if this is not the case, an abnormal state is found in the computer network (1).

10. The method according to claim 9, characterized in that the time series prediction is determined by means of an autoregressive integrated moving average model.

11. The method according to any one of the preceding claims, characterized in that correlations are searched for between the individual courses of indicators and, in the event that new correlations occur or previously existing correlations no longer exist, an abnormal state in the computer network (1) is detected.

12. A data carrier on which a computer program for carrying out a method according to one of the preceding claims is stored.
Patent family:

| Publication number | Publication date |
|---|---|
| EP3528162A1 | 2019-08-21 |
| EP3528162B1 | 2020-06-10 |
| AT520746B1 | 2019-07-15 |
Cited references:

| Publication number | Filing date | Publication date | Applicant | Patent title |
|---|---|---|---|---|
| US20030110398A1 | 2001-11-29 | 2003-06-12 | International Business Machines Corporation | Method, computer program element and a system for processing alarms triggered by a monitoring system |
| JP2005038116A | 2003-07-18 | 2005-02-10 | Hitachi Ltd | Fraudulent intrusion analysis device |
| US20070300300A1 | 2006-06-27 | 2007-12-27 | Matsushita Electric Industrial Co., Ltd. | Statistical instrusion detection using log files |
| AT514215A1 | 2013-04-29 | 2014-11-15 | Ait Austrian Inst Technology | Method for detecting deviations from a predetermined normal state |
| US20170163669A1 | 2015-12-08 | 2017-06-08 | Vmware, Inc. | Methods and systems to detect anomalies in computer system behavior based on log-file sampling |
| AT518805A1 | 2016-07-07 | 2018-01-15 | Ait Austrian Institute Tech Gmbh | A method for detecting abnormal conditions in a computer network |

| Publication number | Filing date | Publication date | Applicant | Patent title |
|---|---|---|---|---|
| AT522281A1 | 2019-04-02 | 2020-10-15 | Ait Austrian Institute Tech Gmbh | Method for characterizing the operating status of a computer system |
| AT523948A1 | 2020-09-01 | 2022-01-15 | Ait Austrian Inst Tech Gmbh | Method for detecting abnormal operating states of a computer system |

| Publication number | Filing date | Publication date | Applicant | Patent title |
|---|---|---|---|---|
| US9560065B2 | 2012-03-22 | 2017-01-31 | Los Alamos National Security, Llc | Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness |
| US9652354B2 | 2014-03-18 | 2017-05-16 | Microsoft Technology Licensing, Llc. | Unsupervised anomaly detection for arbitrary time series |
| US9760426B2 | 2015-05-28 | 2017-09-12 | Microsoft Technology Licensing, Llc | Detecting anomalous accounts using event logs |

| Publication number | Filing date | Publication date | Applicant | Patent title |
|---|---|---|---|---|
| AT523829B1 | 2020-07-28 | 2021-12-15 | Ait Austrian Inst Tech Gmbh | Method for detecting abnormal operating states of a computer system |
Legal status:

| Date | Code | Event | Details |
|---|---|---|---|
| 2020-02-15 | HA | Change or addition of new inventor | Inventor name: MARKUS WURZENBERGER, AT, effective date 2020-01-14; Inventor name: MAX LANDAUER, AT, effective date 2020-01-14; Inventor name: FLORIAN SKOPIK, AT, effective date 2020-01-14 |
Priority:

| Application number | Publication number | Priority date | Filing date | Patent title |
|---|---|---|---|---|
| ATA50156/2018A | AT520746B1 | 2018-02-20 | 2018-02-20 | Method for detecting abnormal operating conditions |
| EP19153037.7A | EP3528162B1 | 2018-02-20 | 2019-01-22 | Method for recognizing abnormal operational states |