Behavior Query Discovery in System-Generated Temporal Graphs

TL;DR

This paper presents TGMiner, a method for efficiently mining discriminative temporal graph patterns from system logs to facilitate query formulation, enabling better detection of system anomalies and malicious activities.

Contribution

Introduces TGMiner, a novel temporal graph pattern mining approach that improves query discovery in system logs by leveraging temporal information for pruning.

Findings

TGMiner is 6-32 times faster than baseline methods.

Discovered patterns achieved 97% precision and 91% recall.

Patterns help system experts identify abnormal activities effectively.

Abstract

Computer system monitoring generates huge amounts of logs that record the interaction of system entities. How to query such data to better understand system behaviors and identify potential system risks and malicious behaviors becomes a challenging task for system administrators due to the dynamics and heterogeneity of the data. System monitoring data are essentially heterogeneous temporal graphs with nodes being system entities and edges being their interactions over time. Given the complexity of such graphs, it becomes time-consuming for system administrators to manually formulate useful queries in order to examine abnormal activities, attacks, and vulnerabilities in computer systems. In this work, we investigate how to query temporal graphs and treat query formulation as a discriminative temporal graph pattern mining problem. We introduce TGMiner to mine discriminative patterns from system logs, and these patterns can be taken as templates for building more complex queries. TGMiner leverages temporal information in graphs to prune graph patterns that share similar growth trend without compromising pattern quality. Experimental results on real system data show that TGMiner is 6-32 times faster than baseline methods. The discovered patterns were verified by system experts; they achieved high precision (97%) and recall (91%).