Graph Neural Networks based Log Anomaly Detection and Explanation

Event logs are widely used to record the status of high-tech systems, making log anomaly detection important for monitoring those systems. Most existing log anomaly detection methods take a log event count matrix or log event sequences as input, exploiting quantitative and/or sequential relationships between log events to detect anomalies. Unfortunately, only considering quantitative or sequential relationships may result in low detection accuracy. To alleviate this problem, we propose a graph-based method for unsupervised log anomaly detection, dubbed Logs2Graphs, which first converts event logs into attributed, directed, and weighted graphs, and then leverages graph neural networks to perform graph-level anomaly detection. Specifically, we introduce One-Class Digraph Inception Convolutional Networks, abbreviated as OCDiGCN, a novel graph neural network model for detecting graph-level anomalies in a collection of attributed, directed, and weighted graphs. By coupling the graph representation and anomaly detection steps, OCDiGCN can learn a representation that is especially suited for anomaly detection, resulting in a high detection accuracy. Importantly, for each identified anomaly, we additionally provide a small subset of nodes that play a crucial role in OCDiGCN's prediction as explanations, which can offer valuable cues for subsequent root cause diagnosis. Experiments on five benchmark datasets show that Logs2Graphs performs at least on par with state-of-the-art log anomaly detection methods on simple datasets while largely outperforming state-of-the-art log anomaly detection methods on complicated datasets.


Introduction
Modern high-tech systems, such as cloud computers or lithography machines, typically consist of a large number of components.Over time these systems have become larger and more complex, making manual system operation and maintenance hard or even infeasible [17].Therefore, automated system operation and maintenance is highly desirable.To achieve this, system logs are universally used to record system states and important events.By analysing these logs, faults and potential risks can be identified, and remedial actions may be taken to prevent severe problems.System logs are usually semi-structured texts though, and identifying anomalies through log anomaly detection is often challenging.
Since both industry and academia show great interest in identifying anomalies from logs, a plethora of log anomaly detection methods have been proposed.Existing log anomaly detection methods can be roughly divided into three categories: quantitative-based, sequence-based, and graph-based methods.Specifically, quantitative-based methods, such as OCSVM [33] and PCA [41], utilise a log event count matrix to detect anomalies, and are therefore unable to capture semantic information of and sequential information between log events.Meanwhile, sequencebased methods, including DeepLog [7] and LogAnomaly [23], aim to detect anomalies by taking sequential (and sometimes semantic) information into account.They cannot consider the full structure among log events though.In contrast, graph-based methods, such as GLAD-PAW [38] and GLAD [16], convert logs to graphs and exploit semantic information as well as the structure among log events, exhibiting the following three advantages over the former two categories of methods [13]: 1) they are able to identify problems for which the structure among events is crucial, such as performance degradation; 2) they are capable of providing contextual log messages corresponding to the identified problems; and 3) they can provide the 'normal' operation process in the form of a graph, helping endusers find root-causes and take remedial actions.However, graph-based methods like GLAD transform log events into undirected graphs though, which may fail to capture important information on the order among log events.Moreover, most existing graph-based methods perform graph representation and anomaly detection separately, leading to suboptimal detection accuracy.
Moreover, as highlighted by Li et al. [19], with the growing adoption of anomaly detection algorithms in safetycritical domains, there is a rising demand for providing explanations for the decisions made within those domains.This requirement, driven by ethical considerations and regulatory mandates, underscores the importance of accountability and transparency in such contexts.Moreover, in practical applications, the attainment of precise anomaly explanations contributes to the timely isolation and diagnosis of anomalies, which can mitigate the impact of anomalies by facilitating early intervention [43].However, to our knowledge, most existing log anomaly detection methods focus exclusively on accurate detection without giving explanations.
To overcome these limitations, we propose Logs2Graphs, a graph-based unsupervised log anomaly detection approach for which we design a novel one-class graph neural network.Specifically, Logs2Graphs first utilises off-the-shelf methods to learn a semantic embedding for each log event, and then assigns log messages to different groups.Second, Logs2Graphs converts each group of log messages into an attributed, directed, and weighted graph, with each node representing a log event, the node attributes containing its semantic embedding, directed edges representing how an event is followed by other events, and the corresponding edge weights indicating the number of times the events follow each other.Third, by coupling the graph representation learning and anomaly detection objectives, we introduce One-Class Digraph Inception Convolutional Networks (OCDiGCN) as a novel method to detect anomalous graphs from a set of graphs.As a result, Logs2Graphs leverages the rich and expressive power of attributed, directed, and edge-weighted graphs to represent logs, followed by using graph neural networks to effectively detect graph-level anomalies, taking into account both semantic information of log events and structure information (including sequential information as a special case) among log events.Importantly, by decomposing the anomaly score of a graph into individual nodes and visualizing these nodes based on their contributions, we provide understandable explanations for identified anomalies.
Overall, our contributions can be summarised as follows: (1) We introduce Logs2Graphs, which formalises log anomaly detection as a graph-level anomaly detection problem and represents log sequences as directed graphs to capture more structure information than previous approaches; (2) We introduce OCDiGCN, a general end-to-end unsupervised graph-level anomaly detection method for attributed, directed and edge-weighted graphs.By coupling the graph representation and anomaly detection objectives, we improve the potential for accurate anomaly detection over existing approaches; (3) For each detected anomaly, we identify important nodes as explanations, offering cues for subsequent root cause diagnosis; (4) We empirically compare our approach to eight state-of-the-art log anomaly detection methods on five benchmark datasets, showing that Logs2Graphs performs at least on par with and often better than its competitors.

