Wenhao Hu,Yingying Liu,Jiazhen Xu,Xuanyu Chen,Gaoang Wang

DOI: https://doi.org/10.1109/ICME55011.2023.00269

2023-01-01

Abstract:Anomaly detection aims at identifying deviant samples from the normal data distribution. Much progress has been made in recent years for anomaly detection with self-supervised representation learning. However, most existing approaches assume the training set contains either only clean normal samples or some labeled abnormal samples. With a contaminated unlabeled training set, the performance is degraded with unclear discrimination between normal and abnormal samples. To address the above challenge, in this paper, we propose a novel unsupervised representation learning framework that takes advantage of the extra information provided by the anomalies in the unlabeled contaminated data for anomaly detection. Specifically, anomaly discrimination learning with pseudo normality score generation and multi-instance contrastive learning is proposed for distinguishing abnormal samples from the unlabeled set. Meanwhile, we combine the discrimination learning with mean-shifted contrastive learning and distribution-shifting transformation classification into a multi-task representation learning framework to improve the stability and robustness of the training. Our proposed method achieves state-of-the-art performance on CIFAR-10, ImageNet-10, MNIST and F-MNIST datasets. Extensive ablation studies further demonstrate the effectiveness of different components of the proposed framework.

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Yukyung Lee,Jina Kim,Pilsung Kang

DOI: https://doi.org/10.48550/arXiv.2111.09564

2023-07-24

Abstract:The system log generated in a computer system refers to large-scale data that are collected simultaneously and used as the basic data for determining errors, intrusion and abnormal behaviors. The aim of system log anomaly detection is to promptly identify anomalies while minimizing human intervention, which is a critical problem in the industry. Previous studies performed anomaly detection through algorithms after converting various forms of log data into a standardized template using a parser. Particularly, a template corresponding to a specific event should be defined in advance for all the log data using which the information within the log key may get lost. In this study, we propose LAnoBERT, a parser free system log anomaly detection method that uses the BERT model, exhibiting excellent natural language processing performance. The proposed method, LAnoBERT, learns the model through masked language modeling, which is a BERT-based pre-training method, and proceeds with unsupervised learning-based anomaly detection using the masked language modeling loss function per log key during the test process. In addition, we also propose an efficient inference process to establish a practically applicable pipeline to the actual system. Experiments on three well-known log datasets, i.e., HDFS, BGL, and Thunderbird, show that not only did LAnoBERT yield a higher anomaly detection performance compared to unsupervised learning-based benchmark models, but also it resulted in a comparable performance with supervised learning-based benchmark models.

Machine Learning,Computation and Language

Xianbo Zhang,Jing Zhang,Jicheng Yang,Feng Lin,Chao Wang,Liang Chang,Dongjiang Li

DOI: https://doi.org/10.1109/icpeca56706.2023.10075876

2023-01-01

Abstract:Log data is a valuable resource for understanding system status. Log recording running status for a computer system is commonly used to identify performance issues and malfunctions. Sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. In this paper, we propose a new log sequential anomaly detection method based on natural language processing techniques by the Population Based Training (PBT) algorithm, which can make full use of semantic information in log templates to analyze log sequences. The Part-of-Speech (PoS) weight mechanism is first employed to improve the digital representation quality of the log template in the feature extraction. And then, TextCNN is used to extract noteworthy information in log template vectors. In the sequence log anomaly detection stage, the combination of TextCNN and LSTM neural network can improve the accuracy of log sequential anomaly detection. On the other hand, the proposed method jointly trains the parameters of the PoS weight mechanism and the parameters of the anomaly detection neural network model through the PBT algorithm, which accelerates the model convergence speed and improves the accuracy of the log sequential anomaly detection. Our model has been tested on four data sets and compared with two state-of-the-art models to prove the effectiveness of our model. The experimental results show that, compared with other log anomaly detection methods, the proposed method performs well.

