Applied Soft Computing Journal 153 (2024) 111314

Contents lists available at ScienceDirect

Applied Soft Computing

journal homepage: www.elsevier.com/locate/asoc

A robust Wide & Deep learning framework for log-based anomaly detection
Weina Niu a , Xuhan Liao a , Shiping Huang a , Yudong Li a , Xiaosong Zhang a , Beibei Li b ,∗
a
School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China
b
School of Cyber Science and Engineering, Sichuan University, Chengdu, China

ARTICLE INFO ABSTRACT

Keywords: Log-based anomaly detections have shown huge commercial potential in system maintenance. However,
Log-based anomaly detection existing methods encounter two practical challenges. Firstly, they struggle to maintain consistent performance
Log templates extraction when dealing with evolving logs over time. Secondly, they face difficulties in effectively detecting frequency
Semantic information
anomalies, such as abnormal system resource usage and abnormal system operating frequencies. In this
Multi-features
paper, we propose a robust log-based anomaly detection framework using Wide & Deep learning called
Deep learning
WDLog. Particularly, we enhance the processing of template semantic information by building upon the Drain
algorithm, then we introduce invariant features and statistical features and propose a multi-feature anomaly
detection method based on the Wide & Deep framework. The experimental results on HDFS and BGL datasets
demonstrate the promising performance of WDLog compared to state-of-the-art methods in terms of anomaly
detection effectiveness. Furthermore, WDLog exhibits robustness to evolving logs, achieving F1-scores of over
90% under different degrees of log variation.

1. Introduction
In dynamic and complex environments, system failures are in-
evitable. These failures can manifest in various ways, such as com-
ponents running incorrectly, errors occurring during their interaction,
or intentional attacks on the system. While simple system failures can
often be resolved by restarting the system, complex faults are more
challenging to repair. If these faults are not addressed in a timely
manner, they can have a significant impact on the system. Due to
internal or external reasons, the probability of abnormal operations
and crashes of the terminal system and software system is increasing,
which will have a great negative impact on the user experience and
even cause huge losses. For example, on November 26, 2020, Amazon
Web Services (AWS) experienced a major outage that affected several
companies that depend on AWS cloud services, including Adobe, Roku,
Twilio, and Flickr [1]. On February 24, 2021, several key payment
system services of the Federal Reserve were interrupted, and users were
unable to use any payment services within 4 h, causing disruption to
more than millions of financial transactions [2].
Existing computer systems use logs to record the status of key
points and events during their operation, thereby helping maintenance
personnel debug system performance and troubleshoot. Early log-based
anomaly detection methods mainly rely on experienced experts to find
anomalies, and their efficiency is low. The mainstream methods [3–
6] are to automatically discover abnormal logs through data mining
and machine learning. Although there are differences in the structure
and content of different system logs [7], each log statement can be
described by the pattern of variables and constants. Thus, they first
extract log templates, that is, extract specific log execution information
into general and representative system execution behaviors. However,
the existing methods will lose a lot of key information during the
template extraction process. For example, DeepLog [8] replaced the
original log with the log sequence number after extracting the log
template, and the semantic information is lost.
Moreover, when the system changes, both the content and format
of the log can be affected. The log data is constantly expanding and
updating, which makes the existing detection method not suitable for
dealing with different types and structures of log data, and the accuracy
rate will also decrease when it is applied to new and complex log data.
The primary factor contributing to this is the continuous generation
of system logs in current software systems, particularly in distributed
systems, resulting in a significant volume of log data being generated.
Studies show that about 20%–45% of log statements will change during
their lifetime [9]. For example, log statements that represent the same
system behavior may replace ‘‘down’’ with ‘‘off’’. However, the exist-
ing log anomaly detection method based on machine learning is too
high-fitting, so it is difficult to maintain excellent anomaly detection

∗ Corresponding author.
E-mail address: [email protected] (B. Li).
1
https://github.com/adadadad194/WDLog.

