A Taxonomy of Anomalies in Log Data
Thorsten Wittkopp, Philipp Wiesner, Dominik Scheinert, Odej Kao

TL;DR
This paper introduces a taxonomy for log data anomalies, analyzes their characteristics, and evaluates various anomaly detection algorithms on benchmark datasets, highlighting the effectiveness of deep learning methods especially for contextual anomalies.
Contribution
It presents a novel taxonomy tailored for log data anomalies and an analysis method applied to benchmark datasets, aiding in selecting suitable detection algorithms.
Findings
Deep learning approaches outperform data mining methods across anomaly types.
The most common anomaly type is also the easiest to detect.
Deep learning excels in identifying contextual anomalies.
Abstract
Log data anomaly detection is a core component in the area of artificial intelligence for IT operations. However, the large amount of existing methods makes it hard to choose the right approach for a specific system. A better understanding of different kinds of anomalies, and which algorithms are suitable for detecting them, would support researchers and IT operators. Although a common taxonomy for anomalies already exists, it has not yet been applied specifically to log data, pointing out the characteristics and peculiarities in this domain. In this paper, we present a taxonomy for different kinds of log data anomalies and introduce a method for analyzing such anomalies in labeled datasets. We applied our taxonomy to the three common benchmark datasets Thunderbird, Spirit, and BGL, and trained five state-of-the-art unsupervised anomaly detection algorithms to evaluate their…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Software System Performance and Reliability · Network Security and Intrusion Detection
