Song Chen,Hai Liao

DOI: https://doi.org/10.1080/08839514.2022.2145642

IF: 2.777

2022-11-17

Applied Artificial Intelligence

Abstract:Logs are primary information resource for fault diagnosis and anomaly detection in large-scale computer systems, but it is hard to classify anomalies from system logs. Recent studies focus on extracting semantic information from unstructured log messages and converting it into word vectors. Therefore, LSTM approach is more suitable for time series data. Word2Vec is the up-to-date encoding method, but the order of words in sequences is not taken into account. In this article, we propose BERT-Log, which regards the log sequence as a natural language sequence, use pre-trained language model to learn the semantic representation of normal and anomalous logs, and a fully connected neural network is utilized to fine-tune the BERT model to detect abnormal. It can capture all the semantic information from log sequence including context and position. It has achieved the highest performance among all the methods on HDFS dataset, with an F1-score of 99.3%. We propose a new log feature extractor on BGL dataset to obtain log sequence by sliding window including node ID, window size and step size. BERT-Log approach detects anomalies on BGL dataset with an F1-score of 99.4%. It gives 19% performance improvement compared to LogRobust and 7% performance improvement compared to HitAnomaly.

computer science, artificial intelligence,engineering, electrical & electronic

Qilin Yin,Ruichun Tang,Ren Huyue,Wenbin Zhang,Peishun Liu,Qi Li,Yangyi Shao

DOI: https://doi.org/10.1109/ICCCBDA55098.2022.9778900

2022-04-22

Abstract:In the field of computer system anomaly detection, log anomaly detection is a very important project. In order to detect system faults from log text data accurately and quickly, this paper proposes a log anomaly detection method, namely Prog-BERT-LSTM, which uses the network based on the BERT model as the text vectorization module, and designs the sequence feature learning module based on LSTM to avoid the loss of sequence features caused by the disappearance of gradient in the calculation process, and further obtain the semantics and features of the input log sequence text. The progressive masking strategy is used to aggregate the text semantic vector and sequence feature vector. We compare the Prog-BERT-LSTM model with the BERT-based model (LogBERT) on three public log datasets. The test results show that the Prog-BERT-LSTM model has better performance than the standard BERT-based model (LogBERT).

Computer Science

Qiaozheng Wang,Xiuguo Zhang,Xuejie Wang,Zhiying Cao

DOI: https://doi.org/10.3390/e24010069

2021-12-30

Abstract:The log messages generated in the system reflect the state of the system at all times. The realization of autonomous detection of abnormalities in log messages can help operators find abnormalities in time and provide a basis for analyzing the causes of abnormalities. First, this paper proposes a log sequence anomaly detection method based on contrastive adversarial training and dual feature extraction. This method uses BERT (Bidirectional Encoder Representations from Transformers) and VAE (Variational Auto-Encoder) to extract the semantic features and statistical features of the log sequence, respectively, and the dual features are combined to perform anomaly detection on the log sequence, with a novel contrastive adversarial training method also used to train the model. In addition, this paper introduces the method of obtaining statistical features of log sequence and the method of combining semantic features with statistical features. Furthermore, the specific process of contrastive adversarial training is described. Finally, an experimental comparison is carried out, and the experimental results show that the method in this paper is better than the contrasted log sequence anomaly detection method.

Yihan Zhou,Yan Chen,Xuanming Rao,Yukang Zhou,Yuxin Li,Chao Hu

DOI: https://doi.org/10.3390/math12172758

IF: 2.4

2024-09-06

Mathematics

Abstract:Computer systems and applications generate large amounts of logs to measure and record information, which is vital to protect the systems from malicious attacks and useful for repairing faults, especially with the rapid development of distributed computing. Among various logs, the anomaly log is beneficial for operations and maintenance (O&M) personnel to locate faults and improve efficiency. In this paper, we utilize a large language model, ChatGPT, for the log parser task. We choose the BERT model, a self-supervised framework for log anomaly detection. BERT, an embedded transformer encoder, with a self-attention mechanism can better handle context-dependent tasks such as anomaly log detection. Meanwhile, it is based on the masked language model task and next sentence prediction task in the pretraining period to capture the normal log sequence pattern. The experimental results on two log datasets show that the BERT model combined with an LLM performed better than other classical models such as Deelog and Loganomaly.

