基于双粒度时空建模的日志异常检测方法

doi:10.19678/j.issn.1000-3428.0252847

摘要/Abstract

摘要： 现有日志异常检测技术在语义建模中往往忽略时间上下文信息，模态融合能力不足，并且普遍过度依赖日志解析，这些局限使模型难以捕捉语义内容突变与时间行为异常并存的复杂模式。为解决上述挑战，本文提出了一种无日志解析的端到端检测模型（Log Spatio-Temporal Fusion，LogSTF）。该模型采用语义与时间双分支结构，语义分支获取上下文感知的语义特征，时间分支以时间级与序列级的双粒度建模同时捕捉局部突发与全局演化的时间模式；在此基础上，通过跨模态的双向交叉注意力实现模态融合，显式建立语义与时间之间的细粒度依赖，从而提升对复杂日志行为的建模与判别能力。在HDFS、BGL和Thunderbird三个公开日志数据集上进行实验，结果表明LogSTF在三个数据集上的F1值分别达到99.64%、98.45%和99.67%，与最新的两个基准模型LAnoBERT和LogFormer相比，F1值平均相对提升5.20%和2.03%，通过消融实验验证了时间信息与模态协同对性能提升的关键作用。基于轻量语义扰动下的鲁棒性测试，验证了LogSTF在非理想日志条件下的稳健性与泛化表现。该方法在无需日志解析的前提下，实现了对复合型异常模式的高精度识别。

Abstract: Existing log anomaly detection techniques often neglect temporal contextual information in semantic modeling, exhibit insufficient modality fusion capabilities, and generally over-rely on log parsing. These limitations make it difficult for models to capture complex patterns where sudden semantic content changes coexist with temporal behavioral anomalies. To address these challenges, this paper proposes a model that operates without log parsing (Log Spatio-Temporal Fusion, LogSTF). This model employs a dual-branch architecture for semantic and temporal processing. The semantic branch extracts context-aware semantic features, while the temporal branch models both local bursts and global evolution through dual-granularity at temporal and sequence levels. Building upon this foundation, bidirectional cross-attention achieves modal fusion, explicitly establishing fine-grained dependencies between semantics and time. This enhances the model’s ability to represent and discern complex log behaviors. Experiments conducted on three public log datasets—HDFS, BGL, and Thunderbird— results show LogSTF achieves F1 scores of 99.64%, 98.45%, and 99.67% respectively across the three datasets. Compared to the two state-of-the-art models LAnoBERT and LogFormer, LogSTF demonstrates average relative F1 improvements of 5.20% and 2.03%. Ablation experiments validate the critical role of temporal information and modality collaboration in performance enhancement. Robustness testing under lightweight semantic perturbations validated LogSTF’s stability and generalization capabilities under suboptimal log conditions. This approach achieves high-precision detection of complex anomaly patterns without requiring log parsing.

苏娜, 裴厚清, 徐力 , 王经钧 , 纪淑娟. 基于双粒度时空建模的日志异常检测方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0252847.

SU Na, PEI Houqing, XU Li , WANG Jingjun , JI Shujuan. Log Anomaly Detection Method Based on Dual-Granularity Spatio-Temporal Modeling[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0252847.

