Ping Liu,Haowen Xu,Qianyu Ouyang,Rui Jiao,Zhekang Chen,Shenglin Zhang,Jiahai Yang,Linlin Mo,Jice Zeng,Wenman Xue,Dan Pei

DOI: https://doi.org/10.1109/issre5003.2020.00014

2020-01-01

Abstract:The anomalies of microservice invocation traces (traces) often indicate that the quality of the microservice-based large software service is being impaired. However, timely and accurately detecting trace anomalies is very challenging due to: 1) the large number of underlying microservices, 2) the complex call relationships between them, 3) the interdependency between the response times and invocation paths. Our core idea is to use machine learning to automatically learn the overall normal patterns of traces during periodic offline training. In online anomaly detection, a new trace with a small anomaly score (computed based on the learned normal pattern) is considered anomalous. With our novel trace representation and the design of deep Bayesian networks with posterior flow, our unsupervised anomaly detection system, called TraceAnomaly, can accurately and robustly detect trace anomalies in a unified fashion. TraceAnomaly has been deployed on 18 online services in a company S. Detailed evaluations on four large online services which contain hundreds of microservices and a testbed which contains 41 microservices show that the recall and precision of TraceAnomaly are both above 0.97, outperforming the existing approach in S (hard-coded rule) by 19.6% and 7.1%, and seven other baselines by 57.0% and 41.6% on average.

Ke Zhang,Xiya Wu,Xin Peng,Dongmei Zhang,Chenxi Zhang,Zhenqing Fu,Qingwei Lin,Chaofeng Sha

DOI: https://doi.org/10.1145/3510003.3510180

2022-05-01

Abstract:A microservice system in industry is usually a large-scale dis-tributed system consisting of dozens to thousands of services run-ning in different machines. An anomaly of the system often can be reflected in traces and logs, which record inter-service interactions and intra-service behaviors respectively. Existing trace anomaly detection approaches treat a trace as a sequence of service invocations. They ignore the complex structure of a trace brought by its invocation hierarchy and parallel/asynchronous invocations. On the other hand, existing log anomaly detection approaches treat a log as a sequence of events and cannot handle microservice logs that are distributed in a large number of services with complex interactions. In this paper, we propose DeepTraLog, a deep learning based microservice anomaly detection approach. DeepTraLog uses a unified graph representation to describe the complex structure of a trace together with log events embedded in the structure. Based on the graph representation, DeepTraLog trains a GGNNs based deep SVDD model by combing traces and logs and detects anom-alies in new traces and the corresponding logs. Evaluation on a microservice benchmark shows that DeepTraLog achieves a high precision (0.93) and recall (0.97), outperforming state-of-the-art trace/log anomaly detection approaches with an average increase of 0.37 in F1-score. It also validates the efficiency of DeepTraLog, the contribution of the unified graph representation, and the impact of the configurations of some key parameters.

Computer Science

Jun Huang,Yang Yang,Hang Yu,Jianguo Li,Xiao Zheng

DOI: https://doi.org/10.48550/arXiv.2310.04701

2023-10-07

Abstract:Microservice architecture has sprung up over recent years for managing enterprise applications, due to its ability to independently deploy and scale services. Despite its benefits, ensuring the reliability and safety of a microservice system remains highly challenging. Existing anomaly detection algorithms based on a single data modality (i.e., metrics, logs, or traces) fail to fully account for the complex correlations and interactions between different modalities, leading to false negatives and false alarms, whereas incorporating more data modalities can offer opportunities for further performance gain. As a fresh attempt, we propose in this paper a semi-supervised graph-based anomaly detection method, MSTGAD, which seamlessly integrates all available data modalities via attentive multi-modal learning. First, we extract and normalize features from the three modalities, and further integrate them using a graph, namely MST (microservice system twin) graph, where each node represents a service instance and the edge indicates the scheduling relationship between different service instances. The MST graph provides a virtual representation of the status and scheduling relationships among service instances of a real-world microservice system. Second, we construct a transformer-based neural network with both spatial and temporal attention mechanisms to model the inter-correlations between different modalities and temporal dependencies between the data points. This enables us to detect anomalies automatically and accurately in real-time. The source code of MSTGAD is publicly available at <a class="link-external link-https" href="https://github.com/alipay/microservice_system_twin_graph_based_anomaly_detection" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Software Engineering

