Chen Han,Dingyu Li,Xuanyin Wang

DOI: https://doi.org/10.1142/s0218001422540076

IF: 1.261

2022-01-01

International Journal of Pattern Recognition and Artificial Intelligence

Abstract:Edge detection is one of the most fundamental fields in computer vision. With the rapid development of the combination of Convolutional Neural Network and Multi-Scale Representation of image, significant progress has been made in this field. However, most of them have a huge size, which makes it hard to apply in reality, and a huge number of parameters may lead to waste of computing resources. In this paper, we focus on qualitative analysis of the role of each part in the network, and propose a modified light-weight architecture based on our result and the study of former works. Our new architecture is composed of residual-blocks, max-pooling layers and batch normalization layers. Compared with the previous models, the new architecture performs better in memory, convergence and computation efficiency with similar model size. Moreover, the new architecture can achieve better accuracy with smaller model size. When evaluating our model on the well-known BSDS500 benchmark, we achieve ODS F-measure of 0.769 with parameters less than 0.3[Formula: see text]M, which shows a better property than the state-of-the-art result 0.766 at this level.

Beibei Li,Shang Ma,Ruilong Deng,Kim-Kwang Raymond Choo,Jin Yang

DOI: https://doi.org/10.1109/tnsm.2022.3152620

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Runtime log-based anomaly detection is one of several key building blocks in ensuring system security, as well as post-incident forensic investigations. However, existing log-based anomaly detection approaches that are implemented on large-scale Internet of Things (IoT) systems generally upload local data from edge devices to a centralized (cloud) server for processing and analysis. Such a workflow incurs significant communication and computation overheads, with potential privacy implications. Hence, in this paper, we propose a customizable and communication-efficient federated anomaly detection scheme (hereafter referred to as FedLog), designed to facilitate the identification of abnormal log patterns in large-scale IoT systems. Specifically, we first craft a Temporal Convolutional Network-Attention Mechanism-based Convolutional Neural Network (TCN-ACNN) model, to effectively extract fine-grained features from system logs. Second, we develop a new federated learning framework to support IoT devices in establishing a comprehensive anomaly detection model in a collaborative and privacy-preserving manner. Third, a lottery ticket hypothesis based masking strategy is designed to achieve customizable and communication-efficient federated learning in handling non-Independent and Identically Distributed (non-IID) log datasets. We then evaluate the performance of our proposed scheme with those of DeepLog (published in CCS, 2017) and Loganomaly (published in IJCAI, 2019) in both centralized learning and federated learning settings, using two publicly available and widely used real-world datasets (i.e., HDFS and BGL). The findings demonstrate the utility of the proposed FedLog scheme, in terms of log-based anomaly detection.

computer science, information systems

Zhuo Lv,Jiahao Li,Cen Chen

DOI: https://doi.org/10.1117/12.3024645

2024-04-03

Abstract:Timely detection of abnormal behavior in power monitoring systems is crucial for system stability. Traditional log anomaly analysis methods have limitations, especially in handling multi-source or multi-dimensional log data. This paper introduces a method named CLSTMlog, which combines Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) networks, making the most of CNN's ability to extract local features and LSTM's capability to handle temporal relationships. Experimental results demonstrate that CLSTMlog exhibits a significant improvement in performance on the HDFS and IoT-23 datasets, including higher accuracy and reliability. This method has the potential to enhance the efficiency of log anomaly detection in power monitoring systems and overall system performance.

