
DeepEAD: Explainable Anomaly Detection from System Logs


Abstract:

System logs record rich information about system events. Practical anomaly detection from system logs must address three challenges: 1) understanding the complicated attributes of event logs; 2) extracting complex context relations among events; and 3) providing concrete explanations to human analysts. In this paper, we develop an attention-equipped encoder-decoder system that captures context from system logs for explainable anomaly detection. For each target event, we collect its nearby events in chronological order as its context events. Instead of using a recurrent neural network-based encoder as in previous works, we adopt a Transformer-based encoder to extract complex relations among the context events and their attributes. A context vector is then generated and passed to the decoder, where an attention matrix is learned and used to weigh the context events when detecting anomalies. Evaluation on the large-scale, real-world Los Alamos National Laboratory dataset shows that, compared with existing works, our method provides fine-grained one-to-one attention that helps explain the importance of each attribute of the context events to the prediction, without sacrificing detection performance.
Date of Conference: 28 May 2023 - 01 June 2023
Date Added to IEEE Xplore: 23 October 2023
Electronic ISSN: 1938-1883
Conference Location: Rome, Italy
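
The abstract describes two mechanisms: building a chronological context window of nearby events for each target event, and using attention over those context events so that each attribute's contribution to the prediction can be explained. The following is an added example, not code from the DeepEAD paper or its authors. The log lines are constructed to mimic the nine-field LANL authentication record layout (time, source user@domain, destination user@domain, source computer, destination computer, authentication type, logon type, authentication orientation, success/failure); the hosts and users are made up. In place of the paper's learned attention matrix it uses an untrained scaled dot-product attention over one-hot attribute encodings, so a context event receives weight in proportion to how many attributes it shares with the target. That substitution is an assumption made for illustration; it is enough to show how a per-attribute decomposition of the attention score yields the one-to-one explanation the abstract refers to.

```python
"""Context-window construction and attribute-level attention over
constructed LANL-style authentication events (added example, not the
paper's code).  The attention is an untrained scaled dot-product over
one-hot attribute encodings, standing in for DeepEAD's learned matrix."""
import math
from collections import namedtuple

FIELDS = ("time", "src_user", "dst_user", "src_comp", "dst_comp",
          "auth_type", "logon_type", "orientation", "outcome")
Event = namedtuple("Event", FIELDS)

# Constructed sample in the LANL auth.txt field order; hosts/users are invented.
SAMPLE_LOG = """\
1,C625$@DOM1,C625$@DOM1,C625,C625,Negotiate,Service,LogOn,Success
2,U22@DOM1,U22@DOM1,C477,C477,Kerberos,Network,LogOn,Success
3,U22@DOM1,U22@DOM1,C477,C586,Kerberos,Network,LogOn,Success
4,U66@DOM1,U66@DOM1,C1065,C1065,?,Network,LogOff,Success
5,U22@DOM1,U22@DOM1,C477,C586,NTLM,Network,LogOn,Fail
"""

def parse_events(text):
    """Parse comma-separated auth records into Event tuples; skip blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        events.append(Event(int(parts[0]), *parts[1:]))
    return events

def context_windows(events, k):
    """For each target event (from index k onward) return (target, context),
    where context is the k preceding events kept in chronological order."""
    events = sorted(events, key=lambda e: e.time)
    return [(events[i], events[i - k:i]) for i in range(k, len(events))]

ATTRS = FIELDS[1:]  # time orders the window; it is not an attribute to match on

def attribute_matches(target, ctx):
    """Per-attribute 0/1 matches between target and one context event.  This is
    the dot product of the two one-hot encodings, decomposed attribute by attribute."""
    return {a: int(getattr(target, a) == getattr(ctx, a)) for a in ATTRS}

def softmax(xs):
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]

def attention_explanation(target, context):
    """Scaled dot-product attention of the target over its context events.
    Returns [(context_event, weight, {attr: contribution_to_raw_score})]."""
    scale = math.sqrt(len(ATTRS))
    matches = [attribute_matches(target, c) for c in context]
    scores = [sum(m.values()) / scale for m in matches]
    weights = softmax(scores)
    return [(c, w, {a: v / scale for a, v in m.items()})
            for c, w, m in zip(context, weights, matches)]

def most_relevant_context(target, context):
    """Index of the context event that receives the highest attention weight."""
    expl = attention_explanation(target, context)
    return max(range(len(expl)), key=lambda i: expl[i][1])

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for target, ctx in context_windows(evs, k=3):
        print(f"target t={target.time} {target.src_user} {target.src_comp}->"
              f"{target.dst_comp} {target.auth_type} {target.outcome}")
        for c, w, contrib in attention_explanation(target, ctx):
            shared = [a for a, v in contrib.items() if v > 0]
            print(f"  context t={c.time} weight={w:.3f} shared={shared}")
```

With k=3 the last target (the NTLM failure at t=5) is weighed against events 2, 3 and 4; event 3 shares six of eight attributes with it and therefore gets the largest weight, while the unrelated LogOff from U66 contributes almost nothing. The per-attribute dictionary is the part an analyst would read: it states which attributes of which context event drove the score, which is the kind of one-to-one explanation the abstract is after, here produced by attribute overlap rather than by a trained model.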

I. Introduction

Logs are available in almost all computer systems and record events for monitoring, administration, and debugging, which makes them a rich source of information for identifying anomalies. Since modern IT infrastructure continuously generates an overwhelming volume of event logs and attacks are evolving and becoming more complex [1], automated anomaly detectors are usually applied to flag potential anomalies, and the flagged events are then handed over to human analysts for further analysis [2]. However, as reported in FireEye M-Trends 2021 [3], the median time for organizations to identify an incident, even with the help of anomaly detectors, is 24 days, which leaves attackers ample time to carry out malicious activity. Two major weaknesses of existing anomaly detectors contribute to this delay: a high false-positive rate and a lack of explanation for their detection results.
