Junchi Xing,Chunming Wu

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162940

2020-01-01

Abstract:The widely used encryption of network traffic poses a great challenge to anomaly detection. Currently, the supervised and semi-supervised solutions suffer from the problems of noisy label of data, non-stationary traffic distribution, and huge resource consumption for offline training. To address this, in this paper, we present an unsupervised, robust, and online anomaly detection method for encrypted traffic by using deep dictionary learning, called D2LAD. D2LAD offers the potential to extract sequential features from raw encrypted traffic data with the help of an LSTM-based autoencoder. Then, according to the sequential features, D2LAD is able to explore the hidden normal patterns by iterative deep dictionary learning. Eventually, D2LAD can obtain the anomaly score of raw data by calculating its relevance to the deep dictionary. We implement a prototype of D2LAD and evaluate its effectiveness and performance by experiments using realistic datasets. The experimental results show that our method achieves high accuracy and low resource usage, and outperforms the representative state-of-the-art methods in real-world settings.

Yachao Yuan,Yu Huang,Yali Yuan,Jin Wang

2024-10-30

Abstract:The proliferation of the Internet of Things (IoT) has heightened the vulnerability to cyber threats, making it imperative to develop Anomaly Detection Systems (ADSs) capable of adapting to emerging or novel attacks. Prior research has predominantly concentrated on offline unsupervised learning techniques to protect ADSs, which are impractical for real-world applications. Furthermore, these studies often rely heavily on the assumption of known legitimate behaviors and fall short of meeting the interpretability requirements in security contexts, thereby hindering their practical adoption. In response, this paper introduces Adaptive NAD, a comprehensive framework aimed at enhancing and interpreting online unsupervised anomaly detection within security domains. We propose an interpretable two-layer anomaly detection approach that generates dependable, high-confidence pseudo-labels. Subsequently, we incorporate an online learning mechanism that updates Adaptive NAD using an innovative threshold adjustment method to accommodate new threats. Experimental findings reveal that Adaptive NAD surpasses state-of-the-art solutions by achieving improvements of over 5.4% and 23.0% in SPAUC on the CIC-Darknet2020 and CIC-DoHBrw-2020 datasets, respectively. The code for Adaptive NAD is publicly available at <a class="link-external link-https" href="https://github.com/MyLearnCodeSpace/Adaptive-NAD" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Signal Processing

Yifei Lin,Hanqiu Deng,Xingyu Li

2024-04-13

Abstract:Nowadays large computers extensively output logs to record the runtime status and it has become crucial to identify any suspicious or malicious activities from the information provided by the realtime logs. Thus, fast log anomaly detection is a necessary task to be implemented for automating the infeasible manual detection. Most of the existing unsupervised methods are trained only on normal log data, but they usually require either additional abnormal data for hyperparameter selection or auxiliary datasets for discriminative model optimization. In this paper, aiming for a highly effective discriminative model that enables rapid anomaly detection,we propose FastLogAD, a generator-discriminator framework trained to exhibit the capability of generating pseudo-abnormal logs through the Mask-Guided Anomaly Generation (MGAG) model and efficiently identifying the anomalous logs via the Discriminative Abnormality Separation (DAS) model. Particularly, pseudo-abnormal logs are generated by replacing randomly masked tokens in a normal sequence with unlikely candidates. During the discriminative stage, FastLogAD learns a distinct separation between normal and pseudoabnormal samples based on their embedding norms, allowing the selection of a threshold without exposure to any test data and achieving competitive performance. Extensive experiments on several common benchmarks show that our proposed FastLogAD outperforms existing anomaly detection approaches. Furthermore, compared to previous methods, FastLogAD achieves at least x10 speed increase in anomaly detection over prior work. Our implementation is available at

