[1] Bu Yilei, Li Jiashuo, Zhao Bin, et al. Update of a Log Anomaly Detection Model Based on Experience Replay[J]. Journal of Nanjing Normal University (Natural Science Edition), 2025, 48(05): 104-113. [doi:10.3969/j.issn.1001-4616.2025.05.012]

Update of a Log Anomaly Detection Model Based on Experience Replay

Journal of Nanjing Normal University (Natural Science Edition) [ISSN: 1001-4616 / CN: 32-1239/N]

Volume: 48
Issue: 2025, No. 05
Pages: 104-113
Section: Computer Science and Technology
Publication date: 2025-10-20

Article Info

Title: Update of a Log Anomaly Detection Model Based on Experience Replay
Article ID: 1001-4616(2025)05-0104-10
Author(s): Bu Yilei (1), Li Jiashuo (2), Zhao Bin (2), Pang Wendi (1)
(1. Jiangsu Provincial Market Management Bureau Data Center, Nanjing 210036, China)
(2. School of Computer and Electronic Information, Nanjing Normal University, Nanjing 210023, China)
Keywords: anomaly detection; log analysis; incremental learning; deep learning
Classification number: TP301
DOI: 10.3969/j.issn.1001-4616.2025.05.012
Document code: A
Abstract:
Log-based anomaly detection is an important branch of the anomaly detection problem and is receiving increasing attention. However, existing studies often overlook the impact that changes in data distribution and patterns have on log anomaly detection in long-term detection scenarios. To achieve sustained, effective detection, this paper proposes an update method for a log anomaly detection model based on incremental learning, which improves upon the existing advanced method MLog using a Dark Experience Replay (DER) strategy. After the model has been fully trained on the original data, the update algorithm incrementally updates it using exemplar samples obtained by clustering together with newly collected samples. A distillation loss is applied to the exemplar samples to retain more knowledge and reduce forgetting. Furthermore, to retain more of the learned feature information, the method extracts the intermediate features of MLog's feature fusion layer and uses the exemplar samples' raw class scores together with these intermediate features to jointly constrain the model update, achieving Full Experience Replay (FER). Experiments on a real dataset show that, in scenarios requiring continuous detection, the proposed method effectively improves the training time efficiency of the detection model while achieving detection performance comparable to that of full training.



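Memo:
Received: 2024-11-03.
Funding: Science and Technology Program Project of the Jiangsu Provincial Market Management Bureau (KJ2025043).
Corresponding author: Zhao Bin, PhD, associate professor; research interests: big data analysis and mining. E-mail: zhaobin@njnu.edu.cn
Last Update: 2025-10-20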