Lu Chen,Qian Dang,Mu Chen,Biying Sun,Chunhui Du,Ziang Lu

DOI: https://doi.org/10.1007/978-981-99-6222-8_36

2023-01-01

Abstract:Microservice systems in the industry typically comprise a large-scale distributed architecture with numerous services running on different machines. Anomalies caused by cyber attacks or other factors within such a system are often reflected in different logging systems. Existing log-based approaches for anomaly detection mainly rely on a single type of logs. To address these limitations and enhance anomaly detection, we propose BertHTLG, an approach for detecting microservice anomalies using a heterogeneous graph representation enhanced by Sentence-Bert. It leverages the heterogeneous graph representation to capture the intricate structure and heterogeneity of traces along with the embedded log events. Our approach employs RGCN based on a deep Support Vector Data Description (SVDD) model. By calculating the distances between anomalous traces and the center of the hypersphere using the trained model, we can effectively identify and distinguish anomalous traces. Evaluation on a microservice benchmark demonstrates that BertHTLG achieves remarkable precision (98.5%), recall (99.2%), and F1-Score (98.8%), surpassing state-of-the-art approaches for trace/log anomaly detection with an increase of 3.4% in F1-score. These results validate the effectiveness of BertHTLG, the contribution of the heterogeneous graph representation, and the influence pre-trained language model.

Wu Chen,Ningning Han,Xiaoman Tan,Dongdong Wang,Siyang Lu

DOI: https://doi.org/10.1109/ICPADS60453.2023.00174

2023-12-17

Abstract:Syslog-based anomaly detection is crucial for protecting the systems from malicious attacks or malfunctions. System logs are semi-structured text messages printed by logging statements to record the system’s run-time status, involving rich semantic information. However, the existing BERT-based log anomaly detection method is based on the log key sequence, does not consider the semantics of the log data, and discards the variable part, resulting in a high rate of missed detection. In this paper, we propose SemLog, a self-supervised framework for log anomaly detection based on BERT. By incorporating log semantics and variables and employing multi-feature fusion, we mitigate the independent assumption issue in the Masked Language Modeling model. The experimental results on three benchmarks show that SemLog achieves high performance compared with the state-of-the-art approaches for anomaly detection.

Computer Science

Caiping Hu,Xuekui Sun,Hua Dai,Hangchuan Zhang,Haiqiang Liu

DOI: https://doi.org/10.3390/electronics12173580

IF: 2.9

2023-08-25

Electronics

Abstract:Log anomaly detection is crucial for computer systems. By analyzing and processing the logs generated by a system, abnormal events or potential problems in the system can be identified, which is helpful for its stability and reliability. At present, due to the expansion of the scale and complexity of software systems, the amount of log data grows enormously, and traditional detection methods have been unable to detect system anomalies in time. Therefore, it is important to design log anomaly detection methods with high accuracy and strong generalization. In this paper, we propose the log anomaly detection method LogADSBERT, which is based on Sentence-BERT. This method adopts the Sentence-BERT model to extract the semantic behavior characteristics of log events and implements anomaly detection through the bidirectional recurrent neural network, Bi-LSTM. Experiments on the open log data set show that the accuracy of LogADSBERT is better than that of the existing log anomaly detection methods. Moreover, LogADSBERT is robust even under the scenario of new log event injections.

engineering, electrical & electronic,computer science, information systems,physics, applied

Haixuan Guo,Shuhan Yuan,Xintao Wu

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534113

2021-07-18

Abstract:Detecting anomalous events in online computer systems is crucial to protect the systems from malicious attacks or malfunctions. System logs, which record detailed information of computational events, are widely used for system status analysis. In this paper, we propose LogBERT, a self-supervised framework for log anomaly detection based on Bidirectional Encoder Representations from Transformers (BERT). LogBERT learns the patterns of normal log sequences by two novel self-supervised training tasks, masked log message prediction and volume of hypersphere minimization. After training, LogBERT is able to capture the patterns of normal log sequences and further detect anomalies where the underlying patterns deviate from expected patterns. The experimental results on three log datasets show that LogBERT outperforms state-of-the-art approaches for anomaly detection.

