A Comparative Study of Semantic Log Representations for Software Log-based Anomaly Detection

TL;DR

This paper benchmarks various semantic log representation methods for anomaly detection, introduces QTyBERT to balance effectiveness and efficiency, and demonstrates its competitive performance on multiple datasets.

Contribution

It provides a comprehensive benchmark of existing methods and proposes QTyBERT, a novel semantic log representation that balances detection accuracy and computational efficiency.

Findings

BERT-based methods are more effective but slower for log embedding generation.

Static word embeddings are efficient but less effective for anomaly detection.

QTyBERT achieves a good balance between effectiveness and efficiency, comparable to BERT.

Abstract

Recent deep learning (DL) methods for log anomaly detection increasingly rely on semantic log representation methods that convert the textual content of log events into vector embeddings as input to DL models. However, these DL methods are typically evaluated as end-to-end pipelines, while the impact of different semantic representation methods is not well understood. In this paper, we benchmark widely used semantic log representation methods, including static word embedding methods (Word2Vec, GloVe, and FastText) and the BERT-based contextual embedding method, across diverse DL models for log-event level anomaly detection on three publicly available log datasets: BGL, Thunderbird, and Spirit. We identify an effectiveness--efficiency trade off under CPU deployment settings: the BERT-based method is more effective, but incurs substantially longer log embedding generation time, limiting its practicality; static word embedding methods are efficient but are generally less effective and may yield insufficient detection performance. Motivated by this finding, we propose QTyBERT, a novel semantic log representation method that better balances this trade-off. QTyBERT uses SysBE, a lightweight BERT variant with system-specific quantization, to efficiently encode log events into vector embeddings on CPUs, and leverages CroSysEh to enhance the semantic expressiveness of these log embeddings. CroSysEh is trained unsupervisedly using unlabeled logs from multiple systems to capture the underlying semantic structure of the BERT model's embedding space. We evaluate QTyBERT against existing semantic log representation methods. Our results show that, for the DL models, using QTyBERT-generated log embeddings achieves detection effectiveness comparable to or better than BERT-generated log embeddings, while bringing log embedding generation time closer to that of static word embedding methods.