Related Work
Graph-based log anomaly detection methods usually comprise five steps: log parsing, log grouping, graph construction, graph representation learning, and anomaly detection.In this paper we focus on graph representation learning, log anomaly detection, and explanation, thus only revisiting related work in these fields.

Graph Representation Learning
Graph-level representation learning methods, such as GIN [40] and Graph2Vec [24], are able to learn a mapping from graphs to vectors.Further, graph kernel methods, including Weisfeiler-Lehman (WL) [35] and Propagation Kernels (PK) [25], can directly provide pairwise distances between graphs.Both types of methods can be combined with off-the-shelf anomaly detectors, such as OCSVM [33] and iForest [21], to perform graph-level anomaly detection.
To improve on these naïve approaches, efforts have been made to develop graph representation learning methods especially for anomaly detection.For instance, OC-GIN [48] and GLAM [49] combine the GIN [40] representation learning objective with the SVDD objective [36] to perform graph-level representation learning and anomaly detection in an end-to-end manner.GLocalKD [22] performs random distillation of graph and node representations to learn 'normal' graph patterns.Further, OCGTL [30] combines neural transformation learning and one-class classification to learn graph representations for anomaly detection.Although these methods are unsupervised or semi-supervised, they can only deal with attributed, undirected, and unweighted graphs.
iGAD [47] considers graph-level anomaly detection as a graph classification problem and combines attribute-aware graph convolution and substructure-aware deep random walks to learn graph representations.However, iGAD is a supervised method, and can only handle attributed, undirected, and unweighted graphs.CODEtect [26] takes a pattern-based modelling approach using the minimum description length principle and identifies anomalous graphs based on motifs.CODEtect can (only) deal with labelled, directed, and edge-weighted graphs, but is computationally very expensive.In contrast, we introduce a general unsupervised method for graph-level anomaly detection that can handle attributed, directed and edge-weighted graphs.

Log Anomaly Detection and Explanation
Log anomaly detection methods can be roughly divided into: 1) traditional, 'shallow' methods, such as principal component analysis (PCA) [41], one-class SVM (OCSVM) [33], isolation forest (iForest) [21], and histogram-based outlier score (HBOS) [11], which take a log event count matrix as input and analyse quantitative relationships; 2) deep learning based methods, such as DeepLog [7], LogAnomaly [23], and AutoEncoder [8], which employ sequences of log events (and sometimes their semantic embeddings) as input, analysing sequential information and possibly semantic information of log events to identify anomalies; and 3) graph-based methods, such as TCFG [13] and GLAD-PAW [38], which first convert logs into graphs and then perform graph-level anomaly detection.
To our knowledge, only a few works [38,46,39,16] have capitalised on the powerful learning capabilities of graph neural networks for log anomaly detection.GLAD [16] transforms logs into undirected, weighted, and attributed heterogeneous graph, and propose a temporalattentive graph edge anomaly detection model to detect anomalous relations.However, converting logs into undirected graphs may result in loss of important sequential information.Further, DeepTraLog [46] combines traces and logs to generate a so-called Trace Event Graph, which is an attributed and directed graph.On this basis, they train a Gated Graph Neural Networks based Deep Support Vector Data Description model to identify anomalies.However, their approach requires the availability of both traces and logs, and is unable to handle edge weights.In contrast, like LogGD [39] and GLAD-PAW [38], our proposed Logs2Graphs approach is applicable to generic logs by converting logs into attributed, directed, and edgeweighted graphs.However, LogGD is a supervised method that requires fully labelled training data, which is usually impractical and even impossible.Moreover, LogGD and GLAD-PAW [38] are not capable of providing explanations for identified anomalies.In contrast, our proposed algorithm OCDiGCN is a general unsupervised graph-level anomaly detection method for attributed, directed, and edge-weighted graphs, able to provide explanations for identified anomalies.
Although anomaly explanation has received much attention in traditional anomaly detection [19,18], only a few studies [42] considered log anomaly explanation.Specifically, PLELog [42] offers explanations by quantifying the significance of individual log events within an anomalous log sequence, thereby facilitating improved identification of relevant log events by operators.Similarly, our method provides explanations for anomalous log groups by identifying and visualising a small subset of important nodes.

