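Computer science
Anomaly detection
Graph
Feature (linguistics)
Transfer of learning
Artificial intelligence
Data mining
Pattern recognition (psychology)
Theoretical computer science
Philosophy
Linguistics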
Authors
Peipeng Wang, Xiuguo Zhang, Zhiying Cao, Weigang Xu, Wangwang Li
Identifier
DOI:10.1016/j.eswa.2024.124082
Abstract
Automated system log anomaly detection plays a crucial role in ensuring service reliability. Existing methods incompletely utilize structured log entries, resulting in the loss of key information such as components and time. Besides, due to the limitations of labeled data, models trained by a single system are difficult to apply to other systems. Therefore, we propose a cross-system log anomaly detection method named LogGT, which simultaneously models log events, components and time, leveraging labeled system knowledge to achieve anomaly detection in unlabeled systems. Specifically, we firstly design a heterogeneous graph to accurately represent the interactions between different events and components in the log sequence. Then, in order to avoid noise interference and conduct cross-system semantic analysis, we employ BERT to extract log sentence vectors, and Normalizing Flow is used to optimize them for smoother node embedding. A Graph Transformer Architecture with Time Intervals (GTAT) is proposed to model heterogeneous graphs by integrating time feature, allowing for a comprehensive analysis of execution order and time anomalies. Additionally, we design a semantic weighting method and utilize a novel domain-adapted transfer learning technology to effectively transfer the heterogeneous graph features of the source system to the target system. Experimental results demonstrate that LogGT outperforms five log anomaly detection methods, achieving an average anomaly detection F1-score higher than 0.95. Moreover, the AUC value of GTAT exceeds the sequence model by more than 2.3%.