Song Chen,Hai Liao

DOI: https://doi.org/10.1080/08839514.2022.2145642

IF: 2.777

2022-11-17

Applied Artificial Intelligence

Abstract:Logs are primary information resource for fault diagnosis and anomaly detection in large-scale computer systems, but it is hard to classify anomalies from system logs. Recent studies focus on extracting semantic information from unstructured log messages and converting it into word vectors. Therefore, LSTM approach is more suitable for time series data. Word2Vec is the up-to-date encoding method, but the order of words in sequences is not taken into account. In this article, we propose BERT-Log, which regards the log sequence as a natural language sequence, use pre-trained language model to learn the semantic representation of normal and anomalous logs, and a fully connected neural network is utilized to fine-tune the BERT model to detect abnormal. It can capture all the semantic information from log sequence including context and position. It has achieved the highest performance among all the methods on HDFS dataset, with an F1-score of 99.3%. We propose a new log feature extractor on BGL dataset to obtain log sequence by sliding window including node ID, window size and step size. BERT-Log approach detects anomalies on BGL dataset with an F1-score of 99.4%. It gives 19% performance improvement compared to LogRobust and 7% performance improvement compared to HitAnomaly.

computer science, artificial intelligence,engineering, electrical & electronic

Shijing Gu,Yuchun Chu,Wenbin Zhang,Peishun Liu,Qilin Yin,Qi Li

DOI: https://doi.org/10.1109/icaibd51990.2021.9459087

2021-01-01

Abstract:A wide variety of logs are generated during the running of the system, which record the state of the system at runtime and the various operations performed by the system. They are good sources of information for online monitoring and exception detection. Therefore, it is important to detect the anomaly logs in the system quickly and accurately to maintain the security and stability of the system. This paper presents a log anomaly detection algorithm based on Bi-SSGRU-Ga-Attention, which has the advantages of simple parameters and fast convergence. It reduces the running time and achieves high accuracy. It has achieved good results in log analysis of large information systems.

Qilin Yin,Ruichun Tang,Ren Huyue,Wenbin Zhang,Peishun Liu,Qi Li,Yangyi Shao

DOI: https://doi.org/10.1109/ICCCBDA55098.2022.9778900

2022-04-22

Abstract:In the field of computer system anomaly detection, log anomaly detection is a very important project. In order to detect system faults from log text data accurately and quickly, this paper proposes a log anomaly detection method, namely Prog-BERT-LSTM, which uses the network based on the BERT model as the text vectorization module, and designs the sequence feature learning module based on LSTM to avoid the loss of sequence features caused by the disappearance of gradient in the calculation process, and further obtain the semantics and features of the input log sequence text. The progressive masking strategy is used to aggregate the text semantic vector and sequence feature vector. We compare the Prog-BERT-LSTM model with the BERT-based model (LogBERT) on three public log datasets. The test results show that the Prog-BERT-LSTM model has better performance than the standard BERT-based model (LogBERT).

