Shijing Gu,Yuchun Chu,Wenbin Zhang,Peishun Liu,Qilin Yin,Qi Li

DOI: https://doi.org/10.1109/icaibd51990.2021.9459087

2021-01-01

Abstract:A wide variety of logs are generated during the running of the system, which record the state of the system at runtime and the various operations performed by the system. They are good sources of information for online monitoring and exception detection. Therefore, it is important to detect the anomaly logs in the system quickly and accurately to maintain the security and stability of the system. This paper presents a log anomaly detection algorithm based on Bi-SSGRU-Ga-Attention, which has the advantages of simple parameters and fast convergence. It reduces the running time and achieves high accuracy. It has achieved good results in log analysis of large information systems.

Xinqiang Li,Weina Niu,Xiaosong Zhang,Runzi Zhang,Zhenqi Yu,Zimu Li

DOI: https://doi.org/10.1109/cecit53797.2021.00121

2021-01-01

Abstract:In recent years, with the increase in the scale and complexity of system software, how to effectively capture, analyze and locate the abnormal behavior generated during system operation has increasingly become a recognized problem in the software testing field. Traditional white-box-based anomaly detection methods need to provide system source code and cannot effectively detect abnormal behaviors that occur when the program is running. Black-box-based anomaly detection methods rely on test cases and have low code coverage. Anomaly detection based on the logs generated during system operation can alleviate the abovementioned problems. However, the existing system log-based abnormality detection method mainly extracts log template characteristics, and cannot effectively determine the logical and temporal abnormalities related to the log. Therefore, in order to detect anomalies in the log sequence more comprehensively, this paper proposes an anomaly detection method based on BiLSTM. This method combines the semantic and temporal characteristics of the log for modeling. In terms of semantics, the Bert natural language processing model is used to extract the contextual semantic information of the logs; in terms of time, the log time interval characteristics are extracted based on the three potential relationships of the logs. In addition, the proposed method also adds an attention mechanism to balance feature weights. Finally, we evaluate our method in experiments on two real datasets, HDFS and OpenStack. The experimental results show that our method has a great improvement in accuracy and recall.

Weibin Meng,Ying Liu,Yichen Zhu,Shenglin Zhang,Dan Pei,Yuqing Liu,Yihao Chen,Ruizhi Zhang,Shimin Tao,Pei Sun,Rong Zhou

DOI: https://doi.org/10.24963/ijcai.2019/658

2019-08-01

Abstract:Recording runtime status via logs is common for almost every computer system, and detecting anomalies in logs is crucial for timely identifying malfunctions of systems. However, manually detecting anomalies for logs is time-consuming, error-prone, and infeasible. Existing automatic log anomaly detection approaches, using indexes rather than semantics of log templates, tend to cause false alarms. In this work, we propose LogAnomaly, a framework to model unstructured a log stream as a natural language sequence. Empowered by template2vec, a novel, simple yet effective method to extract the semantic information hidden in log templates, LogAnomaly can detect both sequential and quantitive log anomalies simultaneously, which were not done by any previous work. Moreover, LogAnomaly can avoid the false alarms caused by the newly appearing log templates between periodic model retrainings. Our evaluation on two public production log datasets show that LogAnomaly outperforms existing log-based anomaly detection methods.

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Xianbo Zhang,Jing Zhang,Jicheng Yang,Feng Lin,Chao Wang,Liang Chang,Dongjiang Li

DOI: https://doi.org/10.1109/icpeca56706.2023.10075876

2023-01-01

Abstract:Log data is a valuable resource for understanding system status. Log recording running status for a computer system is commonly used to identify performance issues and malfunctions. Sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. In this paper, we propose a new log sequential anomaly detection method based on natural language processing techniques by the Population Based Training (PBT) algorithm, which can make full use of semantic information in log templates to analyze log sequences. The Part-of-Speech (PoS) weight mechanism is first employed to improve the digital representation quality of the log template in the feature extraction. And then, TextCNN is used to extract noteworthy information in log template vectors. In the sequence log anomaly detection stage, the combination of TextCNN and LSTM neural network can improve the accuracy of log sequential anomaly detection. On the other hand, the proposed method jointly trains the parameters of the PoS weight mechanism and the parameters of the anomaly detection neural network model through the PBT algorithm, which accelerates the model convergence speed and improves the accuracy of the log sequential anomaly detection. Our model has been tested on four data sets and compared with two state-of-the-art models to prove the effectiveness of our model. The experimental results show that, compared with other log anomaly detection methods, the proposed method performs well.