https://doi.org/10.1016/j.asoc.2024.111314
Received 23 July 2023; Received in revised form 15 January 2024; Accepted 19 January 2024
Available online 30 January 2024
1568-4946/© 2024 Elsevier B.V. All rights reserved.
W. Niu et al.
accuracy after the log statement changes. Furthermore, existing meth-
ods struggle to identify anomalies that do not result in changes in the
execution flow.
We propose a robust log-based anomaly detection method using
Wide & Deep learning, called WDLog,1 to address the above problems.
First, the semantic embedding and clustering are added on the basis
of the log template extraction algorithm Drain. Then, we extract tem-
poral features, invariant features, and statistical features from the log
template sequences. Next, we train a GRU model based on the attention
mechanism using temporal features and a Gradient Boosting Decision
Tree (GBDT) model that combines invariant features with statistical
features. Finally, we utilize Wide & Deep [10] and multi-features to
detect anomaly logs.
The main contributions of this paper include the following:
(1) We design an optimized log template extraction algorithm,
which generates log templates through embedding and clustering on
the basis of Drain, thus effectively reducing its sensitivity to word
changes, and improving the robustness of the algorithm.
(2) We propose a log-based anomaly detection method combined
with multi-features and Wide & Deep framework. We extract temporal
features, invariant features and statistical features based on correlation
from the generated log template sequences, thus enabling the detection
model to deal with different anomalies.
(3) We conduct different experiments on two public datasets with
different characteristics (HDFS and BGL). The experimental results
demonstrate that WDLog achieves better detection performance and
stronger robustness compared with well-known solutions.
The remainder of this paper is arranged as follows. Related work
is described in Section 2. Section 3 elaborates on the proposed WDLog
framework. Experimental results are shown in Section 4. Section 5 is
discussion. Our conclusions are drawn in Section 6.
2. Related work
2.1. Log template extraction
Log template extraction is used to classify system logs in a specific
way. The variable part of the same type of log is replaced with ‘‘*’’
or other proper words, special symbols, etc., and integrated with the
constant part to obtain the log template. The mainstream log extraction
methods are mainly based on frequent pattern mining, clustering, and
heuristics.
The method based on regular expressions [11] is the simplest and
most direct way to extract log templates. This method parses logs
based on rules that are manually written by experts and adapted to
specific logs. However, this method makes it difficult to effectively
deal with massive log data. Therefore, regular expressions are often
used as an auxiliary technology to extract log templates together with
other algorithms. For example, the Drain algorithm [12] used regular
expressions to preprocess log data to optimize processing time and then
constructed a log parsing tree based on the processed data to extract log
templates.
A log template is an expression pattern that frequently appears in
logs. Therefore, the log can be distinguished by counting the frequency
of occurrence of some items of different statements in the log. Typical
methods of applying this technique include SLCT [13], LogCluster [14],
and Logram [15]. These methods first traverse the log data and then
construct frequent item sets. After that, the log messages are catego-
rized into the generated clusters, and finally, the log templates are
extracted from the clusters.
To capture common parts of logs, similar logs can be clustered
together and common tags shared across each cluster can be identified
as log templates. Compared with pattern mining-based methods, this
1
https://github.com/adadadad194/WDLog.
2
Applied Soft Computing 153 (2024) 111314
method can extract common parts on local clusters of similar logs in-
stead of global log datasets. Typical methods of applying this technique
include LKE [16], LogSig [17], SHISO [18], and LenMa [19].
Unlike general text data, log messages have some unique char-
acteristics. Therefore, the log template can be extracted by adopting
a method that adapts to the log structure and content characteris-
tics. Classical applications of heuristics include AEL [20], POP [21],
IPLOM [22], and Drain [12]. Specifically, AEL [20] grouped log mes-
sages by comparing occurrences between constant and variable tokens.
IPLoM [22] grouped log messages based on message length, token
position, and mapping relationship based on an iterative partitioning
strategy. Spell [23] parsed logs in a stream based on the longest com-
mon subsequence algorithm. Based on the prefix tree idea, Drain [12]
constructed a fixed-depth tree structure to represent log messages and
efficiently extract common templates.
However, the Drain algorithm cannot effectively deal with the
updated log. For example, when the system is updated, it is likely
to replace some old phrases with more commonly used synonymous
phrases when recording logs. These logs should belong to the same
template, but Drain may classify them into multiple templates, resulting
in redundancy. Not only increase the training time, but also the new
template number may cause recognition anomalies.
2.2. Log-based anomaly detection
Although the supervised log anomaly detection method has better
overall performance, it needs a well-marked and labeled dataset, which
is time-consuming. Researchers have tried to solve the problem of dif-
ficult dataset collection and labeling for supervised learning methods.
For example, Meng et al. [24] proposed a framework for modeling
log streams as natural language sequences, called LogAnomaly, whose
basic idea was to convert log templates into vectors, and classify log
templates by calculating the spatial distance of the vectors. This method
only needs a small number of normal log datasets to train the proposed
deep learning model, and then to detect abnormal log data. However,
this method cannot adapt to the scenario where log templates increase
due to the continuous update of the system. Aiming at the problem
that old anomaly detection methods fail over time, Zhang et al. [25]
proposed a new log anomaly detection method, called LogRobust. This
method semanticized the content of the log template instead of directly
representing the template with a number, which reduces the loss of
information and enables it to handle new logs with minor changes.
Compared with supervised anomaly detection methods, unsuper-
vised anomaly detection methods do not need to pre-label the dataset.
However, due to the lack of labeling information, its overall perfor-
mance is relatively poor. Because anomaly labels are often unavail-
able in practice, unsupervised methods are much more practical in
real-world service systems. Researchers have proposed many anomaly
detection models based on unsupervised methods. For example, Du
et al. [8] proposed the DeepLog framework that processed log infor-
mation as a natural language sequence and automatically learned log
patterns from normal execution flow. DeepLog detected anomalies by
determining whether incoming log events violate the prediction results
of the stacked LSTM model. But the method still has the problem
of low precision caused by the evolution of log sentences over time.
Concerning this problem, Yin et al. [26] proposed an unsupervised
anomaly detection model called LogCL, which can automatically learn
the characteristics of log data and compare the learned characteristics.
They used CNN and Bi-LSTM models to automatically extract log fea-
tures and identify abnormal logs through clustering algorithms. In order
to better analyze and understand logs, Vaarandi et al. [14] proposed
a log clustering and pattern mining algorithm called logCluster. The
algorithm can group log data, cluster similar logs together, classify
them into a cluster, and extract frequent event patterns from them.
Semi-supervised anomaly detection methods only need to use part
of the labeled data and most of the unlabeled data to complete the
W. Niu et al.
Fig. 1. The framework of WDLog.
training. It has the advantages of both the unsupervised method and
the supervised method, so it has good performance at a relatively small
cost. For instance, Lin et al. [27] introduced a novel and practical
log-based anomaly detection approach called PLELog. This method
employed semi-supervised learning to eliminate the time-consuming
manual labeling process and integrated historical anomaly knowledge
through probabilistic label estimation, leveraging the advantages of
supervised approaches. Aiming at the problem of semi-supervised log
anomaly detection, where the only training data available are nor-
mal logs from a baseline period, Yen et al. [28] proposed a model
called ‘‘CausalConvLSTM’’. The model combined the convolutional neu-
ral network (CNN) [29] and the long short-term memory network
(LSTM) [30], which can effectively model and predict time series data,
thereby realizing log anomaly detection. This method used a two-stage
training method. The first stage was supervised training, using labeled
normal log data for training, and using the cross-entropy loss function
to optimize the model. The second stage was semi-supervised training,
which uses unlabeled log data for training and uses a semi-supervised
loss function to optimize the model. This method can effectively detect
abnormal information in logs and has high accuracy and robustness.
Many research studies have been conducted in the field of log
template extraction and log anomaly detection, yielding promising
results. However, most of these studies have primarily focused on the
time series aspect of the logs, overlooking certain invariant features
and statistical characteristics of the logs. This limited utilization of log
information in anomaly detection has led to incomplete coverage and
gaps in the detection of anomalies.
3. The proposed WDLog framework
WDLog mainly contains two modules: log template extraction and
anomaly detection, as shown in Fig. 1. The log template extraction
relies on an optimized version of Drain to obtain the log templates;
anomaly detection combines temporal features, invariant features, and
statistical features with Wide & Deep framework to comprehensively
evaluate anomaly logs.
3
Applied Soft Computing 153 (2024) 111314
3.1. Log template extraction
Log template extraction mainly includes three modules: log pre-
processing, original template generation, and template compression.
The objective of log pre-processing is to eliminate strings that cannot
be recognized by the algorithm in the log data. This step involves
replacing certain portions of the content in the log statements with
a designated mask. Original template generation mainly builds a log
parsing tree according to the format and content characteristics of the
pre-processed logs and then generates initial log templates based on
the parsing tree structure and its leaf node distribution. The core of
template compression is to convert initial log templates into semantic
vectors and cluster them.
3.1.1. Log pre-processing
Log statements usually contain compound words consisting of more
than two words and special symbols. An Out of Vocabulary (OOV)
exception occurs without replacing these words that are not recognized
by the dictionary. The log statement also contains some strings with a
fixed format and high frequency, such as IP addresses, IP port numbers,
fixed-length hexadecimal strings, etc. Replacing it with a constant cor-
responding to the semantics can not only express the real semantics of
the log statement more effectively but also speed up the parsing speed
and reduce the difficulty of parsing, thereby improving the generation
speed of the parsing tree and the accuracy of classification. Thus, log
pre-processing consists of three main steps:
Step 1: Analyzing the linguistic characteristics of log files, identi-
fying the strings that can be replaced and meet the requirements, and
constructing a substitution table that corresponds the strings with their
semantics, as shown in Table 1.
Step 2: Identifying the words in the log file based on the vocabulary
list. If any unrecognized words are found, add an out-of-vocabulary
(OOV) entry to the substitution table.
Step 3: Constructing corresponding regular expressions based on
the identified strings. Performing a global search on the log file to
find string variables that match the regular expressions, and replacing
the original string variables with the replacement words from the
substitution table. The main procedure is described in Algorithm 1.
W. Niu et al. Applied Soft Computing 153 (2024) 111314

Algorithm 1 Regular Expression Matching Algorithm Algorithm 2 Template generation

