Anomaly detection based on system logs plays an important role in intelligent operations, but it is a challenging task because log patterns are extremely complex. Existing methods detect anomalies by capturing the sequential dependencies in log sequences, but they ignore the interactions between subsequences. To this end, we propose CSCLog, a Component Subsequence Correlation-Aware Log anomaly detection method, which not only captures the sequential dependencies within subsequences but also models the implicit correlations between subsequences. Specifically, subsequences are extracted from log sequences based on components, and the sequential dependencies in each subsequence are captured by Long Short-Term Memory Networks (LSTMs). An implicit correlation encoder is introduced to model the implicit correlations of subsequences adaptively. In addition, Graph Convolution Networks (GCNs) are employed to carry out the information interactions between subsequences. Finally, attention mechanisms are used to fuse the embeddings of all subsequences. Extensive experiments on four publicly available log datasets demonstrate the effectiveness of CSCLog, which outperforms the best baseline by an average of 7.41% in Macro F1-Measure.
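To make the component-based subsequence extraction step concrete, the following is an added example (not code from the CSCLog paper or its authors). It splits each session of a constructed HDFS-style log into one ordered event subsequence per component; the log layout, the use of the block ID as session key, and the masking rules used to form event templates are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed layout: date time pid level component: message).
SAMPLE_LOGS = """\
081109 203518 143 INFO dfs.DataNode$DataXceiver: Receiving block blk_1 src: /10.0.0.1:5000
081109 203518 35 INFO dfs.FSNamesystem: BLOCK* NameSystem.allocateBlock: /tmp/f1 blk_1
081109 203519 143 INFO dfs.DataNode$PacketResponder: PacketResponder 1 for block blk_1 terminating
081109 203519 143 INFO dfs.DataNode$DataXceiver: Receiving block blk_2 src: /10.0.0.2:5000
081109 203520 143 INFO dfs.DataNode$PacketResponder: Received block blk_1 of size 911 from /10.0.0.1
081109 203521 35 INFO dfs.FSNamesystem: BLOCK* NameSystem.addStoredBlock: blockMap updated: 10.0.0.1:5000 is added to blk_1 size 911
""".splitlines()

LINE_RE = re.compile(r"^(\d+) (\d+) (\d+) (\w+) ([\w.$]+): (.*)$")
BLOCK_RE = re.compile(r"blk_-?\d+")
IP_RE = re.compile(r"/?\d+\.\d+\.\d+\.\d+(:\d+)?")
NUM_RE = re.compile(r"\b\d+\b")


def to_template(message):
    """Mask variable fields so that messages of the same event type compare equal."""
    masked = BLOCK_RE.sub("<BLK>", message)
    masked = IP_RE.sub("<IP>", masked)
    return NUM_RE.sub("<NUM>", masked)


def component_subsequences(lines):
    """Return {session_id: {component: [event templates in log order]}}."""
    sessions = defaultdict(lambda: defaultdict(list))
    for line in lines:
        match = LINE_RE.match(line)
        if match is None:
            continue  # skip lines that do not follow the assumed layout
        component, message = match.group(5), match.group(6)
        # A line belongs to every session (block) it mentions.
        for block_id in sorted(set(BLOCK_RE.findall(message))):
            sessions[block_id][component].append(to_template(message))
    return {sid: dict(comps) for sid, comps in sessions.items()}


if __name__ == "__main__":
    for sid, comps in component_subsequences(SAMPLE_LOGS).items():
        print(sid)
        for component, events in comps.items():
            print("  ", component, "->", events)
```

Each per-component list is what a sequence encoder such as an LSTM would consume separately, before any cross-subsequence interaction is modelled.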