Xu Zhang,Yong Xu,Qingwei Lin,Bo Qiao,Hongyu Zhang,Yingnong Dang,Chunyu Xie,Xinsheng Yang,Qian Cheng,Ze Li,Junjie Chen,Xiaoting He,Randolph Yao,Jian-Guang Lou,Murali Chintalapati,Furao Shen,Dongmei Zhang

DOI: https://doi.org/10.1145/3338906.3338931

2019-01-01

Abstract:Logs are widely used by large and complex software-intensive systems for troubleshooting. There have been a lot of studies on log-based anomaly detection. To detect the anomalies, the existing methods mainly construct a detection model using log event data extracted from historical logs. However, we find that the existing methods do not work well in practice. These methods have the close-world assumption, which assumes that the log data is stable over time and the set of distinct log events is known. However, our empirical study shows that in practice, log data often contains previously unseen log events or log sequences. The instability of log data comes from two sources: 1) the evolution of logging statements, and 2) the processing noise in log data. In this paper, we propose a new log-based anomaly detection approach, called LogRobust. LogRobust extracts semantic information of log events and represents them as semantic vectors. It then detects anomalies by utilizing an attention-based Bi-LSTM model, which has the ability to capture the contextual information in the log sequences and automatically learn the importance of different log events. In this way, LogRobust is able to identify and handle unstable log events and sequences. We have evaluated LogRobust using logs collected from the Hadoop system and an actual online service system of Microsoft. The experimental results show that the proposed approach can well address the problem of log instability and achieve accurate and robust results on real-world, ever-changing log data.

Xuheng Wang,Jiaxing Song,Xu Zhang,Junshu Tang,Weihe Gao,Qingwei Lin

DOI: https://doi.org/10.1109/ase56229.2023.00043

2024-01-01

Abstract:Logs are prevalent in modern cloud systems and serve as a valuable source of information for system maintenance. Over the years, a lot of research and industrial efforts have been devoted to the field of log-based anomaly detection. Through analyzing the limitations of existing approaches, we find that most of them still suffer from practical issues and are thus hard to be applied in real-world scenarios. For example, supervised approaches are dependent on a large amount of labeled log data for training, which can require much manual labeling effort. Besides, log instability, which is a pervasive issue in real-world systems, poses great challenge to existing methods, especially under the presence of many dissimilar new log events. To overcome these problems, we propose LogOnline, which is a semi supervised anomaly detector aided with online learning mechanism. The semi-supervised nature of LogOnline makes it able to get rid of the erroneous and time-consuming manual labeling of log data. Based on our proposed online learning mechanism, LogOnline can learn the normal sequence patterns continuously as new log sequences emerge, thus staying robust to unstable log data. Unlike previous works, the proposed online learning mechanism requires no labeled log data nor human intervention in the process. We have evaluated LogOnline on two widely used public datasets, and the experimental results demonstrate the effectiveness of LogOnline. In particular, LogOnline achieves a comparable result with the studied supervised approaches, outperforming all semi-supervised counterparts. When the log instability issue is more common, LogOnline exhibits the best performance over all compared approaches, further confirming its practicability.

Peng Jia,Shaofeng Cai,Beng Chin Ooi,Pinghui Wang,Yiyuan Xiong

DOI: https://doi.org/10.1145/3588918

2023-01-01

Abstract:Log messages provide a valuable source of runtime information for ensuring the safety and consistency of systems. Recently, many machine learning and deep learning methods have been proposed to automatically detect anomalous log messages, obviating the need for manual detection by experts. However, we find that in practice, the effectiveness of existing learning-based methods is severely affected by incomplete information and distribution shift. Specifically, each log message can actually be parsed into a fixed number of key information fields, while existing methods analyze log messages using only the log event information and ignore other useful information fields that can be critical to anomaly detection. Further, the distribution of real-world log messages changes continuously due to the dynamic nature of the runtime environment and thus, a detection model conventionally trained based on the unrealistic i.i.d. assumption may not provide the expected and consistent performance. In this paper, we present a robust and transferable anomaly detection framework RT-Log to address the above problems. To perform a comprehensive analysis of log messages, we introduce an adaptive relation modeling technique, which captures feature interactions among log information fields selectively and dynamically for effective and interpretable log representations. To establish its robustness and transferability, we propose a general environment generalization technique for learning the environment invariant representations that can generalize across different runtime environments. We evaluate the anomaly detection performance of RT-Log on large real-world datasets. Extensive experimental results demonstrate that RT-Log consistently outperforms state-of-the-art methods by a significant margin under different settings.

