System Log Clustering Approaches for Cyber Security Applications: A Survey
Computers & Security (IF 4.8), Pub Date: 2020-05-01, DOI: 10.1016/j.cose.2020.101739
Max Landauer, Florian Skopik, Markus Wurzenberger, Andreas Rauber

Abstract: Log files give insight into the state of a computer system and enable the detection of anomalous events relevant to cyber security. However, automatically analyzing log data is difficult since it contains massive amounts of unstructured and diverse messages collected from heterogeneous sources. Therefore, several approaches that condense or summarize log data by means of clustering techniques have been proposed. Picking the right approach for a particular application domain is, however, non-trivial, since algorithms are designed towards specific objectives and requirements. This paper therefore surveys existing approaches. It thereby groups approaches by their clustering techniques, reviews their applicability and limitations, discusses trends and identifies gaps. The survey reveals that approaches usually pursue one or more of four major objectives: overview and filtering, parsing and signature extraction, static outlier detection, and sequences and dynamic anomaly detection. Finally, this paper also outlines a concept and tool that support the selection of appropriate approaches based on user-defined requirements.
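To make three of the four objectives named in the abstract concrete (overview and filtering, parsing and signature extraction, static outlier detection), here is a minimal token-based log clustering routine. It is an added Python example, not code from the paper or its authors; the log lines, the 0.7 similarity threshold and the minimum support of 2 are constructed assumptions, and real survey approaches use considerably more refined matching.

```python
import re

# Constructed sample log lines for the demonstration (not taken from the paper).
SAMPLE_LOGS = [
    "sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022",
    "sshd[1202]: Accepted password for bob from 10.0.0.7 port 51030",
    "sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 4455",
    "sshd[1204]: Failed password for invalid user root from 203.0.113.9 port 4456",
    "sshd[1205]: Accepted password for carol from 10.0.0.9 port 51100",
    "kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
]
WILDCARD = "<*>"

def tokenize(line):
    """Parsing step: mask obvious variables (IPv4 addresses, then bare integers) and split."""
    line = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", WILDCARD, line)
    line = re.sub(r"\b\d+\b", WILDCARD, line)
    return line.split()

def similarity(template, tokens):
    """Fraction of positions that agree; a wildcard in the template matches anything."""
    hits = sum(1 for t, x in zip(template, tokens) if t == WILDCARD or t == x)
    return hits / len(tokens)

def cluster_logs(lines, threshold=0.7):
    """Greedy clustering: a line joins the first equal-length cluster whose template is similar enough."""
    clusters = []
    for line in lines:
        tokens = tokenize(line)
        for c in clusters:
            if len(c["template"]) == len(tokens) and similarity(c["template"], tokens) >= threshold:
                # Signature extraction: positions that disagree become wildcards.
                c["template"] = [t if t == x else WILDCARD for t, x in zip(c["template"], tokens)]
                c["members"].append(line)
                break
        else:
            clusters.append({"template": tokens, "members": [line]})
    return clusters

def signatures(clusters):
    """Overview: one signature string with its support count per cluster."""
    return [(" ".join(c["template"]), len(c["members"])) for c in clusters]

def static_outliers(clusters, min_support=2):
    """Static outlier detection: lines in clusters with too little support."""
    return [m for c in clusters if len(c["members"]) < min_support for m in c["members"]]

if __name__ == "__main__":
    cs = cluster_logs(SAMPLE_LOGS)
    print(signatures(cs), static_outliers(cs), sep="\n")
```

With the constructed input this yields three signatures (three accepted logins, two failed logins for invalid users, one kernel message) and reports the lone kernel line as the outlier.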

Updated: 2020-05-01