- Title
- Robust log-based anomaly detection on unstable log data
- Creator
- Zhang, Xu; Xu, Yong; Lin, Qingwei; Qiao, Bo; Zhang, Hongyu; Dang, Yingnong; Xie, Chunyu; Yang, Xinsheng; Cheng, Qian; Li, Ze; Chen, Junjie; He, Xiaoting; Yao, Randolph; Lou, Jian-Guang; Chintalapati, Murali; Shen, Furao; Zhang, Dongmei
- Relation
- ESEC/FSE '19: 27th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (Tallinn, Estonia 26-30 August, 2019) p. 807-817
- Publisher Link
- http://dx.doi.org/10.1145/3338906.3338931
- Publisher
- Association for Computing Machinery
- Resource Type
- conference paper
- Date
- 2019
- Description
- Logs are widely used by large and complex software-intensive systems for troubleshooting. There have been a lot of studies on log-based anomaly detection. To detect the anomalies, the existing methods mainly construct a detection model using log event data extracted from historical logs. However, we find that the existing methods do not work well in practice. These methods have the closed-world assumption, which assumes that the log data is stable over time and the set of distinct log events is known. However, our empirical study shows that in practice, log data often contains previously unseen log events or log sequences. The instability of log data comes from two sources: 1) the evolution of logging statements, and 2) the processing noise in log data. In this paper, we propose a new log-based anomaly detection approach, called LogRobust. LogRobust extracts semantic information of log events and represents them as semantic vectors. It then detects anomalies by utilizing an attention-based Bi-LSTM model, which has the ability to capture the contextual information in the log sequences and automatically learn the importance of different log events. In this way, LogRobust is able to identify and handle unstable log events and sequences. We have evaluated LogRobust using logs collected from the Hadoop system and an actual online service system of Microsoft. The experimental results show that the proposed approach can well address the problem of log instability and achieve accurate and robust results on real-world, ever-changing log data.
- Subject
- anomaly detection; log analysis; deep learning; log instability; data quality
- Identifier
- http://hdl.handle.net/1959.13/1443758
- Identifier
- uon:42098
- Identifier
- ISBN:9781450355728
- Language
- eng
- Reviewed