Jiyu Tian,Mingchu Li,Zumin Wang,Liming Chen,Jing Qin,Runfa Zhang

2024-10-22

Abstract:Log anomaly detection (LAD) is essential to ensure safe and stable operation of software systems. Although current LAD methods exhibit significant potential in addressing challenges posed by unstable log events and temporal sequence patterns, their limitations in detection efficiency and generalization ability present a formidable challenge when dealing with evolving systems. To construct a real-time and reliable online log anomaly detection model, we propose OMLog, a semi-supervised online meta-learning method, to effectively tackle the distribution shift issue caused by changes in log event types and frequencies. Specifically, we introduce a maximum mean discrepancy-based distribution shift detection method to identify distribution changes in unseen log sequences. Depending on the identified distribution gap, the method can automatically trigger online fine-grained detection or offline fast inference. Furthermore, we design an online learning mechanism based on meta-learning, which can effectively learn the highly repetitive patterns of log sequences in the feature space, thereby enhancing the generalization ability of the model to evolving data. Extensive experiments conducted on two publicly available log datasets, HDFS and BGL, validate the effectiveness of the OMLog approach. When trained using only normal log sequences, the proposed approach achieves the F1-Score of 93.7\% and 64.9\%, respectively, surpassing the performance of the state-of-the-art (SOTA) LAD methods and demonstrating superior detection efficiency.

Software Engineering,Cryptography and Security

Jinyang Liu,Junjie Huang,Yintong Huo,Zhihan Jiang,Jiazhen Gu,Zhuangbin Chen,Cong Feng,Minzhi Yan,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2306.05032

2023-09-30

Abstract:System logs play a critical role in maintaining the reliability of software systems. Fruitful studies have explored automatic log-based anomaly detection and achieved notable accuracy on benchmark datasets. However, when applied to large-scale cloud systems, these solutions face limitations due to high resource consumption and lack of adaptability to evolving logs. In this paper, we present an accurate, lightweight, and adaptive log-based anomaly detection framework, referred to as SeaLog. Our method introduces a Trie-based Detection Agent (TDA) that employs a lightweight, dynamically-growing trie structure for real-time anomaly detection. To enhance TDA's accuracy in response to evolving log data, we enable it to receive feedback from experts. Interestingly, our findings suggest that contemporary large language models, such as ChatGPT, can provide feedback with a level of consistency comparable to human experts, which can potentially reduce manual verification efforts. We extensively evaluate SeaLog on two public datasets and an industrial dataset. The results show that SeaLog outperforms all baseline methods in terms of effectiveness, runs 2X to 10X faster and only consumes 5% to 41% of the memory resource.

Software Engineering,Machine Learning

Weina Niu,Xuhan Liao,Shiping Huang,Yudong Li,Xiaosong Zhang,Beibei Li

DOI: https://doi.org/10.1016/j.asoc.2024.111314

IF: 8.7

2024-01-01

Applied Soft Computing

Abstract:Log-based anomaly detections have shown huge commercial potential in system maintenance. However, existing methods encounter two practical challenges. Firstly, they struggle to maintain consistent performance when dealing with evolving logs over time. Secondly, they face difficulties in effectively detecting frequency anomalies, such as abnormal system resource usage and abnormal system operating frequencies. In this paper, we propose a robust log-based anomaly detection framework using Wide & Deep learning called WDLog. Particularly, we enhance the processing of template semantic information by building upon the Drain algorithm, then we introduce invariant features and statistical features and propose a multi-feature anomaly detection method based on the Wide & Deep framework. The experimental results on HDFS and BGL datasets demonstrate the promising performance of WDLog compared to state-of-the-art methods in terms of anomaly detection effectiveness. Furthermore, WDLog exhibits robustness to evolving logs, achieving F1-scores of over 90% under different degrees of log variation.