Machine Learning

Zhiwei Yang,Peng Wu,Jing Liu,Xiaotao Liu

DOI: https://doi.org/10.48550/arXiv.2207.10948

2022-07-22

Abstract:Existing methods for anomaly detection based on memory-augmented autoencoder (AE) have the following drawbacks: (1) Establishing a memory bank requires additional memory space. (2) The fixed number of prototypes from subjective assumptions ignores the data feature differences and diversity. To overcome these drawbacks, we introduce DLAN-AC, a Dynamic Local Aggregation Network with Adaptive Clusterer, for anomaly detection. First, The proposed DLAN can automatically learn and aggregate high-level features from the AE to obtain more representative prototypes, while freeing up extra memory space. Second, The proposed AC can adaptively cluster video data to derive initial prototypes with prior information. In addition, we also propose a dynamic redundant clustering strategy (DRCS) to enable DLAN for automatically eliminating feature clusters that do not contribute to the construction of prototypes. Extensive experiments on benchmarks demonstrate that DLAN-AC outperforms most existing methods, validating the effectiveness of our method. Our code is publicly available at <a class="link-external link-https" href="https://github.com/Beyond-Zw/DLAN-AC" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Lukas Schynol,Marius Pesavento

2024-09-18

Abstract:Anomaly detection (AD) is increasingly recognized as a key component for ensuring the resilience of future communication systems. While deep learning has shown state-of-the-art AD performance, its application in critical systems is hindered by concerns regarding training data efficiency, domain adaptation and interpretability. This work considers AD in network flows using incomplete measurements, leveraging a robust tensor decomposition approach and deep unrolling techniques to address these challenges. We first propose a novel block-successive convex approximation algorithm based on a regularized model-fitting objective where the normal flows are modeled as low-rank tensors and anomalies as sparse. An augmentation of the objective is introduced to decrease the computational cost. We apply deep unrolling to derive a novel deep network architecture based on our proposed algorithm, treating the regularization parameters as learnable weights. Inspired by Bayesian approaches, we extend the model architecture to perform online adaptation to per-flow and per-time-step statistics, improving AD performance while maintaining a low parameter count and preserving the problem's permutation equivariances. To optimize the deep network weights for detection performance, we employ a homotopy optimization approach based on an efficient approximation of the area under the receiver operating characteristic curve. Extensive experiments on synthetic and real-world data demonstrate that our proposed deep network architecture exhibits a high training data efficiency, outperforms reference methods, and adapts seamlessly to varying network topologies.

Machine Learning,Signal Processing

Chao Chen,Dawei Wang,Feng Mao,Jiacheng Xu,Zongzhang Zhang,Yang Yu

DOI: https://doi.org/10.5555/3635637.3662879

2024-01-01

Abstract:Anomaly detection (AD) holds substantial practical value, and considering the limited labeled data, the semi-supervised anomaly detection technique has garnered increasing attention. We find that previous methods suffer from insufficient exploitation of labeled data and under-exploration of unlabeled data. To tackle the above problem, we aim to search for possible anomalies in unlabeled data and use the searched anomalies to enhance performance. We innovatively model this search process as a Markov decision process and utilize a reinforcement learning algorithm to solve it. Our method, Deep Anomaly Detection and Search (DADS), integrates the exploration of unlabeled data and the exploitation of labeled data into one framework. Experimentally, we compare DADS with several state-of-the-art methods in widely used benchmarks, and the results show that DADS can efficiently search anomalies from unlabeled data and learn from them, thus achieving good performance. Code: https://github.com/LAMDA-RL/DADS

Jiyu Tian,Mingchu Li,Zumin Wang,Liming Chen,Jing Qin,Runfa Zhang

2024-10-22

Abstract:Log anomaly detection (LAD) is essential to ensure safe and stable operation of software systems. Although current LAD methods exhibit significant potential in addressing challenges posed by unstable log events and temporal sequence patterns, their limitations in detection efficiency and generalization ability present a formidable challenge when dealing with evolving systems. To construct a real-time and reliable online log anomaly detection model, we propose OMLog, a semi-supervised online meta-learning method, to effectively tackle the distribution shift issue caused by changes in log event types and frequencies. Specifically, we introduce a maximum mean discrepancy-based distribution shift detection method to identify distribution changes in unseen log sequences. Depending on the identified distribution gap, the method can automatically trigger online fine-grained detection or offline fast inference. Furthermore, we design an online learning mechanism based on meta-learning, which can effectively learn the highly repetitive patterns of log sequences in the feature space, thereby enhancing the generalization ability of the model to evolving data. Extensive experiments conducted on two publicly available log datasets, HDFS and BGL, validate the effectiveness of the OMLog approach. When trained using only normal log sequences, the proposed approach achieves the F1-Score of 93.7\% and 64.9\%, respectively, surpassing the performance of the state-of-the-art (SOTA) LAD methods and demonstrating superior detection efficiency.