Computer Science,Engineering

Shayan Hashemi,Mika Mäntylä

DOI: https://doi.org/10.48550/arXiv.2104.07324

2021-04-15

Software Engineering

Abstract:In recent years, with the growth of online services and IoT devices, software log anomaly detection has become a significant concern for both academia and industry. However, at the time of writing this paper, almost all contributions to the log anomaly detection task, follow the same traditional architecture based on parsing, vectorizing, and classifying. This paper proposes OneLog, a new approach that uses a large deep model based on instead of multiple small components. OneLog utilizes a character-based convolutional neural network (CNN) originating from traditional NLP tasks. This allows the model to take advantage of multiple datasets at once and take advantage of numbers and punctuations, which were removed in previous architectures. We evaluate OneLog using four open data sets Hadoop Distributed File System (HDFS), BlueGene/L (BGL), Hadoop, and OpenStack. We evaluate our model with single and multi-project datasets. Additionally, we evaluate robustness with synthetically evolved datasets and ahead-of-time anomaly detection test that indicates capabilities to predict anomalies before occurring. To the best of our knowledge, our multi-project model outperforms state-of-the-art methods in HDFS, Hadoop, and BGL datasets, respectively setting getting F1 scores of 99.99, 99.99, and 99.98. However, OneLog's performance on the Openstack is unsatisfying with F1 score of only 21.18. Furthermore, Onelogs performance suffers very little from noise showing F1 scores of 99.95, 99.92, and 99.98 in HDFS, Hadoop, and BGL.

Ronit Das,Tie Luo

2023-05-21

Abstract:Anomaly detection is widely used in a broad range of domains from cybersecurity to manufacturing, finance, and so on. Deep learning based anomaly detection has recently drawn much attention because of its superior capability of recognizing complex data patterns and identifying outliers accurately. However, deep learning models are typically iteratively optimized in a central server with input data gathered from edge devices, and such data transfer between edge devices and the central server impose substantial overhead on the network and incur additional latency and energy consumption. To overcome this problem, we propose a fully-automated, lightweight, statistical learning based anomaly detection framework called LightESD. It is an on-device learning method without the need for data transfer between edge and server, and is extremely lightweight that most low-end edge devices can easily afford with negligible delay, CPU/memory utilization, and power consumption. Yet, it achieves highly competitive detection accuracy. Another salient feature is that it can auto-adapt to probably any dataset without manually setting or configuring model parameters or hyperparameters, which is a drawback of most existing methods. We focus on time series data due to its pervasiveness in edge applications such as IoT. Our evaluation demonstrates that LightESD outperforms other SOTA methods on detection accuracy, efficiency, and resource consumption. Additionally, its fully automated feature gives it another competitive advantage in terms of practical usability and generalizability.

Machine Learning,Cryptography and Security

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Qinglong Zhang,Rui Han,Gaofeng Xin,Chi Harold Liu,Guoren Wang,Lydia Y. Chen

DOI: https://doi.org/10.1109/tpds.2021.3137631

IF: 5.3

2021-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Deep neural networks (DNNs) have been showing significant success in various anomaly detection applications such as smart surveillance and industrial quality control. It is increasingly important to detect anomalies directly on edge devices, because of high responsiveness requirements and tight latency constraints. The accuracy of DNN-based solutions rely on large model capacity and thus long training and inference time, making them inapplicable on resource strenuous edge devices. It is hence imperative to scale DNN model sizes in correspondence to the run-time system requirements, i.e., meeting deadlines with minimal accuracy losses, which are highly dependent on the platforms and real-time system status. Existing scaling techniques either take long training time to pre-generate scaling options or disturb the unsteady training process of anomaly detection DNNs, lacking the adaptability to heterogeneous edge systems and incurring low inference accuracies. In this article, we present LightDNN to scale DNN models for anomaly detection applications at edge, featuring high detection accuracies with lightweight training and inference time. To this end, LightDNN quickly extracts and compresses blocks in a DNN, and provides large scaling space (e.g., 1 million options) by dynamically combining these compressed blocks online. At run-time, LightDNN predicts the DNN’s inference latency according to the monitored system status, and optimizes the combination of blocks to maximize its accuracy under deadline constraints. We implement and extensively evaluate LightDNN on both CPU and GPU edge platforms using 8 popular anomaly detection workloads. Comparative experiments with state-of-the-art methods show that our approach provides 145.8 to 0.56 trillion times more scaling options without increasing training and inference overheads, thus achieving as much as 15.05% increase in accuracy under the same deadlines.

