This document describes ADEM, an auto defense mechanism based on machine learning. It performs routine checks by hashing files and directories to detect any modifications. If issues are found, it can auto recover or delete suspected files. It also analyzes logs with machine learning by extracting features from raw log data like IP addresses, request paths, and user agents. It then classifies the log entries to detect any abnormal activity and generate reports. The document provides examples of simple and more complex classification techniques that could be used to determine if IP addresses, request paths, user agents, or HTTP response codes are allowed or general. It aims to demonstrate machine learning classification of logs and detecting threats.