Require: 𝑟𝑒𝑔𝑒𝑥𝐿𝑖𝑠𝑡, 𝑙𝑜𝑔𝑠(ℎ𝑑𝑓 𝑠𝐿𝑖𝑠𝑡∕𝑏𝑔𝑙𝐿𝑖𝑠𝑡) Require: 𝑙𝑜𝑔𝑠𝐿𝑖𝑠𝑡, 𝑐𝑜𝑛𝑓 𝑖𝑔
Ensure: 𝑙𝑜𝑔𝑠𝐿𝑖𝑠𝑡 Ensure: 𝑙𝑜𝑔2𝑇 𝑒𝑚𝑝𝑙𝑎𝑡𝑒𝐿𝑖𝑠𝑡
1: 𝑙𝑜𝑔𝑠𝐿𝑖𝑠𝑡 ← 𝑖𝑛𝑖𝑡𝐿𝑖𝑠𝑡() 1: 𝑙𝑜𝑔2𝑇 𝑒𝑚𝑝𝑙𝑎𝑡𝑒𝐿𝑖𝑠𝑡 ← 𝑖𝑛𝑖𝑡𝐿𝑖𝑠𝑡()
2: for 𝑙𝑜𝑔 in 𝑙𝑜𝑔𝑠 do 2: 𝑙𝑒𝑛𝐺𝑟𝑜𝑢𝑝 ← 𝑠𝑒𝑝𝐵𝑦𝐿𝑒𝑛𝑔𝑡ℎ(𝑙𝑜𝑔𝑠𝐿𝑖𝑠𝑡) ⊳ group logs by length
3: for 𝑟𝑒𝑔𝑒𝑥 in 𝑟𝑒𝑔𝑒𝑥𝐿𝑖𝑠𝑡 do 3: 𝑙𝑒𝑛𝐺𝑟𝑜𝑢𝑝 ← 𝑠𝑜𝑟𝑡(𝑙𝑜𝑔𝑠𝐿𝑖𝑠𝑡, 𝑐𝑜𝑛𝑓 𝑖𝑔.𝑚𝑎𝑥𝑔𝑟𝑜𝑢𝑝) ⊳
4: 𝑝𝑟𝑜𝑐𝑒𝑠𝑠𝑒𝑑_𝑙𝑜𝑔 ← 𝑓 𝑖𝑛𝑑𝑅𝑒𝑔𝑒𝑥(𝑙𝑜𝑔, 𝑟𝑒𝑔𝑒𝑥) ⊳ replace words in sort by occurrence frequency, categorize the top n according to the
logs configuration in config and treat the rest as one category
5: 𝑙𝑜𝑔𝑠𝐿𝑖𝑠𝑡 ← 𝑎𝑑𝑑𝐿𝑜𝑔(𝑙𝑜𝑔, 𝑝𝑟𝑜𝑐𝑒𝑠𝑠𝑒𝑑_𝑙𝑜𝑔) 4: for 𝑔𝑟𝑜𝑢𝑝 in 𝑐𝑜𝑛𝑓 𝑖𝑔.𝑑𝑒𝑝𝑡ℎ do
6: return 𝑙𝑜𝑔𝑠𝐿𝑖𝑠𝑡 5: 𝑙𝑒𝑛𝐺𝑟𝑜𝑢𝑝 ← 𝑠𝑒𝑝𝐵𝑦𝑃 𝑟𝑒𝑓 𝑖𝑥(𝑙𝑒𝑛𝐺𝑟𝑜𝑢𝑝) ⊳ Iterate
through classification by word prefix based on the maximum depth
set in config
Table 1
6: for 𝐺𝑟𝑜𝑢𝑝 in 𝑙𝑒𝑛𝐺𝑟𝑜𝑢𝑝 do
Substitution table.
7: 𝐺𝑟𝑜𝑢𝑝 ← 𝑠𝑖𝑚𝑖𝑙𝑎𝑟𝑖𝑡𝑦(𝐺𝑟𝑜𝑢𝑝) ⊳ compute similarity
Substitute word Original string
8: 𝐺𝑟𝑜𝑢𝑝 ← 𝑠𝑒𝑝𝐵𝑦𝑆𝑖𝑚(𝐺𝑟𝑜𝑢𝑝) ⊳ group by similarity
IP port 10.251.110.8:50010
NUM 235 237
9: 𝑙𝑜𝑔2𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒𝐿𝑖𝑠𝑡 ← 𝑔𝑒𝑛𝑒𝑟𝑎𝑡𝑒(𝐺𝑟𝑜𝑢𝑝) ⊳ generate log template
ID blk −2419185540153636210 10: return 𝑙𝑜𝑔2𝑇 𝑒𝑚𝑝𝑙𝑎𝑡𝑒𝐿𝑖𝑠𝑡
HEX 0 × 1808d120
OOV addStoredBlock, <

to calculate the weights of different words instead of directly using

3.1.2. Original template generation
Original template generation consists of two main steps:
Step 1: Constructing the log statement parsing tree based on the
drain algorithm according to factors such as length, similarity, and
word order between log statements. Specifically, the log statements
are first classified according to their lengths; and then each classified
sub-tree is reclassified by means of constant prefix matching in a multi-
threaded concurrent execution manner. To prevent the parsing tree
from becoming excessively large and to avoid excessive construction
time, certain limitations are imposed on the iterations and scale of the
log parsing tree. This is achieved by setting the maximum depth and
the maximum number of leaf nodes.
Step 2: Calculating the similarity to classify the log statements.
The similarity between log statements in a log group is calculated
to identify common patterns and determine log templates. Here we
define the calculation of similarity in Eqs. (1) and (2). EQ is a function
that differentiates words. And the value of Sim indicates the simi-
larity between the two statements. Specifically, we need to calculate
the similarity between each log statement within a log group. If the
similarity between two log statements reaches a threshold value, then
the two objects are of high similarity and will be classified to the same
template, i.e. to the same leaf node as the object already classified. Here
we consider the log statement that is compared first as the classified
object. If the similarity does not reach the threshold, it means that
the compared object and the classified object are so different that they
cannot be the same log template. Therefore the log statement with a
large difference needs to be classified to a new leaf node, indicating an
added classification. Detailed process is described in Algorithm 2.
{ 12: return 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒2𝑟𝑒𝑝𝑟𝐿𝑖𝑠𝑡
( ) 1 if 𝑤1 = 𝑤2
𝐸𝑄 𝑤1 , 𝑤2 = (1)
0 otherwise
∑𝑛 ( )
𝐸𝑄 seq1 (𝑖), seq2 (𝑖)
𝑆𝑖𝑚(𝑠𝑒𝑞1 , 𝑠𝑒𝑞2 ) = 𝑖=1 (2)
𝑛 Multi-feature log-based anomaly detection mainly contains two
3.1.3. Template compression
Template compression mainly includes two steps: converting log
templates into semantic vectors and clustering them.
Step 1: Decomposing each log template into each word it contains,
then using the pre-trained Glove word vector [31] to get the semantic
vector corresponding to each word, and finally adding the semantic
vectors corresponding to all the words in the sentence together to
form a new 300 dimension template semantic vector. In order to better
represent the template semantic information by the template semantic
vector, we use Term Frequency–Inverse Document Frequency (TF–IDF)
uniform weights.
Step 2: Using Density Based Spatial Clustering of Applications with
Noise (DBSCAN) [32] to cluster the obtained log templates with se-
mantic vectors to achieve template compression. DBSCAN has no re-
quirements on the shape or number of clusters. It divides regions that
match the set density into clusters, and then merges the connected
clusters with high density into the same cluster. To achieve the goal
of clustering clusters, DBSCAN defines two parameters, Epsilon(𝜖) and
minPts. Epsilon(𝜖) indicates the maximum radius of a cluster. MinPts
indicates the number of minimum points within a cluster. A cluster is
only considered to be a cluster if it contains at least minPts of clustered
objects within a radius, otherwise, it is considered to be discrete noise
points. The whole procedure is described in Algorithm 3.
Algorithm 3 Template Compression Algorithm
Require: 𝑙𝑜𝑔2𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒𝐿𝑖𝑠𝑡, 𝑔𝑙𝑜𝑣𝑒.𝑡𝑥𝑡
Ensure: 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒2𝑟𝑒𝑝𝑟𝐿𝑖𝑠𝑡
1: 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒2𝑟𝑒𝑝𝑟𝐿𝑖𝑠𝑡 ← initList()
2: for 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒 in 𝑙𝑜𝑔2𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒𝐿𝑖𝑠𝑡 do
3: 𝑟𝑒𝑝𝑟 ← initFLoatList()
4: for 𝑤𝑜𝑟𝑑 in 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒 do
5: 𝑇 𝐹 ← CalcTF(𝑤𝑜𝑟𝑑, 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒)
6: 𝐼𝐷𝐹 ← CalcIDF(𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒, 𝑙𝑜𝑔2𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒𝐿𝑖𝑠𝑡)
7: 𝑇 𝐹 _𝐼𝐷𝐹 ← 𝑇 𝐹 × 𝐼𝐷𝐹
8: 𝑟𝑒𝑝𝑟 ← Add(𝑇 𝐹 _𝐼𝐷𝐹 × toVec(𝑤𝑜𝑟𝑑, glove.txt))
9: 𝑟𝑒𝑝𝑟 ← Add(𝑟𝑒𝑝𝑟)
10: 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒2𝑟𝑒𝑝𝑟𝐿𝑖𝑠𝑡 ← Add(𝑟𝑒𝑝𝑟𝑇 𝑜𝐿𝑖𝑠𝑡(𝑟𝑒𝑝𝑟))
11: 𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒2𝑟𝑒𝑝𝑟𝐿𝑖𝑠𝑡 ← DBSCAN(𝑡𝑒𝑚𝑝𝑙𝑎𝑡𝑒2𝑟𝑒𝑝𝑟𝐿𝑖𝑠𝑡)
3.2. Anomaly detection
phases: feature extraction and model building. We extract key features
including temporal features, invariant features, and statistical features,
from the log sequence in the feature extraction phase. Then we build a
Wide & Deep model to process these features separately using different
components.
3.2.1. Feature extraction
Since the log generation and collection methods of different systems
are different, it is necessary to select the appropriate sequence segmen-
tation method according to the characteristics of the log. The log events
in HDFS all contain block subjects, which have obvious correlations, so