Jin Wang,Yangning Tang,Shiming He,Changqing Zhao,Pradip Kumar Sharma,Osama Alfarraj,Amr Tolba

DOI: https://doi.org/10.3390/s20092451

IF: 3.9

2020-04-26

Sensors

Abstract:Log anomaly detection is an efficient method to manage modern large-scale Internet of Things (IoT) systems. More and more works start to apply natural language processing (NLP) methods, and in particular word2vec, in the log feature extraction. Word2vec can extract the relevance between words and vectorize the words. However, the computing cost of training word2vec is high. Anomalies in logs are dependent on not only an individual log message but also on the log message sequence. Therefore, the vector of words from word2vec can not be used directly, which needs to be transformed into the vector of log events and further transformed into the vector of log sequences. To reduce computational cost and avoid multiple transformations, in this paper, we propose an offline feature extraction model, named LogEvent2vec, which takes the log event as input of word2vec to extract the relevance between log events and vectorize log events directly. LogEvent2vec can work with any coordinate transformation methods and anomaly detection models. After getting the log event vector, we transform log event vector to log sequence vector by bary or tf-idf and three kinds of supervised models (Random Forests, Naive Bayes, and Neural Networks) are trained to detect the anomalies. We have conducted extensive experiments on a real public log dataset from BlueGene/L (BGL). The experimental results demonstrate that LogEvent2vec can significantly reduce computational time by 30 times and improve accuracy, comparing with word2vec. LogEvent2vec with bary and Random Forest can achieve the best F1-score and LogEvent2vec with tf-idf and Naive Bayes needs the least computational time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Van-Hoang Le,Hongyu Zhang

DOI: https://doi.org/10.1109/ase51524.2021.9678773

2021-11-01

Abstract:Software systems often record important runtime information in system logs for troubleshooting purposes. There have been many studies that use log data to construct machine learning models for detecting system anomalies. Through our empirical study, we find that existing log-based anomaly detection approaches are significantly affected by log parsing errors that are introduced by 1) OOV (out-of-vocabulary) words, and 2) semantic misunderstandings. The log parsing errors could cause the loss of important information for anomaly detection. To address the limitations of existing methods, we propose NeuralLog, a novel log-based anomaly detection approach that does not require log parsing. NeuralLog extracts the semantic meaning of raw log messages and represents them as semantic vectors. These representation vectors are then used to detect anomalies through a Transformer-based classification model, which can capture the contextual information from log sequences. Our experimental results show that the proposed approach can effectively understand the semantic meaning of log messages and achieve accurate anomaly detection results. Overall, NeuralLog achieves F1-scores greater than 0.95 on four public datasets, outperforming the existing approaches.

Xuefei Chen,Shouxin Sun,Chao Chen,Xinlong Song,Qiulan Wu,Feng Zhang

DOI: https://doi.org/10.1186/s13677-023-00580-x

2024-01-01

Journal of Cloud Computing Advances Systems and Applications

Abstract:A small object Lentinus Edodes logs contamination detection method (SRW-YOLO) based on improved YOLOv7 in edge-cloud computing environment was proposed to address the problem of the difficulty in the detection of small object contaminated areas of Lentinula Edodes logs. First, the SPD (space-to-depth)-Conv was used to reconstruct the MP module to enhance the learning of effective features of Lentinula Edodes logs images and prevent the loss of small object contamination information, and improve the detection reliability of resource-limited edge devices. Meanwhile, RepVGG was introduced into the ELAN structure to improve the efficiency and accuracy of inference on the contaminated regions of Lentinula Edodes logs through structural reparameterization. This enables models to run more efficiently in mobile edge computing environments while reducing the burden on cloud computing servers. Finally, the boundary regression loss function was replaced with the WIoU (Wise-IoU) loss function, which focuses more on ordinary-quality anchor boxes and makes the model output results more accurate. In this study, the measures of Precision, Recall, and mAP@0.5 reached 97.63%, 96.43%, and 98.62%, respectively, which are 4.62%, 3.63%, and 2.31% higher compared to those for YOLOv7. Meanwhile, the SRW-YOLO model detects better compared with the current advanced one-stage object detection model, providing an efficient, accurate and practical small object detection solution in mobile edge computing environments and cloud computing scenarios.