Zilong Zhao,Robert Birke,Rui Han,Bogdan Robu,Sara Bouchenak,Sonia Ben Mokhtar,Lydia Y. Chen

DOI: https://doi.org/10.1109/TDSC.2021.3063947

2021-01-01

Abstract:Classification algorithms have been widely adopted to detect anomalies for various systems, e.g., IoT, cloud and face recognition, under the common assumption that the data source is clean, i.e., features and labels are correctly set. However, data collected from the wild can be unreliable due to careless annotations or malicious data transformation for incorrect anomaly detection. In this article, we extend a two-layer on-line data selection framework: Robust Anomaly Detector (RAD) with a newly designed ensemble prediction where both layers contribute to the final anomaly detection decision. To adapt to the on-line nature of anomaly detection, we consider additional features of conflicting opinions of classifiers, repetitive cleaning, and oracle knowledge. We on-line learn from incoming data streams and continuously cleanse the data, so as to adapt to the increasing learning capacity from the larger accumulated data set. Moreover, we explore the concept of oracle learning that provides additional information of true labels for difficult data points. We specifically focus on three use cases, (i) detecting 10 classes of IoT attacks, (ii) predicting 4 classes of task failures of big data jobs, and (iii) recognising 100 celebrities faces. Our evaluation results show that RAD can robustly improve the accuracy of anomaly detection, to reach up to 98.95 percent for IoT device attacks (i.e., +7%), up to 85.03 percent for cloud task failures (i.e., +14%) under 40 percent label noise, and for its extension, it can reach up to 77.51 percent for face recognition (i.e., +39%) under 30 percent label noise. The proposed RAD and its extensions are general and can be applied to different anomaly detection algorithms.

Stephen Wambura,Jianbin Huang,He Li

DOI: https://doi.org/10.1093/comjnl/bxaa174

2020-01-01

The Computer Journal

Abstract:This paper addresses the anomaly detection problem in feature-evolving systems such as server machines, cyber security, financial markets and so forth where in every millisecond, $N$-dimensional feature-evolving heterogeneous time series are generated. However, due to stochasticity and uncertainty in evolving heterogeneous time series coupled with temporal dependencies, their anomaly detection are extremely challenging. Furthermore, it is practically impossible to train an anomaly detection model per single time series across millions of metrics, leave alone memory space required to maintain the model and evolving data points in memory for timely processing in feature-evolving data streams. Thus, this paper proposes $\underline{o}$ne sketch $\underline{f}$its all $\underline{a}$lgorithm (OFA), which is a real-time stochastic recurrent deep neural network anomaly detector built on assumption-free probabilistic conditional quantile regression with well-calibrated predictive uncertainty estimates. The proposed framework is capable of detecting anomalies robustly, accurately and efficiently in real time while handling randomness and variabilities in feature-evolving heterogeneous time series. Extensive experiments and rigorous evaluation on large-scale real-world data sets showcase that OFA outperforms other competitive state-of-the-art anomaly detector methods.