Jiawei Lu,Chengrong Wu

2024-11-22

Abstract:Log-system is an important mechanism for recording the runtime status and events of Web service systems, and anomaly detection in logs is an effective method of detecting problems. However, manual anomaly detection in logs is inefficient, error-prone, and unrealistic. Existing log anomaly detection methods either use the indexes of event templates, or form vectors by embedding the fixed string part of the template as a sentence, or use time parameters for sequence analysis. However, log entries often contain features and semantic information that cannot be fully represented by these methods, resulting in missed and false alarms. In this paper, we propose TPLogAD, a universal unsupervised method for analyzing unstructured logs, which performs anomaly detection based on event templates and key parameters. The itemplate2vec and para2vec included in TPLogAD are two efficient and easy-to-implement semantic representation methods for logs, detecting anomalies in event templates and parameters respectively, which has not been achieved in previous work. Additionally, TPLogAD can avoid the interference of log diversity and dynamics on anomaly detection. Our experiments on four public log datasets show that TPLogAD outperforms existing log anomaly detection methods.

Machine Learning,Artificial Intelligence,Computation and Language,Computers and Society

Haixuan Guo,Shuhan Yuan,Xintao Wu

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534113

2021-07-18

Abstract:Detecting anomalous events in online computer systems is crucial to protect the systems from malicious attacks or malfunctions. System logs, which record detailed information of computational events, are widely used for system status analysis. In this paper, we propose LogBERT, a self-supervised framework for log anomaly detection based on Bidirectional Encoder Representations from Transformers (BERT). LogBERT learns the patterns of normal log sequences by two novel self-supervised training tasks, masked log message prediction and volume of hypersphere minimization. After training, LogBERT is able to capture the patterns of normal log sequences and further detect anomalies where the underlying patterns deviate from expected patterns. The experimental results on three log datasets show that LogBERT outperforms state-of-the-art approaches for anomaly detection.

Minghua He,Tong Jia,Chiming Duan,Huaqian Cai,Ying Li,Gang Huang

DOI: https://doi.org/10.1109/issre62328.2024.00023

2024-01-01

Abstract:Log-based anomaly detection is an essential task in maintaining software reliability. Existing log-based anomaly detection approaches often consist of three key phases: log parsing, event embedding, and model construction. Event embedding efficiently extracts semantic information from log events and produces vector representations of log events. However, existing event embedding methods suffer from two key problems. First, semantic noises are buried in log events leading to inevitable gaps between the obtained semantics from log events and their essential meanings. Second, there exists a gap between general semantic embedding and the specific embedding requirement of anomaly detection tasks. To mitigate these problems and improve the quality of representations of log events, we propose a novel anomaly detection approach named LLMeLog. It leverages the capabilities of large language models (LLMs) to enrich the contents of log events with in-context learning techniques. Then it utilizes the enriched log events to fine-tune a pre-trained BERT model. At last, it trains a transformer-based anomaly detection model with the event representations produced by the pre-trained BERT model. Evaluation results on three public log datasets show that LLMeLog achieves the best performance across all datasets, boasting F1-scores exceeding 99%. Besides, when using only 10% of labeled data as training data, our approach can still achieve over 90% F1-scores.

Qilin Yin,Ruichun Tang,Ren Huyue,Wenbin Zhang,Peishun Liu,Qi Li,Yangyi Shao

DOI: https://doi.org/10.1109/ICCCBDA55098.2022.9778900

2022-04-22

Abstract:In the field of computer system anomaly detection, log anomaly detection is a very important project. In order to detect system faults from log text data accurately and quickly, this paper proposes a log anomaly detection method, namely Prog-BERT-LSTM, which uses the network based on the BERT model as the text vectorization module, and designs the sequence feature learning module based on LSTM to avoid the loss of sequence features caused by the disappearance of gradient in the calculation process, and further obtain the semantics and features of the input log sequence text. The progressive masking strategy is used to aggregate the text semantic vector and sequence feature vector. We compare the Prog-BERT-LSTM model with the BERT-based model (LogBERT) on three public log datasets. The test results show that the Prog-BERT-LSTM model has better performance than the standard BERT-based model (LogBERT).

