Abstract: In recent years, with the growth of online services and IoT devices, software log anomaly detection has become a significant concern for both academia and industry. However, at the time of writing, almost all contributions to the log anomaly detection task follow the same traditional architecture based on parsing, vectorizing, and classifying. This paper proposes OneLog, a new approach that uses a large deep model instead of multiple small components. OneLog utilizes a character-based convo…
“…Guo et al. [38] are the only authors to consider federated learning, where learning takes place in a distributed manner across multiple systems. Hashemi et al. [42] also go in this direction, as they combine multiple data sets to evaluate whether this affects the performance of their model. We believe that federated learning could be an interesting topic for future publications, as there exist many real-world scenarios where log data is monitored on distributed machines but orchestration of deployed detectors takes place centrally [106].…”
Section: Discussion (mentioning, confidence: 99%)
“…Some authors also use custom embedding models based on deep learning; we refer to their output as Deep Encoded Embeddings (DE). This includes a combination of character-, event-, and sequence-based embeddings [42], attention mechanisms using MLPs and CNNs [45], and token counts with label information fed into VAEs [1].…”
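In the cited works, character-based embeddings are learned end to end inside deep models. As a rough illustration of the underlying idea only, the toy sketch below maps each character of a log line to a fixed random vector and averages them; the `char_embed` function, the projection table, and the dimension are hypothetical and not taken from any surveyed approach.

```python
import numpy as np

def char_embed(line, dim=16, seed=0):
    """Toy character-based embedding: look up a fixed random vector per
    character code and average over the line. In the surveyed approaches
    this table would be a learned embedding layer, not a random one."""
    rng = np.random.default_rng(seed)
    # Fixed random projection per byte value, a stand-in for a learned
    # character embedding table.
    table = rng.standard_normal((256, dim))
    codes = [min(ord(c), 255) for c in line]
    return table[codes].mean(axis=0)

v = char_embed("ERROR: disk failure on node-3")
print(v.shape)  # (16,)
```

Because the table is fixed by the seed, identical log lines always map to identical vectors, which is the minimal property any such encoder must have before training refines it.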
“…Other metrics that are more specific to deep learning applications are the number of model parameters [38], [61] and time to train models or run the detection (ER-3) [29], [32], [37], [47], [52], [68]. Some authors also assess characteristics of their approaches that go beyond standard anomaly detection evaluations, for example, whether training on combinations of multiple data sets improves the overall performance of classification [42] or whether their approaches are robust against changes of log patterns over time [17], [42], [44].…”
Automatic log file analysis enables early detection of relevant incidents such as system failures. In particular, self-learning anomaly detection techniques capture patterns in log data and subsequently report unexpected log event occurrences to system operators without the need to provide or manually model anomalous scenarios in advance. Recently, an increasing number of approaches leveraging deep learning neural networks for this purpose have been presented. These approaches have demonstrated superior detection performance in comparison to conventional machine learning techniques and simultaneously resolve issues with unstable data formats. However, there exist many different architectures for deep learning and it is nontrivial to encode raw and unstructured log data to be analyzed by neural networks. We therefore carry out a systematic literature review that provides an overview of deployed models, data pre-processing mechanisms, anomaly detection techniques, and evaluations. The survey does not quantitatively compare existing approaches but instead aims to help readers understand relevant aspects of different model architectures and emphasizes open issues for future work.
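As a minimal illustration of the self-learning principle described above, learning normal patterns and reporting unexpected event occurrences without modeling anomalies in advance, the sketch below uses a simple bigram transition model rather than the deep sequence networks the survey reviews; the class and event names are illustrative.

```python
from collections import defaultdict

class BigramLogDetector:
    """Toy self-learning sequence detector: learns which event-to-event
    transitions occur in normal logs and flags sequences containing a
    transition never observed during training."""

    def __init__(self):
        self.seen = defaultdict(set)

    def fit(self, sequences):
        # sequences: iterable of event-ID lists recorded during normal operation
        for seq in sequences:
            for a, b in zip(seq, seq[1:]):
                self.seen[a].add(b)
        return self

    def is_anomalous(self, seq):
        # Report the sequence if any transition was never seen in training.
        return any(b not in self.seen[a] for a, b in zip(seq, seq[1:]))

normal = [["open", "read", "close"], ["open", "write", "close"]]
det = BigramLogDetector().fit(normal)
print(det.is_anomalous(["open", "read", "close"]))  # False
print(det.is_anomalous(["read", "open", "close"]))  # True
```

Deep models generalize far better over rare but valid transitions; the point here is only that training uses normal data exclusively, so no anomalous scenario has to be specified up front.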
With the advent of technology and the development of more complex software systems, the size of the logs these systems generate has risen steadily, making anomaly detection for remediating common errors more difficult than ever. The emergence of the cloud in the information technology (IT) industry has led enterprises to migrate toward it, which has extended the use of cloud management stacks such as OpenStack. Using the OpenStack platform, users can access resource infrastructure and manage virtual machines (VMs). Anomaly detection in OpenStack logs is difficult due to their substantial size, and the process needs to be automated. Since no appropriate open-source dataset of OpenStack logs exists, we generated 25,000 logs by injecting three types of anomalies. By properly parsing the OpenStack logs and analyzing them with data mining algorithms, we propose a technique that detects anomalies in OpenStack logs more efficiently, in terms of both performance and time, than recent studies. Compared to the previous research study, we improved anomaly detection performance in terms of F1 score, recall, and precision by 9%, 4%, and 14%, respectively, and decreased the running time relative to the log size by at least 30 s.
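The parsing step mentioned above typically reduces raw log lines to event templates before any mining runs. The sketch below shows the general idea with regular expressions; the prefix layout and masking rules are illustrative assumptions, not the exact OpenStack log format or the authors' parser.

```python
import re

def to_template(log_line):
    """Toy log-parsing step: strip an assumed timestamp/PID/level/module
    prefix and mask variable fields (UUIDs, IPs, numbers) so lines from
    the same underlying event collapse to one template."""
    # Drop an assumed "DATE TIME PID LEVEL MODULE " prefix.
    msg = re.sub(r"^\S+ \S+ \d+ \w+ \S+ ", "", log_line)
    msg = re.sub(r"\b[0-9a-f-]{36}\b", "<UUID>", msg)        # instance UUIDs
    msg = re.sub(r"\b\d{1,3}(\.\d{1,3}){3}\b", "<IP>", msg)  # IPv4 addresses
    msg = re.sub(r"\b\d+\b", "<NUM>", msg)                   # remaining numbers
    return msg

line = ("2023-01-01 12:00:00.000 2931 INFO nova.compute.manager "
        "Took 12 seconds to build instance")
print(to_template(line))  # Took <NUM> seconds to build instance
```

Once lines are collapsed to templates, each log window can be turned into a template-count vector, which is the usual input to the data mining algorithms the abstract refers to.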
Log data store event execution patterns that correspond to underlying workflows of systems or applications. While most logs are informative, log data also include artifacts that indicate failures or incidents. Accordingly, log data are often used to evaluate anomaly detection techniques that aim to automatically disclose unexpected or otherwise relevant system behavior patterns. Recently, detection approaches leveraging deep learning have increasingly focused on anomalies that manifest as changes of sequential patterns within otherwise normal event traces. Several publicly available data sets, such as HDFS, BGL, Thunderbird, OpenStack, and Hadoop, have since become standards for evaluating these anomaly detection techniques; however, the appropriateness of these data sets has not been closely investigated in the past. In this paper we therefore analyze six publicly available log data sets with a focus on the manifestations of anomalies and simple techniques for their detection. Our findings suggest that most anomalies are not directly related to sequential manifestations and that advanced detection techniques are not required to achieve high detection rates on these data sets.
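The finding above, that high detection rates are achievable without sequence modeling, can be made concrete with an order-blind baseline: flag any trace containing an event type never seen during normal training, ignoring ordering entirely. The sketch below is a hypothetical illustration of such a simple technique, not the exact baseline from the paper.

```python
def train_event_set(normal_sequences):
    """Collect the set of event types observed during normal operation."""
    return {e for seq in normal_sequences for e in seq}

def detect(seq, known_events):
    """Flag a trace if it contains any event absent from training.
    Event order plays no role, so purely sequential anomalies pass."""
    return any(e not in known_events for e in seq)

known = train_event_set([["E1", "E2", "E3"], ["E1", "E3"]])
print(detect(["E3", "E1", "E2"], known))  # False: reordered but all events known
print(detect(["E1", "E9"], known))        # True: E9 never seen in training
```

If such a baseline already scores highly on a data set, its anomalies are dominated by unseen event types rather than sequential pattern changes, which is exactly the appropriateness concern the paper raises.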