Mahsa Panahandeh,Abdelwahab Hamou-Lhadj,Mohammad Hamdaqa,James Miller

DOI: https://doi.org/10.1016/j.jss.2023.111917

IF: 3.5

2023-12-16

Journal of Systems and Software

Abstract:Anomaly detection is an essential activity for identifying abnormal behaviours in microservice-based systems. A common approach is to model the system behavior during normal operation using either distributed traces or profiling metrics. The model is then used to detect anomalies during system operation. In this paper, we present a new anomaly detection approach, called ServiceAnomaly, for anomaly detection in microservice systems that combines distributed traces and six profiling metrics to build an annotated directed acyclic graph that characterizes the normal behaviour of the system. Unlike existing techniques, our approach captures the context propagation provided by distributed traces as a graph that is annotated with functions characterizing both linear and non-linear relationships between profiling metrics. The final annotated graph is used to detect abnormal executions during system operation. The results of applying our approach to two open-source benchmarks show that our approach detects anomalies with an F1-score up to 86%. We also show how developers can use the annotated graph to reason about the causes of anomalies

computer science, theory & methods, software engineering

Jingchu Wang,Jianfei Chen,Jianyi Liu,Mingyang Zhang,Hua Sheng,Rui Shi

DOI: https://doi.org/10.1109/ICSIP55141.2022.9886069

2022-07-20

Abstract:Semantics extraction is a very important part in the field of log anomaly detection, how to accurately obtain the semantics representation of log events will have a direct impact on the final anomaly detection results. However, existing research focuses on using word embedding to extract the semantics of log events, this method based on weighted aggregation of all word vectors may lose the semantic relationship of word order, and does not consider the interaction between words in log events, which cannot fully represent the semantics of log events. To solve this problem and further improve the anomaly detection performance, this paper proposes a novel practical log-based anomaly detection approach, LogST, which uses the SBERT model to extract the semantics representation of log events, considering the semantic and word order relationship of each word of log events, which is convenient to understand the log sequence context, and then design a GRU model for anomaly detection. Experimental results conducted on the public HDFS datasets demonstrate that LogST outperforms other methods in the case of a sufficient number of labeled normal logs, and can still guarantee the stability of anomaly detection accuracy in the case of a small number of labeled normal logs.

Computer Science

Haixuan Guo,Shuhan Yuan,Xintao Wu

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534113

2021-07-18

Abstract:Detecting anomalous events in online computer systems is crucial to protect the systems from malicious attacks or malfunctions. System logs, which record detailed information of computational events, are widely used for system status analysis. In this paper, we propose LogBERT, a self-supervised framework for log anomaly detection based on Bidirectional Encoder Representations from Transformers (BERT). LogBERT learns the patterns of normal log sequences by two novel self-supervised training tasks, masked log message prediction and volume of hypersphere minimization. After training, LogBERT is able to capture the patterns of normal log sequences and further detect anomalies where the underlying patterns deviate from expected patterns. The experimental results on three log datasets show that LogBERT outperforms state-of-the-art approaches for anomaly detection.

Yuan Zuo,Yulei Wu,Geyong Min,Chengqiang Huang,Ke Pei

DOI: https://doi.org/10.1109/tccn.2020.2966615

IF: 6.359

2020-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Service-oriented 5G mobile systems are commonly believed to reshape the landscape of the Internet with ubiquitous services and infrastructures. The micro-services architecture has attracted significant interests from both academia and industry, offering the capabilities of agile development and scale capacity. The emerging mobile edge computing is able to firmly maintain efficient resource utility of 5G systems, which can be empowered by micro-services. However, such capabilities impose significant challenges on micro-services system management. Although substantial data are produced for system maintenance, the interleaved temporal-spatial information has not been fully exploited. Additionally, the flooding data impose heavy pressures on automatic analysis tools. Automated digestion of data is in an urgent need for system maintenance. In this paper, we propose a new learning-based anomaly detection framework for service-provision systems with micro-services architectures using service execution logs (temporally) and query traces (spatially). It includes two major parts: logging and tracing representation, and two-stage identification via a sequential model and temporal-spatial analysis. The experimental results show that the temporal-spatial features can accurately capture the nature of operational data. The proposed framework performs well on anomaly detection, and helps gain in-depth insights of large-scale systems.

