YUAN Ziyi, ZHANG Haoxing, ZHANG Yuanyuan, WU Gaofei, ZHANG Yuqing. Few-Shot Log Anomaly Detection via Large Language Models [J]. Journal of Cyber Security, 2024, 9(6): 17-27
Few-Shot Log Anomaly Detection via Large Language Models
YUAN Ziyi1,2, ZHANG Haoxing3, ZHANG Yuanyuan3, WU Gaofei1,2, ZHANG Yuqing1,2,4
(1.Guangzhou Institute of Technology, Xidian University, Guangzhou 510555, China;2.National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408, China;3.Security Research Institute of China Academy of Information and Communications Technology, Beijing 100191, China;4.College of Cyberspace Security, Hainan University, Haikou 570228, China)
As systems grow more complex, log volumes grow with them, making manual analysis impractical. Deep learning has been applied to log anomaly detection, but existing deep-learning-based methods face several challenges: training is costly, they rely heavily on high-quality training data, and they must be retrained regularly. Recently, Large Language Models have shown promising results in domains such as machine translation and language understanding. In this work, we combine Large Language Models with log anomaly detection. By leveraging the rich pre-training knowledge of Large Language Models, we propose an efficient log anomaly detection method for few-shot scenarios that requires no fine-tuning. The method employs hierarchical clustering to extract a small, diverse and representative collection of normal log messages as a candidate set, which reflects a wide range of normal log patterns. In addition, we propose explanation-based prompt learning, in which each normal log in the candidate set is explained; this enhances the model's understanding of normal log patterns. Based on the characteristics of each log dataset, a dataset-specific prompt template is constructed using the chain-of-thought strategy, so the proposed template can also detect log anomalies effectively in zero-shot scenarios. Compared with existing log anomaly detection methods, the proposed method requires only a very small amount of training data while achieving high accuracy, which greatly reduces the cost of model training, and no retraining is needed when logs change on a large scale. We evaluate the method on two public datasets.
The F1 scores of the proposed method on the BGL and Spirit datasets reach 81.54% and 96.55% respectively, and the recall scores on the two datasets reach 95.00% and 97.77% respectively. The proposed method thus achieves high recall and F1 scores on both datasets. The results demonstrate that the proposed method can effectively detect log anomalies with only a very small amount of training data.
Key words: anomaly detection; deep learning; large language model; ChatGPT
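The candidate-set construction described in the abstract, as an added example that is not the authors' code: normal log messages are clustered hierarchically (average linkage over token-set Jaccard distance), one medoid per cluster is kept as the representative, and the representatives are laid out in a few-shot prompt with an explanation slot for each candidate. The sample log lines, the `<num>` masking and the prompt wording are constructed assumptions, not taken from the paper or from the BGL and Spirit datasets.

```python
import re

# Constructed sample of normal log messages (not from BGL or Spirit).
NORMAL_LOGS = [
    "sshd: Accepted publickey for alice from 10.0.0.5 port 51022",
    "sshd: Accepted publickey for bob from 10.0.0.7 port 51090",
    "CRON: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "CRON: (root) CMD (/usr/sbin/ntpdate pool.ntp.org)",
    "kernel: sda1: mounted filesystem with ordered data mode",
    "kernel: sdb1: mounted filesystem with ordered data mode",
]

def tokens(msg):
    """Lower-case the message, mask numbers (ids, IPs, ports) as <num>, return its token set."""
    return set(re.findall(r"[a-z<>]+", re.sub(r"\d+", " <num> ", msg.lower())))

def jaccard(a, b):
    """Jaccard distance between two token sets: 0 = identical, 1 = disjoint."""
    return 1.0 - len(a & b) / len(a | b)

def select_candidates(logs, k):
    """Agglomerative (average-linkage) clustering into k groups; returns one medoid
    per group, in original log order. Assumes len(logs) >= k >= 1."""
    toks = [tokens(m) for m in logs]
    dist = [[jaccard(x, y) for y in toks] for x in toks]
    clusters = [[i] for i in range(len(logs))]
    while len(clusters) > k:
        best, pair = 2.0, None
        for a in range(len(clusters)):
            for b in range(a + 1, len(clusters)):
                p, q = clusters[a], clusters[b]
                d = sum(dist[i][j] for i in p for j in q) / (len(p) * len(q))
                if d < best:
                    best, pair = d, (a, b)
        a, b = pair
        clusters[a] += clusters.pop(b)  # b > a, so index a stays valid
    # medoid = member with the smallest total distance to its cluster (ties -> lowest index)
    reps = [min(c, key=lambda i: (sum(dist[i][j] for j in c), i)) for c in clusters]
    return [logs[i] for i in sorted(reps)]

def build_prompt(candidates, query):
    """Few-shot prompt: each candidate with an explanation slot, then the log to classify."""
    shots = "\n".join(f"Normal log: {c}\nWhy it is normal: <explanation>" for c in candidates)
    return (f"{shots}\n\nLog to classify: {query}\n"
            "Think step by step, then answer Normal or Anomaly.")

if __name__ == "__main__":
    reps = select_candidates(NORMAL_LOGS, 3)  # one representative per pattern family
    print(build_prompt(reps, "kernel: sda1: I/O error, dev sda1, sector 4096"))
```

With the six constructed lines and k=3, the three pattern families (sshd, CRON, kernel) each contribute exactly one representative, which is the "small but diverse" property the abstract relies on.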