State Machine Guided Multi-Relational Synthetic Data from Logs for Anomaly Detection
For practitioners of log-based anomaly detection, this work provides a method to generate realistic synthetic data that captures structural and temporal constraints, addressing the bottleneck of limited labeled data.
The paper proposes a framework that recovers an execution state machine from unstructured logs to generate multi-relational synthetic data, which when used to augment real logs, significantly improves anomaly and bug detection compared to sequence-based baselines and naive oversampling.
Software systems generate massive unstructured logs that record execution behavior, failures, and interactions across components, yet existing log anomaly detection methods treat these logs primarily as flat sequences of templates, overlooking the relational execution structure that governs how events co-occur and evolve over time. We propose a framework that discovers this hidden structure by recovering an execution state machine directly from logs and inducing a corresponding multi-table relational schema connecting traces, events, states, transitions, and parameters. This discovered state machine serves as a generative prior to produce realistic multi-relational synthetic data that preserves structural, temporal, and process constraints while amplifying rare but valid execution behaviors. We assess the fidelity of the generated data through constraint validation, distributional similarity, and process-level metrics, and demonstrate its usefulness by showing that augmenting real logs with the synthetic relational data significantly improves anomaly and bug detection on held-out real datasets compared to sequence-based baselines and naive oversampling. Our results show that execution logs implicitly encode a relational database governed by a latent state machine, and that recovering this structure enables principled synthetic data generation for robust and interpretable anomaly detection.