Despite rapid advances in unsupervised log anomaly detection, current mainstream models still require specific training on each individual system's dataset, resulting in costly procedures and limited scalability due to dataset size, and thereby in performance bottlenecks. Furthermore, many models lack cognitive reasoning capabilities, which makes it hard to transfer them directly to similar systems for effective anomaly detection. Additionally, like reconstruction networks, these models often run into the "identical shortcut" predicament: because the majority of system logs are classified as normal, the model erroneously predicts the normal class when confronted with rare anomaly logs, due to reconstruction errors. To address these issues, we propose MLAD, a novel anomaly detection model that incorporates semantic relational reasoning across multiple systems. Specifically, we employ Sentence-BERT to capture the similarities between log sequences and convert them into high-dimensional learnable semantic vectors. Subsequently, we revamp the formulas of the Attention layer to discern the significance of each keyword in the sequence and model the overall distribution of the multi-system dataset through appropriate vector space diffusion. Lastly, we employ a Gaussian mixture model to highlight the uncertainty of rare words pertaining to the "identical shortcut" problem, optimizing the vector space of the samples using the maximum expectation model. Experiments on three real-world datasets demonstrate the superiority of MLAD.