ZeroLog: Zero-Label Generalizable Cross-System Log-based Anomaly Detection

TL;DR

ZeroLog introduces a novel zero-label, cross-system anomaly detection method that leverages meta-learning and unsupervised domain adaptation to identify anomalies without any labeled logs, achieving high accuracy across diverse systems.

Contribution

It proposes ZeroLog, a system-agnostic meta-learning approach that enables effective anomaly detection across systems without requiring labeled target logs.

Findings

ZeroLog achieves over 80% F1-score without target labels.

It outperforms existing zero-label methods in cross-system anomaly detection.

ZeroLog's performance is comparable to state-of-the-art methods trained with labeled logs.

Abstract

Log-based anomaly detection is an important task in ensuring the stability and reliability of software systems. One of the key problems in this task is the lack of labeled logs. Existing works usually leverage large-scale labeled logs from mature systems to train an anomaly detection model of a target system based on the idea of transfer learning. However, these works still require a certain number of labeled logs from the target system. In this paper, we take a step forward and study a valuable yet underexplored setting: zero-label cross-system log-based anomaly detection, that is, no labeled logs are available in the target system. Specifically, we propose ZeroLog, a system-agnostic representation meta-learning method that enables cross-system log-based anomaly detection under zero-label conditions. To achieve this, we leverage unsupervised domain adaptation to perform adversarial training between the source and target domains, aiming to learn system-agnostic general feature representations. By employing meta-learning, the learned representations are further generalized to the target system without any target labels. Experimental results on three public log datasets from different systems show that ZeroLog reaches over 80% F1-score without labels, comparable to state-of-the-art cross-system methods trained with labeled logs, and outperforms existing methods under zero-label conditions.