Nengwen Zhao,Honglin Wang,Zeyan Li,Xiao Peng,Gang Wang,Zhu Pan,Yong Wu,Zhen Feng,Xidao Wen,Wenchi Zhang,Kaixin Sui,Dan Pei

DOI: https://doi.org/10.1145/3468264.3473933

2021-01-01

Abstract:Log data is an essential and valuable resource of online service systems, which records detailed information of system running status and user behavior. Log anomaly detection is vital for service reliability engineering, which has been extensively studied. However, we find that existing approaches suffer from several limitations when deploying them into practice, including 1) inability to deal with various logs and complex log abnormal patterns; 2) poor interpretability; 3) lack of domain knowledge. To help understand these practical challenges and investigate the practical performance of existing work quantitatively, we conduct the first empirical study and an experimental study based on large-scale real-world data. We find that logs with rich information indeed exhibit diverse abnormal patterns (e.g., keywords, template count, template sequence, variable value, and variable distribution). However, existing approaches fail to tackle such complex abnormal patterns, producing unsatisfactory performance. Motivated by obtained findings, we propose a generic log anomaly detection system named LogAD based on ensemble learning, which integrates multiple anomaly detection approaches and domain knowledge, so as to handle complex situations in practice. About the effectiveness of LogAD, the average F1-score achieves 0.83, outperforming all baselines. Besides, we also share some success cases and lessons learned during our study. To our best knowledge, we are the first to investigate practical log anomaly detection in the real world deeply. Our work is helpful for practitioners and researchers to apply log anomaly detection to practice to enhance service reliability.

Zhao Zilong,Birke Robert,Han Rui,Robu Bogdan,Bouchenak Sara,Mokhtar Sonia Ben,Chen Lydia Y.

2019-01-01

Abstract: Classification algorithms have been widely adopted to detect anomalies for various systems, e.g., IoT, cloud and face recognition, under the common assumption that the data source is clean, i.e., features and labels are correctly set. However, data collected from the wild can be unreliable due to careless annotations or malicious data transformation for incorrect anomaly detection. In this paper, we present a two-layer on-line learning framework for robust anomaly detection (RAD) in the presence of unreliable anomaly labels, where the first layer is to filter out the suspicious data, and the second layer detects the anomaly patterns from the remaining data. To adapt to the on-line nature of anomaly detection, we extend RAD with additional features of repetitively cleaning, conflicting opinions of classifiers, and oracle knowledge. We on-line learn from the incoming data streams and continuously cleanse the data, so as to adapt to the increasing learning capacity from the larger accumulated data set. Moreover, we explore the concept of oracle learning that provides additional information of true labels for difficult data points. We specifically focus on three use cases, (i) detecting 10 classes of IoT attacks, (ii) predicting 4 classes of task failures of big data jobs, (iii) recognising 20 celebrities faces. Our evaluation results show that RAD can robustly improve the accuracy of anomaly detection, to reach up to 98% for IoT device attacks (i.e., +11%), up to 84% for cloud task failures (i.e., +20%) under 40% noise, and up to 74% for face recognition (i.e., +28%) under 30% noisy labels. The proposed RAD is general and can be applied to different anomaly detection algorithms.

Min Hu,Yi Wang,Xiaowei Feng,Shengchen Zhou,Zhaoyu Wu,Yuan Qin

DOI: https://doi.org/10.48550/arXiv.2202.02721

2022-02-06

Abstract:Time-series anomaly detection plays a vital role in monitoring complex operation conditions. However, the detection accuracy of existing approaches is heavily influenced by pattern distribution, existence of multiple normal patterns, dynamical features representation, and parameter settings. For the purpose of improving the robustness and guaranteeing the accuracy, this research combined the strengths of negative selection, unthresholded recurrence plots, and an extreme learning machine autoencoder and then proposed robust anomaly detection for time-series data (RADTD), which can automatically learn dynamical features in time series and recognize anomalies with low label dependency and high robustness. Yahoo benchmark datasets and three tunneling engineering simulation experiments were used to evaluate the performance of RADTD. The experiments showed that in benchmark datasets RADTD possessed higher accuracy and robustness than recurrence qualification analysis and extreme learning machine autoencoder, respectively, and that RADTD accurately detected the occurrence of tunneling settlement accidents, indicating its remarkable performance in accuracy and robustness.