4
W. Niu et al.
the subject-based independent sequence segmentation method is used.
However, there is no obvious correlation between BGL log statements,
and the log sequence is divided according to the time period, so the
sliding window segmentation method is used. After splitting the log
files into sequences, the next step is to extract the key features in the log
sequences. Logs contain three key features, namely temporal features,
invariant features, and statistical features. For temporal features, the
log events are recorded in the order of occurrence, and the log sequence
is divided based on the generated timestamps. Therefore, the sequence
itself inherently represents the time relationship. Invariant features
refer to the corresponding relationship between paired log events with
causal relationships, where an open event must be followed by a closed
event for normal operation of the system. The normal functioning of
such paired events ensures the overall proper functioning of the system.
For instance, a log event pair consisting of ‘‘start transaction’’ and
‘‘commit’’ is an invariant feature. Statistical features refer to the number
of occurrences of individual events in a log sequence.
Algorithm 4 Feature Extraction Algorithm
Require: 𝑙𝑜𝑔𝑆𝑒𝑞𝑢𝑒𝑛𝑐𝑒, 𝑒𝑣𝑒𝑛𝑡𝑃 𝑎𝑖𝑟𝑠, 𝑒𝑣𝑒𝑛𝑡𝑠
Ensure: 𝑖𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡𝐹 𝑒𝑎𝑡𝑢𝑟𝑒, 𝑠𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒, 𝑡𝑒𝑚𝑝𝑜𝑟𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒
1: 𝑛 ← len(𝑒𝑣𝑒𝑛𝑡𝑃 𝑎𝑖𝑟𝑠), 𝑚 ← len(𝑒𝑣𝑒𝑛𝑡𝑠), 𝑡 ← len(𝑙𝑜𝑔𝑆𝑒𝑞𝑢𝑒𝑛𝑐𝑒)
2: 𝑖𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡𝐹 𝑒𝑎𝑡𝑢𝑟𝑒, 𝑠𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒, 𝑡𝑒𝑚𝑝𝑜𝑟𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒
← initFeatures(𝑛, 𝑚, 𝑡)
3: for 𝑖, 𝑒𝑣𝑒𝑛𝑡𝑃 𝑎𝑖𝑟 in 𝑒𝑣𝑒𝑛𝑡𝑃 𝑎𝑖𝑟𝑠 do
4: 𝑛𝑢𝑚𝑏𝑒𝑟0 = getNumber(𝑙𝑜𝑔𝑆𝑒𝑞𝑢𝑒𝑛𝑐𝑒, 𝑒𝑣𝑒𝑛𝑡𝑃 𝑎𝑖𝑟[0])
5: 𝑛𝑢𝑚𝑏𝑒𝑟1 = getNumber(𝑙𝑜𝑔𝑆𝑒𝑞𝑢𝑒𝑛𝑐𝑒, 𝑒𝑣𝑒𝑛𝑡𝑃 𝑎𝑖𝑟[1])
6: if 𝑛𝑢𝑚𝑏𝑒𝑟0 == 𝑛𝑢𝑚𝑏𝑒𝑟1 then
7: 𝑖𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡𝐹 𝑒𝑎𝑡𝑢𝑟𝑒[𝑖] = 1
8: else
9: 𝑖𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡𝐹 𝑒𝑎𝑡𝑢𝑟𝑒[𝑖] = 0
10: for 𝑖, 𝑒𝑣𝑒𝑛𝑡 in 𝑒𝑣𝑒𝑛𝑡𝑠 do
11: 𝑠𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒[𝑖] = getNumber(𝑙𝑜𝑔𝑆𝑒𝑞𝑢𝑒𝑛𝑐𝑒, 𝑒𝑣𝑒𝑛𝑡)
12: for 𝑖, 𝑙𝑜𝑔 in 𝑙𝑜𝑔𝑆𝑒𝑞𝑢𝑒𝑛𝑐𝑒 do
13: 𝑡𝑒𝑚𝑝𝑜𝑟𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒[𝑖] = getEventID(𝑙𝑜𝑔)
14: return 𝑖𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡𝐹 𝑒𝑎𝑡𝑢𝑟𝑒, 𝑠𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒, 𝑡𝑒𝑚𝑝𝑜𝑟𝑎𝑙𝐹 𝑒𝑎𝑡𝑢𝑟𝑒
Given a log sequence, the extraction process of its features is shown
in Algorithm 4. For invariant feature, we initialize an n-dimensional
vector 𝑥𝐼𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡 (n represents the number of log event pairs). Then
we set the value of 𝑥𝐼𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡𝑖 to 1 if the numbers of two events in
the 𝑖th event pair are equal in the log sequence, and 0 otherwise. We
use an m-dimensional vector 𝑥𝑆𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙 represents the statistical feature
and 𝑥𝑆𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙 𝑖 represents the number of event-𝑖 in the log sequence.
The temporal feature 𝑥𝑇 𝑒𝑚𝑝𝑜𝑟𝑎𝑙 represents the log sequence itself, and
𝑥𝑇 𝑒𝑚𝑝𝑜𝑟𝑎𝑙 𝑖 is the event ID of the 𝑖th log in log sequence.
These features can be found by experienced technicians, but as the
number of logs grows extremely fast, it is unaffordable to rely solely
on human effort. However, it should be noted that the number and
type of invariant features and statistical features can be large, and not
all of them are equally informative for the anomaly detection task. So
feature filtering is required to select features with positive impacts on
the anomaly detection task. Based on this situation, we use the Pearson
correlation coefficient as an indicator for feature screening, which is
fast and easy to compute and understand. Pearson coefficient can assess
the linear correlation of different variables to identify features that have
a strong correlation, as calculated in Eq. (3). Notice that we calculate
Pearson correlation coefficient between pairs of log events to select
invariant features, and that between log events and labels to select
statistical features. For each event, we will get an array representing
the occurrences of that event in each log sequence.
𝑐𝑜𝑣(𝑥, 𝑦)
𝜌𝑥,𝑦 =
𝜎𝑋 𝜎𝑌
𝐸(𝑋𝑌 ) − 𝐸(𝑋)𝐸(𝑌 ) (3)
= √ √
𝐸(𝑋 2 ) − 𝐸 2 (𝑋) 𝐸(𝑌 2 ) − 𝐸 2 (𝑌 )
5
Applied Soft Computing 153 (2024) 111314
Table 2
Invariant features obtained by setting different thresholds.
Dataset Threshold Invariant features Feature count
(Example ranges)
0.9 1–5, 3–4, 6–7, 8–9, . . . 12
0.8 . . . 6–11, 6–12, 17–32, . . . 14
HDFS
0.7 . . . 14–23, 14–24, 22–25, . . . 21
0.6 . . . 20–22, 20–25, 22–25, . . . 38
0.95 4–7, 13–14, 17–177, 17–204, . . . 625
0.9 . . . 20–33, 20–34, 20–35, . . . 976
BGL
0.85 . . . 21–23, 21–24, 21–25, . . . 1271
0.8 . . . 10–220, 10–261, 13–232, . . . 1581
As for the invariant features, we directly use the arrays of two log
events to compute the Pearson coefficients. The degree of correlation
between different log events can be assessed by the Pearson correlation
coefficient of occurrence numbers between two log events. The invari-
ant feature is actually a linearly correlated relationship and is positively
correlated. For a completely normal log sequence, the Pearson correla-
tion coefficient for the number of occurrences of two log events with
the invariant feature relationship is 1. And we think that the reason
for some abnormalities is that the invariant feature relationship does
not match. However, since not all log files used in the calculation of
Pearson’s correlation coefficient are normal log sequences, the actual
distribution of log sequences in log files consists of a large number
of normal log sequences and a small number of abnormal sequences.
Taking HDFS logs as an example, the abnormal log sequences account
for three percent. Therefore, the Pearson correlation coefficient cannot
reach 1. So we set a threshold value of Pearson correlation coefficient
less than 1 to find the correct invariant feature relationship, while
setting a coefficient of less than 1 also helps to reduce the noise caused
by manual labeling errors.
Filtering statistical features additionally requires obtaining an array
of labels for the log sequences. The Pearson correlation coefficient is
calculated by the occurrences of each log event and the corresponding
actual label of the log sequence. The correlation coefficient represents
how relevant the statistical data is to the normal or abnormal sequence.
And to some extent, the coefficient also indicates the importance of
different statistical data for the anomaly detection algorithm. Statistic
feature filtering is also done by setting thresholds, but the thresh-
olds for statistical features are considered in relation to the needs of
downstream task.
3.2.2. Threshold experiment of feature filtering
In our approach, the selection of the threshold is critical, which
directly determines the features used in the anomaly detection phase.
A high threshold may ignore valuable features, causing the loss of
information and reducing anomaly detection capability. Conversely, a
low threshold will retain redundant features, interfere with the learning
of valuable information, and slow down the training of the model.
The selection of threshold needs to be considered with the specific
application scenario. In our experiments, the dataset and feature type
have a great influence on the threshold setting, and the results are
shown in Tables 2 and 3. When the Pearson coefficient is above 0.9,
both HDFS and BGL can extract a number of invariant features, indicat-
ing the universality of invariant features. And the BGL dataset, which
has more template categories shows even more invariant features.
Compared with the invariant features, statistical features can only be
