LogLG: Weakly Supervised Log Anomaly Detection via Log-Event Graph Construction

Fully supervised log anomaly detection methods require a lot of labeled data to achieve promising performance. Thus, how to alleviate the heavy burden of annotating massive unlabeled log data has received much attention. Recently, many semi-supervised log anomaly detection methods have been proposed to reduce the annotation costs with the help of templates parsed from labeled normal data. However, these methods usually consider each keyword independently, which disregard the correlation among keywords in log events and the contextual relationships among log sequences. In this paper, we propose a novel weakly supervised log anomaly detection framework, named LogLG, to explore the semantic connections among keywords from sequences. Specifically, we design an iterative process, where the keywords of unlabeled logs are first extracted to construct a log-event graph in each iteration. Then, we build a subgraph annotator to alter the purpose of generating pseudo labels for unlabeled log sequences into annotating corresponding log-subgraphs. To ameliorate the annotation quality, we adopt a self-supervised task to pre-train a subgraph annotator. After that, a log anomaly detection model is trained with the pseudo labels generated by the subgraph annotator. Conditioned on the classification results, we re-extract the keywords from the classified log sequences and update the log-event graph for the next iteration. Experiments on five benchmarks validate the effectiveness of LogLG for detecting anomalies on unlabeled log data, and demonstrate that LogLG, as the state-of-the-art weakly supervised method, achieves significant improvements compared to existing semi-supervised methods.