Computer Science

Wu Chen,Ningning Han,Xiaoman Tan,Dongdong Wang,Siyang Lu

DOI: https://doi.org/10.1109/ICPADS60453.2023.00174

2023-12-17

Abstract:Syslog-based anomaly detection is crucial for protecting the systems from malicious attacks or malfunctions. System logs are semi-structured text messages printed by logging statements to record the system’s run-time status, involving rich semantic information. However, the existing BERT-based log anomaly detection method is based on the log key sequence, does not consider the semantics of the log data, and discards the variable part, resulting in a high rate of missed detection. In this paper, we propose SemLog, a self-supervised framework for log anomaly detection based on BERT. By incorporating log semantics and variables and employing multi-feature fusion, we mitigate the independent assumption issue in the Masked Language Modeling model. The experimental results on three benchmarks show that SemLog achieves high performance compared with the state-of-the-art approaches for anomaly detection.

Computer Science

Ruyi Zhang,Hongzuo Xu,Songlei Jian,Yusong Tan,Haifang Zhou,Rulin Xu

2024-10-26

Abstract:Training in unsupervised time series anomaly detection is constantly plagued by the discrimination between harmful `anomaly contaminations' and beneficial `hard normal samples'. These two samples exhibit analogous loss behavior that conventional loss-based methodologies struggle to differentiate. To tackle this problem, we propose a novel approach that supplements traditional loss behavior with `parameter behavior', enabling a more granular characterization of anomalous patterns. Parameter behavior is formalized by measuring the parametric response to minute perturbations in input samples. Leveraging the complementary nature of parameter and loss behaviors, we further propose a dual Parameter-Loss Data Augmentation method (termed PLDA), implemented within the reinforcement learning paradigm. During the training phase of anomaly detection, PLDA dynamically augments the training data through an iterative process that simultaneously mitigates anomaly contaminations while amplifying informative hard normal samples. PLDA demonstrates remarkable versatility, which can serve as an additional component that seamlessly integrated with existing anomaly detectors to enhance their detection performance. Extensive experiments on ten datasets show that PLDA significantly improves the performance of four distinct detectors by up to 8\%, outperforming three state-of-the-art data augmentation methods.

Machine Learning,Artificial Intelligence

Weibin Meng,Ying Liu,Yichen Zhu,Shenglin Zhang,Dan Pei,Yuqing Liu,Yihao Chen,Ruizhi Zhang,Shimin Tao,Pei Sun,Rong Zhou

DOI: https://doi.org/10.24963/ijcai.2019/658

2019-08-01

Abstract:Recording runtime status via logs is common for almost every computer system, and detecting anomalies in logs is crucial for timely identifying malfunctions of systems. However, manually detecting anomalies for logs is time-consuming, error-prone, and infeasible. Existing automatic log anomaly detection approaches, using indexes rather than semantics of log templates, tend to cause false alarms. In this work, we propose LogAnomaly, a framework to model unstructured a log stream as a natural language sequence. Empowered by template2vec, a novel, simple yet effective method to extract the semantic information hidden in log templates, LogAnomaly can detect both sequential and quantitive log anomalies simultaneously, which were not done by any previous work. Moreover, LogAnomaly can avoid the false alarms caused by the newly appearing log templates between periodic model retrainings. Our evaluation on two public production log datasets show that LogAnomaly outperforms existing log-based anomaly detection methods.