Bohao Qian,Mengying Zhu,Mengyuan Yang,Enze Wu,Guojie Xie,Yuebing Liang,Xiaolin Zheng

DOI: https://doi.org/10.1109/icws62655.2024.00041

2024-01-01

Abstract:Log anomaly detection in digital service networks is challenging due to the heterogeneity and complexity of log formats and semantics. Traditional log anomaly detection methods struggle with two main challenges: the inability to directly correlate heterogeneous logs and the semantic heterogeneity across and within logs. To address these challenges, we propose a novel framework, HEDGE, which constructs a dynamic heterogeneous log graph to capture spatio-temporal relationships between logs, reflecting fine-grained semantic correlations and evolutionary properties of sequential logs comprehensively and detecting log anomalies effectively. To capture log representations under heterogeneity from both semantic and spatio-temporal perspectives, HEDGE not only pre-trains a dual-tower SemanticFormer based on BERT to align global and local semantic information for heterogeneous nodes but also adopts a dynamic heterogeneous graph model to learn spatio-temporal topological features within inner-snapshot and intra-snapshot contexts. Extensive experiments on public datasets demonstrate the superiority of our framework compared to state-of-the-art baselines.

Shenglin Zhang,Zhongjie Pan,Heng Liu,Pengxiang Jin,Yongqian Sun,Qianyu Ouyang,Jiaju Wang,Xueying Jia,Yuzhi Zhang,Hui Yang,Yongqiang Zou,Dan Pei

DOI: https://doi.org/10.1109/issre59848.2023.00012

2023-01-01

Abstract:Microservice invocation anomalies can have a detrimental impact on user experience and service revenue. While existing trace anomaly detection approaches typically focus on anomalies in response time and invocation structure, they often overlook the importance of using fine-grained features to detect anomalies. Additionally, trace data obtained from real-world scenarios is typically accompanied by noise, which can hinder the effectiveness of anomaly detection approaches. Furthermore, large-scale trace data can significantly impact model training efficiency. To address these challenges, we propose TraceSieve, an unsupervised trace anomaly detection method that accurately detects trace anomalies. Our approach leverages an auto-encoder architecture within an adversarial training framework to filter out noise data. Additionally, we integrate VGAE-EWC, which combines Variational Graph Auto-Encoder (VGAE) with Elastic Weight Consolidation (EWC), to overcome the challenges of enormous time consumption during the training phase. Finally, we localize the root cause of trace anomalies. Our proposed method is evaluated using two different datasets, and our results demonstrate that TraceSieve achieves an F 1 -score of 0.970 and 0.925, respectively, outperforming state-of-the-art trace anomaly detection approaches.

Dan Pei,Wanxue Li,Hanzhang Wang,Wenxiao Chen,Lang Su,Haowen Xu,Zhe Xie,Huai Jiang

DOI: https://doi.org/10.1145/3543507.3583215

2023-04-30

Abstract:The microservice architecture is widely employed in large Internet systems. For each user request, a few of the microservices are called, and a trace is formed to record the tree-like call dependencies among microservices and the time consumption at each call node. Traces are useful in diagnosing system failures, but their complex structures make it difficult to model their patterns and detect their anomalies. In this paper, we propose a novel dual-variable graph variational autoencoder (VAE) for unsupervised anomaly detection on microservice traces. To reconstruct the time consumption of nodes, we propose a novel dispatching layer. We find that the inversion of negative log-likelihood (NLL) appears for some anomalous samples, which makes the anomaly score infeasible for anomaly detection. To address this, we point out that the NLL can be decomposed into KL-divergence and data entropy, whereas lower-dimensional anomalies can introduce an entropy gap with normal inputs. We propose three techniques to mitigate this entropy gap for trace anomaly detection: Bernoulli & Categorical Scaling, Node Count Normalization, and Gaussian Std-Limit. On five trace datasets from a top Internet company, our proposed TraceVAE achieves excellent F-scores.

