{"title":"Improving anomaly detection in software logs through hybrid language modeling and reduced reliance on parser","authors":"Yicheng Sun, Jacky Keung, Zhen Yang, Shuo Liu, Hi Kuen Yu","doi":"10.1007/s10515-025-00548-y","DOIUrl":null,"url":null,"abstract":"<div><p>Anomaly detection in software logs is crucial for development and maintenance, allowing timely identification of system failures and ensuring normal operations. Although recent deep learning advancements in log anomaly detection have shown exceptional performance, the reliance on time-consuming log parsers raises concerns about their necessity for quickly identifying anomalies. Standardized preprocessing methods can mishandle or lose important information. Additionally, the significant imbalance between normal and anomalous log data, along with the scarcity of labeled data, presents a persistent challenge in anomaly detection. We first evaluated the impact of omitting a log parser on anomaly detection models. Subsequently, we propose LogRoBERTa, an innovative anomaly detection model that eliminates the need for a parser. LogRoBERTa creates a stable and diverse labeled training set using the Determinantal Point Process (DPP) method, needing only a small amount of labeled data. The hybrid language model is based on RoBERTa’s architecture, combined with an attention-based BiLSTM. This setup leverages RoBERTa’s strong contextual understanding and BiLSTM’s capability to capture sequential dependencies, enhancing performance in complex log sequences. Experiments on four widely used datasets demonstrate that LogRoBERTa outperforms state-of-the-art benchmark models—including three fully supervised approaches—without relying on a dedicated log parser. Furthermore, its consistently strong performance on low-resource datasets highlights its robustness and generalizability across varying data conditions. 
These results validate the overall effectiveness of LogRoBERTa’s design and offer a thorough evaluation of the implications of bypassing a log parser. Additionally, our ablation studies and training set construction experiments further confirm the contributions of each individual component to the model’s performance. The study empirically validated that a RoBERTa-based approach effectively handles software log anomaly detection in long and complex log sequences, providing a more efficient and robust solution for omitting a parser compared to existing models.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"33 1","pages":""},"PeriodicalIF":3.1000,"publicationDate":"2025-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Automated Software Engineering","FirstCategoryId":"94","ListUrlMain":"https://link.springer.com/article/10.1007/s10515-025-00548-y","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
Citation count: 0
Abstract
Anomaly detection in software logs is crucial for development and maintenance, allowing timely identification of system failures and ensuring normal operations. Although recent deep learning advancements in log anomaly detection have shown exceptional performance, the reliance on time-consuming log parsers raises concerns about their necessity for quickly identifying anomalies. Standardized preprocessing methods can mishandle or lose important information. Additionally, the significant imbalance between normal and anomalous log data, along with the scarcity of labeled data, presents a persistent challenge in anomaly detection. We first evaluated the impact of omitting a log parser on anomaly detection models. Subsequently, we propose LogRoBERTa, an innovative anomaly detection model that eliminates the need for a parser. LogRoBERTa creates a stable and diverse labeled training set using the Determinantal Point Process (DPP) method, needing only a small amount of labeled data. The hybrid language model is based on RoBERTa’s architecture, combined with an attention-based BiLSTM. This setup leverages RoBERTa’s strong contextual understanding and BiLSTM’s capability to capture sequential dependencies, enhancing performance in complex log sequences. Experiments on four widely used datasets demonstrate that LogRoBERTa outperforms state-of-the-art benchmark models—including three fully supervised approaches—without relying on a dedicated log parser. Furthermore, its consistently strong performance on low-resource datasets highlights its robustness and generalizability across varying data conditions. These results validate the overall effectiveness of LogRoBERTa’s design and offer a thorough evaluation of the implications of bypassing a log parser. Additionally, our ablation studies and training set construction experiments further confirm the contributions of each individual component to the model’s performance. 
The study empirically validated that a RoBERTa-based approach effectively handles software log anomaly detection in long and complex log sequences, providing a more efficient and robust solution for omitting a parser compared to existing models.
About the journal:
This journal details research, tutorial papers, surveys and accounts of significant industrial experience in the foundations, techniques, tools and applications of automated software engineering technology. This includes the study of techniques for constructing, understanding, adapting, and modeling software artifacts and processes.
Coverage in Automated Software Engineering examines both automatic systems and collaborative systems as well as computational models of human software engineering activities. In addition, it presents knowledge representations and artificial intelligence techniques applicable to automated software engineering, and formal techniques that support or provide theoretical foundations. The journal also includes reviews of books, software, conferences and workshops.