JACoW is a publisher in Geneva, Switzerland that publishes the proceedings of accelerator conferences held around the world by an international collaboration of editors.
@inproceedings{sulc:icalepcs2023-th2ao01, author = {A. Sulc and A. Eichler and T. Wilksen}, title = {{Log Anomaly Detection on EuXFEL Nodes}}, % booktitle = {Proc. ICALEPCS'23}, booktitle = {Proc. 19th Int. Conf. Accel. Large Exp. Phys. Control Syst. (ICALEPCS'23)}, eventdate = {2023-10-09/2023-10-13}, pages = {1126--1133}, paper = {TH2AO01}, language = {english}, keywords = {FEL, network, embedded, GUI, monitoring}, venue = {Cape Town, South Africa}, series = {International Conference on Accelerator and Large Experimental Physics Control Systems}, number = {19}, publisher = {JACoW Publishing, Geneva, Switzerland}, month = {02}, year = {2024}, issn = {2226-0358}, isbn = {978-3-95450-238-7}, doi = {10.18429/JACoW-ICALEPCS2023-TH2AO01}, url = {https://jacow.org/icalepcs2023/papers/th2ao01.pdf}, abstract = {{This article introduces a method to detect anomalies in the log data generated by control system nodes at the European XFEL accelerator. The primary aim of this proposed method is to offer operators a comprehensive understanding of the availability, status, and problems specific to each node. This information is vital for ensuring the smooth operation. The sequential nature of logs and the absence of a rich text corpus that is specific to our nodes pose a significant limitation for traditional and learning-based approaches for anomaly detection. To overcome this limitation, we propose a method that uses word embedding and models individual nodes as a sequence of these vectors that commonly co-occur, using a Hidden Markov Model (HMM). We score individual log entries by computing a probability ratio between the probability of the full log sequence including the new entry and the probability of just the previous log entries, without the new entry. This ratio indicates how probable the sequence becomes when the new entry is added. The proposed approach can detect anomalies by scoring and ranking log entries from EuXFEL nodes where entries that receive high scores are potential anomalies that do not fit the routine of the node. This method provides a warning system to alert operators about these irregular log events that may indicate issues. }}, }