CSCLog: A Component Subsequence Correlation-Aware Log Anomaly Detection Method

TL;DR

CSCLog is a novel log anomaly detection method that captures both sequential dependencies and implicit correlations among subsequences using LSTMs, GCNs, and attention mechanisms, significantly improving detection accuracy.

Contribution

The paper introduces CSCLog, which models implicit correlations of subsequences in log sequences, enhancing anomaly detection beyond existing sequential dependency methods.

Findings

Outperforms baseline by 7.41% in Macro F1-Measure

Effective modeling of implicit subsequence correlations

Demonstrated on four public log datasets

Abstract

Anomaly detection based on system logs plays an important role in intelligent operations, which is a challenging task due to the extremely complex log patterns. Existing methods detect anomalies by capturing the sequential dependencies in log sequences, which ignore the interactions of subsequences. To this end, we propose CSCLog, a Component Subsequence Correlation-Aware Log anomaly detection method, which not only captures the sequential dependencies in subsequences, but also models the implicit correlations of subsequences. Specifically, subsequences are extracted from log sequences based on components and the sequential dependencies in subsequences are captured by Long Short-Term Memory Networks (LSTMs). An implicit correlation encoder is introduced to model the implicit correlations of subsequences adaptively. In addition, Graph Convolution Networks (GCNs) are employed to accomplish the information interactions of subsequences. Finally, attention mechanisms are exploited to fuse the embeddings of all subsequences. Extensive experiments on four publicly available log datasets demonstrate the effectiveness of CSCLog, outperforming the best baseline by an average of 7.41% in Macro F1-Measure.