Interpretable Spatial–Temporal Graph Convolutional Network for System Log Anomaly Detection

• Published in: Advanced engineering informatics Vol. 62; p. 102803
• Main Authors: Xu, Rucong, Li, Yun
• Format: Journal Article
• Language: English
• Published: Elsevier Ltd 01.10.2024
• Subjects: Computer system security; Graph neural networks; Interpretable artificial intelligence; Log anomaly detection; Interpretable artificial intelligence; Graph neural networks; Computer system security; Log anomaly detection
• ISSN: 1474-0346
• DOI: 10.1016/j.aei.2024.102803

To ensure seamless information flow and operational integrity, computer systems need effectively to manage their system logs, but the expansion in their scale and complexity makes it hard to detect anomalies. Current methodologies exhibit deficiencies, including inefficiencies in handling abnormal sequences, lack of interpretability, and limited consideration of both temporal and spatial information. To improve, this paper develops a semi-supervised graph neural network model termed the Interpretable Spatial–Temporal Graph Convolutional Network (IST-GCN). By integrating temporal and event similarity perspectives, the IST-GCN harnesses directed and undirected graphs to capture the temporal and spatial aspects of system log events. Hence, the IST-GCN offers temporal and spatial interpretability. Further, a lightweight feature regularization technique is developed to enhance interpretability in both time and space domains, and thus facilitates anomaly detection efficiently. Comprehensive testing verifies that the IST-GCN approach surpasses nearly all state-of-the-art methods across five public log anomaly datasets. On average, IST-GCN improves Average Precision (AP) by approximately 3% and ROC AUC (RC) by about 4% compared to the best-performing baseline methods, underscoring its effectiveness and robustness. •Proposing a novel Spatial–Temporal joint modeling method for log anomaly detection.•Designing a lightweight module to provide root cause analysis for abnormal log.•Utilizing semi-supervised learning to overcome the lack of abnormal log data.•Experiments on five real-world datasets show the superiority of the proposed model.