Computer Science

Jian Chen,Fagui Liu,Jun Jiang,Guoxiang Zhong,Dishi Xu,Zhuanglun Tan,Shangsong Shi

DOI: https://doi.org/10.1016/j.comcom.2023.03.028

2022-01-01

SSRN Electronic Journal

Abstract:Trace is widely used to detect anomalies in distributed microservice systems because of the capability of precisely reconstructing user request paths. However, most existing trace-based anomaly detection approaches treat the trace as a sequence of microservice invocations with response time information, which ignores the graph structure of trace and abnormal resource consumption of the complex distributed deployment environment of microservice. In this paper, we propose TraceGra, an unsupervised encoder–decoder anomaly detection approach. TraceGra first provides a unified graph representation to combine traces and performance metrics of the container. Then, it introduces the graph neural network (GNN) and long short-term memory network (LSTM) to extract the topology and temporal features, respectively. Finally, it adds the two-part loss value with two hyperparameters as the anomaly score. The evaluation results on an open-source dataset and a local dataset collected from an ARM server cluster show that TraceGra achieves a high precision (0.97) and recall (0.93), outperforming some state-of-the-art approaches with an average increase of 0.1 in F1-score.

Hongyang Chen,Pengfei Chen,Benran Wang,Xian Yu,Xiaofan Chen,Dandan Ma,Zibin Zheng

DOI: https://doi.org/10.1016/j.comnet.2023.110135

IF: 5.493

2024-02-01

Computer Networks

Abstract:Software-Defined Network (SDN) has been widely employed in data center networks to host various software systems such as microservice systems. A microservice system is constructed by a microservice architecture composed of dozens of services running in different lightweight virtual machines (e.g., containers) and relying on overlay networks for connectivity. However, with the increase of the system scale and the network traffic volume, the network becomes more complex and common to behave anomalously. Therefore, it is error-prone to manually investigate anomalies. To tackle this problem, we propose a non-intrusive monitoring system to help network operators obtain deep insights from the network traffic generated by the running system. Based on the monitoring system, we propose an anomaly detection method to automatically detect network anomalies. The core idea is to learn behavior patterns of inter/intra-components by modeling spatial–temporal relationships amongst collected network metrics with the proposed model STCell-VAE. The pattern will be leveraged to reconstruct the input data. Subsequently, the reconstruction probability is used to determine anomalies. Additionally, STCell-VAE can assimilate network information from new components as the network evolves, eliminating the necessity for retraining. Experiments are conducted within a real networking system and four simulated large-scale networks. The results demonstrate that our system can detect anomalies with about 0.7 F1-score, which outperforms state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yihan Zhou,Yan Chen,Xuanming Rao,Yukang Zhou,Yuxin Li,Chao Hu

DOI: https://doi.org/10.3390/math12172758

IF: 2.4

2024-09-06

Mathematics

Abstract:Computer systems and applications generate large amounts of logs to measure and record information, which is vital to protect the systems from malicious attacks and useful for repairing faults, especially with the rapid development of distributed computing. Among various logs, the anomaly log is beneficial for operations and maintenance (O&M) personnel to locate faults and improve efficiency. In this paper, we utilize a large language model, ChatGPT, for the log parser task. We choose the BERT model, a self-supervised framework for log anomaly detection. BERT, an embedded transformer encoder, with a self-attention mechanism can better handle context-dependent tasks such as anomaly log detection. Meanwhile, it is based on the masked language model task and next sentence prediction task in the pretraining period to capture the normal log sequence pattern. The experimental results on two log datasets show that the BERT model combined with an LLM performed better than other classical models such as Deelog and Loganomaly.

