Log anomaly detection via Meta Learning and Prototypical Networks for Cross domain generalization

TL;DR

This paper introduces a meta-learning framework combining Prototypical Networks and MAML for cross-domain log anomaly detection, effectively handling data imbalance and domain shifts to improve generalization.

Contribution

The study presents a novel end-to-end meta-learning approach integrating semantic log parsing, drift-based labeling, and prototype-based adaptation for cross-domain anomaly detection.

Findings

Achieved highest mean F1 scores in cross-domain settings.

Effectively handled data imbalance with SMOTE oversampling.

Validated approach's effectiveness through empirical experiments.

Abstract

Log anomaly detection is essential for system reliability, but it is extremely challenging to do considering it involves class imbalance. Additionally, the models trained in one domain are not applicable to other domains, necessitating the need for cross-domain adaptation (such as HDFS and Linux). Traditional detection models often fail to generalize due to significant data drift and the inherent absence of labeled anomalies in new target domains. To handle the above challenges, we proposed a new end-to-end framework based on a meta-learning approach. Our methodology first gets the data ready by combining a Drain3 log parsing mechanism with a dynamic drift-based labeling technique that uses semantic and fuzzy matching to move existing anomaly knowledge from one source to another. BERT-based semantic embeddings are obtained, and the feature selection is invoked to reduce the dimensionality. Later, Model Agnostic Meta-Learning (MAML) and Prototypical Networks models are trained to adapt quickly and effectively. The SMOTE oversampling method is employed to handle imbalances in the data. All the results are obtained by employing the leave-one-out source method, and the corresponding mean F1 scores are reported. Our empirical findings validate that the proposed meta-learning-driven approach yielded the highest mean F1 score and proved to be effective for cross-domain settings.