{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,3]],"date-time":"2026-07-03T17:04:59Z","timestamp":1783098299775,"version":"3.54.6"},"reference-count":30,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,3,31]],"date-time":"2023-03-31T00:00:00Z","timestamp":1680220800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"CAIS","award":["832345"],"award-info":[{"award-number":["832345"]}]},{"name":"CIIS","award":["840842"],"award-info":[{"award-number":["840842"]}]},{"DOI":"10.13039\/100009904","name":"CISA","doi-asserted-by":"crossref","award":["850199"],"award-info":[{"award-number":["850199"]}],"id":[{"id":"10.13039\/100009904","id-type":"DOI","asserted-by":"crossref"}]},{"name":"synERGY","award":["855457"],"award-info":[{"award-number":["855457"]}]},{"name":"DECEPT","award":["873980"],"award-info":[{"award-number":["873980"]}]},{"name":"PANDORA","award":["SI2.835928"],"award-info":[{"award-number":["SI2.835928"]}]},{"name":"ECOSSIAN","award":["607577"],"award-info":[{"award-number":["607577"]}]},{"name":"GUARD","award":["833456"],"award-info":[{"award-number":["833456"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,3,31]]},"abstract":"<jats:p>Cyber attacks are omnipresent and their rapid detection is crucial for system security. Signature-based intrusion detection monitors systems for attack indicators and plays an important role in recognizing and preventing such attacks. Unfortunately, it is unable to detect new attack vectors and may be evaded by attack variants. As a solution, anomaly detection employs techniques from machine learning to detect suspicious log events without relying on predefined signatures. While visibility of attacks in network traffic is limited due to encryption of network packets, system log data is available in raw format and thus allows fine-granular analysis. However, system log processing is difficult as it involves different formats and heterogeneous events. To ease log-based anomaly detection, we present the AMiner, an open-source tool in the AECID toolbox that enables fast log parsing, analysis, and alerting. In this article, we outline the AMiner\u2019s modular architecture and demonstrate its applicability in three use-cases.<\/jats:p>","DOI":"10.1145\/3567675","type":"journal-article","created":{"date-parts":[[2022,10,10]],"date-time":"2022-10-10T12:03:09Z","timestamp":1665403389000},"page":"1-16","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["AMiner: A Modular Log Data Analysis Pipeline for Anomaly-based Intrusion Detection"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3813-3151","authenticated-orcid":false,"given":"Max","family":"Landauer","sequence":"first","affiliation":[{"name":"Austrian Institute of Technology, Giefinggasse, Vienna, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3259-6972","authenticated-orcid":false,"given":"Markus","family":"Wurzenberger","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology, Giefinggasse, Vienna, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1922-7892","authenticated-orcid":false,"given":"Florian","family":"Skopik","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology, Giefinggasse, Vienna, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2127-4997","authenticated-orcid":false,"given":"Wolfgang","family":"Hotwagner","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology, Giefinggasse, Vienna, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5350-8543","authenticated-orcid":false,"given":"Georg","family":"H\u00f6ld","sequence":"additional","affiliation":[{"name":"Austrian Institute of Technology, Giefinggasse, Vienna, Austria"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2023,3,31]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2015.11.016"},{"issue":"6","key":"e_1_3_2_3_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3344382","article-title":"A survey of intrusion detection systems leveraging host data","volume":"52","author":"Bridges Robert A.","year":"2019","unstructured":"Robert A. Bridges, Tarrah R. Glass-Vanderlan, Michael D. Iannacone, Maria S. Vincent, and Qian Chen. 2019. A survey of intrusion detection systems leveraging host data. ACM Comput. Surv. 52, 6 (2019), 1\u201335.","journal-title":"ACM Comput. Surv."},{"key":"e_1_3_2_4_2","article-title":"Anomaly detection: A survey","volume":"41","author":"Chandola Varun","year":"2009","unstructured":"Varun Chandola, Arindam Banerjee, and Vipin Kumar. 2009. Anomaly detection: A survey. ACM Comput. Surv. 41 (72009).","journal-title":"ACM Comput. Surv."},{"key":"e_1_3_2_5_2","volume-title":"Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management","author":"Chuvakin Anton","year":"2012","unstructured":"Anton Chuvakin, Kevin Schmidt, and Chris Phillips. 2012. Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management. Newnes."},{"key":"e_1_3_2_6_2","unstructured":"CrowdStrike. 2021. Global Threat Report. Retrieved from https:\/\/www.crowdstrike.com\/resources\/reports\/global-threat-report\/."},{"key":"e_1_3_2_7_2","unstructured":"Min Du Ruoxi Jia and Dawn Song. 2019. Robust anomaly detection and backdoor attack detection via differential privacy. Retrieved from https:\/\/arXiv:1911.07116."},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.5555\/1947337.1947356"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.09.006"},{"key":"e_1_3_2_11_2","first-page":"149","volume-title":"Proceedings of the 9th IEEE International Conference on Data Mining","author":"Fu Qiang","year":"2009","unstructured":"Qiang Fu, Jian-Guang Lou, Yi Wang, and Jiang Li. 2009. Execution anomaly detection in distributed systems through unstructured log analysis. In Proceedings of the 9th IEEE International Conference on Data Mining. IEEE, 149\u2013158."