Problem Statement
Before we state the log anomaly detection problem, we first introduce notation and definitions regarding event logs and graphs.Event logs.Logs are used to record system status and important events, and are usually collected and stored centrally as log files.A log file typically consists of many log messages.Each log message is composed of three components: a timestamp, an event type (log event or log template), and additional information (log parameters).Log parsers are used to extract log events from log messages.
Further, log messages can be grouped into log groups (a.k.a.log sequences) using certain criteria.Specifically, if a log identifier is available for each log message, one can group log messages based on such identifiers.Otherwise, one can use a fixed or sliding window to group log messages.Besides, counting the occurrences of each log event within a log group yields an event count vector.Consequently, for a log file consisting of many log groups, one can obtain an event count matrix.The process of generating an event count matrix (or other feature matrix) is known as feature extraction.Extracted features are often used as input to an anomaly detection algorithm to identify log anomalies, i.e., log messages or log groups that deviate from what is considered 'normal'.Graphs.We consider an attributed, directed, and edgeweighted graph G = (V, E, X, Y), where V = {v 1 , ..., v |V| } denotes the set of nodes and E = {e 1 , ..., e |E| } ⊆ V × V represents the set of edges.If (v i , v j ) ∈ E, then there is an edge from node v i to node v j .Moreover, X ∈ R |V|×d is the node attribute matrix, with the i-th row representing the attributes of node v i , and d is the number of attributes.Besides, Y ∈ N |E|×|E| is the edge-weight matrix, where Y ij represents the weight of the edge from node v i to v j .
Equivalently, G can be described as (A, X, Y), with adjacency matrix A ∈ R |V|×|V| , where indicates whether there is an edge from node v i to node v j , for i, j ∈ {1, ..., |V|}.

Graph-based Log Anomaly Detection
Given a set of log files, we let L = {L 1 , ..., L |L| } denote the set of unique log events.We divide the log messages into M log groups Q = {q 1 , ..., q m , ..., q M }, where q m = {q m1 , ..., q mn , ..., q mN } is a log group and q mn a log message.
For each log group q m , we construct an attributed, directed, and edge-weighted graph G m = (V m , E m , X m , Y m ) to represent the log messages and their relationships.Specifically, each node v i ∈ V m corresponds to exactly one log event L ∈ L (and vice versa).Further, an edge e ij ∈ E m indicates that log event i is at least once immediately followed by log event j in q m .Attributes x i ∈ X m represent the semantic embedding of log event i, and y ij ∈ Y m is the weight of edge e ij , representing the number of times event i was immediately followed by event j.In this manner, we construct a set of log graphs {G 1 , ..., G m , ..., G M }.
We use these definitions to define graph-based log anomaly detection: Problem 1 (Graph-based Log Anomaly Detection).Given a set of attributed, directed, and weighted graphs that represent logs, find those graphs that are notably different from the majority of graphs.
What we mean by 'notably different' will have to be made more specific when we define our method, but we can already discuss what types of anomalies can potentially be detected.Most methods aim to detect two types of anomalies: • A log group (here a graph) is considered a quantitative anomaly if the occurrence frequencies of some events in the group are higher or lower than expected from what is commonly observed.For example, if a file is opened (event A) twice, it should normally also be closed (event B) twice.In other words, the number of event occurrences #A = #B in a normal pattern and an anomaly is detected if #A ̸ = #B.
• A log group is considered to contain sequential anomalies if the order of certain events violates the normal order pattern.For instance, a file can be closed only after it has been opened in a normal workflow.In other words, the order of event occurrences A → B is considered normal while B → A is considered anomalous.
An advantage of graph-based anomaly detection is that it can detect these two types of anomalies, but also anomalies reflected in the structures of the graphs.Moreover, no unsupervised log anomaly detection approaches represent event logs as attributed, directed, weighted graphs, which allow for even higher expressiveness than undirected graphs (and thus limiting the information loss resulting from the representation of the log files as graphs).
Moreover, P (k) is the k-th order proximity matrix defined as where I ∈ R |V|×|V| is an identity matrix, Ã = A + I, and D denotes the diagonal degree matrix with Dii = j Ãij .
Besides, Ins (P (1) ) (k−1) (P (1)T ) (k−1) is defined as , with Intersect(•) denoting the element-wise intersection of two matrices (see [37] for computation details).In addition, W (k) is the diagonalized weight matrix of P (k) , and Π (1) is the approximate diagonalized eigenvector of P (1) .Particularly, the approximate diagonalized eigenvector is calculated based on personalised PageRank [3], with a parameter α to control the degree of conversion from a digraph to an undirected graph.We omit the details to conserve space, and refer to [37] for more details.
After obtaining the multi-scale features {Z (0) , Z (1) , ..., Z (k) }, DiGCN defines an Inception block as where σ represents an activation function, and Γ(•) denotes a fusion operation, which can be summation, normalisation, and concatenation.In practice, we often adapt a fusion operation that keeps the output dimension unchanged, namely Z ∈ R |V|×f .As a result, the i-th row of Z (namely Z i ) denotes the learned vector representation for node v i in a certain layer.

