ZeroLog: Zero-Label Generalizable Cross-System Log-based Anomaly Detection

Xinlong Zhao, Tong Jia, Minghua He, Ying Li, Gang Huang

TL;DR

ZeroLog addresses zero-label cross-system log-based anomaly detection by learning system-agnostic representations through unsupervised domain adaptation and transferring them via meta-learning. It integrates a GRU-based log-embedding backbone with a domain-adversarial objective and a meta-task training regime to achieve robust generalization without target labels. On three public datasets (HDFS, BGL, OpenStack), ZeroLog attains F1-scores over 80% in zero-label settings and often surpasses methods that rely on target-system annotations, while maintaining strong source-domain performance. The approach offers practical impact for cold-start deployments, reducing labeling overhead and enabling reliable cross-system anomaly detection across diverse software environments.

Abstract

Log-based anomaly detection is an important task in ensuring the stability and reliability of software systems. One of the key problems in this task is the lack of labeled logs. Existing works usually leverage large-scale labeled logs from mature systems to train an anomaly detection model of a target system based on the idea of transfer learning. However, these works still require a certain number of labeled logs from the target system. In this paper, we take a step forward and study a valuable yet underexplored setting: zero-label cross-system log-based anomaly detection, that is, no labeled logs are available in the target system. Specifically, we propose ZeroLog, a system-agnostic representation meta-learning method that enables cross-system log-based anomaly detection under zero-label conditions. To achieve this, we leverage unsupervised domain adaptation to perform adversarial training between the source and target domains, aiming to learn system-agnostic general feature representations. By employing meta-learning, the learned representations are further generalized to the target system without any target labels. Experimental results on three public log datasets from different systems show that ZeroLog reaches over 80% F1-score without labels, comparable to state-of-the-art cross-system methods trained with labeled logs, and outperforms existing methods under zero-label conditions.

Paper Structure

This paper contains 19 sections, 7 equations, 4 figures, 3 tables, 1 algorithm.

Figures (4)

  • Figure 1: HDFS, BGL and OpenStack Logs.
  • Figure 2: The proposed zero-label generalizable cross-system log-based anomaly detection pipeline for ZeroLog. The ZeroLog pipeline comprises two stages: log processing and system-agnostic representation meta-learning. In the log processing stage, raw logs are parsed into log events. Subsequently, the parsed log events from different systems undergo a globally consistent semantic embedding process to generate log event embeddings. Finally, in the meta-learning stage, the ZeroLog network leverages the sequences of log event embeddings to predict whether the log sequences are normal or anomalous.
  • Figure 3: The ZeroLog network architecture.
  • Figure 4: Experimental study on the proportion of used source domain data.