Qingfeng Du,Liang Zhao,Jincheng Xu,Yongqi Han,Shuangli Zhang

DOI: https://doi.org/10.1007/978-3-030-86472-9_31

2021-01-01

Abstract:Anomaly detection is one of the key technologies to ensure the performance and reliability of software systems. Because of the rich information provided by logs, log-based anomaly detection approaches have attracted great interest nowadays. However, it's time-consuming to check the large amount of logs manually due to the ever-increasing scale and complexity of the system. In this work, we propose a log-based automated anomaly detection approach called LogAttention, which embeds log patterns into semantic vectors and subsequently uses a self-attention based neural network to detect anomalies in the log pattern sequences. LogAttention has the ability to capture contextual and semantic information in the log patterns and to attend far more long-range dependencies in the log pattern sequence. We evaluate LogAttention on two publicly available log datasets, and the experimental results demonstrate that our proposed approach can achieve better results compared to the existing baselines.

Hao Chen,Ruizhi Xiao,Shuyuan Jin

DOI: https://doi.org/10.18293/seke2021-126

2021-01-01

Abstract:The anomaly detection based on rich and descriptive system logs is critical to securing information systems. Existing techniques rarely consider semantic information of logs in the detection, resulting in their incapability to handle unseen log events, neither further improve their detection rates. This paper proposes a CNN and LSTM based anomaly detection approach. It utilizes the meaning of log entries — the semantic information of logs in the detection, where the relations among short sequences are automatically learned. The results of comparative experiments demonstrate the effectiveness of the proposed approach on both stable(fixed format) and unstable(unseen, unfixed format) logs.

Yi Han,Feng Lin,Yi Chai,Kaiming Qie,Lin Wang,Yuanyuan Wang,Zhang Cheng,Minyi Guo

2023-01-01

Abstract:This paper proposes an anomaly detection algorithm for logs based on self-attention mechanism and BiGRU model to deal with the multiple characteristics exhibited by logs during system anomalies. First, two BiGRU models are utilized to process the log template sequence and log template frequency vector, respectively. Then, the outputs of the two BiGRU models are concatenated and input into a self-attention layer to fuse different features. Finally, the distribution probability of the next log template is output to achieve log anomaly detection. The proposed method is evaluated on the Hadoop Log File System (HDFS) dataset and achieves an precision of approximately 96.7 $$\%$$ . Compared to other log anomaly detection algorithms such as DeepLog and LogAnomaly, our method demonstrates better performance on this dataset.

Ding Qiu,Minghua Yu,Xinye Zhang,Xiaoli Chai

DOI: https://doi.org/10.1109/ISPDS58840.2023.10235370

2023-07-14

Abstract:Log-based anomaly detection is the key to ensuring that today's large-scale distributed systems can function properly. Analyzing log data that records the running status of software systems and quickly and accurately identifying abnormal parts is the primary task of maintaining system and software security and stability. The main contribution of this paper is the presentation of a new model combining LSTM network and variational autoencoder model: LogLVAE. The model includes a data preprocessing phase and an anomaly detection phase. In the data preprocessing phase, the current most efficient online log parsing algorithm, Drain, is used to parse the log data into log templates, and then the log template sequence is divided by the sliding window algorithm. In the anomaly detection phase, the model first uses LSTM to be able to extract semantic features of log sequences by contextual information, then reconstructs the input data by VAE, calculates the reconstruction error using the reconstructed data and the input data, and detects anomalies in log sequences and reports the results to the administrator if the reconstruction error exceeds a predefined threshold. The results of our experiments, which were based on two real log datasets, indicate that LogLVAE outperformed other algorithms in terms of overall performance.