Graph-Based Anomaly Detection for Event Logs
We propose Logs2Graphs, a graph-based log anomaly detection method tailored to event logs.The overall pipeline consists of the usual main steps, i.e., log parsing, log grouping, graph construction, graph representation learning, and anomaly detection, and is illustrated in Figure 1.Note that we couple the graph representation learning and anomaly detection steps to accomplish end-to-end learning once the graphs have constructed.
First, after collecting logs from a system, the log parsing step extracts log events and log parameters from raw log messages.Since log parsing is not the primary focus of this article, we use Drain [12] for this task.Drain is a log parsing technique with fixed depth tree, and has been shown to generally outperform its competitors [51].We make the following assumptions on the log files: • Logs files are written in English; • Each log message contains at least the following information: date, time, operation detail, and log identifier; • The logs contain enough events to make the mined relationships (quantitative, sequential, structural) statistically meaningful, i.e., it must be possible to learn from the logs what the 'normal' behaviour of the system is.
Second, the log grouping step uses the log identifiers to divide the parsed log messages into log groups.Third, for each resulting group of log messages, the graph construction steps builds an attributed, directed, and edgeweighted graph, as described in more detail in Subsection 5.1.Fourth and last, in an integrated step for graph

Graph Construction
We next explain how to construct an attributed, directed, and edge-weighted graph given a group of parsed log messages, and illustrate this in Figure 2.
First, we utilise nodes to represent different log events.As a result, the number of nodes depends on the number of unique log events that occur within the log group.Second, starting from the first line of log messages in chronological order, we add a directed edge from log event L i to L j and set its edge-weight to 1 if the next event after L i is L j .If the corresponding edge already exists, we increase its edge-weight by 1.In this manner, we obtain a labelled, directed, and edge-weighted graph.
However, using only the labels (e.g., open or write) of log events for graph construction may lead to missing important information.That is, we can improve on this by explicitly taking the semantic information of log events into account, by which we mean that we should look at the text of the log event in entirety.Specifically, we generate a vector representation for each log event as follows: 1. Preprocessing: for each log event, we first remove non-character words and stop words, and split compound words into separate words; 2. Word embedding: we use Glove [29], a pre-trained word embedding model with 200 embedding dimensions to generate a vector representation for each word in a log event; 3. Sentence embedding: we generate a vector representation for each log event.Since the words in a sentence are usually not of equal importance, we use Term Frequency-Inverse Document frequency (TF-IDF) [31] to measure the importance of words.As a result, the weighted sum of word embedding vectors composes the vector representation of a log event.
By augmenting the nodes with the vector representations of the log events as attributes, we obtain an attributed, directed, and edge-weighted graph.

OCDiGCN: One-Class Digraph Inception Convolutional Nets
We next describe One-Class Digraph Inception Convolutional Networks, abbreviated as OCDiGCN, a novel method for end-to-end graph-level anomaly detection.We chose to build on Digraph Inception Convolutional Networks (DiGCN) [37] for their capability to handle directed graphs, which we argued previously is an advantage in graph-based log anomaly detection.
Given that DiGCN was designed for node representation learning, we repurpose it for graph representation learning as follows: That is, at the final iteration layer, we utilise a so-called Readout(•) function to aggregate node vector representations to obtain a graph vector representation.Importantly, Readout(•) can be a simple permutation-invariant function such as maximum, sum or mean, or a more advanced graph-level pooling function [44].
Next, note that DiGCN work did not explicitly enable learning edge features (i.e., Y).However, as DiGCN follows the Message Passing Neural Network (MPNN) framework [10], incorporating Y into Equation ( 1) and conducting computations in Equations (2-4) analogously enables learning edge features.Now, given a set of graphs {G 1 , ..., G m , ..., G M }, we can use Equation ( 4) to obtain an explicit vector representation for each graph, respectively.We denote the vector presentation of G m learned by the DiGCN model as DiGCN(G m ; H).
In graph anomaly detection, anomalies are typically identified based on a reconstruction or distance loss [14].In particular, the One-Class Deep SVDD objective [32] is commonly used for two reasons: it can be easily combined with other neural networks, and more importantly, it generally achieves a state-of-the-art performance [27].
To detect anomalies, we thus train a one-class classifier by optimising the following One-Class Deep SVDD objective: where H (l) represents the trainable parameters of DiGCN at the l-th layer, namely (Θ (0)(l) , Θ (1)(l) , ..., Θ (k)(l) ) T , H denotes {H (1) , ..., H (L) }, λ > 0 represents the weightdecay hyperparameter, ∥•∥ 2 is the Euclidean norm, and ∥•∥ F denotes the Frobenius norm.Moreover, o is the center of the hypersphere in the learned representation space.Ruff et al. [32] empirically found that setting o to the average of the network representations (i.e., graph representations in our case) obtained by performing an initial forward pass is a good strategy.Ruff et al. [32] also pointed out, however, that One-Class Deep SVDD classification may suffer from a hypersphere collapse, which will yield trivial solutions, namely mapping all graphs to a fixed center in the representation space.To avoid a hypersphere collapse, the hypersphere center o is set to the average of the network representations, the bias terms in the neural networks are removed, and unbounded activation functions such as ReLU are preferred.After training the model on a set of non-anomalous graphs (or with a very low proportion of anomalies), given a test graph G m , we define its distance to the center in the representation space as its anomaly score, namely Training and hyperparameters: In summary, OCDiGCN is composed of an L-layer DiGCN architecture to learn node representations, plus a Readout(•) function to obtain the graph representation.It is trained in an end-to-end manner via optimising the SVDD objective, which can be optimised using stochastic optimisation techniques such as Adam [15].Overall, OCDiGCN takes a collection of nonanomalous graphs and a set of hyperparameters, which are outlined in Table 2, as inputs.The pseudo-code for Logs2Graphs is given in Algorithm 1.

