Log Anomaly Detection Based on Graph Attention Networks and Collaborative Learning

Journal of Information Security Reserach ›› 2026, Vol. 12 ›› Issue (3): 246-.

Previous Articles Next Articles

Log Anomaly Detection Based on Graph Attention Networks and Collaborative Learning

Yu Kun1,3, Zhang Shibin2,4, and Lu Jiazhong1,2,3,4

1(School of Cybersecurity (Xin Gu Industrial College), Chengdu University of Information Technology, Chengdu 610225)
2(Advanced Cryptography and System Security Key Laboratory of Sichuan Province (Chengdu University of Information Technology), Chengdu 610225)
3(SUGON Industrial Control and Security Center, Chengdu 610225)
4(School of Artificial Intelligence, Chengdu University of Information Technology, Chengdu 610225)

Online:2026-03-12 Published:2026-03-12

基于图注意力网络与协作学习的日志异常检测

余坤1,3张仕斌2,4卢嘉中1,2,3,4

1(成都信息工程大学网络空间安全学院(芯谷产业学院)成都610225)
2(先进密码技术与系统安全四川省重点实验室(成都信息工程大学)成都610225)
3(先进微处理器技术国家工程研究中心(工业控制与安全分中心)成都610225)
4(成都信息工程大学人工智能学院成都610225)

通讯作者: 卢嘉中博士，副教授，硕士生导师.主要研究方向为网络安全与机器学习. ljz@cuit.edu.cn
作者简介:余坤硕士研究生.主要研究方向为恶意流量检测. 3230809006@stu.cuit.edu.cn 张仕斌博士，教授.主要研究方向为人工智能及安全. cuitzsb@cuit.edu.cn 卢嘉中博士，副教授，硕士生导师.主要研究方向为网络安全与机器学习. ljz@cuit.edu.cn

Abstract

Abstract: Log anomaly detection plays a crucial role in the field of cybersecurity, yet existing methods still face significant challenges. Supervised learning approaches depend on large amounts of labeled data, making the annotation process timeconsuming and costly. Although unsupervised learning methods do not require labeled data, they struggle to effectively extract key features in complex log environments, which negatively impacts detection performance. To address these issues, this paper proposes a novel knowledge distillation approachcollaborative learningand introduces a log anomaly detection model based on this approach, CoLogGNN. The model first converts log data into a directed graph to comprehensively preserve the structural relationships between logs. During the early stages of training, CoLogGNN performs unsupervised learning on normal samples to explore the intrinsic structure of logs. In the mixedsample training phase, the graph attention network and the graph convolution module collaborate with each other and guide one another. When the graph attention network excels at processing certain samples, it transfers key knowledge to the graph convolutional network through collaborative learning, and vice versa. Through this dynamic mutual learning process, both modules improve their accuracy. Compared to existing models, CoLogGNN achieves effective training using only normal samples, significantly reducing the cost of data annotation. Experimental results on five public datasets demonstrate that the proposed model exhibits superior detection performance, improving the F1score by approximately 5% over previous methods.

Key words: log anomaly detection, knowledge distillation, directed graph, collaborative learning, unsupervised learning

摘要： 日志异常检测在网络安全领域起着关键作用，但现有方法仍存在挑战.监督学习方法依赖大量标注数据，标注过程耗时且成本高.无监督学习方法虽然无需标注，但在复杂日志环境下难以有效提取关键特征，影响检测性能.为了解决这些问题，提出了一种知识蒸馏方法——协作学习，并在此基础上提出了一种基于协作学习的日志异常检测模型CoLogGNN.该模型首先将日志数据转换为有向图，以更全面地保留日志之间的结构信息.在训练初期CoLogGNN模型在正常样本上进行无监督学习，挖掘日志内在结构.在混合样本训练阶段，图注意力网络和图卷积模块相互协作，彼此指导.当图注意力网络在某些样本处理上更具优势时，它会通过协作学习向图卷积网络传递关键知识，反之亦然.通过这种动态的相互学习，2个模块的准确率得以共同提升.相较于其他现有模型，CoLogGNN模型仅依靠正常样本就能完成训练，大大降低了数据标注成本.经过在5个公开数据集的实验验证，该模型展现出显著的检测优势，相比以往方法F1值提高了约5%.

