PULL: Reactive Log Anomaly Detection Based On Iterative PU Learning
Thorsten Wittkopp, Dominik Scheinert, Philipp Wiesner, Alexander Acker, Odej Kao

TL;DR
PULL is an iterative, attention-based deep learning method for reactive log anomaly detection that leverages estimated failure windows instead of labeled data, achieving high accuracy across multiple datasets.
Contribution
It introduces a novel weak supervision objective and iterative PU learning strategy for anomaly detection without requiring labeled training data.
Findings
Outperforms ten benchmark baselines
Achieves F1-score > 0.99 in detecting anomalies
Effective across diverse datasets
Abstract
Due to the complexity of modern IT services, failures can be manifold, occur at any stage, and are hard to detect. For this reason, anomaly detection applied to monitoring data such as logs allows gaining relevant insights to improve IT services steadily and eradicate failures. However, existing anomaly detection methods that provide high accuracy often rely on labeled training data, which are time-consuming to obtain in practice. Therefore, we propose PULL, an iterative log analysis method for reactive anomaly detection based on estimated failure time windows provided by monitoring systems instead of labeled data. Our attention-based model uses a novel objective function for weak supervision deep learning that accounts for imbalanced data and applies an iterative learning strategy for positive and unknown samples (PU learning) to identify anomalous logs. Our evaluation shows that PULL…
Taxonomy
Topics: Software System Performance and Reliability · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