Anomaly Explanation
Our anomaly explanation method can be regarded as a decomposition method [45], that is, we build a score decomposition rule to distribute the prediction anomaly score to the input space.Concretely, a graph G m is identified as anomalous if and only if its graph-level representation has a large distance to the hyper-sphere center (Equation 6).Further, the graph-level representation is obtained via a Readout(•) function applied on the node-level representations (Equation 4).Therefore, if the Readout(•) function is attributable (such as the sum or the mean), we can easily obtain the a small subset of important nodes (in the penultimate layer) whose node embeddings contribute the most to the distance.Specifically, the importance score of node v j (in the penultimate layer) in a graph G m is defined as where score(G m ) is defined in Equation 6and score(G m \ {Z j }) is the anomaly score by removing the embedding vector of v j (namely Z j ) when applying the Readout function to obtain the graph-level representation.
Next, for each important node (with a high importance score) in the penultimate layer, we extend the LRP (Layerwise Relevance Propagation) algorithm [2] to obtain a minor set of important nodes in the input layer (this is not the contribution of our paper and we simply follow the practice in [34,5]).If certain of these nodes are connected by edges, the resulting subgraphs can provide more meaningful explanations.As the LRP method generates explanations utilizing the hidden features and model weights directly, its explanation outcomes are deemed reliable and trustworthy [19].

Experiments
We perform extensive experiments to answer the following questions: The five datasets that we use, summarised in Table 1, were chosen for three reasons: 1) they are commonly used for the evaluation of log anomaly detection methods; 2) they contain ground truth labels that can be used to calculate evaluation metrics; and 3) they include log identifiers that can be used for partitioning log messages into groups.For each group of log messages in a dataset, we label the group as anomalous if it contains at least one anomaly.More details are given as follows: • HDFS [41] consists of Hadoop Distributed File System logs obtained by running 200 Amazon EC2 nodes.These logs contain block id, which can be used to group log events into different groups.Moreover, these logs are manually labeled by Hadoop experts.
• Hadoop [20] was collected from a Hadoop cluster consisting of 46 cores over 5 machines.The Con-tainerID variable is used to divide log messages into different groups.
• BGL, Spirit, and Thunderbird contain system logs collected from the BlueGene/L (BGL), Spirit, and Thunderbird supercomputing systems located at Sandia National Labs, respectively.For those datasets, each log message was manually inspected by engineers and labelled as normal or anomalous.For BGL, we use all log messages, and group log messages based on the Node variable.For Spirit and Thunderbird, we only use the first 1 million and first 5 million log messages for evaluation, respectively.Furthermore, for these two datasets, the User is used as log identifier to group log messages.However, considering that an ordinary user may generate hundreds of thousands of logs, we regard every 100 consecutive logs of each user as a group.If the number of logs is less than 100, we also consider it as a group.
We choose these methods as baselines because they are often regarded to be representatives of traditional machine learning-based (PCA, OCSVM, IForest, HBOS) and deep learning-based approaches (DeepLog, LogAnomaly and AutoEncoder), respectively.All methods are unsupervised or semi-supervised methods that do not require labelled anomalous samples for training the models.

