Xiaoqing Zhao,Zhongyuan Jiang,Jianfeng Ma

DOI: https://doi.org/10.1109/IJCNN55064.2022.9892726

2022-01-01

Abstract:The modern system is becoming more and more complex in scale and structure. Mastering the operation status is crucial to ensure the stable and reliable operation of the system. Log anomaly detection is the critical means of system state monitoring and anomaly response. However, the characteristics of complex log data structure, large amount of data and hidden abnormal behavior patterns bring new challenges to efficient and automated log anomaly detection. This paper summarized the basic framework of log anomaly detection, including log collection and filtering, log parsing, feature extraction and anomaly detection. We have reviewed the relevant technologies and methods involved in each link. In particular, various deep learning detection models in recent years are analyzed, such as the use of recurrent neural network and convolutional neural network to capture the context information of log sequences, the use of generative adversarial network to make up for the deficiency of abnormal data, and the training of federated learning between different systems. We hope that our work can help beginners understand log anomaly detection and relevant experts keep abreast of the latest research trends.

Zhuangbin Chen,Jinyang Liu,Wenwei Gu,Yuxin Su,Michael R. Lyu

DOI: https://doi.org/10.48550/arXiv.2107.05908

2021-07-13

Software Engineering

Abstract:Logs have been an imperative resource to ensure the reliability and continuity of many software systems, especially large-scale distributed systems. They faithfully record runtime information to facilitate system troubleshooting and behavior understanding. Due to the large scale and complexity of modern software systems, the volume of logs has reached an unprecedented level. Consequently, for log-based anomaly detection, conventional manual inspection methods or even traditional machine learning-based methods become impractical, which serve as a catalyst for the rapid development of deep learning-based solutions. However, there is currently a lack of rigorous comparison among the representative log-based anomaly detectors that resort to neural networks. Moreover, the re-implementation process demands non-trivial efforts, and bias can be easily introduced. To better understand the characteristics of different anomaly detectors, in this paper, we provide a comprehensive review and evaluation of five popular neural networks used by six state-of-the-art methods. Particularly, four of the selected methods are unsupervised, and the remaining two are supervised. These methods are evaluated with two publicly available log datasets, which contain nearly 16 million log messages and 0.4 million anomaly instances in total. We believe our work can serve as a basis in this field and contribute to future academic research and industrial applications.

Jiechao Cheng,Rui Ren,Lei Wang,Jianfeng Zhan

DOI: https://doi.org/10.48550/arXiv.1710.09052

2017-12-30

Abstract:The increasing popularity of server usage has brought a plenty of anomaly log events, which have threatened a vast collection of machines. Recognizing and categorizing the anomalous events thereby is a much salient work for our systems, especially the ones generate the massive amount of data and harness it for technology value creation and business development. To assist in focusing on the classification and the prediction of anomaly events, and gaining critical insights from system event records, we propose a novel log preprocessing method which is very effective to filter abundant information and retain critical characteristics. Additionally, a competitive approach for automated classification of anomalous events detected from the distributed system logs with the state-of-the-art deep (Convolutional Neural Network) architectures is proposed in this paper. We measure a series of deep CNN algorithms with varied hyper-parameter combinations by using standard evaluation metrics, the results of our study reveals the advantages and potential capabilities of the proposed deep CNN models for anomaly event classification tasks on real-world systems. The optimal classification precision of our approach is 98.14%, which surpasses the popular traditional machine learning methods.

Distributed, Parallel, and Cluster Computing,Machine Learning

Lanlan Xi,Yang Xin,Shoushan Luo,Yanlei Shang,Qifeng Tang

DOI: https://doi.org/10.1109/ccai50917.2021.9447458

2021-01-01

Abstract:In order to realize Intelligent Disaster Recovery and break the traditional reactive backup mode, it is necessary to forecast the potential system anomalies, and proactively backup the real-time datas and configurations. System logs record the running status as well as the critical events (including errors and warnings), which can help to detect system performance, debug system faults and analyze the causes of anomalies. What's more, with the features of real-time, hierarchies and easy-access, log data can be an ideal source for monitoring system status. To reduce the complexity and improve the robustness and practicability of existing log-based anomaly detection methods, we propose a new anomaly detection mechanism based on hierarchical weights, which can deal with unstable log data. We firstly extract semantic information of log strings, and get the word-level weights by SIF algorithm to embed log strings into vectors, which are then feed into attention-based Long Short-Term Memory(LSTM) deep learning network model. In addition to get sentence-level weight which can be used to explore the interdependence between different log sequences and improve the accuracy, we utilize attention weights to help with building workflow to diagnose the abnormal points in the execution of a specific task. Our experimental results show that the hierarchical weights mechanism can effectively improve accuracy of perdition task and reduce complexity of the model, which provides the feasibility foundation support for Intelligent Disaster Recovery.