extracted by setting a lower threshold, which indicates that the direct
correlation between log events and labels is weak, and these features
can only be used to assist other features for anomaly detection.
3.2.3. Model building
To fully use the valuable information in the logs to improve the
anomaly detection capability, we propose a Wide & Deep based multi-
feature anomaly detection method. The Wide & Deep architecture is
W. Niu et al.
Table 3
Statistical features obtained by setting different thresholds.
Dataset Threshold Statistical features Feature count
(Example events)
0.5 event3, event4 2
HDFS 0.4 event3, event4, event16, event33 4
0.3 ...event11, event12, event33... 7
0.5 event19, event127 2
BGL 0.4 event19, event127 2 respectively, ℎ𝑖 represents the hidden state at time 𝑖, and 𝑊 𝑧 , 𝑊 𝑟 and
0.3 ...event30, event31, event32... 26
not a specific model, but rather a programmatic idea combining deep
learning and machine learning. This architecture consists of two parts:
Wide and Deep. The Wide part is generally a generalized linear model,
which gives the whole model a strong memory capability and applies
to simple and strongly correlated features. The Deep part, on the
other hand, enables the model to have generalization ability and is
suitable for learning complex features. Our architecture mainly consists
of a Gradient Boosting Decision Tree-Logistic Regression model(GBDT-
LR) [33] on the Wide end and an Attention-Based Gate-Recurrent Unit
(Attention-GRU) model on the Deep end.
In order to make full use of the three different features, we divide
them into different parts of this anomaly detection model approach.
The temporal features will be input to the Deep end, while the invariant
features and statistical features will be input to the Wide end. After ab-
stracting the high-dimensional features on the Wide end and Deep end,
the features are then combined and computed for prediction through
a logistic regression layer. Unlike anomaly detection methods that use
only deep learning or machine learning, our approach combines both
the Deep and Wide ends. This combination allows more features to be
processed by type and exploits more useful information in the logs to
achieve better anomaly detection capabilities. The main components
of the model, namely the Deep and Wide ends, are described in detail
below.
Deep end. We choose the Attention-Based Gated Recurrent Unit Model
as the Deep end for processing the input content. The Gated Recurrent
Unit (GRU) [34] is a modified Recurrent Neural Network (RNN). Com-
pared to the basic RNN structure, the Gated Recurrent Unit (GRU) has
shown improved performance in handling the gradient disappearance
problem and capturing long-term dependencies in sequential data. Also,
GRU has a simpler internal structure and better computational speed
than another improved RNN model, LSTM [30]. However, using GRU
alone is not enough. In a log anomaly detection model, the output of
each GRU unit depends on the current log event and on the memory
of the past. But if a log sequence is too long, there may be cases where
anomalous events far apart have an impact on the current event, which
can affect the validity of the prediction. In order to eliminate this
affection, we use an attention mechanism [35] to reassign weights to
the degree of influence of past memory units on the current output, and
the process is shown in Fig. 2.
The output of each GRU unit depends on the input log event of
this unit and the hidden state of the previous GRU unit. At the same
time, the attention mechanism learns the weight of each output that
contributes to the accuracy of the prediction, increasing the degree of
effective memory and improving the reliability of the prediction results.
Here are some examples that show the effectiveness of the attention
mechanism. Due to the complexity of the log system, the distribution
of log sequences also shows diversity. There may be partially similar log
sequences in the system. Figs. 3 and 4 depict two possible scenarios for
log sequences. There are cases where the same sequence is followed by
a number of different sequences within the system, as shown in Fig. 3.
There are also cases where different sequences are followed by the same
sequence, as shown in Fig. 4. For the above two cases, if the two log
sequences have the same state, i.e., they are both normal or abnormal,
then their common parts contribute more to the model. Otherwise, their
6
Applied Soft Computing 153 (2024) 111314
different parts contribute more to the model. Such potential sequential
relationships can be better learned by using the GRU model based
on the attention mechanism. By learning such timing characteristics,
abnormal execution processes can be identified more accurately.
The calculation process on the Deep end is shown in Formula (4).
In the following formula, 𝑥𝑖 is the log template vector of the 𝑖th log in
log sequence, 𝑧𝑖 and 𝑟𝑖 are the outputs of the update gate and reset gate
𝑊 ℎ are the corresponding weight matrices respectively. 𝑂𝑢𝑡𝑝𝑢𝑡𝐷𝑒𝑒𝑝 is
the final output of the Deep end.
𝑋𝑇 𝑒𝑚𝑝𝑜𝑟𝑎𝑙 = {𝑥1 , 𝑥2 , … 𝑥𝑛 }
𝑧𝑖 = 𝜎(𝑊 𝑧 ⋅ [ℎ𝑖−1 , 𝑥𝑖 ])
𝑟𝑖 = 𝜎(𝑊 𝑟 ⋅ [ℎ𝑖−1 , 𝑥𝑖 ])
ℎ̃𝑖 = 𝑡𝑎𝑛ℎ(𝑊 ℎ ⋅ [𝑟𝑖 ⊙ ℎ𝑖−1 , 𝑥𝑖 ]) (4)
ℎ𝑖 = (1 − 𝑧𝑖 ) ⊙ ℎ̃𝑖 + 𝑧𝑖 ⊙ ℎ𝑖−1
∑
𝑛
𝑂𝑢𝑡𝑝𝑢𝑡𝐷𝑒𝑒𝑝 = 𝑡𝑎𝑛ℎ( 𝜆𝑖 ℎ𝑖 )
𝑖=1
Wide end. We choose the Gradient Boosting Decision Tree-Logistic Re-
gression model (GBDT-LR) as the Wide end. The invariant features and
statistical features are superficial for log anomaly detection. Gradient
Boosting Decision Tree (GBDT) can easily remember such relationships.
Therefore, in the subsequent detection phase, GBDT has the ability to
identify anomalies caused by the invariant and statistical features on
the logs.
The prediction process of GBDT is shown in Eq. (5). X is a combi-
nation of invariant features and statistical features of the log sequence,
which is used as input to the Wide end. 𝐹𝑚 (𝑥) represents the cumulative
output of the first 𝑚 − 1 trees, ℎ𝑚 (𝑥) represents the predicted value of
the leaf node in the 𝑚th tree, and the result obtained after M iterations
is 𝑂𝑢𝑡𝑝𝑢𝑡𝑊 𝑖𝑑𝑒 .
𝑋 = 𝑐𝑜𝑛𝑐𝑎𝑡{𝑋𝐼𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡 , 𝑋𝑆𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙 }
𝐹𝑚 (𝑋) = 𝐹𝑚−1 (𝑋) + ℎ𝑚 (𝑋) (5)
𝑂𝑢𝑡𝑝𝑢𝑡𝑊 𝑖𝑑𝑒 = 𝐹𝑀 (𝑋)
Furthermore, the integration of Logistic Regression (LR) on top of
GBDT has proven to be a significant improvement. This approach adds
only a layer of computation to the GBDT algorithm and achieves a more
comprehensive prediction by taking multiple features into account. Our
method uses GBDT to abstract the invariant and statistical features and
recombine the useful information to obtain new features that have a
more positive impact on the outcome. Then as shown in formula (6),
the LR layer combines all original features (including invariant features
and statistical features) with newly generated features as input and
predicts the final result.
𝐼𝑛𝑝𝑢𝑡𝐿𝑅 = 𝑐𝑜𝑛𝑐𝑎𝑡{𝑂𝑢𝑡𝑝𝑢𝑡𝐷𝑒𝑒𝑝 , 𝑋𝐼𝑛𝑣𝑎𝑟𝑖𝑎𝑛𝑡 , 𝑋𝑆𝑡𝑎𝑡𝑖𝑠𝑡𝑖𝑐𝑎𝑙 , 𝑂𝑢𝑡𝑝𝑢𝑡𝑊 𝑖𝑑𝑒 }
(6)
𝑅𝑒𝑠𝑢𝑙𝑡 = 𝐿𝑅(𝐼𝑛𝑝𝑢𝑡𝐿𝑅 )
Note that the Wide end is trained before training of the Deep end
and Logistic Regression. We first train the GBDT using the invariant
and statistical features with the corresponding labels. Then we use the
trained GBDT as Wide end to get the synthetic features 𝑂𝑢𝑡𝑝𝑢𝑡𝑊 𝑖𝑑𝑒
which is part of the Logistic Regression’s input. At last, we apply
backward propagation and gradient descent to train the Deep end and
Logistic Regression simultaneously.
4. Experimental evaluation
In this section, we present the experiments conducted to validate
the effectiveness of the WDLog framework. We begin by describing
our experimental setup in Section 4.1. Next, in Section 4.2, we dis-
cuss the comparative methods employed and the performance metrics
utilized. Subsequently, in Section 4.3, we outline the model settings
and experimental parameters employed in our study. The impact of
W. Niu et al. Applied Soft Computing 153 (2024) 111314