Software Engineering,Cryptography and Security

Haitian Yang,Degang Sun,Wen Liu,Yanshu Li,Yan Wang,Weiqing Huang

DOI: https://doi.org/10.48550/arXiv.2402.11841

2024-02-19

Abstract:Logs are widely used in the development and maintenance of software systems. Logs can help engineers understand the runtime behavior of systems and diagnose system failures. For anomaly diagnosis, existing methods generally use log event data extracted from historical logs to build diagnostic models. However, we find that existing methods do not make full use of two types of features, (1) statistical features: some inherent statistical features in log data, such as word frequency and abnormal label distribution, are not well exploited. Compared with log raw data, statistical features are deterministic and naturally compatible with corresponding tasks. (2) semantic features: Logs contain the execution logic behind software systems, thus log statements share deep semantic relationships. How to effectively combine statistical features and semantic features in log data to improve the performance of log anomaly diagnosis is the key point of this paper. In this paper, we propose an adaptive semantic gate networks (ASGNet) that combines statistical features and semantic features to selectively use statistical features to consolidate log text semantic representation. Specifically, ASGNet encodes statistical features via a variational encoding module and fuses useful information through a well-designed adaptive semantic threshold mechanism. The threshold mechanism introduces the information flow into the classifier based on the confidence of the semantic features in the decision, which is conducive to training a robust classifier and can solve the overfitting problem caused by the use of statistical features. The experimental results on the real data set show that our method proposed is superior to all baseline methods in terms of various performance indicators.

Software Engineering

Jingxi Liang,Wen Zhao,Wei Ye

DOI: https://doi.org/10.1145/3171592.3171594

2017-01-01

Abstract:As the era of cloud technology arises, more and more people are beginning to migrate their applications and personal data to the cloud. This makes web-based applications an attractive target for cyber-attacks. As a result, web-based applications now need more protections than ever. However, current anomaly-based web attack detection approaches face the difficulties like unsatisfying accuracy and lack of generalization. And the rule-based web attack detection can hardly fight unknown attacks and is relatively easy to bypass. Therefore, we propose a novel deep learning approach to detect anomalous requests. Our approach is to first train two Recurrent Neural Networks (RNNs) with the complicated recurrent unit (LSTM unit or GRU unit) to learn the normal request patterns using only normal requests unsupervisedly and then supervisedly train a neural network classifier which takes the output of RNNs as the input to discriminate between anomalous and normal requests. We tested our model on two datasets and the results showed that our model was competitive with the state-of-the-art. Our approach frees us from feature selection. Also to the best of our knowledge, this is the first time that the RNN is applied on anomaly-based web attack detection systems.

Huaqian Cai,Chiming Duan,Ying Li,Tong Jia,Gang Huang

DOI: https://doi.org/10.1109/ISSRE59848.2023.00068

2023-10-09

Abstract:Log-based anomaly detection is becoming more and more important for maintaining the availability of modern microservice systems. Existing supervised/semi-supervised log anomaly detection models require a large amount of human-labeled logs for training which are hard to collect in real-world systems. Unsupervised models often perform poorly without explicit anomaly labels. To improve the performance of unsupervised models, in this paper, we first make an empirical study of existing unsupervised models to tackle the reason why they often produce unsatisfied results. We find that anomaly detection results produced by existing unsupervised models are significantly affected by two key problems including Not-Cover (NC) problem and Suspicious-Noise (SN) problem. To solve these problems, we propose a novel augmentation framework called AFALog. AFALog leverages the idea of active learning to incorporate human knowledge so as to augment data quality. It can support almost all existing unsupervised models and improve their performance. Our experiments on two open datasets and one dataset collected from a real-world microservice system demonstrate that DALog improves the F1-score by an average of 6.61%, with only 5.9% labeled training data.