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Van-Hoang Le,Hongyu Zhang

DOI: https://doi.org/10.48550/arXiv.2202.04301

2022-02-09

Software Engineering

Abstract:Software-intensive systems produce logs for troubleshooting purposes. Recently, many deep learning models have been proposed to automatically detect system anomalies based on log data. These models typically claim very high detection accuracy. For example, most models report an F-measure greater than 0.9 on the commonly-used HDFS dataset. To achieve a profound understanding of how far we are from solving the problem of log-based anomaly detection, in this paper, we conduct an in-depth analysis of five state-of-the-art deep learning-based models for detecting system anomalies on four public log datasets. Our experiments focus on several aspects of model evaluation, including training data selection, data grouping, class distribution, data noise, and early detection ability. Our results point out that all these aspects have significant impact on the evaluation, and that all the studied models do not always work well. The problem of log-based anomaly detection has not been solved yet. Based on our findings, we also suggest possible future work.

Shuzhan Wang,Ruxue Jiang,Zhaoqi Wang,Yan Zhou

2024-09-14

Abstract:Computer network anomaly detection and log analysis, as an important topic in the field of network security, has been a key task to ensure network security and system reliability. First, existing network anomaly detection and log analysis methods are often challenged by high-dimensional data and complex network topologies, resulting in unstable performance and high false-positive rates. In addition, traditional methods are usually difficult to handle time-series data, which is crucial for anomaly detection and log analysis. Therefore, we need a more efficient and accurate method to cope with these problems. To compensate for the shortcomings of current methods, we propose an innovative fusion model that integrates Isolation Forest, GAN (Generative Adversarial Network), and Transformer with each other, and each of them plays a unique role. Isolation Forest is used to quickly identify anomalous data points, and GAN is used to generate synthetic data with the real data distribution characteristics to augment the training dataset, while the Transformer is used for modeling and context extraction on time series data. The synergy of these three components makes our model more accurate and robust in anomaly detection and log analysis tasks. We validate the effectiveness of this fusion model in an extensive experimental evaluation. Experimental results show that our model significantly improves the accuracy of anomaly detection while reducing the false alarm rate, which helps to detect potential network problems in advance. The model also performs well in the log analysis task and is able to quickly identify anomalous behaviors, which helps to improve the stability of the system. The significance of this study is that it introduces advanced deep learning techniques, which work anomaly detection and log analysis.

Machine Learning,Cryptography and Security

Weina Niu,Xuhan Liao,Shiping Huang,Yudong Li,Xiaosong Zhang,Beibei Li

DOI: https://doi.org/10.1016/j.asoc.2024.111314

IF: 8.7

2024-01-01

Applied Soft Computing

Abstract:Log-based anomaly detections have shown huge commercial potential in system maintenance. However, existing methods encounter two practical challenges. Firstly, they struggle to maintain consistent performance when dealing with evolving logs over time. Secondly, they face difficulties in effectively detecting frequency anomalies, such as abnormal system resource usage and abnormal system operating frequencies. In this paper, we propose a robust log-based anomaly detection framework using Wide & Deep learning called WDLog. Particularly, we enhance the processing of template semantic information by building upon the Drain algorithm, then we introduce invariant features and statistical features and propose a multi-feature anomaly detection method based on the Wide & Deep framework. The experimental results on HDFS and BGL datasets demonstrate the promising performance of WDLog compared to state-of-the-art methods in terms of anomaly detection effectiveness. Furthermore, WDLog exhibits robustness to evolving logs, achieving F1-scores of over 90% under different degrees of log variation.