mathematics

Shuxian Liu,Le Deng,Huan Xu,Wei Wang

DOI: https://doi.org/10.3390/app13137739

2023-06-30

Applied Sciences

Abstract:The log data generated during operation of a software system contain information about the system, and using logs for anomaly detection can detect system failures in a timely manner. Most existing log anomaly detection methods are specific to a particular system, have cold-start problems, and are sensitive to updates in log format. In this paper, we propose a log anomaly detection method LogBD based on pretrained models and domain adaptation, which uses the pretraining model BERT to learn the semantic information of logs. This method can solve problems caused by the multiple meaning of words and log statement updates. The distance to determine anomalies in LogBD is constructed on the basis of domain adaptation, using TCNs to extract common features of different system logs and mapping them to the same hypersphere space. Lastly, experiments were conducted on two publicly available datasets to evaluate the method. The experimental results showed that the method can better solve the log instability problem and exhibits some improvement in the cross-system log anomaly detection effect.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Minghua He,Tong Jia,Chiming Duan,Huaqian Cai,Ying Li,Gang Huang

DOI: https://doi.org/10.1109/issre62328.2024.00023

2024-01-01

Abstract:Log-based anomaly detection is an essential task in maintaining software reliability. Existing log-based anomaly detection approaches often consist of three key phases: log parsing, event embedding, and model construction. Event embedding efficiently extracts semantic information from log events and produces vector representations of log events. However, existing event embedding methods suffer from two key problems. First, semantic noises are buried in log events leading to inevitable gaps between the obtained semantics from log events and their essential meanings. Second, there exists a gap between general semantic embedding and the specific embedding requirement of anomaly detection tasks. To mitigate these problems and improve the quality of representations of log events, we propose a novel anomaly detection approach named LLMeLog. It leverages the capabilities of large language models (LLMs) to enrich the contents of log events with in-context learning techniques. Then it utilizes the enriched log events to fine-tune a pre-trained BERT model. At last, it trains a transformer-based anomaly detection model with the event representations produced by the pre-trained BERT model. Evaluation results on three public log datasets show that LLMeLog achieves the best performance across all datasets, boasting F1-scores exceeding 99%. Besides, when using only 10% of labeled data as training data, our approach can still achieve over 90% F1-scores.

Lu Chen,Qian Dang,Mu Chen,Biying Sun,Chunhui Du,Ziang Lu

DOI: https://doi.org/10.1007/978-981-99-6222-8_36

2023-01-01

Abstract:Microservice systems in the industry typically comprise a large-scale distributed architecture with numerous services running on different machines. Anomalies caused by cyber attacks or other factors within such a system are often reflected in different logging systems. Existing log-based approaches for anomaly detection mainly rely on a single type of logs. To address these limitations and enhance anomaly detection, we propose BertHTLG, an approach for detecting microservice anomalies using a heterogeneous graph representation enhanced by Sentence-Bert. It leverages the heterogeneous graph representation to capture the intricate structure and heterogeneity of traces along with the embedded log events. Our approach employs RGCN based on a deep Support Vector Data Description (SVDD) model. By calculating the distances between anomalous traces and the center of the hypersphere using the trained model, we can effectively identify and distinguish anomalous traces. Evaluation on a microservice benchmark demonstrates that BertHTLG achieves remarkable precision (98.5%), recall (99.2%), and F1-Score (98.8%), surpassing state-of-the-art approaches for trace/log anomaly detection with an increase of 3.4% in F1-score. These results validate the effectiveness of BertHTLG, the contribution of the heterogeneous graph representation, and the influence pre-trained language model.

Yukyung Lee,Jina Kim,Pilsung Kang

DOI: https://doi.org/10.48550/arXiv.2111.09564

2023-07-24

Abstract:The system log generated in a computer system refers to large-scale data that are collected simultaneously and used as the basic data for determining errors, intrusion and abnormal behaviors. The aim of system log anomaly detection is to promptly identify anomalies while minimizing human intervention, which is a critical problem in the industry. Previous studies performed anomaly detection through algorithms after converting various forms of log data into a standardized template using a parser. Particularly, a template corresponding to a specific event should be defined in advance for all the log data using which the information within the log key may get lost. In this study, we propose LAnoBERT, a parser free system log anomaly detection method that uses the BERT model, exhibiting excellent natural language processing performance. The proposed method, LAnoBERT, learns the model through masked language modeling, which is a BERT-based pre-training method, and proceeds with unsupervised learning-based anomaly detection using the masked language modeling loss function per log key during the test process. In addition, we also propose an efficient inference process to establish a practically applicable pipeline to the actual system. Experiments on three well-known log datasets, i.e., HDFS, BGL, and Thunderbird, show that not only did LAnoBERT yield a higher anomaly detection performance compared to unsupervised learning-based benchmark models, but also it resulted in a comparable performance with supervised learning-based benchmark models.