Evaluation Metrics
The Area Under Receiver Operating Characteristics Curve (ROC AUC) and the Area Under the Precision-Recall Curve (PRC AUC) are widely used to quantify the detection accuracy of anomaly detection [1].This is mainly because they can provide a single value that summarizes the overall performance of the anomaly detection model across various thresholds.In contrast, other metrics such as Precision, Recall and F1-score depend on choosing a threshold to determine whether an instance is anomalous or normal.Consequently, different thresholds can result in different values.Therefore, we employ ROC AUC and PRC AUC to evaluate and compare the different log anomaly detection methods.PRC AUC is also known as Average Precision (AP).For both ROC AUC and PRC AUC, values closer to 1 indicate better performance.

Model Implementation and Configuration
Traditional machine learning based approaches-such as PCA, OCSVM, iForest, and HBOS-usually first transform logs into log event count vectors, and then apply traditional anomaly detection techniques to identify anomalies.For these methods, we utilise their open-source implementations provided in PyOD [50].Meanwhile, for deep learning methods DeepLog, LogAnomaly, and Au-toEncoder, we use their open-source implementations in Deep-Loglizer [6].For these methods, we use their default hyperparameter values.
For all deep learning based methods, the experimental design adopted in this study follows a train/validation/test strategy with a distribution of 70% : 5% : 25% for normal instances.Specifically, the model was trained using 70% of normal instances, while 5% of normal instances and an equal number of abnormal instances were employed for validation (i.e., hyperparameter tuning).The remaining 25% of normal instances and the remaining abnormal instances were used for testing.Table 2 summarises the hyperparameters involved in OCDiGCN as well as their recommended values.
We implemented and ran all algorithms in Python 3.8 (using PyTorch [28] and PyTorch Geometric [9] libraries when applicable), on a workstation equipped with an Intel i7-11700KF CPU and Nvidia RTX3070 GPU.For reproducibility, all code and datasets are released on GitHub. 2

Comparison to the state of the art
We first compare Logs2Graphs to the state of the art.We have the following main observations according to the results in Table 3: • In terms of ROC AUC, Logs2Graphs achieves the best performance against its competitors on three out of five datasets.Particularly, Logs2Graphs outperforms the closet competitor on BGL with 9.6% and delivers remarkable results (i.e., an ROC AUC larger than 0.99) on Spirit and Thunderbird.Similar observations can be made for Average Precision.
• Deep learning based methods generally outperform the traditional machine learning based methods.One possible reason is that traditional machine learning based methods only leverage log event count vectors as input, which makes them unable to capture and exploit sequential relationships between log events and the semantics of the log templates.
• The performance of (not-graph-based) deep learning methods is often inferior to that of Log2Graphs on the more complex datasets, i.e., BGL, Spirit, and Thunderbird, which all contain hundreds or even thousands of log templates.This suggests that LSTMbased models may not be well suited for logs with a large number of log templates.One possible reason is that the test dataset contains many unprecedented log templates, namely log templates that are not present in the training dataset.
• In terms of ROC AUC score, all methods except for OCSVM and AutoEncoder achieve impressive results (with RC > 0.91) on HDFS.One possible reason is that HDFS is a relatively simple log dataset that contains only 48 log templates.Concerning AP, PCA and LSTM-based DeepLog achieve impressive results (with AP > 0.89) on HDFS.Meanwhile, Logs2Graphs obtains a competitive performance (with AP = 0.87) on HDFS.

Directed vs. undirected graphs
To investigate the practical added value of using directed log graphs as opposed to undirected log graphs, we convert the logs to attributed, undirected, and edgeweighted graphs, and apply GLAM [49], a graph-level anomaly detection method for undirected graphs.We use the same graph construction method as for Logs2Graphs, except that we use undirected edges.Similar to our method, GLAM also couples the graph representation learning and anomaly detection objectives by optimising a single SVDD objective.The key difference with OCDiGCN is that GLAM leverages GIN [40], which can only tackle undirected graphs, while OCDiGCN utilises DiGCN [37] that is especially designed for directed graphs.
The results in Table 3 indicate that GLAM's detection performance is comparable to that of most competitors.

HDFS
However, it consistently underperforms on all datasets, except for Hadoop, when compared to Logs2Graphs.Given that the directed vs undirected representation of the log graphs is the key difference between the methods, a plausible explanation is that directed graphs have the capability to retain the temporal sequencing of log events, whereas undirected graphs lack this ability.Consequently, GLAM may encounter difficulties in detecting sequential anomalies and is outperformed by Logs2Graphs.

Node Labels vs. Node Attributes
To investigate the importance of using semantic embeddings of log events as node attributes, we replace the node semantic attributes with one-hot-encoding of node labels (i.e., using an integer to represent a log event).The performance comparisons in terms of ROC AUC for Logs2Graphs are depicted in Figure 3, which shows that using semantic embeddings is always superior to using node labels.Particularly, it can lead to a substantial performance improvement on the Hadoop, Spirit and HDFS datasets.The PRC AUC results show a similar behaviour and thus are omitted.

