LG · Jan 25, 2023

PULL: Reactive Log Anomaly Detection Based On Iterative PU Learning

arXiv:2301.10681v16 citations · h-index: 31
Originality: Incremental advance
AI Analysis

The paper addresses the time-consuming acquisition of labeled data for IT service monitoring and offers a reactive solution with high accuracy, though its application of PU learning to logs is an incremental advance.

The paper tackles the problem of detecting failures in IT services using log anomaly detection without labeled training data, proposing PULL, an iterative method that achieves an F1-score of over 0.99 across three datasets and outperforms ten baselines.

Due to the complexity of modern IT services, failures can be manifold, occur at any stage, and are hard to detect. For this reason, anomaly detection applied to monitoring data such as logs allows gaining relevant insights to improve IT services steadily and eradicate failures. However, existing anomaly detection methods that provide high accuracy often rely on labeled training data, which are time-consuming to obtain in practice. Therefore, we propose PULL, an iterative log analysis method for reactive anomaly detection based on estimated failure time windows provided by monitoring systems instead of labeled data. Our attention-based model uses a novel objective function for weak supervision deep learning that accounts for imbalanced data and applies an iterative learning strategy for positive and unknown samples (PU learning) to identify anomalous logs. Our evaluation shows that PULL consistently outperforms ten benchmark baselines across three different datasets and detects anomalous log messages with an F1-score of more than 0.99 even within imprecise failure time windows.