Weibin Meng,Ying Liu,Yichen Zhu,Shenglin Zhang,Dan Pei,Yuqing Liu,Yihao Chen,Ruizhi Zhang,Shimin Tao,Pei Sun,Rong Zhou

DOI: https://doi.org/10.24963/ijcai.2019/658

2019-08-01

Abstract:Recording runtime status via logs is common for almost every computer system, and detecting anomalies in logs is crucial for timely identifying malfunctions of systems. However, manually detecting anomalies for logs is time-consuming, error-prone, and infeasible. Existing automatic log anomaly detection approaches, using indexes rather than semantics of log templates, tend to cause false alarms. In this work, we propose LogAnomaly, a framework to model unstructured a log stream as a natural language sequence. Empowered by template2vec, a novel, simple yet effective method to extract the semantic information hidden in log templates, LogAnomaly can detect both sequential and quantitive log anomalies simultaneously, which were not done by any previous work. Moreover, LogAnomaly can avoid the false alarms caused by the newly appearing log templates between periodic model retrainings. Our evaluation on two public production log datasets show that LogAnomaly outperforms existing log-based anomaly detection methods.

Caihong Wang,Du Xu,Zonghang Li

2024-09-18

Abstract:In the era of rapid Internet development, log data has become indispensable for recording the operations of computer devices and software. These data provide valuable insights into system behavior and necessitate thorough analysis. Recent advances in text analysis have enabled deep learning to achieve significant breakthroughs in log anomaly detection. However, the high cost of manual annotation and the dynamic nature of usage scenarios present major challenges to effective log analysis. This study proposes a novel log feature extraction model called DualGCN-LogAE, designed to adapt to various scenarios. It leverages the expressive power of large models for log content analysis and the capability of graph structures to encapsulate correlations between logs. It retains key log information while integrating the causal relationships between logs to achieve effective feature extraction. Additionally, we introduce Log2graphs, an unsupervised log anomaly detection method based on the feature extractor. By employing graph clustering algorithms for log anomaly detection, Log2graphs enables the identification of abnormal logs without the need for labeled data. We comprehensively evaluate the feature extraction capability of DualGCN-LogAE and the anomaly detection performance of Log2graphs using public log datasets across five different scenarios. Our evaluation metrics include detection accuracy and graph clustering quality scores. Experimental results demonstrate that the log features extracted by DualGCN-LogAE outperform those obtained by other methods on classic classifiers. Moreover, Log2graphs surpasses existing unsupervised log detection methods, providing a robust tool for advancing log anomaly detection research.

Cryptography and Security

Yuanyuan Fu,Kun Liang,Jian Xu

DOI: https://doi.org/10.1109/tsc.2023.3289488

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Streaming logs provide valuable information for complex systems in diagnosing system faults or conducting security analysis. Although the log sequence anomaly detection has drawn more and more attention and achieved a satisfactory performance, it remains an extremely difficult task because of several intrinsic challenges including new event occurrences in a continuously evolving environment, making full use of rich dependency hidden in sequential events from the global and local view. To meet these challenges, in this paper, we propose MLog, a hybrid deep neural network for detecting anomalies in log sequences. Specifically, MLog leverages the transformer encoder and a novel event Inverse Document Frequency (IDF) weighted mechanism to obtain a semantic vector for an individual log template. Log sequences represented by sequential template semantic vectors are then fed into a deep neural network combing the Mogrifier Long Short Term Memory (LSTM) with Convolutional Neural Network (CNN) to capture global and local sequential patterns simultaneously. We implement MLog and evaluate it by conducting extensive experiments on two well-known benchmark datasets, HDFS and BGL, from the aspects of detection accuracy and robustness. The results show that MLog outperforms the state-of-the-art approaches and is robust to the evolving logs. To encourage reproducibility, we make the implementation of MLog available.