Robustness to Contamination
To investigate the robustness of Logs2Graphs when the training dataset is contaminated (namely integrating anomalous graphs in training data), we report its performance in terms of ROC AUC under a wide range of contamination levels.Figure 4 shows that the performance of Logs2Graphs decreases with an increase of contamination in the training data.The PRC AUC results show a similar behaviour and thus are omitted.Hence, it is important to ensure that the training data contains only normal graphs (or with a very low proportion of anomalies).

Ability to Detect Structural Anomalies and Recognise
Unseen Normal Instances To showcase the effectiveness of different neural networks in detecting structural anomalies, we synthetically generate normal and anomalous directed graphs as shown in Figure 5.As Deeplog, LogAnomaly and AutoEncoder require log sequences as inputs, we convert directed graphs into sequences by sequentially presenting the endpoints pair of each edge.Moreover, for GLAM we convert directed graphs into undirected graphs by turning each directed edge into an undirected edge.
Moreover, to investigate their capability of recognising unseen but structurally equivalent normal instances, we generate the following normal log sequences based on the synthetic normal graph as training data:  The results in Table 4 indicate that Logs2Graphs, Deeplog and LogAnomaly can effectively detect structural anomalies, while AutoEncoder and GLAM fail in some cases.However, log sequences based methods, namely Deeplog, LogAnomaly and AutoEncoder, can lead to high false positive rates due to their inability of recognising unseen but structurally equivalent normal instances.

Anomaly Explanation
Figure 6 provides an example of log anomaly explanation with the HDFS dataset.For each detected anomalous log graph (namely a group of logs), we first quantify the importance of nodes according to the description in Section 5.3.Next, we visualise the anomalous graph by assigning darker shade of red to more important nodes.In this example, the node "WriteBlock(WithException)" contributes the most to the anomaly score of an anomalous log group and thus is highlighted in red.

Sensitivity Analysis
We examine the effects of three hyperparameters in OCDiGCN on the detection performance.
The Number of Convolutional Layers: L is a potentially important parameter as it determines how many convolutional layers to use in OCDiGCN. Figure 7 (top row) depicts PRC AUC and ROC AUC for the five benchmark datasets when L is varied from 1 to 5. We found that L = 1 yields consistently good performance.As the value of L is increased, there is only a slight enhancement in the resulting performance or even degradation, while the associated computational burden increases substantially.We thus recommend to set L = 1.The Embedding Dimension d: From Table 7 (middle row) , one can see that d = 128 yields good performance on Spirit, Hadoop, HDFS and Thunderbird, while further increasing d obtains negligible performance improvement or even degradation.However, an increase of d on BGL leads to substantially better performance.One possible reason is that BGL is a complex dataset wherein anomalies and normal instances are not easily separable on lower dimensions.
The Proximity Parameter k: As this parameter increases, a node can gain more information from its further neighbours.Figure 7 (bottom row) contrasts the detection performance when k is set to 1 and 2, respectively.Particularly, we construct one Inception Block when k = 2, using concatenation to fuse the results.
We observe that there is no large improvement in performance when using a value of k = 2 in comparison to k = 1.It is important to recognize that a node exhibits 0th-order proximity with itself and 1st-order proximity with its immediately connected neighbors.If k = 2, a node can directly aggregate information from its 2nd-order neighbours.As described in Table 1, graphs generated from logs usually contain a limited number of nodes, varying to 6 to 34.Therefore, there is no need to utilise the Inception Block, which was originally designed to handle large graphs in [37].

Runtime Analysis
Traditional machine learning methods, including PCA, OCSVM, IForest and HBOS, usually perform log anomaly detection in a transductive way.In other words, they require the complete dataset beforehand and do not follow a train-and-test strategy.In contrast, neural network based methods, such as DeepLog, LogAnomaly, AutoEncoder, and Logs2Graphs, perform log anomaly detection in an inductive manner, namely following a train-and-test strategy.Figure 8 shows that most computational time demanded by Logs2Graphs is allocated towards the graph generation phase.In contrast, the training and testing phases require a minimal time budget.The graph generation phase can be amenable to parallelisation though, thereby potentially reducing the overall processing time.As a result, Logs2Graphs shows great promise in performing online log anomaly detection.Meanwhile, other neural networks based models-such as DeepLog, LogAnomaly, and AutoEncoder-demand considerably more time for the training and testing phases.