参考文献

[1] Du M, Li F, Zheng G, et al. Deeplog: Anomaly detection and diagnosis from system logs through deep learning[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 1285-1298.
[2] Le V H, Zhang H. Log-based anomaly detection without log parsing[C]//2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 2021: 492-504.
[3] Meng W, Liu Y, Zhu Y, et al. Loganomaly: Unsupervised detection of sequential and quantitative anomalies in unstructured logs[C]//IJCAI. 2019, 19(7): 4739-4745.
[4] Gong K, Luo S, Pan L, et al. LogETA: Time-aware cross-system log-based anomaly detection with inter-class boundary optimization[J]. Future Generation Computer Systems, 2024, 157: 16-28.
[5] 尹春勇,张小虎.基于Transformer和Text-CNN的日志异常检测[J].计算机工程与科学,2025,47(03):448-458. YIN C, ZHANG X. Log anomaly detection based on Transformer and Text-CNN[J]. Computer Engineering & Science, 2025, 47(03): 448-458.
[6] Wu X, Li H, Khomh F. What information contributes to log-based anomaly detection? Insights from a configurable transformer-based approach[J]. Automated Software Engineering, 2025, 32(2): 58.
[7] Devlin J, Chang M W, Lee K, et al. Bert: Pre-training of deep bidirectional transformers for language understanding[C]//Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics, 2019: 4171-4186.
[8] Lin T Y, Goyal P, Girshick R, et al. Focal loss for dense object detection[C]//Proceedings of the IEEE International Conference on Computer Vision. 2017: 2980-2988.
[9] Wittkopp T, Wiesner P, Scheinert D, et al. Loglab: attention-based labeling of log data anomalies via weak supervision[C]//International Conference on Service Oriented Computing. Cham: Springer International Publishing, 2021: 700-707.
[10] 余佳妮,胡朝霞,蒋从锋.一种基于多特征的日志事件异常检测方法研究[J].计算机工程与科学,2024,46(09):1587-1597. Yu, J., Hu, Z., & Jiang, C. Research on a log event anomaly detection method based on multi-features[J]. Computer Engineering and Science, 2024,46(09), 1587-1597.
[11] Huang S, Liu Y, Fung C, et al. Hitanomaly: Hierarchical transformers for anomaly detection in system log[J]. IEEE Transactions on Network and Service Management, 2020, 17(4): 2064-2076.
[12] LIU Y, REN S, WANG X, et al. Temporal logical attention network for log-based anomaly detection in distributed systems[J]. Sensors (Basel, Switzerland), 2024, 24(24): 7949.
[13] Xie Y, Zhang H, Babar M A. LogGD: Detecting Anomalies from System Logs with Graph Neural Net-works[C]//2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS). IEEE, 2022: 299-310.
[14] 陈旭,张硕,景永俊,等.混合特征平衡图注意力网络日志异常检测模型[J].计算机工程与应用,2025,61(01):308-320. Chen, X., Zhang, S., Jing, Y., et al. A hybrid-feature balanced graph attention network for log anomaly detection[J]. Computer Engineering and Applications, 2025,61(01), 308-320.
[15] Xu K, Wang Y, Yang L, et al. Clouddet: Interactive visual analysis of anomalous performances in cloud computing systems[J]. IEEE Transactions on Visualization and Computer Graphics, 2019, 26(1): 1107-1117.
[16] LI X, CHEN P, JING L, et al. SwissLog: Robust Anomaly Detection and Localization for Interleaved Unstructured Logs[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(4): 2762-2780.
[17] TULI S, CASALE G, JENNINGS N R. TranAD: Deep transformer networks for anomaly detection in multivariate time series data[J]. Proceedings of the VLDB Endowment, 2022, 15(6): 1201-1214.
[18] He P, Zhu J, Zheng Z, et al. Drain: An online log parsing approach with fixed depth tree[C]//2017 IEEE International Conference on Web Services (ICWS). IEEE, 2017: 33-40.
[19] Du M, Li F. Spell: Streaming parsing of system event logs[C]//2016 IEEE 16th International Conference on Data Mining (ICDM). IEEE, 2016: 859-864.
[20] Guo H, Yuan S, Wu X. Logbert: Log anomaly detection via bert[C]//2021 International Joint Conference on Neural Networks (IJCNN). IEEE, 2021: 1-8.
[21] Zhang X, Xu Y, Lin Q, et al. Robust log-based anomaly detection on unstable log data[C]//Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 2019: 807-817.
[22] Fu Y, Yan M, Xu Z, et al. An empirical study of the impact of log parsers on the performance of log-based anomaly detection[J]. Empirical Software Engineering, 2023, 28(1): 6.
[23] Xiao R, Li W, Lu J, et al. Contexlog: Non-parsing log anomaly detection with all information preservation and enhanced contextual representation[J]. IEEE Transactions on Network and Service Management, 2024, 21(4): 4750-4762.
[24] Han X, Yuan S, Trabelsi M. Loggpt: Log anomaly detection via gpt[C]//2023 IEEE International Conference on Big Data (BigData). IEEE, 2023: 1117-1122.
[25] Zhu J, He S, He P, et al. Loghub: A large collection of system log datasets for ai-driven log analytics[C]//2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE). IEEE, 2023: 355-366.
[26] Lee Y, Kim J, Kang P. LAnoBERT: System log anomaly detection based on bert masked language model[J]. Applied Soft Computing, 2023, 146: 110689.
[27] Guo H, Yang J, Liu J, et al. LogFormer: A pre-train and tuning pipeline for log anomaly detection[C]//Proceedings of the AAAI Conference on Artificial Intelligence. 2024, 38(1): 135-143.

选择文件类型/文献管理软件名称

选择包含的内容