Try with Simpler -- An Evaluation of Improved Principal Component Analysis in Log-based Anomaly Detection

TL;DR

This paper evaluates an optimized traditional PCA method for log-based anomaly detection, demonstrating it can rival deep learning approaches in effectiveness while being more resource-efficient and stable with limited data.

Contribution

The study introduces a lightweight semantic-based enhancement to PCA, showing traditional methods can be improved to match deep learning performance in anomaly detection.

Findings

Optimized PCA achieves similar detection accuracy as deep learning methods.

The enhanced PCA is more stable with limited training data.

Traditional techniques can be effectively improved with small adaptations.

Abstract

The rapid growth of deep learning (DL) has spurred interest in enhancing log-based anomaly detection. This approach aims to extract meaning from log events (log message templates) and develop advanced DL models for anomaly detection. However, these DL methods face challenges like heavy reliance on training data, labels, and computational resources due to model complexity. In contrast, traditional machine learning and data mining techniques are less data-dependent and more efficient but less effective than DL. To make log-based anomaly detection more practical, the goal is to enhance traditional techniques to match DL's effectiveness. Previous research in a different domain (linking questions on Stack Overflow) suggests that optimized traditional techniques can rival state-of-the-art DL methods. Drawing inspiration from this concept, we conducted an empirical study. We optimized the unsupervised PCA (Principal Component Analysis), a traditional technique, by incorporating lightweight semantic-based log representation. This addresses the issue of unseen log events in training data, enhancing log representation. Our study compared seven log-based anomaly detection methods, including four DL-based, two traditional, and the optimized PCA technique, using public and industrial datasets. Results indicate that the optimized unsupervised PCA technique achieves similar effectiveness to advanced supervised/semi-supervised DL methods while being more stable with limited training data and resource-efficient. This demonstrates the adaptability and strength of traditional techniques through small yet impactful adaptations.