MLAD: A Unified Model for Multi-system Log Anomaly Detection
Runqiang Zang, Hongcheng Guo, Jian Yang, Jiaheng Liu, Zhoujun Li, Tieqiao Zheng, Xu Shi, Liangfan Zheng, Bo Zhang

TL;DR
MLAD is a unified, scalable anomaly detection model that leverages semantic reasoning and vector space diffusion to improve detection accuracy across multiple systems, addressing transferability and rare anomaly challenges.
Contribution
The paper introduces MLAD, a novel multi-system log anomaly detection model that combines semantic relational reasoning, attention-based keyword significance, and Gaussian mixture modeling.
Findings
MLAD outperforms existing models on three real-world datasets.
It effectively handles rare anomalies and transferability issues.
The model demonstrates improved scalability and accuracy.
Abstract
In spite of the rapid advancements in unsupervised log anomaly detection techniques, the current mainstream models still necessitate specific training for individual system datasets, resulting in costly procedures and limited scalability due to dataset size, thereby leading to performance bottlenecks. Furthermore, numerous models lack cognitive reasoning capabilities, posing challenges in direct transferability to similar systems for effective anomaly detection. Additionally, akin to reconstruction networks, these models often encounter the "identical shortcut" predicament, wherein the majority of system logs are classified as normal, erroneously predicting normal classes when confronted with rare anomaly logs due to reconstruction errors. To address the aforementioned issues, we propose MLAD, a novel anomaly detection model that incorporates semantic relational reasoning across…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Software System Performance and Reliability · Network Security and Intrusion Detection