Computer Science

Xinqiang Li,Weina Niu,Xiaosong Zhang,Runzi Zhang,Zhenqi Yu,Zimu Li

DOI: https://doi.org/10.1109/cecit53797.2021.00121

2021-01-01

Abstract:In recent years, with the increase in the scale and complexity of system software, how to effectively capture, analyze and locate the abnormal behavior generated during system operation has increasingly become a recognized problem in the software testing field. Traditional white-box-based anomaly detection methods need to provide system source code and cannot effectively detect abnormal behaviors that occur when the program is running. Black-box-based anomaly detection methods rely on test cases and have low code coverage. Anomaly detection based on the logs generated during system operation can alleviate the abovementioned problems. However, the existing system log-based abnormality detection method mainly extracts log template characteristics, and cannot effectively determine the logical and temporal abnormalities related to the log. Therefore, in order to detect anomalies in the log sequence more comprehensively, this paper proposes an anomaly detection method based on BiLSTM. This method combines the semantic and temporal characteristics of the log for modeling. In terms of semantics, the Bert natural language processing model is used to extract the contextual semantic information of the logs; in terms of time, the log time interval characteristics are extracted based on the three potential relationships of the logs. In addition, the proposed method also adds an attention mechanism to balance feature weights. Finally, we evaluate our method in experiments on two real datasets, HDFS and OpenStack. The experimental results show that our method has a great improvement in accuracy and recall.

Weibin Meng,Ying Liu,Yichen Zhu,Shenglin Zhang,Dan Pei,Yuqing Liu,Yihao Chen,Ruizhi Zhang,Shimin Tao,Pei Sun,Rong Zhou

DOI: https://doi.org/10.24963/ijcai.2019/658

2019-08-01

Abstract:Recording runtime status via logs is common for almost every computer system, and detecting anomalies in logs is crucial for timely identifying malfunctions of systems. However, manually detecting anomalies for logs is time-consuming, error-prone, and infeasible. Existing automatic log anomaly detection approaches, using indexes rather than semantics of log templates, tend to cause false alarms. In this work, we propose LogAnomaly, a framework to model unstructured a log stream as a natural language sequence. Empowered by template2vec, a novel, simple yet effective method to extract the semantic information hidden in log templates, LogAnomaly can detect both sequential and quantitive log anomalies simultaneously, which were not done by any previous work. Moreover, LogAnomaly can avoid the false alarms caused by the newly appearing log templates between periodic model retrainings. Our evaluation on two public production log datasets show that LogAnomaly outperforms existing log-based anomaly detection methods.

Jing Zhang,Zezhou Li,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/prai55851.2022.9904207

2022-01-01

Abstract:Logs that record the information of events conducted by clusters are of great importance to the system maintenance. The log classification is also of great value to help engineers monitor the system running status, predict the log anomaly, and take corresponding measures. In order to comprehensively consider the various significance of each token in the template and build a comprehensive representation of the log template, we propose a natural language processing-based model, PoSBert, which is a modified Bert model based on the part-of-speech (PoS) analysis of the tokens of log template. The PoS analysis is firstly carried out and the PoS-based weight embedding is obtained, which realizes the proper weight allocation and helps modify the representation of log templates. The segmented embedding of the vanilla Bert is replaced by this PoS-based weight embedding, which is of more practical significance compared to the segment embeddings in the domain of log classification. The PoS analysis and PoS-based weight embedding provide the Bert with more informative inputs which promotes the model to make better results. Four public datasets and one dataset collected from a practical warning platform are employed for evaluation. The results prove that our model can achieve a better classification result in the log classification domain.

Wanhao Zhang,Qianli Zhang,Enyu Yu,Yuxiang Ren,Yeqing Meng,Mingxi Qiu,Jilong Wang

DOI: https://doi.org/10.1109/icws62655.2024.00129

2024-01-01

Abstract:Log-based anomaly detection is critical in monitoring the operation of microservice systems and in the realtime reporting of system failures. Utilizing deep learning-based log anomaly detection methods facilitates effective detection of anomalies within logs. However, existing methods are greatly dependent on log parsers, and parsing errors can considerably affect downstream anomaly detection tasks. Additionally, methods that predict the next log event in a sequence are susceptible to the instability of sequences and the emergence of unseen logs as systems evolve, resulting in a higher false positive rate. In this paper, we propose a semi-supervised log anomaly detection framework based on retrieval-augmented generation (RAG). This framework conducts phased detection using both Log Tokens and Log Templates to mitigate the impact of log parsing errors. It also utilizes a single-class classifier to model the normal behavior of the system, thereby circumventing the effects of unstable sequences. Finally, it employs large language model (LLM) empowered by RAG to reevaluate detected anomalous logs.