Computer Science

Aiguo Chen,Yang Fu,Xu Zheng,Guoming Lu

DOI: https://doi.org/10.1016/j.cose.2021.102600

2022-03-01

Abstract:The Internet environment is exposed to diverse and increasingly numerous intrusion attacks due to its continuously expanding scale, threatening the information and assets of individuals and companies. The application of machine learning and deep learning methods has significantly improved the performance of network behavior anomaly detection (NBAD). However, existing NBAD methods based on machine learning classify network behaviors with hand-selected feature vectors, which are not flexible enough to adapt to various cyber environments and new categories of attacks, resulting in low accuracy. Moreover, high-dimensional and large-scale data have significantly increased the training, retraining, and detection time, resulting in low scalability. To solve these problems, an efficient NBAD algorithm based on deep belief networks (DBN) and long short-term memory (LSTM) networks is proposed. First, a nonlinear feature extraction method using a DBN is applied to extract features automatically and reduce the dimension of the original data while guaranteeing accuracy. Then, a light-structure LSTM network is used to obtain the classification results. The results of multiple experiments show that the proposed approach performs well in feature learning and has high accuracy while obtaining results in a timely manner and easily updating the model.

computer science, information systems

Zhi-Quan Qin,Xing-Kong Ma,Yong-Jun Wang

DOI: https://doi.org/10.1016/j.cose.2020.102070

2020-12-01

Abstract:<p>Detecting anomalous discrete sequences such as payloads and syscall traces is a crucial task of network security analysis for discovering novel attacks. The data characteristics that lack of labels, very long sequences and irregularly variable lengths make generating proper representations for the sequences for anomaly detection quite challenging. Traditional methods combining shallow models with feature engineering require lots of time and effort from researchers. And they only catch short patterns for the sequences. Recently deep learning is paid more and more attention due to its excellent performance on data representation. Current works simply adopt recurrent neural network based models to this task. They learn the local patterns of the sequences but can not view the sequences globally. Besides, the variable length makes the deep models that accept fixed-size inputs unavailable. Moreover, the deep models usually lack interpretability. Here an unsupervised deep learning framework utilizing attention mechanism called ADSAD is proposed to address these issues. ADSAD takes both the data characteristics and the limitation of the deep models into consideration and generate the global representations for the sequences by two steps, in which the attention mechanism is applied to improve the interpretability. The empirical results showed that the ADSAD instances significantly outperformed the state-of-the-art deep models, with the relative AUC improvement of up to 7%. The attention mechanism not only enhanced the detection performance by up to 73% in terms of AUC but was also able to assist experts for anomaly analysis by visualization.</p>

computer science, information systems

Mukhtar Ahmed,Jinfu Chen,Ernest Akpaku,Rexford Nii Ayitey Sosu,Ajmal Latif

DOI: https://doi.org/10.1145/3690637

IF: 2.717

2024-08-29

ACM Transactions on Privacy and Security

Abstract:With the rapid advancements in internet technology, the complexity and sophistication of network traffic attacks are increasing, making it challenging for traditional anomaly detection systems to analyze and detect malicious network attacks. The increasing advancedness of cyber threats calls for innovative approaches to identify malicious patterns within network traffic precisely. The primary issue lies in the fact that these approaches do not focus on the essential adaptive features of network traffic. We proposed an effective anomaly detection system for malicious network traffic attacks called the Deep Ensemble Learning Model (DELM). We leverage the structure of the Feedforward Deep Neural Network (FDNN), and Deep Belief Network (DBN), incorporating multiple hidden layers with non-linear activation functions. Integrating Adaptive Feature Aggregation (AFA) with the FDNN algorithm dynamically adjusts the feature aggregation process based on incoming traffic characteristics to improve adaptability. The Conditional Generative Network was employed to enhance DELM for generating data for minority classes. To improve the model’s accuracy, we applied batch normalization and data augmentation techniques for preprocessing, utilized n-gram, one-hot encoding, and feature aggregation methods for effective feature extraction. This study significantly contributes to network security by enhancing systems for detecting malicious network traffic. With its interpretability and adaptability, our proposed model shows promise in addressing the evolving cyber threat and fortifying critical network infrastructure. The experimental results demonstrate that our model performs with higher stability than the existing state-of-the-art detection approaches, as reflected by its higher accuracy, precision, recall, f1 score, and AUC-ROC.