Machine Learning

Yali Yuan,Sripriya Srikant Adhatarao,Mingkai Lin,Yachao Yuan,Zheli Liu,Xiaoming Fu

DOI: https://doi.org/10.1109/infocom41043.2020.9155487

2020-07-01

Abstract:Large private and government networks are often subjected to attacks like data extrusion and service disruption. Existing anomaly detection systems use offline supervised learning and employ experts for labeling. Hence they cannot detect anomalies in real-time. Even though unsupervised algorithms are increasingly used nowadays, they cannot readily adapt to newer threats. Moreover, many such systems also suffer from high cost of storage and require extensive computational resources. In this paper, we propose ADA: Adaptive Deep Log Anomaly Detector, an unsupervised online deep neural network framework that leverages LSTM networks and regularly adapts to newer log patterns to ensure accurate anomaly detection. In ADA, an adaptive model selection strategy is designed to choose pareto-optimal configurations and thereby utilize resources efficiently. Further, a dynamic threshold algorithm is proposed to dictate the optimal threshold based on recently detected events to improve the detection accuracy. We also use the predictions to guide storage of abnormal data and effectively reduce the overall storage cost. We compare ADA with state-of-the-art approaches through leveraging the Los Alamos National Laboratory cyber security dataset and show that ADA accurately detects anomalies with high F1-score ~95% and it is 97 times faster than existing approaches and incurs very low storage cost.

Bo Wang,Qingyi Hua,Haoming Zhang,Xin Tan,Yahui Nan,Rui Chen,Xinfeng Shu

DOI: https://doi.org/10.1016/j.aej.2021.12.061

IF: 6.626

2022-09-01

Alexandria Engineering Journal

Abstract:With the development of software, massive information systems generate large-scale data resources involving a large amount of log information, which is of lots of meaningful contents. Accurate analysis and anomaly prediction based on logs are particularly important for building safe and reliable systems. It is evident that current anomaly prediction is not accurate enough, and there are few applications to the study of real-time reliability evaluation. Therefore, this paper uses ensemble learning model to analyze and predict anomaly of the massive system logs based on the complete procedures of log processing, including log analysis, feature extraction, anomaly detection, prediction evaluation, and real-time reliability evaluation. Compared with the traditional machine learning methods, the proposed model is able to improve the accuracy, recall rate and F1 value of anomaly prediction. The evaluation results are used to correct the real-time reliability in view of the low predicted recall rate, which greatly improves the accuracy of real-time reliability and thus provides accurate data basis and anomaly location basis for Artificial Intelligence for IT Operations. In this paper we have made the following innovations and contributions in anomaly detection and reliability measurement. The whole process was established from original log to real-time reliability measurement. New methods were adopted to improve the accuracy, recall and F1 value of anomaly detection. A real-time reliability measurement method is proposed.

engineering, multidisciplinary

Xinggan Peng,Hanhui Li,Feng Yuan,Sirajudeen Gulam Razul,Zhebin Chen,Zhiping Lin

DOI: https://doi.org/10.1016/j.neucom.2022.06.042

IF: 6

2022-01-01

Neurocomputing

Abstract:Unsupervised anomaly detection in time series remains challenging, due to the rare and complex patterns of anomalous data. Previous change point detection methods based on extreme learning machine and mutual information (ELM-MI) are potential solutions for this problem. However, the kernels in these methods are randomly initialized on test data, which imposes a constraint that these methods can only be used for offline inference. Moreover, these methods are limited in utilizing temporal contexts, and require the ensemble of multiple models to improve the robustness. To tackle these problems, we introduce a multivariate ELM-MI framework, and combine it with a dynamic kernel selection method, which performs a hierarchical clustering procedure on unlabeled training data and utilizes the clusters to determine the kernels in ELM-MI. In this way, our method can tackle the unsupervised online detection of various anomalous (e.g., point anomalies and group anomalies) and reduce the computational cost. Extensive experiments on three public datasets and our collection of real-life 4G Long-Term Evolution data demonstrate that the proposed method outperforms state-of-the-art methods in terms of effectiveness and efficiency. For demo, see this link: https://personal.ntu.edu.sg/ezplin/NC-demo.htm.

