NLLog: Lightweight, Explainable SOC Anomaly Detection via Log-to-Language Rewriting
For security operations center analysts, NLLog provides an explainable, lightweight anomaly detection pipeline that bridges rigid log formats and human comprehension.
NLLog rewrites system logs into natural-language sentences and uses TF-IDF weighting with tree ensembles to detect anomalies, achieving low false-positive rates and commodity-hardware latency on HDFS, BGL, and AIT datasets, outperforming two baselines.
System-generated logs underpin security monitoring, yet their rigid template-based format hinders both automated analysis and human comprehension. We present NLLog (Natural-Language Log), a lightweight pipeline that deterministically rewrites parsed templates into WHO-WHAT-SEVERITY sentences, pools them with term-frequency-inverse-document-frequency weighting, classifies sessions with tree ensembles, and back-projects evidence with TreeSHAP for analyst review. On Hadoop Distributed File System (HDFS) and Blue Gene/L (BGL) corpora, NLLog exceeds two reproduced matched-protocol baselines; across HDFS, BGL, and the AIT Alert Data Set, it sustains low false-positive rates with commodity-hardware latency suitable for security operations center triage. Coverage, sparse-versus-dense, faithfulness, and adversarial ablations show that fallback sufficiency is corpus-dependent, that an enrollment-time coverage check can surface refinement requirements before deployment, and that an auditable deterministic rewrite combined with lightweight dense encoding provides a measurable representation layer for log-anomaly detection and triage.