computer science, information systems

Pengfei Han,Huakang Li,Gang Xue,Chao Zhang

DOI: https://doi.org/10.1111/coin.12573

2023-04-23

Computational Intelligence

Abstract:Anomaly detection is a key step in ensuring the security and reliability of large‐scale distributed systems. Analyzing system logs through artificial intelligence methods can quickly detect anomalies and thus help maintenance personnel to maintain system security. Most of the current works only focus on the temporal or spatial features of distributed system logs, and they cannot sufficiently extract the global features of distributed system logs to achieve a good correct rate of anomaly detection. To further address the shortcomings of existing methods, this paper proposes a deep learning model with global spatiotemporal features to detect the presence of anomalies in distributed system logs. First, we extract semi‐structured log events from log templates and model them as natural language. In addition, we focus on the temporal characteristics of logs using the bidirectional long short‐term memory network and the spatial invocation characteristics of logs using the Transformer. Extensive experimental evaluations show the advantages of our proposed model for distributed system log anomaly detection tasks. The optimal F1‐Score on three open‐source datasets and our own collected distributed system datasets reach 98.04%, 94.34%, 88.16%, and 97.40%, respectively.

computer science, artificial intelligence

Shuzhan Wang,Ruxue Jiang,Zhaoqi Wang,Yan Zhou

2024-09-14

Abstract:Computer network anomaly detection and log analysis, as an important topic in the field of network security, has been a key task to ensure network security and system reliability. First, existing network anomaly detection and log analysis methods are often challenged by high-dimensional data and complex network topologies, resulting in unstable performance and high false-positive rates. In addition, traditional methods are usually difficult to handle time-series data, which is crucial for anomaly detection and log analysis. Therefore, we need a more efficient and accurate method to cope with these problems. To compensate for the shortcomings of current methods, we propose an innovative fusion model that integrates Isolation Forest, GAN (Generative Adversarial Network), and Transformer with each other, and each of them plays a unique role. Isolation Forest is used to quickly identify anomalous data points, and GAN is used to generate synthetic data with the real data distribution characteristics to augment the training dataset, while the Transformer is used for modeling and context extraction on time series data. The synergy of these three components makes our model more accurate and robust in anomaly detection and log analysis tasks. We validate the effectiveness of this fusion model in an extensive experimental evaluation. Experimental results show that our model significantly improves the accuracy of anomaly detection while reducing the false alarm rate, which helps to detect potential network problems in advance. The model also performs well in the log analysis task and is able to quickly identify anomalous behaviors, which helps to improve the stability of the system. The significance of this study is that it introduces advanced deep learning techniques, which work anomaly detection and log analysis.

Machine Learning,Cryptography and Security

Xue Yang,Enda Howley,Micheal Schukat

2023-12-04

Abstract:The complexity and scale of IT systems are increasing dramatically, posing many challenges to real-world anomaly detection. Deep learning anomaly detection has emerged, aiming at feature learning and anomaly scoring, which has gained tremendous success. However, little work has been done on the thresholding problem despite it being a critical factor for the effectiveness of anomaly detection. In this paper, we model thresholding in anomaly detection as a Markov Decision Process and propose an agent-based dynamic thresholding (ADT) framework based on a deep Q-network. The proposed method can be integrated into many systems that require dynamic thresholding. An auto-encoder is utilized in this study to obtain feature representations and produce anomaly scores for complex input data. ADT can adjust thresholds adaptively by utilizing the anomaly scores from the auto-encoder and significantly improve anomaly detection performance. The properties of ADT are studied through experiments on three real-world datasets and compared with benchmarks, hence demonstrating its thresholding capability, data-efficient learning, stability, and robustness. Our study validates the effectiveness of reinforcement learning in optimal thresholding control in anomaly detection.

Machine Learning,Artificial Intelligence

Beibei Li,Shang Ma,Ruilong Deng,Kim-Kwang Raymond Choo,Jin Yang

DOI: https://doi.org/10.1109/tnsm.2022.3152620

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Runtime log-based anomaly detection is one of several key building blocks in ensuring system security, as well as post-incident forensic investigations. However, existing log-based anomaly detection approaches that are implemented on large-scale Internet of Things (IoT) systems generally upload local data from edge devices to a centralized (cloud) server for processing and analysis. Such a workflow incurs significant communication and computation overheads, with potential privacy implications. Hence, in this paper, we propose a customizable and communication-efficient federated anomaly detection scheme (hereafter referred to as FedLog), designed to facilitate the identification of abnormal log patterns in large-scale IoT systems. Specifically, we first craft a Temporal Convolutional Network-Attention Mechanism-based Convolutional Neural Network (TCN-ACNN) model, to effectively extract fine-grained features from system logs. Second, we develop a new federated learning framework to support IoT devices in establishing a comprehensive anomaly detection model in a collaborative and privacy-preserving manner. Third, a lottery ticket hypothesis based masking strategy is designed to achieve customizable and communication-efficient federated learning in handling non-Independent and Identically Distributed (non-IID) log datasets. We then evaluate the performance of our proposed scheme with those of DeepLog (published in CCS, 2017) and Loganomaly (published in IJCAI, 2019) in both centralized learning and federated learning settings, using two publicly available and widely used real-world datasets (i.e., HDFS and BGL). The findings demonstrate the utility of the proposed FedLog scheme, in terms of log-based anomaly detection.