Machine Learning,Computation and Language

Zhichao Yin,Xian Kong,Chunyong Yin

DOI: https://doi.org/10.1016/j.cose.2024.103808

IF: 5.105

2024-03-25

Computers & Security

Abstract:System logs record system operation status and important event information. They are the important basis for debugging system failures and cause analysis. Due to the low accuracy of log parsing and insufficient labeled samples, anomaly detection precision is low. Therefore, we propose a new log-based semi-supervised anomaly detection method named BTCNLog. Firstly, the improved log parsing method with the dictionary keeps part of the parameter information in the log event. So, it can improve the utilization rate of log information and the accuracy of log parsing. Then, BERT is used to encode the semantic information to obtain the semantic vector of the log for the template. What's more, the clustering method is applied to estimate the tag to deal with insufficient data tagging problems. Therefore, it can improve the ability to detect unstable data for the model. Finally, a bidirectional temporal convolution network (Bi-TCN) with residual blocks is introduced to capture contextual information from two directions to improve the accuracy and efficiency of anomaly detection. To evaluate the performance of the proposed method, BTCNLog is compared with six baselines on two datasets. The final experimental results show that, compared with the latest three benchmark models, LogBERT, PLELog, and LogEncoder, the proposed method showed an average improvement of 7%, 14.1%, and 8.04% in F1 values.

computer science, information systems

Xianbo Zhang,Jing Zhang,Jicheng Yang,Feng Lin,Chao Wang,Liang Chang,Dongjiang Li

DOI: https://doi.org/10.1109/icpeca56706.2023.10075876

2023-01-01

Abstract:Log data is a valuable resource for understanding system status. Log recording running status for a computer system is commonly used to identify performance issues and malfunctions. Sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. In this paper, we propose a new log sequential anomaly detection method based on natural language processing techniques by the Population Based Training (PBT) algorithm, which can make full use of semantic information in log templates to analyze log sequences. The Part-of-Speech (PoS) weight mechanism is first employed to improve the digital representation quality of the log template in the feature extraction. And then, TextCNN is used to extract noteworthy information in log template vectors. In the sequence log anomaly detection stage, the combination of TextCNN and LSTM neural network can improve the accuracy of log sequential anomaly detection. On the other hand, the proposed method jointly trains the parameters of the PoS weight mechanism and the parameters of the anomaly detection neural network model through the PBT algorithm, which accelerates the model convergence speed and improves the accuracy of the log sequential anomaly detection. Our model has been tested on four data sets and compared with two state-of-the-art models to prove the effectiveness of our model. The experimental results show that, compared with other log anomaly detection methods, the proposed method performs well.

Wu Chen,Ningning Han,Xiaoman Tan,Dongdong Wang,Siyang Lu

DOI: https://doi.org/10.1109/ICPADS60453.2023.00174

2023-12-17

Abstract:Syslog-based anomaly detection is crucial for protecting the systems from malicious attacks or malfunctions. System logs are semi-structured text messages printed by logging statements to record the system’s run-time status, involving rich semantic information. However, the existing BERT-based log anomaly detection method is based on the log key sequence, does not consider the semantics of the log data, and discards the variable part, resulting in a high rate of missed detection. In this paper, we propose SemLog, a self-supervised framework for log anomaly detection based on BERT. By incorporating log semantics and variables and employing multi-feature fusion, we mitigate the independent assumption issue in the Masked Language Modeling model. The experimental results on three benchmarks show that SemLog achieves high performance compared with the state-of-the-art approaches for anomaly detection.

Computer Science

Haixuan Guo,Shuhan Yuan,Xintao Wu

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534113

2021-07-18

Abstract:Detecting anomalous events in online computer systems is crucial to protect the systems from malicious attacks or malfunctions. System logs, which record detailed information of computational events, are widely used for system status analysis. In this paper, we propose LogBERT, a self-supervised framework for log anomaly detection based on Bidirectional Encoder Representations from Transformers (BERT). LogBERT learns the patterns of normal log sequences by two novel self-supervised training tasks, masked log message prediction and volume of hypersphere minimization. After training, LogBERT is able to capture the patterns of normal log sequences and further detect anomalies where the underlying patterns deviate from expected patterns. The experimental results on three log datasets show that LogBERT outperforms state-of-the-art approaches for anomaly detection.