Computer Science

Xu Zhang,Yong Xu,Qingwei Lin,Bo Qiao,Hongyu Zhang,Yingnong Dang,Chunyu Xie,Xinsheng Yang,Qian Cheng,Ze Li,Junjie Chen,Xiaoting He,Randolph Yao,Jian-Guang Lou,Murali Chintalapati,Furao Shen,Dongmei Zhang

DOI: https://doi.org/10.1145/3338906.3338931

2019-01-01

Abstract:Logs are widely used by large and complex software-intensive systems for troubleshooting. There have been a lot of studies on log-based anomaly detection. To detect the anomalies, the existing methods mainly construct a detection model using log event data extracted from historical logs. However, we find that the existing methods do not work well in practice. These methods have the close-world assumption, which assumes that the log data is stable over time and the set of distinct log events is known. However, our empirical study shows that in practice, log data often contains previously unseen log events or log sequences. The instability of log data comes from two sources: 1) the evolution of logging statements, and 2) the processing noise in log data. In this paper, we propose a new log-based anomaly detection approach, called LogRobust. LogRobust extracts semantic information of log events and represents them as semantic vectors. It then detects anomalies by utilizing an attention-based Bi-LSTM model, which has the ability to capture the contextual information in the log sequences and automatically learn the importance of different log events. In this way, LogRobust is able to identify and handle unstable log events and sequences. We have evaluated LogRobust using logs collected from the Hadoop system and an actual online service system of Microsoft. The experimental results show that the proposed approach can well address the problem of log instability and achieve accurate and robust results on real-world, ever-changing log data.

Chao Wang,Jing Zhang,Dongjiang Li,Liang Chang,Feng Lin,Xianbo Zhang

DOI: https://doi.org/10.1109/ICCT56141.2022.10072770

2022-11-11

Abstract:System logs are widely used by engineers to record runtime status in the information technology (IT) field. The sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. Conventional manual log anomaly detection suffers high costs and unsustainable development. Thus, automatic methods based on Natural Language Processing (NLP) technology are proposed to improve the accuracy and efficiency of log anomaly detection. In this paper, we propose a new log anomaly detection model, named LogPS. LogPS utilizes the Part-of-Speech (PoS) technique to extract semantic information from log messages. By allocating the learned PoS-based weights to different tokens in a log template, LogPS can improve the representation quality of the log template vector. In the final anomaly detection stage, we treat a system log as a natural language sequence and build a Bidirectional Long Short-Term Memory (BiLSTM) neural network as the LogPS detection model. Therefore, LogPS can capture sufficient and contextual information from input log sequences from the forward pass and the backward pass. And LogPS can automatically learn log patterns and detect anomalies. The effectiveness of our model is tested on three datasets and is compared with other state-of-the-art models. The experimental results show that, compared with other log anomaly detection methods, the proposed LogPS performs well.

Computer Science

Haitian Yang,Degang Sun,Weiqing Huang

DOI: https://doi.org/10.1016/j.neunet.2024.106680

Abstract:Most existing log-driven anomaly detection methods assume that logs are static and unchanged, which is often impractical. To address this, we propose a log anomaly detection model called DualAttlog. This model includes word-level and sequence-level semantic encoding modules, as well as a context-aware dual attention module. Specifically, The word-level semantic encoding module utilizes a self-matching attention mechanism to explore the interactive properties between words in log sequences. By performing word embedding and semantic encoding, it captures the associations and evolution processes between words, extracting local-level semantic information. while The sequence-level semantic encoding module encoding the entire log sequence using a pre-trained model. This extracts global semantic information, capturing overall patterns and trends in the logs. The context-aware dual attention module integrates these two levels of encoding, utilizing contextual information to reduce redundancy and enhance detection accuracy. Experimental results show that the DualAttlog model achieves an F1-Score of over 95% on 7 public datasets. Impressively, it achieves an F1-Score of 82.35% on the Real-Industrial W dataset and 83.54% on the Real-Industrial Q dataset. It outperforms existing baseline techniques on 9 datasets, demonstrating its significant advantages.

