LogOW: A semi-supervised log anomaly detection model in open-world setting
Jingwei Ye, Chunbo Liu, Zhaojun Gu, Zhikai Zhang, Xuying Meng, Weiyao Zhang, Yujun Zhang
Journal of Systems and Software, Volume 222, Article 112305 (published 2024-12-03); journal impact factor 3.7, JCR Q1 (Computer Science, Software Engineering)
DOI: 10.1016/j.jss.2024.112305
https://www.sciencedirect.com/science/article/pii/S0164121224003492
Citation count: 0
Abstract
Log anomaly detection is a method for finding abnormal behavior and faults in systems. However, existing methods face two main challenges: the open-world problem and the cold-start problem. The open-world problem means that the test set may contain new classes that are not in the training set, while the cold-start problem means that the initial training data are scarce, both for normal and abnormal log sequences. Most existing methods assume a closed-world setting and rely on sufficient normal data, which limits their adaptability to new log environments.
We propose LogOW, a novel log anomaly detection model that can learn from a few normal log sequences. The model finds emerging normal log sequences in the open-world setting through the open-world sample retrieval module. Through the incremental pre-training module, the model parameters are fine-tuned online on these log sequences.
First, we train a basic model from normal log sequences using Masked Language Modeling (MLM). During the testing phase, we then combine the anomaly score and the uncertainty score obtained through a novel dynamic multi-mask to distinguish closed-world normal log sequences from the test set. Next, we cluster the open-world log sequences based on fused sequence and count features, and identify the abnormal ones and the new normal ones. Finally, we update our model with the new normal sequences in the next time period. Experiments on three log datasets and real-world airport logs show that our model outperforms traditional models in the open-world, limited-training-data setting.
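The abstract describes a four-stage loop (score with a masked model, split closed-world normal from open-world, cluster the open-world remainder into abnormal and new normal, then update the model). The block below is an added, dependency-free Python illustration of that loop; it is not the authors' code and not the LogOW implementation, and every design choice in it is an assumption made for the example: a masked-template predictor conditioned on the two neighbouring templates stands in for the MLM, one mask per position stands in for the dynamic multi-mask (mean masked NLL as the anomaly score, its spread as the uncertainty score), only template-count features are clustered, and a cluster that recurs at least MIN_SUPPORT times is promoted to new normal while singletons are reported as abnormal. The class and function names (MaskedNeighbourModel, calibrate, triage, cluster_open_world, run_pipeline), the constants MARGIN, MIN_SUPPORT and SIM_THR, and the template IDs E1..E9 in the sample sequences are all constructed for this example.

```python
"""Toy walk-through of the stages in the abstract (added example, not the
authors' code).  Assumed simplifications: a neighbour-conditioned masked-token
model stands in for the MLM; one mask per position stands in for the dynamic
multi-mask; only count features are clustered; a cluster seen >= MIN_SUPPORT
times is treated as new normal, everything else as abnormal."""
import math
from collections import Counter, defaultdict

MARGIN = 1.5     # threshold = MARGIN x worst score observed on known-normal data
MIN_SUPPORT = 3  # recurring open-world behaviour counts as new normal
SIM_THR = 0.9    # cosine similarity of count vectors needed to join a cluster

# Constructed template-ID sequences (E1..E9 stand for parsed log templates).
NORMAL_TRAIN = [["E1", "E2", "E3", "E4"], ["E1", "E2", "E3", "E4"],
                ["E1", "E2", "E5", "E3", "E4"], ["E1", "E2", "E5", "E3", "E4"]]
TEST = [["E1", "E2", "E3", "E4"],              # known normal
        ["E1", "E2", "E6", "E3", "E4"],        # new variant: E6 replaces E5
        ["E1", "E9", "E9", "E9"],              # unknown template, repeated
        ["E1", "E2", "E6", "E6", "E3", "E4"],  # new variant with E6 twice
        ["E1", "E2", "E3", "E4", "E4"],        # known templates, duplicated tail
        ["E1", "E2", "E6", "E3", "E4"],        # new variant again
        ["E3", "E3", "E3", "E3"]]              # known template out of context

class MaskedNeighbourModel:
    """Masked-template predictor from left/right neighbours (stands in for the MLM)."""
    def __init__(self):
        self.ctx = defaultdict(Counter)  # (left, right) -> Counter(middle)
        self.vocab = set()

    def fit(self, sequences):  # may be called again to absorb new normal data
        for seq in sequences:
            padded = ["<s>"] + seq + ["</s>"]
            self.vocab.update(seq)
            for i in range(1, len(padded) - 1):
                self.ctx[(padded[i - 1], padded[i + 1])][padded[i]] += 1

    def prob(self, left, token, right):  # add-one smoothed P(token | left, right)
        counts = self.ctx.get((left, right), Counter())
        return (counts[token] + 1) / (sum(counts.values()) + len(self.vocab) + 1)

    def score(self, seq):
        """(anomaly, uncertainty) = mean and std of masked NLL, one mask per position."""
        padded = ["<s>"] + seq + ["</s>"]
        nlls = [-math.log(self.prob(padded[i - 1], padded[i], padded[i + 1]))
                for i in range(1, len(padded) - 1)]
        mean = sum(nlls) / len(nlls)
        return mean, math.sqrt(sum((x - mean) ** 2 for x in nlls) / len(nlls))

def calibrate(model, normal_seqs):
    scores = [model.score(s) for s in normal_seqs]
    return MARGIN * max(a for a, _ in scores), MARGIN * max(u for _, u in scores)

def triage(model, sequences, thresholds):
    # Closed-world normal needs BOTH low anomaly and low uncertainty.
    a_thr, u_thr = thresholds
    closed, open_world = [], []
    for seq in sequences:
        a, u = model.score(seq)
        (closed if a <= a_thr and u <= u_thr else open_world).append(seq)
    return closed, open_world

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def cluster_open_world(sequences):
    """Greedy leader clustering on template-count vectors."""
    vocab = sorted({t for s in sequences for t in s})
    clusters = []  # [(leader_vector, members)]
    for seq in sequences:
        counts = Counter(seq)
        vec = [counts[t] for t in vocab]
        for leader, members in clusters:
            if cosine(leader, vec) >= SIM_THR:
                members.append(seq)
                break
        else:
            clusters.append((vec, [seq]))
    return [members for _, members in clusters]

def split_clusters(clusters):
    new_normal, abnormal = [], []
    for members in clusters:
        (new_normal if len(members) >= MIN_SUPPORT else abnormal).extend(members)
    return new_normal, abnormal

def run_pipeline(train=NORMAL_TRAIN, test=TEST):
    model = MaskedNeighbourModel()
    model.fit(train)
    closed, open_world = triage(model, test, calibrate(model, train))
    new_normal, abnormal = split_clusters(cluster_open_world(open_world))
    # Incremental update: absorb the new normal sequences, recalibrate,
    # and re-check what the open-world stage produced.
    model.fit(new_normal)
    now_normal, still_open = triage(model, new_normal + abnormal,
                                    calibrate(model, train + new_normal))
    return {"closed_normal": closed, "open_world": open_world,
            "new_normal": new_normal, "abnormal": abnormal,
            "after_update_normal": now_normal, "after_update_open": still_open}

if __name__ == "__main__":
    print(run_pipeline())
```

On the constructed data, only the known sequence passes the closed-world check; the E6 variants form a cluster of three and are promoted to new normal, while the E9 sequence, the out-of-context E3 run and the duplicated-tail sequence stay singletons and are reported as abnormal. The duplicated-tail case is the one worth noticing: its anomaly score stays under the threshold because most of its positions are predictable, and it is caught only by the uncertainty score, which is the point of combining the two. After the update step the E6 variants score as normal with the recalibrated thresholds, and the three abnormal sequences still do not.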
Journal description:
The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to:
• Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution
• Agile, model-driven, service-oriented, open source and global software development
• Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems
• Human factors and management concerns of software development
• Data management and big data issues of software systems
• Metrics and evaluation, data mining of software development resources
• Business and economic aspects of software development processes
The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.