Minghua He,Tong Jia,Chiming Duan,Huaqian Cai,Ying Li,Gang Huang

DOI: https://doi.org/10.1109/issre62328.2024.00023

2024-01-01

Abstract:Log-based anomaly detection is an essential task in maintaining software reliability. Existing log-based anomaly detection approaches often consist of three key phases: log parsing, event embedding, and model construction. Event embedding efficiently extracts semantic information from log events and produces vector representations of log events. However, existing event embedding methods suffer from two key problems. First, semantic noises are buried in log events leading to inevitable gaps between the obtained semantics from log events and their essential meanings. Second, there exists a gap between general semantic embedding and the specific embedding requirement of anomaly detection tasks. To mitigate these problems and improve the quality of representations of log events, we propose a novel anomaly detection approach named LLMeLog. It leverages the capabilities of large language models (LLMs) to enrich the contents of log events with in-context learning techniques. Then it utilizes the enriched log events to fine-tune a pre-trained BERT model. At last, it trains a transformer-based anomaly detection model with the event representations produced by the pre-trained BERT model. Evaluation results on three public log datasets show that LLMeLog achieves the best performance across all datasets, boasting F1-scores exceeding 99%. Besides, when using only 10% of labeled data as training data, our approach can still achieve over 90% F1-scores.

Chao Wang,Jing Zhang,Dongjiang Li,Liang Chang,Feng Lin,Xianbo Zhang

DOI: https://doi.org/10.1109/ICCT56141.2022.10072770

2022-11-11

Abstract:System logs are widely used by engineers to record runtime status in the information technology (IT) field. The sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. Conventional manual log anomaly detection suffers high costs and unsustainable development. Thus, automatic methods based on Natural Language Processing (NLP) technology are proposed to improve the accuracy and efficiency of log anomaly detection. In this paper, we propose a new log anomaly detection model, named LogPS. LogPS utilizes the Part-of-Speech (PoS) technique to extract semantic information from log messages. By allocating the learned PoS-based weights to different tokens in a log template, LogPS can improve the representation quality of the log template vector. In the final anomaly detection stage, we treat a system log as a natural language sequence and build a Bidirectional Long Short-Term Memory (BiLSTM) neural network as the LogPS detection model. Therefore, LogPS can capture sufficient and contextual information from input log sequences from the forward pass and the backward pass. And LogPS can automatically learn log patterns and detect anomalies. The effectiveness of our model is tested on three datasets and is compared with other state-of-the-art models. The experimental results show that, compared with other log anomaly detection methods, the proposed LogPS performs well.

Computer Science

Xu Zhang,Yong Xu,Qingwei Lin,Bo Qiao,Hongyu Zhang,Yingnong Dang,Chunyu Xie,Xinsheng Yang,Qian Cheng,Ze Li,Junjie Chen,Xiaoting He,Randolph Yao,Jian-Guang Lou,Murali Chintalapati,Furao Shen,Dongmei Zhang

DOI: https://doi.org/10.1145/3338906.3338931

2019-01-01

Abstract:Logs are widely used by large and complex software-intensive systems for troubleshooting. There have been a lot of studies on log-based anomaly detection. To detect the anomalies, the existing methods mainly construct a detection model using log event data extracted from historical logs. However, we find that the existing methods do not work well in practice. These methods have the close-world assumption, which assumes that the log data is stable over time and the set of distinct log events is known. However, our empirical study shows that in practice, log data often contains previously unseen log events or log sequences. The instability of log data comes from two sources: 1) the evolution of logging statements, and 2) the processing noise in log data. In this paper, we propose a new log-based anomaly detection approach, called LogRobust. LogRobust extracts semantic information of log events and represents them as semantic vectors. It then detects anomalies by utilizing an attention-based Bi-LSTM model, which has the ability to capture the contextual information in the log sequences and automatically learn the importance of different log events. In this way, LogRobust is able to identify and handle unstable log events and sequences. We have evaluated LogRobust using logs collected from the Hadoop system and an actual online service system of Microsoft. The experimental results show that the proposed approach can well address the problem of log instability and achieve accurate and robust results on real-world, ever-changing log data.