computer science, information systems

Zhijun Zhao,Chen Xu,Bo Li

DOI: https://doi.org/10.1007/s11265-021-01644-4

2021-02-05

Journal of Signal Processing Systems

Abstract:Abstract Security devices produce huge number of logs which are far beyond the processing speed of human beings. This paper introduces an unsupervised approach to detecting anomalous behavior in large scale security logs. We propose a novel feature extracting mechanism and could precisely characterize the features of malicious behaviors. We design a LSTM-based anomaly detection approach and could successfully identify attacks on two widely-used datasets. Our approach outperforms three popular anomaly detection algorithms, one-class SVM, GMM and Principal Components Analysis, in terms of accuracy and efficiency.

Ming-Chang Lee,Jia-Chun Lin,Ernst Gunnar Gran

DOI: https://doi.org/10.48550/arXiv.2104.09968

2021-05-04

Abstract:Real-world time series data often present recurrent or repetitive patterns and it is often generated in real time, such as transportation passenger volume, network traffic, system resource consumption, energy usage, and human gait. Detecting anomalous events based on machine learning approaches in such time series data has been an active research topic in many different areas. However, most machine learning approaches require labeled datasets, offline training, and may suffer from high computation complexity, consequently hindering their applicability. Providing a lightweight self-adaptive approach that does not need offline training in advance and meanwhile is able to detect anomalies in real time could be highly beneficial. Such an approach could be immediately applied and deployed on any commodity machine to provide timely anomaly alerts. To facilitate such an approach, this paper introduces SALAD, which is a Self-Adaptive Lightweight Anomaly Detection approach based on a special type of recurrent neural networks called Long Short-Term Memory (LSTM). Instead of using offline training, SALAD converts a target time series into a series of average absolute relative error (AARE) values on the fly and predicts an AARE value for every upcoming data point based on short-term historical AARE values. If the difference between a calculated AARE value and its corresponding forecast AARE value is higher than a self-adaptive detection threshold, the corresponding data point is considered anomalous. Otherwise, the data point is considered normal. Experiments based on two real-world open-source time series datasets demonstrate that SALAD outperforms five other state-of-the-art anomaly detection approaches in terms of detection accuracy. In addition, the results also show that SALAD is lightweight and can be deployed on a commodity machine.

Machine Learning

Hailong Li,Xiao Peng,Di Wang,Siyao An,Chentao Zhang,Weining Shi

DOI: https://doi.org/10.1142/s0129156424401165

2024-09-20

International Journal of High Speed Electronics and Systems

Abstract:International Journal of High Speed Electronics and Systems, Ahead of Print. In recent years, with the increasing complexity of software systems, logs have become crucial for system maintenance. Log-based anomaly detection plays a vital role in automatically detecting system anomalies through log analysis. However, current log-based anomaly detection approaches encounter significant practical challenges. Supervised methods often require a large amount of manually labeled training data, which can be time-consuming and costly to obtain. On the other hand, unsupervised and semi-supervised approaches may suffer from subpar performance, as they do not leverage historical anomalies to improve their detection capabilities. These challenges underscore the necessity for the development of more efficient and effective log-based anomaly detection methods. Database anomaly access detection is critical for ensuring the stability and security of database systems. We present a survey of existing log anomaly detection models and propose a novel approach, Template-Parsed Log Anomaly Detection (TPLAD) model, for automated anomaly detection in massive database log files. The proposed model combines the original log template with template parsing using code and text semantic representation. Experimental results demonstrate the effectiveness of the proposed approach in detecting abnormal database access patterns, including runtime errors, unauthorized access, and data leaks. The findings indicate that TPLAD model shows promise in enhancing database security and stability in business systems.