Research on Log Anomaly Detection Method Integrating Semantic Features

Journal of Information Security Reserach ›› 2026, Vol. 12 ›› Issue (4): 383-.

Research on Log Anomaly Detection Method Integrating Semantic Features

Chen Hanwen1, Zhang Le1, Chi Yaping1, Jiang Bo2, and Wang Zhiqiang1

1(School of Cyberspace Security, Beijing Electronics Science & Technology Institute, Beijing 100070)
2(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100089)

Online:2026-04-07 Published:2026-04-07

融合语义特征的日志异常检测方法研究

陈瀚文1章乐1池亚平1姜波2王志强1

1(北京电子科技学院网络空间安全系北京100070)
2(中国科学院信息工程研究所北京100089)

通讯作者: 池亚平硕士，教授.主要研究方向为网络安全防护、云计算安全. chiyp_besti@163.com
作者简介:陈瀚文硕士研究生.主要研究方向为日志解析、日志异常检测. hanwen_chen@foxmail.com 章乐博士，讲师.主要研究方向为深度强化学习、计算机视觉、理论计算机科学. lezhang12@tsinghua.org.cn 池亚平硕士，教授.主要研究方向为网络安全防护、云计算安全. chiyp_besti@163.com 姜波博士，副研究员.主要研究方向为网络威胁分析、态势感知. jiangbo@iie.ac.cn. 王志强博士，副教授.主要研究方向为漏洞挖掘及攻防. wangzq@besti.edu.cn
基金资助:
中央高校基本科研业务费专项资金项目(3282024050)；国家重点研发计划项目(2023YFC2206402)

Abstract

Abstract: With the continuous expansion of system functionalities, the volume of system logs has grown exponentially, presenting substantial challenges to conventional anomaly detection approaches. Deep learningbased log anomaly detection techniques have gradually become a research hotspot due to their powerful feature extraction capabilities. This study proposes a semisupervised log anomaly detection model LogSem, which integrates semantic features. By introducing log content vectors that contain semantic information of the main log content and incorporating masked log key prediction tasks and hypersphere volume minimization tasks for semisupervised learning, the model deeply explores the semantic features of logs. Experiments conducted on three mainstream datasets show that the proposed method outperforms the LogBERT baseline model in terms of the F1 score. Furthermore, this study explores and verifies the feasibility of addressing the outofvocabulary problem through semisupervised learning.

Key words: log anomaly detection, log analysis, deep learning, semisupervised learning, BERT model

摘要： 随着系统应用功能的不断扩展，系统日志规模迅速增长，给传统的异常检测方法带来巨大的挑战.基于深度学习的日志异常检测技术因其强大的特征提取能力逐渐成为研究热点.提出一种融合语义特征的半监督日志异常检测模型LogSem.通过引入包含日志主体内容语义信息的日志内容向量，并结合掩码日志键预测任务与超球体体积最小化任务，对数据集进行半监督学习，深度挖掘日志的语义特征.在3个主流数据集上的实验表明，该方法的F1分数优于LogBERT基准模型.此外，研究探索并验证了通过半监督学习解决未登录词问题的可行性.

关键词: 日志异常检测, 日志解析, 深度学习, 半监督学习, BERT模型

CLC Number:

TP181

陈瀚文, 章乐, 池亚平, 姜波, 王志强, . 融合语义特征的日志异常检测方法研究[J]. 信息安全研究, 2026, 12(4): 383-.