Jesse Nyyssölä,Mika Mäntylä,Martín Varela

DOI: https://doi.org/10.48550/arXiv.2208.01991

2022-08-03

Abstract:Software Log anomaly event detection with masked event prediction has various technical approaches with countless configurations and parameters. Our objective is to provide a baseline of settings for similar studies in the future. The models we use are the N-Gram model, which is a classic approach in the field of natural language processing (NLP), and two deep learning (DL) models long short-term memory (LSTM) and convolutional neural network (CNN). For datasets we used four datasets Profilence, BlueGene/L (BGL), Hadoop Distributed File System (HDFS) and Hadoop. Other settings are the size of the sliding window which determines how many surrounding events we are using to predict a given event, mask position (the position within the window we are predicting), the usage of only unique sequences, and the portion of data that is used for training. The results show clear indications of settings that can be generalized across datasets. The performance of the DL models does not deteriorate as the window size increases while the N-Gram model shows worse performance with large window sizes on the BGL and Profilence datasets. Despite the popularity of Next Event Prediction, the results show that in this context it is better not to predict events at the edges of the subsequence, i.e., first or last event, with the best result coming from predicting the fourth event when the window size is five. Regarding the amount of data used for training, the results show differences across datasets and models. For example, the N-Gram model appears to be more sensitive toward the lack of data than the DL models. Overall, for similar experimental setups we suggest the following general baseline: Window size 10, mask position second to last, do not filter out non-unique sequences, and use a half of the total data for training.

Software Engineering

Yining Zhao,Carol J. Fung,Hailong Yang,Shaohan Huang,Yi Liu,Zhongzhi Luan,Rong He

DOI: https://doi.org/10.1109/TNSM.2020.3034647

2020-12-01

IEEE Transactions on Network and Service Management

Abstract:Enterprise systems often produce a large volume of logs to record runtime status and events. Anomaly detection from system logs is crucial for service management and system maintenance. Most existing log-based anomaly detection methods use log event indexes parsed from log data to detect anomalies. Those methods cannot handle unseen log templates and lead to inaccurate anomaly detection. Some recent studies focused on the semantics of log templates but ignored the information of parameter values. Therefore, their approaches failed to address the abnormal logs caused by parameter values. In this article, we propose HitAnomaly, a log-based anomaly detection model utilizing a hierarchical transformer structure to model both log template sequences and parameter values. We designed a log sequence encoder and a parameter value encoder to obtain their representations correspondingly. We then use an attention mechanism as our final classification model. In this way, HitAnomaly is able to capture the semantic information in both log template sequence and parameter values and handle various types of anomalies. We evaluated our proposed method on three log datasets. Our experimental results demonstrate that HitAnomaly has outperformed other existing log-based anomaly detection methods. We also assess the robustness of our proposed model on unstable log data.

Computer Science

Haitian Yang,Degang Sun,Weiqing Huang

DOI: https://doi.org/10.1016/j.neunet.2024.106680

Abstract:Most existing log-driven anomaly detection methods assume that logs are static and unchanged, which is often impractical. To address this, we propose a log anomaly detection model called DualAttlog. This model includes word-level and sequence-level semantic encoding modules, as well as a context-aware dual attention module. Specifically, The word-level semantic encoding module utilizes a self-matching attention mechanism to explore the interactive properties between words in log sequences. By performing word embedding and semantic encoding, it captures the associations and evolution processes between words, extracting local-level semantic information. while The sequence-level semantic encoding module encoding the entire log sequence using a pre-trained model. This extracts global semantic information, capturing overall patterns and trends in the logs. The context-aware dual attention module integrates these two levels of encoding, utilizing contextual information to reduce redundancy and enhance detection accuracy. Experimental results show that the DualAttlog model achieves an F1-Score of over 95% on 7 public datasets. Impressively, it achieves an F1-Score of 82.35% on the Real-Industrial W dataset and 83.54% on the Real-Industrial Q dataset. It outperforms existing baseline techniques on 9 datasets, demonstrating its significant advantages.