Fig. 2. Attention based GRU.

Table 4
Dataset sequence distribution.
Dataset Number of Number of
normal sequence abnormal sequence
training set 333 792 11 244
HDFS validation set 55 635 1871
testing set 168 796 3723
Fig. 3. Same sequence followed by different sequences. training set 24 146 27 200
BGL validation set 4012 4545
testing set 12 116 13 558

contains one or more block_id. In our experiments, the HDFS dataset is

Fig. 4. Different sequences followed by the same sequence.
parameter settings on WDLog is examined in Section 4.4. We analyze
the anomaly detection performance of the proposed WDLog method,
along with other advanced methods, on multiple datasets in Section 4.5.
Finally, in Section 4.6, we showcase the effectiveness of the WDLog
architecture through ablation experiments.
4.1. Experimental setup
divided into 575,061 log sequences according to block_id, and then is
divided as the training set, verification set, and testing set according to
the ratio of 6:1:3.
(2) BGL: It is collected over 7 months by a supercomputer deployed
at Lawrence Livermore National Laboratory. It contains a total of
4,747,963 log records, of which 348,460 log records are abnormal. In
our experiments, the BGL dataset uses a sliding window to extract the
log sequence, where the window size is set to 120, and then the training
set, validation set, and testing set are divided according to the ratio of
6:1:3.
Details of these two open datasets in our experiments are given in
Table 4.

The experiments were written in Python 3.9, modeled in PyTorch

1.11.0 environment, and conducted on a Windows-OS-based device,
whose main parameters are:
CPU: AMD Ryzen 7 5800H with Radeon 3.20 GHz
Graphics Card: GTX3060
Memory: 16G RAM
We choose two datasets with different characteristics from the open
source project Loghub [36]: Hadoop Distributed File System (HDFS)
and BlueGene/L (BGL). HDFS datasets are generated in an HDFS cluster
using a baseline workload, where anomalies are identified and labeled
manually during the log generation process based on manually devel-
oped rules. BGL (Blue Gene/L) dataset is a supercomputing system log
dataset collected by Lawrence Livermore National Laboratory (LLNL).
The difference is that log information in the HDFS dataset can be
divided into log sequences by unique block IDs, while logs in the BGL
dataset do not contain block IDs and are divided into log sequences by
sliding windows.
The main characteristics of each dataset are as follows:
(1) HDFS: It is obtained by running map-reduce tasks for 38.7 h on
more than 2000 Amazon EC2 nodes. It contains a total of 11,172,157
log records which includes 284,818 abnormal records. Each log record
4.2. Comparative methods and performance metrics
Several known log-based anomaly detection methods are also se-
lected for experimental comparison with WDLog (DeepLog,
LogAnomaly, PLELog, and LogCluster). We adopt the Precision, Recall,
and F1-score (F1) as the evaluation metrics, which are typically used
in this field.
𝑃 𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 = 𝑇 𝑃 ∕(𝑇 𝑃 + 𝐹 𝑃 )
𝑅𝑒𝑐𝑎𝑙𝑙 = 𝑇 𝑃 ∕(𝑇 𝑃 + 𝐹 𝑁) (7)
𝐹 1 = 2 ∗ 𝑃 𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 ∗ 𝑅𝑒𝑐𝑎𝑙𝑙∕(𝑃 𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 + 𝑅𝑒𝑐𝑎𝑙𝑙)
4.3. Model settings
The primary model settings and experimental parameters for WD-
Log on HDFS and BGL datasets are presented in Table 5. The values
were carefully tested and determined as described in Section 4.4. For
the comparative models, their parameters are set based on the refer-
ences, and further fine-tuned using the optimal test results obtained in
our study.

7
W. Niu et al. Applied Soft Computing 153 (2024) 111314

Table 5
Model settings for HDFS and BGL.
Parameter HDFS BGL
Depth 4 4
Similarity 0.6 0.5
Hidden States 150 150
GRU Layers 4 4
Estimators 150 150

Fig. 7. Performances on different sizes of hidden states.

Fig. 5. Number of generated log templates on HDFS.
log statements in the HDFS dataset (10 million) and the BGL dataset
(millions), the impact of redundant templates on accuracy is minimal.
However, the presence of redundant templates does affect the total
number of template types, and having too many templates can increase
the time overhead and resource consumption of downstream tasks.
Therefore, it is important to find an optimal parameter selection that
strikes a balance.
Based on the experimental results, setting Depth = 4 and Similar-
ity = 0.6 is found to be the best parameter configuration for HDFS
logs, while Depth = 4 and Similarity = 0.5 are optimal for BGL logs.
This choice of parameters ensures a reasonable number of extracted
templates while maintaining accuracy.

4.4.2. Parameters for anomaly detection

Fig. 6. Number of generated log templates on BGL.
4.4. Parameter sensitivity experiment
4.4.1. Parameters for log template extraction
When generating log parse trees, the choice of similarity threshold
and parse tree depth can significantly impact the accuracy of log
template extraction. To investigate this, we performed experiments on
HDFS logs and BGL logs datasets, adjusting the similarity threshold and
parse tree depth to observe their effects on the number of generated log
templates. The experimental results are depicted in Figs. 5 and 6.
Based on the observation of the content of generated templates
and the number of log statements associated with different parameter
settings, it was found that the number of log statements classified to
redundant templates for HDFS logs is only a few dozen, and for BGL
logs, it is only a few hundred. In comparison to the large number of
By adjusting the number of hidden states and GRU layers in the deep
structure, as well as the number of estimators in the wide structure,
the performance of the log anomaly detection model can be evaluated
under various parameter settings. This analysis helps understand the
impact of these settings on the model’s performance and identifies the
most effective configuration for accurate anomaly detection.
To assess the influence of the number of hidden states, an exper-
iment was conducted by varying the hidden states parameter while
keeping other parameters at their default values. The F1-score was
measured for different values of hidden states, such as 50, 100, 150,
200, 250, and 300. The results, depicted in Fig. 7, show the relationship
between the number of hidden states and the corresponding F1-score.
The results show that the F1-score exhibits a gradual increase fol-
lowed by a gradual decrease as the number of hidden states increases.
This observation indicates that a higher number of hidden states allows
the model to capture more refined features from the training set,
leading to improved performance. However, when the number becomes
excessively large, it can lead to overfitting and a decline in performance
on the test set. Therefore, there exists an optimal range of hidden states
that balances model complexity and generalization ability, ensuring the
best anomaly detection performance.
Similarly, experiments were conducted to evaluate the impact of
GRU layers on anomaly detection performance. The GRU layers were
varied from 1 to 6, while other parameters were kept at their default
values. The experimental results, shown in Fig. 8, demonstrate that
both GRU layers and hidden states significantly influence the model’s
performance, highlighting their importance in determining the model’s
effectiveness.
Furthermore, the number of estimators in the wide structure was
also investigated. Estimators were set to values of 50, 100, 150, 200,

