FusionLog: Cross-System Log-based Anomaly Detection via Fusion of General and Proprietary Knowledge

TL;DR

FusionLog introduces a zero-label, cross-system log anomaly detection method that fuses general and proprietary knowledge, achieving high accuracy without labeled target logs by leveraging semantic similarity and collaborative knowledge distillation.

Contribution

The paper presents FusionLog, a novel approach that combines general and proprietary knowledge for zero-label cross-system anomaly detection, addressing limitations of existing transfer learning methods.

Findings

Achieves over 90% F1-score in zero-label settings.

Significantly outperforms existing cross-system anomaly detection methods.

Effectively fuses general and proprietary knowledge for improved detection.

Abstract

Log-based anomaly detection is critical for ensuring the stability and reliability of web systems. One of the key problems in this task is the lack of sufficient labeled logs, which limits the rapid deployment in new systems. Existing works usually leverage large-scale labeled logs from a mature web system and a small amount of labeled logs from a new system, using transfer learning to extract and generalize general knowledge across both domains. However, these methods focus solely on the transfer of general knowledge and neglect the disparity and potential mismatch between such knowledge and the proprietary knowledge of target system, thus constraining performance. To address this limitation, we propose FusionLog, a novel zero-label cross-system log-based anomaly detection method that effectively achieves the fusion of general and proprietary knowledge, enabling cross-system generalization without any labeled target logs. Specifically, we first design a training-free router based on semantic similarity that dynamically partitions unlabeled target logs into 'general logs' and 'proprietary logs.' For general logs, FusionLog employs a small model based on system-agnostic representation meta-learning for direct training and inference, inheriting the general anomaly patterns shared between the source and target systems. For proprietary logs, we iteratively generate pseudo-labels and fine-tune the small model using multi-round collaborative knowledge distillation and fusion based on large language model (LLM) and small model (SM) to enhance its capability to recognize anomaly patterns specific to the target system. Experimental results on three public log datasets from different systems show that FusionLog achieves over 90% F1-score under a fully zero-label setting, significantly outperforming state-of-the-art cross-system log-based anomaly detection methods.