mathematics

Song Chen,Hai Liao

DOI: https://doi.org/10.1080/08839514.2022.2145642

IF: 2.777

2022-11-17

Applied Artificial Intelligence

Abstract:Logs are primary information resource for fault diagnosis and anomaly detection in large-scale computer systems, but it is hard to classify anomalies from system logs. Recent studies focus on extracting semantic information from unstructured log messages and converting it into word vectors. Therefore, LSTM approach is more suitable for time series data. Word2Vec is the up-to-date encoding method, but the order of words in sequences is not taken into account. In this article, we propose BERT-Log, which regards the log sequence as a natural language sequence, use pre-trained language model to learn the semantic representation of normal and anomalous logs, and a fully connected neural network is utilized to fine-tune the BERT model to detect abnormal. It can capture all the semantic information from log sequence including context and position. It has achieved the highest performance among all the methods on HDFS dataset, with an F1-score of 99.3%. We propose a new log feature extractor on BGL dataset to obtain log sequence by sliding window including node ID, window size and step size. BERT-Log approach detects anomalies on BGL dataset with an F1-score of 99.4%. It gives 19% performance improvement compared to LogRobust and 7% performance improvement compared to HitAnomaly.

computer science, artificial intelligence,engineering, electrical & electronic

Caiping Hu,Xuekui Sun,Hua Dai,Hangchuan Zhang,Haiqiang Liu

DOI: https://doi.org/10.3390/electronics12173580

IF: 2.9

2023-08-25

Electronics

Abstract:Log anomaly detection is crucial for computer systems. By analyzing and processing the logs generated by a system, abnormal events or potential problems in the system can be identified, which is helpful for its stability and reliability. At present, due to the expansion of the scale and complexity of software systems, the amount of log data grows enormously, and traditional detection methods have been unable to detect system anomalies in time. Therefore, it is important to design log anomaly detection methods with high accuracy and strong generalization. In this paper, we propose the log anomaly detection method LogADSBERT, which is based on Sentence-BERT. This method adopts the Sentence-BERT model to extract the semantic behavior characteristics of log events and implements anomaly detection through the bidirectional recurrent neural network, Bi-LSTM. Experiments on the open log data set show that the accuracy of LogADSBERT is better than that of the existing log anomaly detection methods. Moreover, LogADSBERT is robust even under the scenario of new log event injections.

engineering, electrical & electronic,computer science, information systems,physics, applied

Tong Jia,Pengfei Chen,Lin Yang,Ying Li,Fanjing Meng,Jingmin Xu

DOI: https://doi.org/10.1109/icws.2017.12

2017-01-01

Abstract:Detecting runtime anomalies is very important to monitoring and maintenance of distributed services. People often use execution logs for troubleshooting and problem diagnosis manually, which is time consuming and error-prone. In this paper, we propose an approach for automatic anomaly detection based on logs. We first mine a hybrid graph model that captures normal execution flows inter and intra services, and then raise anomaly alerts on observing deviations from the hybrid model. We evaluate the effectiveness of our approach by leveraging logs from an IBM public cloud production platform and two simulated systems in the lab environment. Evaluation results show that our hybrid graph model mining performs over 80% precision and 70% recall and anomaly detection performs nearly 90% precision and 80% recall on average.

Zhe Xie,Changhua Pei,Wanxue Li,Huai Jiang,Liangfei Su,Jianhui Li,Gaogang Xie,Dan Pei

