Beyond Window-Based Detection: A Graph-Centric Framework for Discrete Log Anomaly Detection
Jiaxing Qi, Chang Zeng, Zhongzhi Luan, Shaohan Huang, Shu Yang, Yao Lu, Hailong Yang, Depei Qian

TL;DR
This paper introduces TempoLog, a graph-centric framework that uses multi-scale temporal graph networks to improve discrete log anomaly detection by capturing dynamic relationships without fixed windows.
Contribution
The paper presents a novel graph-based approach, TempoLog, which constructs continuous-time dynamic graphs for more accurate and efficient anomaly detection in event logs.
Findings
Achieves state-of-the-art accuracy on public datasets.
Outperforms existing methods in detection speed and precision.
Effectively captures multi-scale temporal dependencies.
Abstract
Detecting anomalies in discrete event logs is critical for ensuring system reliability, security, and efficiency. Traditional window-based methods for log anomaly detection often suffer from context bias and fuzzy localization, which hinder their ability to precisely and efficiently identify anomalies. To address these challenges, we propose a graph-centric framework, TempoLog, which leverages multi-scale temporal graph networks for discrete log anomaly detection. Unlike conventional methods, TempoLog constructs continuous-time dynamic graphs directly from event logs, eliminating the need for fixed-size window grouping. By representing log templates as nodes and their temporal relationships as edges, the framework dynamically captures both local and global dependencies across multiple temporal scales. Additionally, a semantic-aware model enhances detection by incorporating rich…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection · Software System Performance and Reliability
