
Few-Shot Log Anomaly Detection Based on Matching Networks

Published: 08 February 2024

Abstract

To address the problem of log anomaly detection in scenarios with limited labeled log datasets, this paper proposes Log-MatchNet, a novel few-shot log anomaly detection method. To tackle issues such as unstructured log data, diversity, and evolution over time, we employ structured processing and log parsing to convert log content information and template ID into vectors. Feature extraction is performed using the BERT model. Additionally, by integrating multiple datasets and conducting post-training on the BERT model for domain adaptation, we obtain $BERT\_Post$, a module with universal feature extraction capabilities in the log domain. Compared to $BERT_{base}$ and CyBERT, our method demonstrates superior performance in log anomaly detection, especially in situations with limited labeled datasets. With only 2 annotated normal logs and 2 annotated abnormal logs, $BERT\_Post$ achieves a remarkable 16.14% increase in F1-score. Addressing the challenge of imbalanced data, we introduce a matching network that learns the similarity scores between input and prototype vectors, showcasing strong generalization capabilities with an average accuracy of 99.6%. In few-shot scenarios, our method, Log-MatchNet, outperforms traditional methods and the Proto-Siamese network in terms of F1-score. In an unstable log evolution environment, our method exhibits robustness against noisy data, achieving an F1-score of 81.2% even with 20% injected noise. Compared to LogAnMeta, our approach yields a 31.71% increase in F1-score. Experimental results demonstrate the effectiveness of Log-MatchNet in detecting anomalies in the presence of limited labeled log data and its robust performance in log evolution scenarios.



Published In

IEEE Transactions on Network and Service Management, Volume 21, Issue 3
June 2024
1087 pages

Publisher

IEEE Press