Zhijun Zhao,Chen Xu,Bo Li

DOI: https://doi.org/10.1007/s11265-021-01644-4

2021-02-05

Journal of Signal Processing Systems

Abstract:Abstract Security devices produce huge number of logs which are far beyond the processing speed of human beings. This paper introduces an unsupervised approach to detecting anomalous behavior in large scale security logs. We propose a novel feature extracting mechanism and could precisely characterize the features of malicious behaviors. We design a LSTM-based anomaly detection approach and could successfully identify attacks on two widely-used datasets. Our approach outperforms three popular anomaly detection algorithms, one-class SVM, GMM and Principal Components Analysis, in terms of accuracy and efficiency.

Tingting Zhang,Markus Falt,Stefan Forsstrom

DOI: https://doi.org/10.1109/icsrs53853.2021.9660694

2021-11-24

Abstract:Modern enterprise IT systems generate large amounts of log data to record system state, potential errors, and performance metrics. Manual analysis of log data is becoming more difficult as these systems become more complex. Therefore, machine learning based anomaly detection of system logs is a vital component for the future of system management. Existing log anomaly detection models commonly rely on learning the general normal behavior of the target systems to accurately detect anomalies. They are however limited by the often sparse existing system knowledge. Therefore, this paper proposes a general anomaly detection method which requires little or no knowledge of the target system. This is done by assuming there are semantic similarities in different systems’ log data. Labeled log data from other systems can then be used for training the anomaly detection model. The model uses self-attention transformers and ensemble learning techniques to learn the semantic representation of normal and abnormal log messages. The proposed method achieves a performance comparable to other log anomaly detection methods while requiring little knowledge of the target system.

Yicheng Guo,Yujin Wen,Congwei Jiang,Yixin Lian,Yi Wan

DOI: https://doi.org/10.48550/arXiv.2101.02392

IF: 5.414

2021-01-07

Machine Learning

Abstract:Anomaly detection is a crucial and challenging subject that has been studied within diverse research areas. In this work, we explore the task of log anomaly detection (especially computer system logs and user behavior logs) by analyzing logs' sequential information. We propose LAMA, a multi-head attention based sequential model to process log streams as template activity (event) sequences. A next event prediction task is applied to train the model for anomaly detection. Extensive empirical studies demonstrate that our new model outperforms existing log anomaly detection methods including statistical and deep learning methodologies, which validate the effectiveness of our proposed method in learning sequence patterns of log data.

Xiaoqing Zhao,Zhongyuan Jiang,Jianfeng Ma

DOI: https://doi.org/10.1109/IJCNN55064.2022.9892726

2022-01-01

Abstract:The modern system is becoming more and more complex in scale and structure. Mastering the operation status is crucial to ensure the stable and reliable operation of the system. Log anomaly detection is the critical means of system state monitoring and anomaly response. However, the characteristics of complex log data structure, large amount of data and hidden abnormal behavior patterns bring new challenges to efficient and automated log anomaly detection. This paper summarized the basic framework of log anomaly detection, including log collection and filtering, log parsing, feature extraction and anomaly detection. We have reviewed the relevant technologies and methods involved in each link. In particular, various deep learning detection models in recent years are analyzed, such as the use of recurrent neural network and convolutional neural network to capture the context information of log sequences, the use of generative adversarial network to make up for the deficiency of abnormal data, and the training of federated learning between different systems. We hope that our work can help beginners understand log anomaly detection and relevant experts keep abreast of the latest research trends.

Van-Hoang Le,Hongyu Zhang

DOI: https://doi.org/10.1109/ase51524.2021.9678773

2021-11-01

Abstract:Software systems often record important runtime information in system logs for troubleshooting purposes. There have been many studies that use log data to construct machine learning models for detecting system anomalies. Through our empirical study, we find that existing log-based anomaly detection approaches are significantly affected by log parsing errors that are introduced by 1) OOV (out-of-vocabulary) words, and 2) semantic misunderstandings. The log parsing errors could cause the loss of important information for anomaly detection. To address the limitations of existing methods, we propose NeuralLog, a novel log-based anomaly detection approach that does not require log parsing. NeuralLog extracts the semantic meaning of raw log messages and represents them as semantic vectors. These representation vectors are then used to detect anomalies through a Transformer-based classification model, which can capture the contextual information from log sequences. Our experimental results show that the proposed approach can effectively understand the semantic meaning of log messages and achieve accurate anomaly detection results. Overall, NeuralLog achieves F1-scores greater than 0.95 on four public datasets, outperforming the existing approaches.