computer science, information systems, software engineering

Shayan Hashemi,Mika Mäntylä

DOI: https://doi.org/10.1007/s10515-024-00428-x

IF: 1.677

2024-04-18

Automated Software Engineering

Abstract:With the growth of online services, IoT devices, and DevOps-oriented software development, software log anomaly detection is becoming increasingly important. Prior works mainly follow a traditional four-staged architecture (Preprocessor, Parser, Vectorizer, and Classifier). This paper proposes OneLog, which utilizes a single deep neural network instead of multiple separate components. OneLog harnesses convolutional neural network (CNN) at the character level to take digits, numbers, and punctuations, which were removed in prior works, into account alongside the main natural language text. We evaluate our approach in six message- and sequence-based data sets: HDFS, Hadoop, BGL, Thunderbird, Spirit, and Liberty. We experiment with Onelog with single-, multi-, and cross-project setups. Onelog offers state-of-the-art performance in our datasets. Onelog can utilize multi-project datasets simultaneously during training, which suggests our model can generalize between datasets. Multi-project training also improves Onelog performance making it ideal when limited training data is available for an individual project. We also found that cross-project anomaly detection is possible with a single project pair (Liberty and Spirit). Analysis of model internals shows that one log has multiple modes of detecting anomalies and that the model learns manually validated parsing rules for the log messages. We conclude that character-based CNNs are a promising approach toward end-to-end learning in log anomaly detection. They offer good performance and generalization over multiple datasets. We will make our scripts publicly available upon the acceptance of this paper.

computer science, software engineering

Yalan Guo,Yulei Wu,Yanchao Zhu,Bingqiang Yang,Chunjing Han

DOI: https://doi.org/10.1109/ijcnn52387.2021.9533294

2021-07-18

Abstract:Large-scale software systems are generally deployed on distributed machines. Logs are usually collected from those machines for comprehensive and accurate system fault analysis. However, there are potential challenges during log transmission from distributed machines to third-party data analytics services. First, uploading massive raw logs causes tremendous bandwidth consumption. Moreover, user privacy contained in logs is easy to get leaked during transmission. To address these issues, we introduce federated learning for anomaly detection using distributed log data. However, gradient updates of model parameters transmitted between the server (third-party data analytics services) and participants (distributed machines) in federated learning have been proved of possible recovery by attackers, so encryption of gradient updates is necessary for enhanced privacy protection. Considering that encryption time is proportional to the number of parameters, we propose a lightweight federated learning method for anomaly detection, named FLOGCNN, using distributed log data. The sever in FLOGCNN aggregates gradient updates according to the sample size of participants to generate an integrated model. For local training, participants apply an anomaly detection model based on one-dimensional convolution with much fewer parameters. Extensive experiments are conducted for FLOGCNN using open log datasets. Results demonstrate that FLOGCNN outperforms baseline methods on anomaly detection and reduces 97.08% parameters in comparison with one baseline method. Furthermore, we perform exploratory experiments on lightweight models and results manifest that logs with simple semantic information are suitable for lightweight anomaly detection models.

Jinyang Liu,Junjie Huang,Yintong Huo,Zhihan Jiang,Jiazhen Gu,Zhuangbin Chen,Cong Feng,Minzhi Yan,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2306.05032

2023-09-30

Abstract:System logs play a critical role in maintaining the reliability of software systems. Fruitful studies have explored automatic log-based anomaly detection and achieved notable accuracy on benchmark datasets. However, when applied to large-scale cloud systems, these solutions face limitations due to high resource consumption and lack of adaptability to evolving logs. In this paper, we present an accurate, lightweight, and adaptive log-based anomaly detection framework, referred to as SeaLog. Our method introduces a Trie-based Detection Agent (TDA) that employs a lightweight, dynamically-growing trie structure for real-time anomaly detection. To enhance TDA's accuracy in response to evolving log data, we enable it to receive feedback from experts. Interestingly, our findings suggest that contemporary large language models, such as ChatGPT, can provide feedback with a level of consistency comparable to human experts, which can potentially reduce manual verification efforts. We extensively evaluate SeaLog on two public datasets and an industrial dataset. The results show that SeaLog outperforms all baseline methods in terms of effectiveness, runs 2X to 10X faster and only consumes 5% to 41% of the memory resource.