关键词: 日志异常检测, 知识蒸馏, 有向图, 协作学习, 无监督学习

CLC Number:

TP393.08

余坤, 张仕斌, 卢嘉中, . 基于图注意力网络与协作学习的日志异常检测[J]. 信息安全研究, 2026, 12(3): 246-.

References

［1］Velikovi P, Cucurull G, Casanova A, et al. Graph attention networks［J］. arXiv preprint, arXiv:1710.10903, 2018［2］Yun S, Jeong M, Kim R, et al. Graph transformer networks［J］. Advances in Neural Information Processing Systems, 2019, 32:［3］Cinque M, Della C R, Moscato V, et al. A graphbased approach to detect unexplained sequences in a log［J］. Expert Systems with Applications, 2021, 171: 114556［4］Ma X, Keung J, He P, et al. A semisupervised approach for industrial anomaly detection via selfadaptive clustering［J］. IEEE Trans on Industrial Informatics, 2024, 20(2): 16871697［5］Yang L, Chen J, Wang Z, et al. Semisupervised logbased anomaly detection via probabilistic label estimation［C］ Proc of the 43rd IEEEACM Int Conf on Software Engineering (ICSE). Piscataway, NJ: IEEE, 2021: 14481460［6］Wang J, Zhao C, He S, et al. LogUAD: Log unsupervised anomaly detection based on Word2Vec［J］. Computer Systems Science and Engineering, 2022, 41(3): 12071222［7］Lu J Z, Wang C L, Huang Y Y, et al. An adversarial example defense algorithm for intelligent driving［J］. IEEE Network, 2024, 38(6): 98105［8］Zhang C, Peng X, Sha C, et al. DeepTraLog: Tracelog combined microservice anomaly detection through graphbased deep learning［C］ Proc of the 44th Int Conf on Software Engineering. New York: ACM, 2022: 623634［9］Lu J Z, Chen K, Zhuo Z L, et al. A temporal correlation and traffic analysis approach for APT attacks detection［J］. Cluster Computing, 2019, 22(增刊3): S7347S7358［10］Lu J Z, Lan J, Huang Y Y, et al. Antiattack intrusion detection model based on MPNN and traffic spatiotemporal characteristics［J］. Journal of Grid Computing, 2023, 21(4): 6074［11］张浩和, 韩刚, 杨甜甜, 等. 工业互联网中融入域适应的混合神经网络加密恶意流量检测［J］. 信息安全研究, 2025, 11(5): 457464［12］Han N, Lu S, Wang D, et al. Skdlog: Selfknowledge distillationbased CNN for abnormal log detection［C］ Proc of the 2022 IEEE Smartworld, Ubiquitous Intelligence & Computing, Scalable Computing & Communications, Digital Twin, Privacy Computing, Metaverse, Autonomous & Trusted Vehicles. Piscataway, NJ: IEEE, 2022: 796805［13］Chen R, Zhang S, Li D, et al.Logtransfer: Crosssystem log anomaly detection for software systems with transfer learning［C］ Proc of the 31st IEEE Int Symp on Software Reliability Engineering (ISSRE). Piscataway, NJ: IEEE, 2020: 3747［14］Hinton G, Vinyals O, Dean J. Distilling the knowledge in a neural network［J］. arXiv preprint, arXiv:1503.02531, 2015［15］He P, Zhu J, Zheng Z, et al. Drain: An online log parsing approach with fixed depth tree［C］ Proc of 2017 IEEE Int Conf on Web Services (ICWS). Piscataway, NJ: IEEE, 2017: 3340

[1]	. Encrypted Traffic Detection Method Based on Knowledge Distillation [J]. Journal of Information Security Reserach, 2025, 11(8): 702-.
[2]	. A DiForest Algorithm for Detecting Abnormal Docker Container [J]. Journal of Information Security Reserach, 2025, 11(12): 1156-.

Log Anomaly Detection Based on Graph Attention Networks and Collaborative Learning

基于图注意力网络与协作学习的日志异常检测

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 2

Recommended Articles

Metrics