Max Landauer,Sebastian Onder,Florian Skopik,Markus Wurzenberger

DOI: https://doi.org/10.1016/j.mlwa.2023.100470

2023-05-15

Abstract:Automatic log file analysis enables early detection of relevant incidents such as system failures. In particular, self-learning anomaly detection techniques capture patterns in log data and subsequently report unexpected log event occurrences to system operators without the need to provide or manually model anomalous scenarios in advance. Recently, an increasing number of approaches leveraging deep learning neural networks for this purpose have been presented. These approaches have demonstrated superior detection performance in comparison to conventional machine learning techniques and simultaneously resolve issues with unstable data formats. However, there exist many different architectures for deep learning and it is non-trivial to encode raw and unstructured log data to be analyzed by neural networks. We therefore carry out a systematic literature review that provides an overview of deployed models, data pre-processing mechanisms, anomaly detection techniques, and evaluations. The survey does not quantitatively compare existing approaches but instead aims to help readers understand relevant aspects of different model architectures and emphasizes open issues for future work.

Machine Learning

Van-Hoang Le,Hongyu Zhang

DOI: https://doi.org/10.1109/ase51524.2021.9678773

2021-11-01

Abstract:Software systems often record important runtime information in system logs for troubleshooting purposes. There have been many studies that use log data to construct machine learning models for detecting system anomalies. Through our empirical study, we find that existing log-based anomaly detection approaches are significantly affected by log parsing errors that are introduced by 1) OOV (out-of-vocabulary) words, and 2) semantic misunderstandings. The log parsing errors could cause the loss of important information for anomaly detection. To address the limitations of existing methods, we propose NeuralLog, a novel log-based anomaly detection approach that does not require log parsing. NeuralLog extracts the semantic meaning of raw log messages and represents them as semantic vectors. These representation vectors are then used to detect anomalies through a Transformer-based classification model, which can capture the contextual information from log sequences. Our experimental results show that the proposed approach can effectively understand the semantic meaning of log messages and achieve accurate anomaly detection results. Overall, NeuralLog achieves F1-scores greater than 0.95 on four public datasets, outperforming the existing approaches.

Peng Xu,Qihong Gao,Zhongbao Zhang,Kai Zhao

DOI: https://doi.org/10.1016/j.eswa.2023.121675

IF: 8.5

2023-09-27

Expert Systems with Applications

Abstract:Anomaly detection is vital in complex distributed systems. However, existing methods did not take into full account the temporal and spatial characteristics of data from multiple sources in the system. That will lead to less accurate of anomaly detection. To address this limitation, in this paper we propose a multi-source data based anomaly detection method through temporal and spatial characteristics. Specifically, we first considered the spatial characteristics. We propose a Transformer encoder to parse log templates and output template vectors, then an attention-based CNN is introduced to obtain the spatial characteristics from traces. Next, we considered the temporal characteristics. We propose Bi-LSTM network to obtain the temporal characteristics of multi-source data of the distributed systems, followed by anomaly detection. Finally, extensive comparative experiments verify the effectiveness of our method, the F1-score reaches 0.859 and improves by 2.14% compared to state-of-the-art methods.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Xuze Xia,Wei Zhang,Jianhui Jiang

DOI: https://doi.org/10.1109/prdc47002.2019.00034

2019-01-01

Abstract:Anomaly detection plays an important role in large-scale distributed systems. System logs are significant source of troubleshooting and problem diagnosis. Most of the existing anomaly detection methods apply only one machine learning model to extract feature from structured logs. However, each machine learning model has different strength towards different target system. It is hard for developers to know which is the best method to their practical problem at hand. This paper proposes two methods for anomaly detection based on the machine learning ensemble models. The first method takes mixture of experts to combine the weighted prediction of ensemble members to generate the final prediction. The second method divides the sample into n parts, then use n models to extracting features. Experimental results demonstrate the validity and accuracy of the proposed methods.