Shenglin Zhang,Yuhe Ji,Jiaqi Luan,Xiaohui Nie,Zi`ang Chen,Minghua Ma,Yongqian Sun,Dan Pei

DOI: https://doi.org/10.1145/3691620.3695535

2024-01-01

Abstract:As modern software systems evolve towards greater complexity, ensuring their reliable operation has become a critical challenge. Log data analysis is vital in maintaining system stability, with anomaly detection being a key aspect. However, existing log anomaly detection methods heavily rely on manual effort from experts, lacking transferability across systems. This has led to the situation where to perform anomaly detection on a new dataset, the operators must have a high level of understanding of the dataset, make multiple attempts, and spend a lot of time to deploy an algorithm that performs well successfully. This paper proposes LogCraft, an end-to-end unsupervised log anomaly detection framework based on automated machine learning (AutoML). LogCraft automates feature engineering, model selection, and anomaly detection, reducing the need for specialized knowledge and lowering the threshold for algorithm deployment. Extensive evaluations on five public datasets demonstrate LogCraft's effectiveness, achieving an average F1 score of 0.899, which outperforms the second-best average F1 score of 0.847 obtained by existing unsupervised algorithms. According to our knowledge, LogCraft is the first attempt to extract fixed-dimensional vectors as latent representations from a complete log dataset. The proposed meta-feature extractor also exhibits promising potential for measuring log dataset similarity and guiding future log analytics research.

Caiping Hu,Xuekui Sun,Hua Dai,Hangchuan Zhang,Haiqiang Liu

DOI: https://doi.org/10.3390/electronics12173580

IF: 2.9

2023-08-25

Electronics

Abstract:Log anomaly detection is crucial for computer systems. By analyzing and processing the logs generated by a system, abnormal events or potential problems in the system can be identified, which is helpful for its stability and reliability. At present, due to the expansion of the scale and complexity of software systems, the amount of log data grows enormously, and traditional detection methods have been unable to detect system anomalies in time. Therefore, it is important to design log anomaly detection methods with high accuracy and strong generalization. In this paper, we propose the log anomaly detection method LogADSBERT, which is based on Sentence-BERT. This method adopts the Sentence-BERT model to extract the semantic behavior characteristics of log events and implements anomaly detection through the bidirectional recurrent neural network, Bi-LSTM. Experiments on the open log data set show that the accuracy of LogADSBERT is better than that of the existing log anomaly detection methods. Moreover, LogADSBERT is robust even under the scenario of new log event injections.

engineering, electrical & electronic,computer science, information systems,physics, applied

Shayan Hashemi,Mika Mäntylä

DOI: https://doi.org/10.48550/arXiv.2104.07324

2021-04-15

Software Engineering

Abstract:In recent years, with the growth of online services and IoT devices, software log anomaly detection has become a significant concern for both academia and industry. However, at the time of writing this paper, almost all contributions to the log anomaly detection task, follow the same traditional architecture based on parsing, vectorizing, and classifying. This paper proposes OneLog, a new approach that uses a large deep model based on instead of multiple small components. OneLog utilizes a character-based convolutional neural network (CNN) originating from traditional NLP tasks. This allows the model to take advantage of multiple datasets at once and take advantage of numbers and punctuations, which were removed in previous architectures. We evaluate OneLog using four open data sets Hadoop Distributed File System (HDFS), BlueGene/L (BGL), Hadoop, and OpenStack. We evaluate our model with single and multi-project datasets. Additionally, we evaluate robustness with synthetically evolved datasets and ahead-of-time anomaly detection test that indicates capabilities to predict anomalies before occurring. To the best of our knowledge, our multi-project model outperforms state-of-the-art methods in HDFS, Hadoop, and BGL datasets, respectively setting getting F1 scores of 99.99, 99.99, and 99.98. However, OneLog's performance on the Openstack is unsatisfying with F1 score of only 21.18. Furthermore, Onelogs performance suffers very little from noise showing F1 scores of 99.95, 99.92, and 99.98 in HDFS, Hadoop, and BGL.

