Trine: Syslog anomaly detection with three transformer encoders in one generative adversarial network
Authors: Zhenfei Zhao, Weina Niu, Xiaosong Zhang, Runzi Zhang, Zhenqi Yu, Cheng Huang
Abstract
System logs provide powerful support for maintaining system security and stability, but determining anomalies often relies on sequence context, and anomalies hide in traces beneath a massive background of normal behavior. Recently, transformers have shown remarkable success in feature extraction of long sequences and in text classification tasks. Thus, we combine our syslog anomaly detection work with the implementation of multiple application methods in an integrated model. That is, we propose a generative adversarial network based on three transformer encoders, which is called Trine. One of the encoders is used to extract feature representations of the system logs, while the other two serve respectively as a generator and a discriminator for Generative Adversarial Networks to mitigate the class imbalance of the data. We evaluated Trine on two real-world datasets, HDFS and OpenStack. It shows great competitiveness compared with current state-of-the-art models for syslog anomaly detection. The experimental results demonstrate that the best architecture of our model gets an F1-score of 0.906, at least 27.8% higher than previous methods.
Keywords: Anomaly detection, Generative adversarial network, Transformer, Deep learning
Review process:
Paper URL: https://doi.org/10.1007/s10489-021-02863-9