Weibin Meng,Ying Liu,Yichen Zhu,Shenglin Zhang,Dan Pei,Yuqing Liu,Yihao Chen,Ruizhi Zhang,Shimin Tao,Pei Sun,Rong Zhou

DOI: https://doi.org/10.24963/ijcai.2019/658

2019-08-01

Abstract:Recording runtime status via logs is common for almost every computer system, and detecting anomalies in logs is crucial for timely identifying malfunctions of systems. However, manually detecting anomalies for logs is time-consuming, error-prone, and infeasible. Existing automatic log anomaly detection approaches, using indexes rather than semantics of log templates, tend to cause false alarms. In this work, we propose LogAnomaly, a framework to model unstructured a log stream as a natural language sequence. Empowered by template2vec, a novel, simple yet effective method to extract the semantic information hidden in log templates, LogAnomaly can detect both sequential and quantitive log anomalies simultaneously, which were not done by any previous work. Moreover, LogAnomaly can avoid the false alarms caused by the newly appearing log templates between periodic model retrainings. Our evaluation on two public production log datasets show that LogAnomaly outperforms existing log-based anomaly detection methods.

Yahong Han,Feng Lin,Yi Chai,Kaiming Qie,Shuo Li,Yuanyuan Wang,Cheng Zhang,Minyi Guo

2023-01-01

Abstract:To achieve real-time anomaly detection in system logs, this paper presents a distributed processing method for large scale logs based on spark, flume, kafka, zookeeper and so on. The method utilizes Spark Streaming to enable parallel log parsing. Additionally, a novel anomaly detection model is proposed, which integrates multiple log features for improved detection accuracy. Experimental results on the HDFS (Hadoop Log File System) dataset demonstrate the method’s efficiency and effectiveness in processing massive log data.

Dongqing Yu,Xiaowei Hou,Ce Li,Qiujian Lv,Yan Wang,Ning Li

DOI: https://doi.org/10.1109/ic-nidc54101.2021.9660476

2021-01-01

Abstract:System logs record valuable information about the runtime status of IT systems. Therefore, system logs are a naturally excellent source of information for anomaly detection. Most of the existing studies on log-based anomaly detection construct a detection model to identify anomalous logs. Generally, the model treats historical logs as natural language sequences and learns the normal patterns from normal log sequences, and detects deviations from normal patterns as anomalies. However, the majority of existing methods focus on sequential and quantitative information and ignore semantic information hidden in log sequence so that they are inefficient in anomaly detection. In this paper, we propose a novel framework for automatically detecting log anomalies by utilizing an attention-based Bi-LSTM model. To demonstrate the effectiveness of our proposed model, we evaluate the performance on a public production log dataset. Extensive experimental results show that the proposed approach outperforms all comparison methods for anomaly detection.

Tingting Zhang,Markus Falt,Stefan Forsstrom

DOI: https://doi.org/10.1109/icsrs53853.2021.9660694

2021-11-24

Abstract:Modern enterprise IT systems generate large amounts of log data to record system state, potential errors, and performance metrics. Manual analysis of log data is becoming more difficult as these systems become more complex. Therefore, machine learning based anomaly detection of system logs is a vital component for the future of system management. Existing log anomaly detection models commonly rely on learning the general normal behavior of the target systems to accurately detect anomalies. They are however limited by the often sparse existing system knowledge. Therefore, this paper proposes a general anomaly detection method which requires little or no knowledge of the target system. This is done by assuming there are semantic similarities in different systems’ log data. Labeled log data from other systems can then be used for training the anomaly detection model. The model uses self-attention transformers and ensemble learning techniques to learn the semantic representation of normal and abnormal log messages. The proposed method achieves a performance comparable to other log anomaly detection methods while requiring little knowledge of the target system.

Siyang Lu,Xiang Wei,Yandong Li,Liqiang Wang

DOI: https://doi.org/10.1109/DASC/PiCom/DataCom/CyberSciTec.2018.00037

2018-01-01

Abstract:Nowadays, big data systems are being widely adopted by many domains for offering effective data solutions, such as manufacturing, healthcare, education, and media. Big data systems produce tons of unstructured logs that contain buried valuable information. However, it is a daunting task to manually unearth the information and detect system anomalies. A few automatic methods have been developed, where the cutting-edge machine learning technique is one of the most promising ways. In this paper, we propose a novel approach for anomaly detection from big data system logs by leveraging Convolutional Neural Networks (CNN). Different from other existing statistical methods or traditional rule-based machine learning approaches, our CNN-based model can automatically learn event relationships in system logs and detect anomaly with high accuracy. Our deep neural network consists of logkey2vec embeddings, three 1D convolutional layers, dropout layer, and max-pooling. According to our experiment, our CNN-based approach has better accuracy(reaches to 99%) compared to other approaches using Long Short term memory (LSTM) and Multilayer Perceptron (MLP) on detecting anomaly in Hadoop Distributed File System (HDFS) logs.

