GLAD: Content-aware Dynamic Graphs For Log Anomaly Detection

TL;DR

GLAD is a novel graph-based framework that leverages content-aware dynamic log graphs and advanced neural models to improve anomaly detection by capturing complex relational patterns in system logs.

Contribution

GLAD introduces a unified approach combining log semantics, relational, and sequential patterns with a prompt-based field extraction and a GNN-transformer model for relational anomaly detection.

Findings

Effective detection of relational anomalies in logs.

Outperforms existing methods on three datasets.

Captures content, structural, and temporal features.

Abstract

Logs play a crucial role in system monitoring and debugging by recording valuable system information, including events and states. Although various methods have been proposed to detect anomalies in log sequences, they often overlook the significance of considering relations among system components, such as services and users, which can be identified from log contents. Understanding these relations is vital for detecting anomalies and their underlying causes. To address this issue, we introduce GLAD, a Graph-based Log Anomaly Detection framework designed to detect relational anomalies in system logs. GLAD incorporates log semantics, relational patterns, and sequential patterns into a unified framework for anomaly detection. Specifically, GLAD first introduces a field extraction module that utilizes prompt-based few-shot learning to identify essential fields from log contents. Then GLAD constructs dynamic log graphs for sliding windows by interconnecting extracted fields and log events parsed from the log parser. These graphs represent events and fields as nodes and their relations as edges. Subsequently, GLAD utilizes a temporal-attentive graph edge anomaly detection model for identifying anomalous relations in these dynamic log graphs. This model employs a Graph Neural Network (GNN)-based encoder enhanced with transformers to capture content, structural and temporal features. We evaluate our proposed method on three datasets, and the results demonstrate the effectiveness of GLAD in detecting anomalies indicated by varying relational patterns.