Log data store event execution patterns that correspond to underlying workflows of systems or applications. While most logs are informative, log data also include artifacts that indicate failures or incidents. Accordingly, log data are often used to evaluate anomaly detection techniques that aim to automatically disclose unexpected or otherwise relevant system behavior patterns. Recently, detection approaches leveraging deep learning have increasingly focused on anomalies that manifest as changes of sequential patterns within otherwise normal event traces. Several publicly available data sets, such as HDFS, BGL, Thunderbird, OpenStack, and Hadoop, have since become standards for evaluating these anomaly detection techniques, however, the appropriateness of these data sets has not been closely investigated in the past. In this paper we therefore analyze six publicly available log data sets with focus on the manifestations of anomalies and simple techniques for their detection. Our findings suggest that most anomalies are not directly related to sequential manifestations and that advanced detection techniques are not required to achieve high detection rates on these data sets.
翻译:日志数据存储了与系统或应用程序底层工作流相对应的事件执行模式。虽然大多数日志具有信息性,但日志数据也包含指示故障或事件的痕迹。因此,日志数据常被用于评估旨在自动揭示意外或相关系统行为模式的异常检测技术。近年来,基于深度学习的检测方法日益聚焦于在正常事件轨迹中表现为序列模式变化的异常。HDFS、BGL、Thunderbird、OpenStack和Hadoop等若干公开数据集已成为评估这些异常检测技术的标准,然而,这些数据集的适用性此前并未得到细致研究。本文针对六个公开日志数据集展开分析,重点考察异常的表现形式及其检测的简单技术。研究结果表明,大多数异常与序列表现形式无直接关联,且无需采用高级检测技术即可在这些数据集上实现高检测率。