Ningning Han,Siyang Lu,Dongdong Wang,Mingquan Wang,Xiaoman Tan,Xiang Wei

DOI: https://doi.org/10.1109/smartworld-uic-atc-scalcom-digitaltwin-pricomp-metaverse56740.2022.00122

2022-01-01

Abstract:System logs are critical to system health diagnosis, especially for big data distributed systems. To detect anomalies in logs, log analysis has become a popular and practical approach. However, with the increasing complexity of system logs in real-world systems, more noisy data are generated. The noise disturbs the regular detection procedure and decreases the detection quality. Hence, it is more difficult to improve detection performance under such uncertain circumstance. To tackle this challenge, we propose SKDLog, a novel and effective log anomaly detection method equipped with self-knowledge distillation. This approach leverages the knowledge from soft labels and refined feature maps through knowledge distillation. Moreover, it helps the detection model better acquire latent information. To better exploit feature maps, an auxiliary self-teacher branch is incorporated into the framework. After the integration, the model achieves performance gain in log anomaly detection. To demonstrate the effectiveness, we compare SKDLog with the state-of-the-art log-based anomaly detection approaches on HDFS and Hadoop Application datasets. Our model outperforms other approaches on both recall and F1-score. Furthermore, we challenge problem solving by performing experiments on an industry dataset and an unstable dataset. The experimental results show that SKDLog more accurately detects abnormal logs from noisy data with high recall and F1-score.

Minquan Wang,Siyang Lu,Sizhe Xiao,Dong,Xiang Wei,Ningning Han,Liqiang Wang

DOI: https://doi.org/10.1142/s0218843023500181

2024-01-01

International Journal of Cooperative Information Systems

Abstract:We consider the problem of real-time log anomaly detection for distributed system with deep neural networks by unsupervised learning. There are two challenges in this problem, including detection accuracy and analysis efficacy. To tackle these two challenges, we propose GLAD, a simple yet effective approach mining for anomalies in distributed systems. To ensure detection accuracy, we exploit the gradient features in a well-calibrated deep neural network and analyze anomalous pattern within log files. To improve the analysis efficacy, we further integrate one-class support vector machine (SVM) into anomalous analysis, which significantly reduces the cost of anomaly decision boundary delineation. This effective integration successfully solves both accuracy and efficacy in real-time log anomaly detection. Also, since anomalous analysis is based upon unsupervised learning, it significantly reduces the extra data labeling cost. We conduct a series of experiments to justify that GLAD has the best comprehensive performance balanced between accuracy and efficiency, which implies the advantage in tackling practical problems. The results also reveal that GLAD enables effective anomaly mining and consistently outperforms state-of-the-art methods on both recall and F1 scores.

D. A. Khudyakov

DOI: https://doi.org/10.25205/1818-7900-2023-21-1-62-72

2023-08-28

Abstract:Software system developers must respond quickly to failures in order to avoid reputational and financial losses for their customers. Therefore, it is important to detect behavioral anomalies in the operation of software systems in a timely manner. At the moment, various tools for automatic monitoring of systems are being actively developed, but logs are the main tool for analyzing failures. Logs contain information about the operation of the system at various points of execution. Modern systems often have a distributed microservice architecture, which significantly complicates the task of analyzing logs. Logs of such systems are collected centrally from different microservices, forming a huge flow of information that is very difficult to analyze manually. However, the problem of identifying logs related to a specific request to the system is solved by distributed tracing, the use of which opens up wide opportunities for the introduction of automatic analysis. There are already many solutions for detecting anomalies in logs, but they do not take advantage of distributed tracing. The article is considered to solving the problem of detecting behavioral anomalies in the work of distributed software systems based on automatic analysis of log traces. The solution is based on the synthesis of machine learning methods. Log traces are preprocessed and cleaned using process mining methods. Next, vectorization and clustering of log messages is performed. After that, a long short-term memory network (LSTM) is used to analyze deviations in the sequences of processed logs. As a result of the work performed, a prototype of the anomaly detection system was developed and tested.