Haitian Yang,Degang Sun,Weiqing Huang

DOI: https://doi.org/10.1016/j.neunet.2024.106680

Abstract:Most existing log-driven anomaly detection methods assume that logs are static and unchanged, which is often impractical. To address this, we propose a log anomaly detection model called DualAttlog. This model includes word-level and sequence-level semantic encoding modules, as well as a context-aware dual attention module. Specifically, The word-level semantic encoding module utilizes a self-matching attention mechanism to explore the interactive properties between words in log sequences. By performing word embedding and semantic encoding, it captures the associations and evolution processes between words, extracting local-level semantic information. while The sequence-level semantic encoding module encoding the entire log sequence using a pre-trained model. This extracts global semantic information, capturing overall patterns and trends in the logs. The context-aware dual attention module integrates these two levels of encoding, utilizing contextual information to reduce redundancy and enhance detection accuracy. Experimental results show that the DualAttlog model achieves an F1-Score of over 95% on 7 public datasets. Impressively, it achieves an F1-Score of 82.35% on the Real-Industrial W dataset and 83.54% on the Real-Industrial Q dataset. It outperforms existing baseline techniques on 9 datasets, demonstrating its significant advantages.

Pei Xiao,Tong Jia,Chiming Duan,Huaqian Cai,Ying Li,Gang Huang

DOI: https://doi.org/10.1109/issre62328.2024.00024

2024-01-01

Abstract:Log-based anomaly detection plays a crucial role in maintaining the reliability of software systems. Unsupervised models are more suitable for real-world usage because they do not rely on huge data labeling efforts. However, their effectiveness is limited because of the lack of supervision of data labels. To balance model effectiveness and labeling efforts, existing approaches enhance model capabilities by incorporating relatively few but key human labels as a golden signal, thereby improving the model ability with acceptable labeling efforts. However, these methods still face limitations of complex human labels and insufficient utilization of human knowledge. In this paper, we introduce LogCAE, a two-stage log anomaly detection approach based on active learning and contrastive learning. It utilizes an unsupervised model to learn from unlabeled log data without human labels and incorporates human knowledge through active learning during online optimization. We employ contrastive learning to optimize the representation of log samples in feature space for more efficient usage of human labels. We conducted experiments on three distinct public log datasets (Thunderbird, BGL, and Zookeeper). The results show that our method improves 12.93% F1-score on average with 6.06% labeled data samples. Besides, our approach is more effective in utilizing human labels than state-of-the-art approaches.

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Zhongliang Li,Xuezhen Tu,Hong Gao,Shiyue Huang,Zongmin Ma

DOI: https://doi.org/10.3233/jifs-235801

2024-02-07

Journal of Intelligent & Fuzzy Systems

Abstract:With the development of artificial intelligence, deep-learning-based log anomaly detection proves to be an important research topic. In this paper, we propose LogCSS, a novel log anomaly detection framework based on the Context-Semantics-Statistics Convolutional Neural Network (CSSCNN). It is the first model that uses BERT (Bidirectional Encoder Representation from Transformers) and CNN (Convolutional Neural Network) to extract the semantic, temporal, and correlational features of the logs. We combine the features with the statistic information of log templates for the classification model to improve the accuracy. We also propose a technique, DOOT (Deals with the Out-Of-Templates), for online template matching. The experimental research shows that our framework improves the average F1 score of the six best algorithms in the industry by more than 5% on the open-source dataset HDFS, and improves the average F1 score of the six best algorithms in the industry by more than 8% on the BGL dataset, LogCSS also performs better than other similar methods on our own constructed dataset.