DOI: https://doi.org/10.1145/3611643.3613861

2023-01-01

Abstract:As Internet applications continue to scale up, microservice architecture has become increasingly popular due to its flexibility and logical structure. Anomaly detection in traces that record inter-microservice invocations is essential for diagnosing system failures. Deep learning-based approaches allow for accurate modeling of structural features (i.e., call paths) and latency features (i.e., call response time), which can determine the anomaly of a particular trace sample. However, the point-wise manner employed by these methods results in substantial system detection overhead and impracticality, given the massive volume of traces (billion-level). Furthermore, the point-wise approach lacks high-level information, as identical sub-structures across multiple traces may be encoded differently. In this paper, we introduce the first Group-wise Trace anomaly detection algorithm, named GTrace. This method categorizes the traces into distinct groups based on their shared sub-structure, such as the entire tree or sub-tree structure. A group-wise Variational AutoEncoder (VAE) is then employed to obtain structural representations. Moreover, the innovative "predicting latency with structure" learning paradigm facilitates the association between the grouped structure and the latency distribution within each group. With the group-wise design, representation caching, and batched inference strategies can be implemented, which significantly reduces the burden of detection on the system. Our comprehensive evaluation reveals that GTrace outperforms state-of-the-art methods in both performances (2.64% to 195.45% improvement in AUC metrics and 2.31% to 40.92% improvement in best F-Score) and efficiency (21.9x to 28.2x speedup). We have deployed and assessed the proposed algorithm on eBay's microservices cluster, and our code is available at https://github.com/NetManAIOps/GTrace.git.

Yukyung Lee,Jina Kim,Pilsung Kang

DOI: https://doi.org/10.48550/arXiv.2111.09564

2023-07-24

Abstract:The system log generated in a computer system refers to large-scale data that are collected simultaneously and used as the basic data for determining errors, intrusion and abnormal behaviors. The aim of system log anomaly detection is to promptly identify anomalies while minimizing human intervention, which is a critical problem in the industry. Previous studies performed anomaly detection through algorithms after converting various forms of log data into a standardized template using a parser. Particularly, a template corresponding to a specific event should be defined in advance for all the log data using which the information within the log key may get lost. In this study, we propose LAnoBERT, a parser free system log anomaly detection method that uses the BERT model, exhibiting excellent natural language processing performance. The proposed method, LAnoBERT, learns the model through masked language modeling, which is a BERT-based pre-training method, and proceeds with unsupervised learning-based anomaly detection using the masked language modeling loss function per log key during the test process. In addition, we also propose an efficient inference process to establish a practically applicable pipeline to the actual system. Experiments on three well-known log datasets, i.e., HDFS, BGL, and Thunderbird, show that not only did LAnoBERT yield a higher anomaly detection performance compared to unsupervised learning-based benchmark models, but also it resulted in a comparable performance with supervised learning-based benchmark models.

Machine Learning,Computation and Language

Qilin Yin,Ruichun Tang,Ren Huyue,Wenbin Zhang,Peishun Liu,Qi Li,Yangyi Shao

DOI: https://doi.org/10.1109/ICCCBDA55098.2022.9778900

2022-04-22

Abstract:In the field of computer system anomaly detection, log anomaly detection is a very important project. In order to detect system faults from log text data accurately and quickly, this paper proposes a log anomaly detection method, namely Prog-BERT-LSTM, which uses the network based on the BERT model as the text vectorization module, and designs the sequence feature learning module based on LSTM to avoid the loss of sequence features caused by the disappearance of gradient in the calculation process, and further obtain the semantics and features of the input log sequence text. The progressive masking strategy is used to aggregate the text semantic vector and sequence feature vector. We compare the Prog-BERT-LSTM model with the BERT-based model (LogBERT) on three public log datasets. The test results show that the Prog-BERT-LSTM model has better performance than the standard BERT-based model (LogBERT).

Computer Science

Wu Chen,Ningning Han,Xiaoman Tan,Dongdong Wang,Siyang Lu

DOI: https://doi.org/10.1109/ICPADS60453.2023.00174

2023-12-17

Abstract:Syslog-based anomaly detection is crucial for protecting the systems from malicious attacks or malfunctions. System logs are semi-structured text messages printed by logging statements to record the system’s run-time status, involving rich semantic information. However, the existing BERT-based log anomaly detection method is based on the log key sequence, does not consider the semantics of the log data, and discards the variable part, resulting in a high rate of missed detection. In this paper, we propose SemLog, a self-supervised framework for log anomaly detection based on BERT. By incorporating log semantics and variables and employing multi-feature fusion, we mitigate the independent assumption issue in the Masked Language Modeling model. The experimental results on three benchmarks show that SemLog achieves high performance compared with the state-of-the-art approaches for anomaly detection.

Computer Science