Threats to Validity
We have discerned several factors that may pose a threat to the validity of our findings.
Limited Datasets.Our experimental protocol entails utilizing five publicly available log datasets, which have been commonly employed in prior research on logbased anomaly detection.However, it is important to acknowledge that these datasets may not fully encapsulate the entirety of log data characteristics.To address this limitation, our future work will conduct experiments on additional datasets, particularly those derived from industrial settings, in order to encompass a broader range of real-world scenarios.
Limited Competitors.This study focuses solely on the experimental evaluation of eight competing models, which are considered representative and possess publicly accessible source code.However, it is worth noting that certain models such as GLAD-PAW did not disclose their source code and it requires non-trivial efforts to re-implement these models.Moreover, certain models such as CODEtect require several months to conduct the experiments on our limited computing resources.For these reasons, we exclude them from our present evaluation.In subsequent endeavors, we intend to re-implement certain models and attain more computing resources to test more models.
Purity of Training Data.The purity of training data is usually hard to guarantee in practical scenarios.Although Logs2Graphs is shown to be robust to very small contamination in the training data, it is critical to improve the model robustness by using techniques such as adversarial training [4] in the future.
Graph Construction.The graph construction process, especially regarding the establishment of edges and assigning edge weights, adheres to a rule based on connecting consecutive log events.However, this rule may be considered overly simplistic in certain scenarios.Therefore, application-specific techniques will be explored to construct graphs in the future.

Conclusions
We introduced Logs2Graphs, a new approach for unsupervised log anomaly detection.It first converts log files to attributed, directed, and edge-weighted graphs, translating the problem to an instance of graph-level anomaly detection.Next, this problem is solved by OCDiGCN, a novel method based on graph neural networks that performs graph representation learning and graph-level anomaly detection in an end-to-end manner.Important properties of OCDiGCN include that it can deal with directed graphs and do unsupervised learning.
Extensive results on five benchmark datasets reveal that Logs2Graphs is at least comparable to and often outperforms state-of-the-art log anomaly detection methods such as DeepLog and LogAnomaly.Furthermore, a comparison to a similar method for graph-level anomaly detection on undirected graphs demonstrates that using directed log graphs leads to better detection accuracy in practice.

Declaration of competing interest
The author(s) declared no potential conficts of interest with respect to the research, authorship and/or publication of this article.

Figure 1 :
Figure1: The Logs2Graphs pipeline.We use attributed, directed, and weighted graphs for representing the log files with high expressiveness, and integrate representation learning and anomaly detection for accurate anomaly detection.We use off-the-shelf methods for log parsing, log grouping, and graph construction.

# 3 Figure 2 :
Figure 2: The construction of an attributed, directed, and edgeweighted graph from a group of log messages.

Algorithm 1 2 : 4 : 5 : 6 :
Pseudo-code of Logs2Graphs Input: Training dataset D tr , testing dataset D ts , model θ Output: Predicted labels and explanations for D ts 1: Dtr , Dts ← Drain parse(D tr ), Drain parse(D ts ) Group Dtr and Dts based on log identifier → Obtain grouped dataset Dtr and Dts 3: Construct graphs using Dtr and Dts → Obtain graph sets Q tr and Q ts Train the OCDiGCN model using Equation (5) with Q tr → Obtain trained model θ Use θ to predict anomalies in Q ts → Obtain a set of anomalies {Q 1 , ..., Q n } Generate explanations for

Figure 3 :
Figure 3: The comparative performance analysis of Logs2Graphs, measured by ROC AUC, demonstrating the distinction between utilizing node semantic attributes and node labels.
) and C → D → A → B → C (1000), and the following as test dataset: D → A → B → C → D (1000).

Figure 6 :
Figure 6: Example of anomaly explanation with HDFS (the log event templates are simplified for better visualisation).

Figure 8 :
Figure 8: Runtime for all eight methods on all datasets, wherein HDFS, BGL, and Thunderbird have been downsampled to 10,000 graphs.Runetimes are averaged over 10 repetitions.We report the training time per epoch for neural network based methods.

Table 1 :
[12]ary of datasets.#Eventsrefersto the number of log event templates obtained using log parser Drain[12].#Groups means the number of generated graphs.#Anomalies represents the number of anomalous graphs.#Nodes denotes the average number of nodes in generated graphs.#Edges indicates the average number of edges in the generated graphs.

Table 2 :
Description of hyperparameters involved in OCDiGCN.Range indicates the values that we have tried on validation data, and boldfaced values are the values suggested to use in experiments.Particularly, for the embedding dimensions: 300 is suggested for BGL and 128 for others.For the batch sizes: 32 is suggested for HDFS and 128 for others.For the training epochs: 100 for BGL and Thunderbird, 200 for HDFS, 300 for Hadoop and 500 for Spirit are suggested.

Table 4 :
ROC AUC results (higher is better) of detecting structural anomalies and False Positive Rate (lower is better) of recognising unseen normal instances.S1: Reverse Edge Direction; S2: Change Edge Endpoint; S3: Delete Edge; S4: Add Edge; N1: Unseen normal instances.