Xianbo Zhang,Jing Zhang,Jicheng Yang,Feng Lin,Chao Wang,Liang Chang,Dongjiang Li

DOI: https://doi.org/10.1109/icpeca56706.2023.10075876

2023-01-01

Abstract:Log data is a valuable resource for understanding system status. Log recording running status for a computer system is commonly used to identify performance issues and malfunctions. Sequential anomaly detection of logs is crucial for building a secure and stable system and is beneficial for the discovery, location, and analysis of system failures. In this paper, we propose a new log sequential anomaly detection method based on natural language processing techniques by the Population Based Training (PBT) algorithm, which can make full use of semantic information in log templates to analyze log sequences. The Part-of-Speech (PoS) weight mechanism is first employed to improve the digital representation quality of the log template in the feature extraction. And then, TextCNN is used to extract noteworthy information in log template vectors. In the sequence log anomaly detection stage, the combination of TextCNN and LSTM neural network can improve the accuracy of log sequential anomaly detection. On the other hand, the proposed method jointly trains the parameters of the PoS weight mechanism and the parameters of the anomaly detection neural network model through the PBT algorithm, which accelerates the model convergence speed and improves the accuracy of the log sequential anomaly detection. Our model has been tested on four data sets and compared with two state-of-the-art models to prove the effectiveness of our model. The experimental results show that, compared with other log anomaly detection methods, the proposed method performs well.

Wanhao Zhang,Qianli Zhang,Enyu Yu,Yuxiang Ren,Yeqing Meng,Mingxi Qiu,Jilong Wang

DOI: https://doi.org/10.1109/issre62328.2024.00026

2024-01-01

Abstract:Log-based anomaly detection is critical in monitoring the operations of information systems and in the real-time reporting of system failures. Utilizing deep learning-based log anomaly detection methods facilitates effective detection of anomalies within logs. However, existing methods are greatly dependent on log parsers, and parsing errors can considerably affect downstream anomaly detection tasks. Additionally, methods that predict the next log event in a sequence are susceptible to the instability of sequences and the emergence of unseen logs as systems evolve, resulting in a higher false positive rate. In this paper, we put forward LogRAG, a semi-supervised log anomaly detection framework based on retrieval-augmented generation (RAG). This framework conducts phased detection using both Log Tokens and Log Templates to mitigate the impact of log parsing errors. It also utilizes a single-class classifier to model the normal behavior of the system, thereby circumventing the effects of unstable sequences. Finally, it employs large language model (LLM) empowered by RAG to reevaluate detected anomalous logs, thereby improving accuracy. LogRAG demonstrates a 15% improvement in F1 Score on the BGL dataset and a 60% improvement on the Spirit dataset when compared to the previous best semi-supervised learning algorithm.

Zezhou Li,Jing Zhang,Xianbo Zhang,Feng Lin,Chao Wang,Xingye Cai

DOI: https://doi.org/10.1109/seai55746.2022.9832400

2022-01-01

Abstract:Logs are widely used in IT industry and the anomaly detection of logs is essential to identify the running status of systems. Conventional methods solving this problem require sophisticated rule-based regulations and intensive labor input. In this paper, we propose a new model based on natural language processing techniques. In order to modify the feature extraction and to improve the vector quality of log templates, Part-of-Speech (PoS) and Named Entity Recognition (NER) are employed in our model, which leads to the less involvement of regulation-based rule and a modification of the template vector thanks to the weight vector by NER. The PoS property of each token in the template is firstly analyzed, which also reduces labor involvement and helps for better weight allocation. The weight investigation on tokens of the template is introduced to modify the template vector. And the final detection based on the modified vector of templates is realized by deep neural networks (DNNs). The effectiveness of our model is tested on three datasets, and compared with two state-of-the-art models. The evaluation results prove that our model achieves better log anomaly detection.

