OneLog: Towards End-to-End Training in Software Log Anomaly Detection

TL;DR

OneLog introduces an end-to-end deep learning approach using character-level CNNs for software log anomaly detection, achieving state-of-the-art results and demonstrating strong generalization across multiple datasets.

Contribution

The paper presents OneLog, a novel single neural network model that replaces traditional multi-stage architectures for log anomaly detection, incorporating character-level information for improved accuracy.

Findings

State-of-the-art performance on six datasets.

Multi-project training enhances detection accuracy.

Cross-project anomaly detection is feasible.

Abstract

With the growth of online services, IoT devices, and DevOps-oriented software development, software log anomaly detection is becoming increasingly important. Prior works mainly follow a traditional four-staged architecture (Preprocessor, Parser, Vectorizer, and Classifier). This paper proposes OneLog, which utilizes a single Deep Neural Network (DNN) instead of multiple separate components. OneLog harnesses Convolutional Neural Networks (CNN) at the character level to take digits, numbers, and punctuations, which were removed in prior works, into account alongside the main natural language text. We evaluate our approach in six message- and sequence-based data sets: HDFS, Hadoop, BGL, Thunderbird, Spirit, and Liberty. We experiment with Onelog with single-, multi-, and cross-project setups. Onelog offers state-of-the-art performance in our datasets. Onelog can utilize multi-project datasets simultaneously during training, which suggests our model can generalize between datasets. Multi-project training also improves Onelog performance making it ideal when limited training data is available for an individual project. We also found that cross-project anomaly detection is possible with a single project pair (Liberty and Spirit). Analysis of model internals shows that one log has multiple modes of detecting anomalies and that the model learns manually validated parsing rules for the log messages. We conclude that character-based CNNs are a promising approach toward end-to-end learning in log anomaly detection. They offer good performance and generalization over multiple datasets. We will make our scripts publicly available upon the acceptance of this paper.