A2Log: Attentive Augmented Log Anomaly Detection
Thorsten Wittkopp, Alexander Acker, Sasho Nedelkoski, Jasmin Bogatinovski, Dominik Scheinert, Wu Fan, Odej Kao

TL;DR
A2Log introduces an unsupervised log anomaly detection method using self-attention and data augmentation to effectively identify anomalies without requiring prior anomaly examples, outperforming existing approaches.
Contribution
The paper presents A2Log, a novel unsupervised anomaly detection technique that sets decision boundaries without anomaly examples, leveraging self-attention and data augmentation.
Findings
Outperforms existing unsupervised methods on multiple datasets
Achieves comparable results to supervised baselines using only normal data
Demonstrates effectiveness in industry and public datasets
Abstract
Anomaly detection becomes increasingly important for the dependability and serviceability of IT services. As log lines record events during the execution of IT services, they are a primary source for diagnostics. Thereby, unsupervised methods provide a significant benefit since not all anomalies can be known at training time. Existing unsupervised methods need anomaly examples to obtain a suitable decision boundary required for the anomaly detection task. This requirement poses practical limitations. Therefore, we develop A2Log, which is an unsupervised anomaly detection method consisting of two steps: Anomaly scoring and anomaly decision. First, we utilize a self-attention neural network to perform the scoring for each log message. Second, we set the decision boundary based on data augmentation of the available normal training data. The method is evaluated on three publicly available…
Taxonomy
Topics: Software System Performance and Reliability · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