Software Engineering,Machine Learning

Yuyuan Chang,Nurbol Luktarhan,Jingru Liu,Qinglin Chen

DOI: https://doi.org/10.3390/electronics12081877

IF: 2.9

2023-04-17

Electronics

Abstract:The scale of the system and network applications is expanding, and higher requirements are being put forward for anomaly detection. The system log can record system states and significant operational events at different critical points. Therefore, using the system log for anomaly detection can help with system maintenance and avoid unnecessary loss. The system log has obvious timing characteristics, and the execution sequence of the system log has a certain dependency relationship. However, sometimes the length of sequence dependence is long. To handle the problem of longer sequence logs in anomaly detection, this paper proposes a system log anomaly detection method based on efficient channel attention and temporal convolutional network (ETCNLog). It builds a model by treating the system log as a natural language sequence. To handle longer sequence logs more effectively, ETCNLog uses the semantic and timing information of logs. It can automatically learn the importance of different log sequences and detect hidden dependencies within sequences to improve the accuracy of anomaly detection. We run extensive experiments on the actual public log dataset BGL. The experimental results show that the Precision and F1-score of ETCNLog reach 98.15% and 98.21%, respectively, both of which are better than the current anomaly detection methods.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhuangbin Chen,Jinyang Liu,Wenwei Gu,Yuxin Su,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2107.05908

2021-07-13

Software Engineering

Abstract:Logs have been an imperative resource to ensure the reliability and continuity of many software systems, especially large-scale distributed systems. They faithfully record runtime information to facilitate system troubleshooting and behavior understanding. Due to the large scale and complexity of modern software systems, the volume of logs has reached an unprecedented level. Consequently, for log-based anomaly detection, conventional manual inspection methods or even traditional machine learning-based methods become impractical, which serve as a catalyst for the rapid development of deep learning-based solutions. However, there is currently a lack of rigorous comparison among the representative log-based anomaly detectors that resort to neural networks. Moreover, the re-implementation process demands non-trivial efforts, and bias can be easily introduced. To better understand the characteristics of different anomaly detectors, in this paper, we provide a comprehensive review and evaluation of five popular neural networks used by six state-of-the-art methods. Particularly, four of the selected methods are unsupervised, and the remaining two are supervised. These methods are evaluated with two publicly available log datasets, which contain nearly 16 million log messages and 0.4 million anomaly instances in total. We believe our work can serve as a basis in this field and contribute to future academic research and industrial applications.

Zhijun Zhao,Chen Xu,Bo Li

DOI: https://doi.org/10.1007/s11265-021-01644-4

2021-02-05

Journal of Signal Processing Systems

Abstract:Abstract Security devices produce huge number of logs which are far beyond the processing speed of human beings. This paper introduces an unsupervised approach to detecting anomalous behavior in large scale security logs. We propose a novel feature extracting mechanism and could precisely characterize the features of malicious behaviors. We design a LSTM-based anomaly detection approach and could successfully identify attacks on two widely-used datasets. Our approach outperforms three popular anomaly detection algorithms, one-class SVM, GMM and Principal Components Analysis, in terms of accuracy and efficiency.

Jiyu Tian,Mingchu Li,Zumin Wang,Liming Chen,Jing Qin,Runfa Zhang

2024-10-22

Abstract:Log anomaly detection (LAD) is essential to ensure safe and stable operation of software systems. Although current LAD methods exhibit significant potential in addressing challenges posed by unstable log events and temporal sequence patterns, their limitations in detection efficiency and generalization ability present a formidable challenge when dealing with evolving systems. To construct a real-time and reliable online log anomaly detection model, we propose OMLog, a semi-supervised online meta-learning method, to effectively tackle the distribution shift issue caused by changes in log event types and frequencies. Specifically, we introduce a maximum mean discrepancy-based distribution shift detection method to identify distribution changes in unseen log sequences. Depending on the identified distribution gap, the method can automatically trigger online fine-grained detection or offline fast inference. Furthermore, we design an online learning mechanism based on meta-learning, which can effectively learn the highly repetitive patterns of log sequences in the feature space, thereby enhancing the generalization ability of the model to evolving data. Extensive experiments conducted on two publicly available log datasets, HDFS and BGL, validate the effectiveness of the OMLog approach. When trained using only normal log sequences, the proposed approach achieves the F1-Score of 93.7\% and 64.9\%, respectively, surpassing the performance of the state-of-the-art (SOTA) LAD methods and demonstrating superior detection efficiency.

Software Engineering,Cryptography and Security