},{"key":"e_1_3_2_12_2","first-page":"1","volume-title":"Proceedings of the 4th International Workshop on HPC User Support Tools","author":"Haque Abida","year":"2017","unstructured":"Abida Haque, Alexandra DeLucia, and Elisabeth Baseman. 2017. Markov chain modeling for anomaly detection in high performance computing system logs. In Proceedings of the 4th International Workshop on HPC User Support Tools. 1\u20138."},{"key":"e_1_3_2_13_2","first-page":"207","volume-title":"Proceedings of the IEEE 27th International Symposium on Software Reliability Engineering (ISSRE\u201916)","author":"He Shilin","year":"2016","unstructured":"Shilin He, Jieming Zhu, Pinjia He, and Michael R. Lyu. 2016. Experience report: System log analysis for anomaly detection. In Proceedings of the IEEE 27th International Symposium on Software Reliability Engineering (ISSRE\u201916). IEEE, 207\u2013218."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2015.07.019"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.02.050"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-019-0038-7"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948144"},{"key":"e_1_3_2_18_2","first-page":"757","volume-title":"Proceedings of the European Symposium on Research in Computer Security","author":"Landauer Max","year":"2021","unstructured":"Max Landauer, Georg H\u00f6ld, Markus Wurzenberger, Florian Skopik, and Andreas Rauber. 2021. Iterative selection of categorical variables for log data anomaly detection. In Proceedings of the European Symposium on Research in Computer Security. Springer, 757\u2013777."},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101739"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510581"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.08.009"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2020.2975749"},{"key":"e_1_3_2_23_2","unstructured":"Agathoklis Prodromou. 2019. Using Logs to Investigate\u2014SQL Injection Attack Example. Retrieved from https:\/\/www.acunetix.com\/blog\/articles\/using-logs-to-investigate-a-web-application-attack\/."},{"key":"e_1_3_2_24_2","first-page":"1867","volume-title":"Proceedings of the IEEE International Conference on Big Data (Big Data\u201916)","author":"Shashanka Madhu","year":"2016","unstructured":"Madhu Shashanka, Min-Yi Shen, and Jisheng Wang. 2016. User and entity behavior analytics for enterprise security. In Proceedings of the IEEE International Conference on Big Data (Big Data\u201916). IEEE, 1867\u20131874."},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2020.102544"},{"key":"e_1_3_2_26_2","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-74450-2","volume-title":"Smart Log Data Analytics: Techniques for Advanced Security Analysis","author":"Skopik Florian","year":"2021","unstructured":"Florian Skopik, Markus Wurzenberger, and Max Landauer. 2021. Smart Log Data Analytics: Techniques for Advanced Security Analysis. Springer."},{"key":"e_1_3_2_27_2","first-page":"7","volume-title":"Proceedings of the IFIP\/IEEE Symposium on Integrated Network and Service Management (IM\u201919)","author":"Wurzenberger Markus","year":"2019","unstructured":"Markus Wurzenberger, Max Landauer, Florian Skopik, and Wolfgang Kastner. 2019. Aecid-pg: A tree-based log parser generator to enable log analysis. In Proceedings of the IFIP\/IEEE Symposium on Integrated Network and Service Management (IM\u201919). IEEE, 7\u201312."},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3098954.3098973"},{"key":"e_1_3_2_29_2","first-page":"386","volume-title":"Proceedings of the International Conference on Information Systems Security and Privacy (ICISSP\u201918)","author":"Wurzenberger Markus","year":"2018","unstructured":"Markus Wurzenberger, Florian Skopik, Giuseppe Settanni, and Roman Fiedler. 2018. AECID: A self-learning anomaly detection approach based on light-weight log parser models. In Proceedings of the International Conference on Information Systems Security and Privacy (ICISSP\u201918). 386\u2013397."},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338931"},{"key":"e_1_3_2_31_2","first-page":"415","volume-title":"Proceedings of the IEEE\/ACM 37th IEEE International Conference on Software Engineering","volume":"1","author":"Zhu Jieming","year":"2015","unstructured":"Jieming Zhu, Pinjia He, Qiang Fu, Hongyu Zhang, Michael R. Lyu, and Dongmei Zhang. 2015. Learning to log: Helping developers make informed logging decisions. In Proceedings of the IEEE\/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. IEEE, 415\u2013425."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3567675","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3567675","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:51:12Z","timestamp":1750182672000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3567675"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,31]]},"references-count":30,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,3,31]]}},"alternative-id":["10.1145\/3567675"],"URL":"https:\/\/doi.org\/10.1145\/3567675","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,3,31]]},"assertion":[{"value":"2022-02-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-10-06","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-31","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}