References

［1］蒋忠元, 陶梅悦, 赵晓庆, 等. 基于启发式规则的流式在线日志解析方法［J］. 通信学报, 2024, 45(4): 95113［2］Jiang Z, Liu J, Huang J, et al. A largescale evaluation for log parsing techniques: How far are we?［C］ Proc of the 33rd ACM SIGSOFT Int Symp on Software Testing and Analysis. New York: ACM, 2024: 223234［3］Guo H, Yuan S, Wu X. LogBERT: Log anomaly detection via BERT［C］ Proc of the 2021 Int Joint Conf on Neural Networks. Piscataway, NJ: IEEE, 2021: 18［4］Chai X, Zhang H, Zhang J, et al. Log sequence anomaly detection based on template and parameter parsing via BERT［J］. IEEE Trans on Dependable and Secure Computing, 2024, 22(2): 11501167［5］Le V, Zhang H. Logbased anomaly detection without log parsing［C］ Proc of the 36th IEEEACM Int Conf on Automated Software Engineering. Piscataway, NJ: IEEE, 2022: 492504［6］Fu Y, Liang K, Xu J, MLog: Mogrifier LSTMbased log anomaly detection approach using semantic representation［J］. IEEE Trans on Services Computing, 2023, 16(5): 35373549［7］Han X, Yuan S, Trabelsi M, LogGPT: Log anomaly detection via GPT［C］ Proc of the 2023 IEEE Int Conf on Big Data, Sorrento, Piscataway, NJ: IEEE, 2023: 11171122［8］Meng W, Liu Y, Zhu Y, et al. Loganomaly: Unsupervised detection of sequential and quantitative anomalies in unstructured logs［C］ Proc of the 28th Int Joint Conf on Artificial Intelligence. San Francisco, CA: Morgan Kaufmann, 2019: 47394745［9］Ruff L, Vandermeulen R, Goernitz N, et al. Deep oneclass classification［C］ Proc of the 35th Int Conf on Machine Learning. New York: ACM, 2018: 43934402［10］Du M, Li F, Zheng G, et al. DeepLog: Anomaly detection and diagnosis from system logs through deep learning［C］ Proc of the 2017 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2017: 12851298［11］Nedelkoski S, Bogatinovski J, Acker A, et al. Selfattentive classificationbased anomaly detection in unstructured logs［C］ Proc of the 2020 IEEE Int Conf on Data Mining. Sorrento. Los Alamitos, CA: IEEE Computer Society, 2020: 11961201

[1]	. Anomaly Traffic Detection Based on Improved Bidirectional TCN Model in Software Defined Network [J]. Journal of Information Security Reserach, 2026, 12(4): 303-.
[2]	. Research on Adaptive Hierarchical Neural Network Backdoor Defense Method [J]. Journal of Information Security Reserach, 2026, 12(4): 359-.
[3]	. Log Anomaly Detection Based on Graph Attention Networks and Collaborative Learning [J]. Journal of Information Security Reserach, 2026, 12(3): 246-.
[4]	. Research on Twostage Network Intrusion Detection Method for Outofdistribution Traffic Data [J]. Journal of Information Security Reserach, 2026, 12(3): 265-.
[5]	. Smart Contract Vulnerabilities Based on Differential Evolutionary Algorithms and Solution Time Prediction Detection#br# [J]. Journal of Information Security Reserach, 2026, 12(1): 24-.
[6]	. Internet of Things Intrusion Detection Model Based on Federated Learning [J]. Journal of Information Security Reserach, 2025, 11(9): 788-.
[7]	. Fake News Detection Model Based on Crossmodal Attention Mechanism and#br# Weaksupervised Contrastive Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(8): 693-.
[8]	. Encrypted Traffic Detection Method Based on Knowledge Distillation [J]. Journal of Information Security Reserach, 2025, 11(8): 702-.
[9]	. Deep Learningbased Method for Encrypted Website Fingerprinting [J]. Journal of Information Security Reserach, 2025, 11(4): 304-.
[10]	. Research on Dataenhanced Multimodal False Information #br# Detection Framework#br# [J]. Journal of Information Security Reserach, 2025, 11(4): 377-.
[11]	. Privacypreserving Federated Learning Research Based on #br# Confused Modulo Projection Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 198-.
[12]	. Design of Adversarial Attack Scheme Based on YOLOv8 Object Detector [J]. Journal of Information Security Reserach, 2025, 11(3): 221-.
[13]	. Fake Face Detection Method Based on ConvNeXt [J]. Journal of Information Security Reserach, 2025, 11(3): 231-.
[14]	. Research on Deep Learningbased Spatiotemporal Feature Fusion Network Intrusion Detection Model [J]. Journal of Information Security Reserach, 2025, 11(2): 122-.
[15]	. A Malicious TLS Traffic Detection Method with Multimodal Features [J]. Journal of Information Security Reserach, 2025, 11(2): 130-.