8
W. Niu et al. Applied Soft Computing 153 (2024) 111314

Table 6
Performance of different methods.
Log Method Precision Recall F1 Score
DeepLog [8] 0.945 0.900 0.922
LogAnomaly [24] 0.860 0.898 0.878
HDFS PLELog [27] 0.957 0.888 0.921
LogCluster [14] 1.000 0.836 0.911
WDLog 0.979 0.925 0.951
DeepLog [8] 0.907 0.956 0.931
LogAnomaly [24] 0.972 0.941 0.956
BGL PLELog [27] 0.967 0.978 0.973
LogCluster [14] 0.914 0.642 0.754
WDLog 0.994 0.978 0.986

abnormal logs and normal logs is typically characterized by substantial

Fig. 8. Performances on different numbers of GRU layers.
Fig. 9. Performances on different numbers of estimators.
250, and 300, while other parameters remained unchanged. The results,
presented in Fig. 9, indicate that increasing the number of estimators
positively contributes to the F1-score of anomaly detection, but the
effect exhibits a slower rate of change. Estimators are associated with
the level of feature abstraction, and a higher value allows for finer
abstraction of features, leading to improved anomaly detection. Addi-
tionally, the experiments reveal that the impact of increasing estimators
is more significant for HDFS logs compared to BGL logs, suggesting that
HDFS logs benefit more from increased feature abstraction due to their
characteristics.
4.5. Comparative experiment
4.5.1. Anomaly detection performance
To evaluate the anomaly detection capability of WDLog, we con-
ducted a comparative analysis with well-known solutions in the field,
including DeepLog, LogAnomaly, PLELog, and LogCluster. The experi-
mental results are presented in Table 6.
The results indicate that LogCluster achieves the highest accuracy
in identifying abnormal logs in the HDFS dataset. However, its per-
formance is not as strong when applied to the BGL dataset. The main
reason for this discrepancy lies in the nature of LogCluster as a semantic
clustering algorithm. In the case of HDFS, the distinction between
differences, making it relatively easy for LogCluster to separate them
effectively. However, when it comes to the BGL dataset, LogCluster
faces challenges in distinguishing certain normal logs that fall within
the marginal range during the clustering process of abnormal logs. This
difficulty arises from the larger number of template categories in BGL
and the relatively smaller differences between these templates. Conse-
quently, LogCluster’s clustering results on BGL may be compromised,
leading to suboptimal performance in anomaly detection.
DeepLog, LogAnomaly and PLELog are models based on log tem-
poral features. When extracting log templates, Deeplog only utilizes
template types and does not consider the semantic features of tem-
plates, which means that template semantic information is not used to
represent templates. LogAnomaly introduces an innovative approach
that specifically targets the distinctions between near-synonyms and
antonyms in log statements. It further delves into the semantic differ-
ences between log statements, and uses vectors with semantic informa-
tion to represent log templates, resulting in remarkable performance
on both the BGL and HDFS datasets. Notably, LogAnomaly exhibits
exceptional performance in terms of the F1-score on the BGL dataset,
indicating the substantial amount of untapped information present
in log statements that can be effectively leveraged. PLELog, on the
other hand, extracts semantic vectors of log templates by using a pre-
trained model, Glove, which allows mining more semantic information
in log templates, and achieves a better performance. For anomaly
detection, DeepLog and LogAnomaly adopt LSTM to learn the temporal
information in log templates, while PLELog employs the GRU model.
Both methods can effectively extract the hidden information in the
log template vectors. The only difference is that the GRU model has
a simpler construction, which can shorten the training time. These
approaches demonstrate strong overall performance, reaffirming the
significance of temporal features as a crucial foundation for effective
anomaly detection.
Compared with the above methods, WDLog combines Glove with
clustering technique DBSCAN to compress templates, which enhances
the robustness to resist small changes of logs in real environment.
During the anomaly detection phase, WDLog takes a comprehensive
approach by considering a broader range of log features and their
potential characteristics for identification. It incorporates the features
of GRU and GDBT by adopting the Wide & Deep framework. Besides the
temporal features, our model further considers the invariant features
and statistical features in the log sequences to improve the performance
of anomaly detection. As a result, WDLog delivers outstanding perfor-
mance on both datasets, showcasing excellent recall and F1-score that
surpasses other approaches.
4.5.2. Robustness
To assess the robustness of WDLog and other methods in the context
of iterative changes in log updates, we conducted experiments by
injecting iterated HDFS logs and BGL logs at various percentages (0%,
5%, 10%, 15%, and 20%). These new logs represent different degrees
of normal post-iteration logs. The performance of each method was

9
W. Niu et al. Applied Soft Computing 153 (2024) 111314

Table 7
Time consumption of different methods on HDFS and BGL.
Method HDFS BGL
Training Testing Training Testing
DeepLog [8] 1 h 50 m 20 m 44 m 7 m
LogAnomaly [24] 4 h 40 m 477 m 4 h 20 m 39 m
PLELog [27] 43 m 42 s 24 m 10 s
LogCluster [14] 19 m 23 s 41 s 40 s
WDLog 53 m 51 s 30 m 12 s

Table 8
Ablation results on HDFS and BGL.
Dataset Scheme Precision Recall F1 Score
without Attention 0.981 0.803 0.883
without Wide 0.973 0.895 0.932
HDFS
without Deep 0.975 0.716 0.825
WDLog 0.979 0.925 0.951
without Attention 0.978 0.904 0.940
without Wide 0.979 0.955 0.967
BGL
without Deep 0.979 0.782 0.869
Fig. 10. Robustness of different methods on changing HDFS and BGL logs.
WDLog 0.994 0.978 0.986

evaluated using the F1-score, and the results were visualized in a box
plot depicted in Fig. 10.
DeepLog heavily relies on the temporal features of logs for anomaly
detection. It employs log template tags to represent log statements
as time series. However, when logs change, new log statements are
categorized into new template tags. Unless DeepLog is retrained, it
struggles to handle the new time series correctly. Hence, DeepLog
exhibits the highest box plot height and demonstrates poor robustness.
LogCluster and LogAnomaly both rely on semantic information for
anomaly detection. However, LogCluster performs better when logs
change because LogAnomaly divides logs into more fine-grained cate-
gories, thereby amplifying the impact of semantic changes and reducing
robustness. On the other hand, PLELog utilizes both semantic and
temporal features for anomaly detection. While both semantics and
temporal sequences may change during log iteration, PLELog effec-
tively handles log changes with good robustness. However, PLELog
relies on a limited set of features, and if these features change during
log iteration, the anomaly detection performance will be significantly
affected.
WDLog is crafted to tackle the problem of evolving logs, particularly
during template extraction. It replaces log statements with template
semantics to minimize sensitivity to variations introduced by evolving
logs. On the other hand, the DBSCAN used for template clustering is
able to classify the logs into the correct templates even when there are
minor changes in the logging system, such as synonym substitutions,
abbreviations, and so on. Different from traditional approaches, WDLog
incorporates invariant and statistical features in its anomaly detec-
tion process. This comprehensive strategy enhances the framework’s
robustness to the dynamic nature of evolving logs.
4.5.3. Time consumption
Time consumption is a key indicator for evaluating anomaly de-
tection systems and plays a vital role in anomaly detection systems.
Real-life scenarios where fast and effective response is critical. Our
evaluation carefully breaks down the time consumption into two key
components: training time, a metric that reflects how efficiently WDLog
adapts to the specific characteristics of the log data during the training
phase, and test time, which focuses on how efficiently WDLog detects
anomalies in the log data. The experimental data are shown in the
Table 7. In general, all the current log anomaly detection methods only
take a short time to train and test, which can satisfy the daily anomaly
detection tasks.
It is clear that the least time-consuming method is the cluster-
ing method LogCluster, while the LSTM-based methods DeepLog and
LogAnomaly consume much more time than the GRU-based method
PLELog and the WDLog in this paper.
The clustering methods mainly focus on the selection of clustering
indexes. And the whole clustering process is relatively simple and costs
little time. The GRU model is a simplification of the LSTM model. The
input, output and forgetting gates of LSTM are reduced to the reset and
update gates of GRU, which reduces a large part of the computation
process and costs less time.
Compared with PLELog, which also uses the GRU model, our
method adds semantic clustering in the preprocessing stage, and a Wide
end in the anomaly detection stage to perform anomaly detection task
together. The overall complexity and computation increase to some
extent, but compared with PLELog which only has the Deep end, the
training phase only increases by 10 min, and the testing phase only
increases by 2 s. The time consumption is still in an advantageous
position among all the methods compared.
4.6. Ablation experiment
To assess the contribution of different components to the overall
model, we conducted ablation experiments on the attention mecha-
nism, Wide model, and Deep model. Each component was masked out
separately, while the remaining parts of the model were left unchanged.
Anomaly detection was performed on HDFS logs and BGL logs, and the
results are presented in Table 8.
The experimental results demonstrate that the attention mechanism
plays a significant role in improving the overall performance of the
algorithm. With numerous features involved, it is crucial to effectively
learn and utilize the relevant features to avoid interference in pre-
dictions. The attention mechanism helps focus the model’s learning
on important features, thereby enhancing its performance. Regarding
the Wide and Deep components within the model, the results indicate
that omitting the Wide component reduces the overall prediction abil-
ity, whereas omitting the Deep component diminishes the prediction
ability. The Deep component leverages temporal features for anomaly
detection, while the Wide component predominantly utilizes invariant
features and statistical features. These components complement each
other in prediction. Therefore, to achieve optimal results, the Deep
component needs to be supplemented by the Wide component.
In summary, the attention mechanism contributes to overall perfor-
mance improvement, while both the Wide and Deep components are
crucial for achieving the best results.