Xinqiang Li,Weina Niu,Xiaosong Zhang,Runzi Zhang,Zhenqi Yu,Zimu Li

DOI: https://doi.org/10.1109/cecit53797.2021.00121

2021-01-01

Abstract:In recent years, with the increase in the scale and complexity of system software, how to effectively capture, analyze and locate the abnormal behavior generated during system operation has increasingly become a recognized problem in the software testing field. Traditional white-box-based anomaly detection methods need to provide system source code and cannot effectively detect abnormal behaviors that occur when the program is running. Black-box-based anomaly detection methods rely on test cases and have low code coverage. Anomaly detection based on the logs generated during system operation can alleviate the abovementioned problems. However, the existing system log-based abnormality detection method mainly extracts log template characteristics, and cannot effectively determine the logical and temporal abnormalities related to the log. Therefore, in order to detect anomalies in the log sequence more comprehensively, this paper proposes an anomaly detection method based on BiLSTM. This method combines the semantic and temporal characteristics of the log for modeling. In terms of semantics, the Bert natural language processing model is used to extract the contextual semantic information of the logs; in terms of time, the log time interval characteristics are extracted based on the three potential relationships of the logs. In addition, the proposed method also adds an attention mechanism to balance feature weights. Finally, we evaluate our method in experiments on two real datasets, HDFS and OpenStack. The experimental results show that our method has a great improvement in accuracy and recall.

Yifei Lin,Hanqiu Deng,Xingyu Li

2024-04-13

Abstract:Nowadays large computers extensively output logs to record the runtime status and it has become crucial to identify any suspicious or malicious activities from the information provided by the realtime logs. Thus, fast log anomaly detection is a necessary task to be implemented for automating the infeasible manual detection. Most of the existing unsupervised methods are trained only on normal log data, but they usually require either additional abnormal data for hyperparameter selection or auxiliary datasets for discriminative model optimization. In this paper, aiming for a highly effective discriminative model that enables rapid anomaly detection,we propose FastLogAD, a generator-discriminator framework trained to exhibit the capability of generating pseudo-abnormal logs through the Mask-Guided Anomaly Generation (MGAG) model and efficiently identifying the anomalous logs via the Discriminative Abnormality Separation (DAS) model. Particularly, pseudo-abnormal logs are generated by replacing randomly masked tokens in a normal sequence with unlikely candidates. During the discriminative stage, FastLogAD learns a distinct separation between normal and pseudoabnormal samples based on their embedding norms, allowing the selection of a threshold without exposure to any test data and achieving competitive performance. Extensive experiments on several common benchmarks show that our proposed FastLogAD outperforms existing anomaly detection approaches. Furthermore, compared to previous methods, FastLogAD achieves at least x10 speed increase in anomaly detection over prior work. Our implementation is available at

Machine Learning

Chao Wang,Jing Zhang,Dongjiang Li,Liang Chang,Feng Lin,Xianbo Zhang

DOI: https://doi.org/10.1109/ICCT56141.2022.10072770

2022-11-11

Abstract:System logs are widely used by engineers to record runtime status in the information technology (IT) field. The sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. Conventional manual log anomaly detection suffers high costs and unsustainable development. Thus, automatic methods based on Natural Language Processing (NLP) technology are proposed to improve the accuracy and efficiency of log anomaly detection. In this paper, we propose a new log anomaly detection model, named LogPS. LogPS utilizes the Part-of-Speech (PoS) technique to extract semantic information from log messages. By allocating the learned PoS-based weights to different tokens in a log template, LogPS can improve the representation quality of the log template vector. In the final anomaly detection stage, we treat a system log as a natural language sequence and build a Bidirectional Long Short-Term Memory (BiLSTM) neural network as the LogPS detection model. Therefore, LogPS can capture sufficient and contextual information from input log sequences from the forward pass and the backward pass. And LogPS can automatically learn log patterns and detect anomalies. The effectiveness of our model is tested on three datasets and is compared with other state-of-the-art models. The experimental results show that, compared with other log anomaly detection methods, the proposed LogPS performs well.

Computer Science