Yihan Zhou,Yan Chen,Xuanming Rao,Yukang Zhou,Yuxin Li,Chao Hu

DOI: https://doi.org/10.3390/math12172758

IF: 2.4

2024-09-06

Mathematics

Abstract:Computer systems and applications generate large amounts of logs to measure and record information, which is vital to protect the systems from malicious attacks and useful for repairing faults, especially with the rapid development of distributed computing. Among various logs, the anomaly log is beneficial for operations and maintenance (O&M) personnel to locate faults and improve efficiency. In this paper, we utilize a large language model, ChatGPT, for the log parser task. We choose the BERT model, a self-supervised framework for log anomaly detection. BERT, an embedded transformer encoder, with a self-attention mechanism can better handle context-dependent tasks such as anomaly log detection. Meanwhile, it is based on the masked language model task and next sentence prediction task in the pretraining period to capture the normal log sequence pattern. The experimental results on two log datasets show that the BERT model combined with an LLM performed better than other classical models such as Deelog and Loganomaly.

mathematics

Wei Guan,Jian Cao,Shiyou Qian,Jianqi Gao

2024-11-13

Abstract:Software systems often record important runtime information in logs to help with troubleshooting. Log-based anomaly detection has become a key research area that aims to identify system issues through log data, ultimately enhancing the reliability of software systems. Traditional deep learning methods often struggle to capture the semantic information embedded in log data, which is typically organized in natural language. In this paper, we propose LogLLM, a log-based anomaly detection framework that leverages large language models (LLMs). LogLLM employs BERT for extracting semantic vectors from log messages, while utilizing Llama, a transformer decoder-based model, for classifying log sequences. Additionally, we introduce a projector to align the vector representation spaces of BERT and Llama, ensuring a cohesive understanding of log semantics. Unlike conventional methods that require log parsers to extract templates, LogLLM preprocesses log messages with regular expressions, streamlining the entire process. Our framework is trained through a novel three-stage procedure designed to enhance performance and adaptability. Experimental results across four public datasets demonstrate that LogLLM outperforms state-of-the-art methods. Even when handling unstable logs, it effectively captures the semantic meaning of log messages and detects anomalies accurately.

Software Engineering,Artificial Intelligence

Lin, Zaichao

DOI: https://doi.org/10.1007/s11280-023-01174-y

2023-06-14

World Wide Web

Abstract:With versatility and complexity of computer systems, warning and errors are inevitable. To effectively monitor system's status, system logs are critical. To detect anomalies in system logs, deep learning is a promising way to go. However, abnormal system logs in the real world are often difficult to collect, and effectively and accurately categorize the logs is an even time-consuming project. Thus, the data incompleteness is not conducive to the deep learning for this practical application. In this paper, we put forward a novel semi-supervised dual branch model that alleviate the need for large scale labeled logs for training a deep system log anomaly detector. Specifically, our model consists of two homogeneous networks that share the same parameters, one is called weak augmented teacher model and the other is termed as strong augmented student model. In the teacher model, the log features are augmented with small Gaussian noise, while in the student model, the strong augmentation is injected to force the model to learn a more robust feature representation with the guidance of teacher model provided soft labels. Furthermore, to further utilize unlabeled samples effectively, we propose a flexible label screening strategy that takes into account the confidence and stability of pseudo-labels. Experimental results show favorable effect of our model on prevalent HDFS and Hadoop Application datasets. Precisely, with only 30% training data labeled, our model can achieve the comparable results as the fully supervised version.

computer science, information systems, software engineering