Lanlan Xi,Yang Xin,Shoushan Luo,Yanlei Shang,Qifeng Tang

DOI: https://doi.org/10.1109/ccai50917.2021.9447458

2021-01-01

Abstract:In order to realize Intelligent Disaster Recovery and break the traditional reactive backup mode, it is necessary to forecast the potential system anomalies, and proactively backup the real-time datas and configurations. System logs record the running status as well as the critical events (including errors and warnings), which can help to detect system performance, debug system faults and analyze the causes of anomalies. What's more, with the features of real-time, hierarchies and easy-access, log data can be an ideal source for monitoring system status. To reduce the complexity and improve the robustness and practicability of existing log-based anomaly detection methods, we propose a new anomaly detection mechanism based on hierarchical weights, which can deal with unstable log data. We firstly extract semantic information of log strings, and get the word-level weights by SIF algorithm to embed log strings into vectors, which are then feed into attention-based Long Short-Term Memory(LSTM) deep learning network model. In addition to get sentence-level weight which can be used to explore the interdependence between different log sequences and improve the accuracy, we utilize attention weights to help with building workflow to diagnose the abnormal points in the execution of a specific task. Our experimental results show that the hierarchical weights mechanism can effectively improve accuracy of perdition task and reduce complexity of the model, which provides the feasibility foundation support for Intelligent Disaster Recovery.

Dan Lv,Nurbol Luktarhan,Yiyong Chen

DOI: https://doi.org/10.3390/s21186125

2021-09-13

Abstract:Enterprise systems typically produce a large number of logs to record runtime states and important events. Log anomaly detection is efficient for business management and system maintenance. Most existing log-based anomaly detection methods use log parser to get log event indexes or event templates and then utilize machine learning methods to detect anomalies. However, these methods cannot handle unknown log types and do not take advantage of the log semantic information. In this article, we propose ConAnomaly, a log-based anomaly detection model composed of a log sequence encoder (log2vec) and multi-layer Long Short Term Memory Network (LSTM). We designed log2vec based on the Word2vec model, which first vectorized the words in the log content, then deleted the invalid words through part of speech tagging, and finally obtained the sequence vector by the weighted average method. In this way, ConAnomaly not only captures semantic information in the log but also leverages log sequential relationships. We evaluate our proposed approach on two log datasets. Our experimental results show that ConAnomaly has good stability and can deal with unseen log types to a certain extent, and it provides better performance than most log-based anomaly detection methods.

Zhihao Xu,Yuliang Shi,Zhiyuan Su,Li Song,Jianjun Zhang,Xinjun Wang,Hui Li

DOI: https://doi.org/10.1007/978-981-97-2303-4_33

2024-01-01

Abstract:The software system usually records important runtime information in the log for troubleshooting. Researchers mine large log data for anomalies. Many studies use log data to build deep-learning models for detecting system anomalies. Although progress has been made in log anomaly detection on high-performance computing platforms, it is still difficult to achieve real-time and accurate anomaly detection on mobile devices and Internet of Things devices, as these devices usually do not have high computational power. To solve the above limitations, we propose an efficient log anomaly detection based on dimension reduction and attention aware temporal convolutional network method, namely EfficientLog. The model achieves efficient and accurate log detection in two ways: (1) it reduces the communication cost between mobile devices and cloud computing platforms by reducing the log vector dimension through BERT-whitening, and (2) it detects log anomalies by using the attention aware temporal convolutional network to reduce model testing time and computational consumption. We evaluate the proposed method on two public datasets, and the experimental results show that EfficientLog can outperform existing popular log-based anomaly detection methods in terms of detection accuracy and computational consumption.