Graph Neural Networks based Log Anomaly Detection and Explanation

Abstract

Event logs are widely used to record the status of high-tech systems, making log anomaly detection important for monitoring those systems. We propose a graph-based method for unsupervised log anomaly detection, dubbed Logs2Graphs, which first converts event logs into attributed, directed, and weighted graphs, and then leverages graph neural networks to perform graph-level anomaly detection. Specifically, we introduce OCDiGCN, a novel graph neural network model for detecting graph-level anomalies in a collection of attributed, directed, and weighted graphs. By coupling the graph representation and anomaly detection steps, OCDiGCN can learn a representation that is especially suited for anomaly detection, resulting in a high detection accuracy. For each detected anomaly, we provide a subset of nodes that are crucial in OCDiGCN's predictions, offering useful insights for root cause diagnosis. Experiments on five benchmark datasets show that Logs2Graphs matches or exceeds current top log anomaly detection methods on simple datasets and largely outperforms them on complex ones.

Citation (APA)

Li, Z., Shi, J., & Van Leeuwen, M. (2024). Graph Neural Networks based Log Anomaly Detection and Explanation. In Proceedings - International Conference on Software Engineering (pp. 306–307). IEEE Computer Society. https://doi.org/10.1145/3639478.3643084