Jiaxing Qi,Zhongzhi Luan,Shaohan Huang,Carol Fung,Hailong Yang,Hanlu Li,Danfeng Zhu,Depei Qian

DOI: https://doi.org/10.1109/tnsm.2023.3239522

2023-01-01

IEEE Transactions on Network and Service Management

Abstract:In recent years, cloud computing centers have grown rapidly in size. Analyzing system logs is an important way for the quality of service monitoring. However, systems produce massive amounts of logs, and it is impractical to analyze them manually. Automatic and accurate log analysis to detect abnormal events in systems has become extremely important. However, due to the nature of the log analysis problem, such as discrete property, class imbalance, and quality of log, log-based anomaly detection remains a difficult problem. To address these challenges, we propose LogEncoder, a framework of log sequence encoding for semi-supervised anomaly detection. LogEncoder utilizes a pre-trained model to obtain a semantic vector for each log event. To separate normal and abnormal log event sequences and preserve their contextual information, we integrate one-class and contrastive learning objectives training into the representation model. Finally, we propose two methods, one for offline and one for online, to detect system anomalies. Compared to six state-of-the-art baselines on three benchmark datasets, LogEncoder outperforms five unsupervised and semi-supervised methods, and the performance is comparable to the supervised method LogRobust.

Harold Ott,Jasmin Bogatinovski,Alexander Acker,Sasho Nedelkoski,Odej Kao

DOI: https://doi.org/10.48550/arXiv.2102.11570

2021-02-23

Abstract:Anomalies or failures in large computer systems, such as the cloud, have an impact on a large number of users that communicate, compute, and store information. Therefore, timely and accurate anomaly detection is necessary for reliability, security, safe operation, and mitigation of losses in these increasingly important systems. Recently, the evolution of the software industry opens up several problems that need to be tackled including (1) addressing the software evolution due software upgrades, and (2) solving the cold-start problem, where data from the system of interest is not available. In this paper, we propose a framework for anomaly detection in log data, as a major troubleshooting source of system information. To that end, we utilize pre-trained general-purpose language models to preserve the semantics of log messages and map them into log vector embeddings. The key idea is that these representations for the logs are robust and less invariant to changes in the logs, and therefore, result in a better generalization of the anomaly detection models. We perform several experiments on a cloud dataset evaluating different language models for obtaining numerical log representations such as BERT, GPT-2, and XL. The robustness is evaluated by gradually altering log messages, to simulate a change in semantics. Our results show that the proposed approach achieves high performance and robustness, which opens up possibilities for future research in this direction.

Artificial Intelligence,Computation and Language,Software Engineering

Minghua Ma,Shenglin Zhang,Dan Pei,Xin Huang,Hongwei Dai

DOI: https://doi.org/10.1109/issre.2018.00013

2018-01-01

Abstract:Anomaly detection is critical for web-based software systems. Anecdotal evidence suggests that in these systems, the accuracy of a static anomaly detection method that was previously ensured is bound to degrade over time. It is due to the significant change of data distribution, namely concept drift, which is caused by software change or personal preferences evolving. Even though dozens of anomaly detectors have been proposed over the years in the context of software system, they have not tackled the problem of concept drift. In this paper, we present a framework, StepWise, which can detect concept drift without tuning detection threshold or per-KPI (Key Performance Indicator) model parameters in a large scale KPI streams, take external factors into account to distinguish the concept drift which under operators' expectations, and help any kind of anomaly detection algorithm to handle it rapidly. For the prototype deployed in Sogou, our empirical evaluation shows StepWise improve the average F-score by 206% for many widely-used anomaly detectors over a baseline without any concept drift detection.