Caiping Hu,Xuekui Sun,Hua Dai,Hangchuan Zhang,Haiqiang Liu

DOI: https://doi.org/10.3390/electronics12173580

IF: 2.9

2023-08-25

Electronics

Abstract:Log anomaly detection is crucial for computer systems. By analyzing and processing the logs generated by a system, abnormal events or potential problems in the system can be identified, which is helpful for its stability and reliability. At present, due to the expansion of the scale and complexity of software systems, the amount of log data grows enormously, and traditional detection methods have been unable to detect system anomalies in time. Therefore, it is important to design log anomaly detection methods with high accuracy and strong generalization. In this paper, we propose the log anomaly detection method LogADSBERT, which is based on Sentence-BERT. This method adopts the Sentence-BERT model to extract the semantic behavior characteristics of log events and implements anomaly detection through the bidirectional recurrent neural network, Bi-LSTM. Experiments on the open log data set show that the accuracy of LogADSBERT is better than that of the existing log anomaly detection methods. Moreover, LogADSBERT is robust even under the scenario of new log event injections.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wei Guan,Jian Cao,Shiyou Qian,Jianqi Gao

2024-11-13

Abstract:Software systems often record important runtime information in logs to help with troubleshooting. Log-based anomaly detection has become a key research area that aims to identify system issues through log data, ultimately enhancing the reliability of software systems. Traditional deep learning methods often struggle to capture the semantic information embedded in log data, which is typically organized in natural language. In this paper, we propose LogLLM, a log-based anomaly detection framework that leverages large language models (LLMs). LogLLM employs BERT for extracting semantic vectors from log messages, while utilizing Llama, a transformer decoder-based model, for classifying log sequences. Additionally, we introduce a projector to align the vector representation spaces of BERT and Llama, ensuring a cohesive understanding of log semantics. Unlike conventional methods that require log parsers to extract templates, LogLLM preprocesses log messages with regular expressions, streamlining the entire process. Our framework is trained through a novel three-stage procedure designed to enhance performance and adaptability. Experimental results across four public datasets demonstrate that LogLLM outperforms state-of-the-art methods. Even when handling unstable logs, it effectively captures the semantic meaning of log messages and detects anomalies accurately.

Software Engineering,Artificial Intelligence

Chenyangguang Zhang,Tong Jia,Guopeng Shen,Pinyan Zhu,Ying Li

DOI: https://doi.org/10.1145/3597503.3639205

2024-01-01

Abstract:Log-based anomaly detection plays a crucial role in ensuring the stability of software. However, current approaches for log-based anomaly detection heavily depend on a vast amount of labeled his-torical data, which is often unavailable in many real-world systems. To mitigate this problem, we leverage the features of the abundant historical labeled logs of mature systems to help construct anomaly detection models of new systems with very few labels, that is, to generalize the model ability trained from labeled logs of mature systems to achieve anomaly detection on new systems with insufficient data labels. Specifically, we propose MetaLog, a generalizable cross-system anomaly detection approach. MetaLog first incorporates a globally consistent semantic embedding module to obtain log event semantic embedding vectors in a shared global space. Then it leverages the meta-learning paradigm to improve the model's generalization ability. We evaluate MetaLog's performance on four public log datasets (HDFS, BGL, OpenStack, and Thunderbird) from four different systems. Results show that MetaLog reaches over 80% F1-score when using only 1% labeled logs of the target system, showing similar performance with state-of-the-art supervised anomaly detection models trained with 100% labeled data. Besides, it outperforms state-of-art transfer-learning-based cross-system anomaly detection models by 20% in the same settings of 1% labeled training logs of the target system.

Yuyuan Chang,Nurbol Luktarhan,Jingru Liu,Qinglin Chen

DOI: https://doi.org/10.3390/electronics12081877

IF: 2.9

2023-04-17

Electronics

Abstract:The scale of the system and network applications is expanding, and higher requirements are being put forward for anomaly detection. The system log can record system states and significant operational events at different critical points. Therefore, using the system log for anomaly detection can help with system maintenance and avoid unnecessary loss. The system log has obvious timing characteristics, and the execution sequence of the system log has a certain dependency relationship. However, sometimes the length of sequence dependence is long. To handle the problem of longer sequence logs in anomaly detection, this paper proposes a system log anomaly detection method based on efficient channel attention and temporal convolutional network (ETCNLog). It builds a model by treating the system log as a natural language sequence. To handle longer sequence logs more effectively, ETCNLog uses the semantic and timing information of logs. It can automatically learn the importance of different log sequences and detect hidden dependencies within sequences to improve the accuracy of anomaly detection. We run extensive experiments on the actual public log dataset BGL. The experimental results show that the Precision and F1-score of ETCNLog reach 98.15% and 98.21%, respectively, both of which are better than the current anomaly detection methods.

engineering, electrical & electronic,computer science, information systems,physics, applied