Yifei Lin,Hanqiu Deng,Xingyu Li

2024-04-13

Abstract:Nowadays large computers extensively output logs to record the runtime status and it has become crucial to identify any suspicious or malicious activities from the information provided by the realtime logs. Thus, fast log anomaly detection is a necessary task to be implemented for automating the infeasible manual detection. Most of the existing unsupervised methods are trained only on normal log data, but they usually require either additional abnormal data for hyperparameter selection or auxiliary datasets for discriminative model optimization. In this paper, aiming for a highly effective discriminative model that enables rapid anomaly detection,we propose FastLogAD, a generator-discriminator framework trained to exhibit the capability of generating pseudo-abnormal logs through the Mask-Guided Anomaly Generation (MGAG) model and efficiently identifying the anomalous logs via the Discriminative Abnormality Separation (DAS) model. Particularly, pseudo-abnormal logs are generated by replacing randomly masked tokens in a normal sequence with unlikely candidates. During the discriminative stage, FastLogAD learns a distinct separation between normal and pseudoabnormal samples based on their embedding norms, allowing the selection of a threshold without exposure to any test data and achieving competitive performance. Extensive experiments on several common benchmarks show that our proposed FastLogAD outperforms existing anomaly detection approaches. Furthermore, compared to previous methods, FastLogAD achieves at least x10 speed increase in anomaly detection over prior work. Our implementation is available at

Machine Learning

Zhichao Hu,Xiangzhan Yu,Likun Liu,Yu Zhang,Haining Yu

DOI: https://doi.org/10.1186/s13677-024-00682-0

2024-01-01

Abstract:In the current era of information technology, blockchain is widely used in various fields, and the monitoring of the security and status of the blockchain system is of great concern. Online anomaly detection for the real-time stream data plays vital role in monitoring strategy to find abnormal events and status of blockchain system. However, as the high requirements of real-time and online scenario, online anomaly detection faces many problems such as limited training data, distribution drift, and limited update frequency. In this paper, we propose an adaptive stream outlier detection method (ASOD) to overcome the limitations. It first designs a K-nearest neighbor Gaussian mixture model (KNN-GMM) and utilizes online learning strategy. So, it is suitable for online scenarios and does not rely on large training data. The K-nearest neighbor optimization limits the influence of new data locally rather than globally, thus improving the stability. Then, ASOD applies the mechanism of dynamic maintenance of Gaussian components and the strategy of dynamic context control to achieve self-adaptation to the distribution drift. And finally, ASOD adopts a dimensionless distance metric based on Mahalanobis distance and proposes an automatic threshold method to accomplish anomaly detection. In addition, the KNN-GMM provides the life cycle and the anomaly index for continuous tracking and analysis, which facilities the cause analysis and further interpretation and traceability. From the experimental results, it can be seen that ASOD achieves near-optimal F1 and recall on the NAB dataset with an improvement of 6% and 20.3% over the average, compared to baselines with sufficient training data. ASOD has the lowest F1 variance among the five best methods, indicating that it is effective and stable for online anomaly detection on stream data.

Xiaoqing Zhao,Zhongyuan Jiang,Jianfeng Ma

DOI: https://doi.org/10.1109/IJCNN55064.2022.9892726

2022-01-01

Abstract:The modern system is becoming more and more complex in scale and structure. Mastering the operation status is crucial to ensure the stable and reliable operation of the system. Log anomaly detection is the critical means of system state monitoring and anomaly response. However, the characteristics of complex log data structure, large amount of data and hidden abnormal behavior patterns bring new challenges to efficient and automated log anomaly detection. This paper summarized the basic framework of log anomaly detection, including log collection and filtering, log parsing, feature extraction and anomaly detection. We have reviewed the relevant technologies and methods involved in each link. In particular, various deep learning detection models in recent years are analyzed, such as the use of recurrent neural network and convolutional neural network to capture the context information of log sequences, the use of generative adversarial network to make up for the deficiency of abnormal data, and the training of federated learning between different systems. We hope that our work can help beginners understand log anomaly detection and relevant experts keep abreast of the latest research trends.