10
W. Niu et al.
5. Discussion
5.1. Class imbalance
We believe that considering the expansion of the anomaly log
dataset using class balancing techniques, such as manually creating
anomaly logs, to improve model performance presents significant chal-
lenges. Because the temporal features required by the model are dif-
ficult to replicate and the expansion of features for statistical and
invariant features may result in overfitting. However, this is still a
worthwhile direction to pursue, and we will consider applying class
balancing techniques to log anomaly detection in future work.
5.2. Scalability
We conduct a comprehensive evaluation of log anomaly detec-
tion frameworks. In terms of handling log data scales, the framework
exhibits excellent performance and strong linear scalability, and can
effectively handle various datasets of different sizes. In terms of model
training, the use of Deep & Wide learning-based training solutions
greatly reduces training time and improves the efficiency of the system
in processing massive datasets. In addition, the framework shows flexi-
bility in hardware resource utilization and model update maintenance,
providing a reliable foundation for long-term maintenance of the sys-
tem. Overall, these findings not only guide the optimization of current
log anomaly detection system performance, but also provide substantial
support for future applications in large-scale data environments.
6. Conclusion
In this study, we presented WDLog, a robust log-based anomaly
detection framework designed to effectively identify abnormal logs
even in the presence of log changes. We improved the Drain algorithm
to generate log templates that are less sensitive to changing words,
thereby preserving more semantic information and enhancing robust-
ness. Additionally, we extracted multiple features based on correlation
to better capture the characteristics of different anomalies. By leverag-
ing the Wide & Deep framework, we employed different feature types to
detect anomaly logs, thereby improving the accuracy of the detection
process. Experimental results on the HDFS and BGL datasets demon-
strated the effectiveness of WDLog in anomaly detection. However,
it should be noted that WDLog currently does not support intelligent
word segmentation in log processing. As part of future research, we
will focus on further advancements in this field and explore intelligent
word segmentation techniques to enhance the capabilities of WDLog.
CRediT authorship contribution statement
Weina Niu: Writing – review & editing, Writing – original draft,
Software, Methodology, Formal analysis, Conceptualization. Xuhan
Liao: Writing – review & editing, Software, Methodology, Investigation,
Data curation, Conceptualization. Shiping Huang: Writing – review &
editing, Writing – original draft, Software, Data curation. Yudong Li:
Software, Investigation, Formal analysis. Xiaosong Zhang: Writing –
review & editing, Supervision, Funding acquisition. Beibei Li: Writing
– review & editing, Validation, Methodology.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
Data will be made available on request.
11
Applied Soft Computing 153 (2024) 111314
Acknowledgments
This work was supported in part by the National Science Foundation
of China under Grant 61902262, in part by the National Key Research
and Development Program of China under Grant 2023QY0101.
References
[1] T. Soper, Amazon Web Services outage affects Adobe, Roku, Twilio,
Flickr, others, 2020, https://www.geekwire.com/2020/amazon-web-services-
outage-affects-adobe-roku-twilio-flickr-others/.
[2] Annual report of the board of governors of the federal reserve system, 2021,
https://www.federalreserve.gov/publications/2021-ar-payment-system-and-
reserve-bank-oversight.htm.
[3] Q. Fu, J.-G. Lou, Q. Lin, R. Ding, D. Zhang, T. Xie, Contextual analysis of program
logs for understanding system behaviors, in: 2013 10th Working Conference on
Mining Software Repositories, MSR, IEEE, 2013, pp. 397–400.
[4] M. Farshchi, J.-G. Schneider, I. Weber, J. Grundy, Experience report: Anomaly
detection of cloud application operations using log and cloud metric correlation
analysis, in: 2015 IEEE 26th International Symposium on Software Reliability
Engineering, ISSRE, IEEE, 2015, pp. 24–34.
[5] K. Zhang, J. Xu, M.R. Min, G. Jiang, K. Pelechrinis, H. Zhang, Automated IT
system failure prediction: A deep learning approach, in: 2016 IEEE International
Conference on Big Data, Big Data, IEEE, 2016, pp. 1291–1300.
[6] X. Shu, J. Smiy, D.D. Yao, H. Lin, Massive distributed and parallel log analysis
for organizational security, in: 2013 IEEE Globecom Workshops, GC Wkshps,
IEEE, 2013, pp. 194–199.
[7] P. He, J. Zhu, S. He, J. Li, M.R. Lyu, An evaluation study on log parsing and
its use in log mining, in: 2016 46th Annual IEEE/IFIP International Conference
on Dependable Systems and Networks, DSN, IEEE, 2016, pp. 654–661.
[8] M. Du, F. Li, G. Zheng, V. Srikumar, Deeplog: Anomaly detection and diagnosis
from system logs through deep learning, in: Proceedings of the 2017 ACM
SIGSAC Conference on Computer and Communications Security, 2017, pp.
1285–1298.
[9] S. Kabinna, C.-P. Bezemer, W. Shang, M.D. Syer, A.E. Hassan, Examining the
stability of logging statements, Empir. Softw. Eng. 23 (2018) 290–333.
[10] H.-T. Cheng, L. Koc, J. Harmsen, T. Shaked, T. Chandra, H. Aradhye, G.
Anderson, G. Corrado, W. Chai, M. Ispir, et al., Wide & deep learning for
recommender systems, in: Proceedings of the 1st Workshop on Deep Learning
for Recommender Systems, 2016, pp. 7–10.
[11] K. Kaushik, G. Sharma, G. Goyal, A.K. Sharma, A. Chaubey, A systematic
approach for analyzing log files based on string matching regular expressions,
in: Cyber Security and Digital Forensics: Proceedings of ICCSDF 2021, Springer,
2022, pp. 3–10.
[12] P. He, J. Zhu, Z. Zheng, M.R. Lyu, Drain: An online log parsing approach with
fixed depth tree, in: 2017 IEEE International Conference on Web Services, ICWS,
2017, pp. 33–40, http://dx.doi.org/10.1109/ICWS.2017.13.
[13] R. Vaarandi, Mining event logs with slct and loghound, in: NOMS 2008-
2008 IEEE Network Operations and Management Symposium, IEEE, 2008, pp.
1071–1074.
[14] R. Vaarandi, M. Pihelgas, Logcluster-a data clustering and pattern mining
algorithm for event logs, in: 2015 11th International Conference on Network
and Service Management, CNSM, IEEE, 2015, pp. 1–7.
[15] H. Dai, H. Li, C.-S. Chen, W. Shang, T.-H. Chen, Logram: Efficient log parsing
using 𝑛 n-gram dictionaries, IEEE Trans. Softw. Eng. 48 (3) (2020) 879–892.
[16] Q. Fu, J.-G. Lou, Y. Wang, J. Li, Execution anomaly detection in distributed
systems through unstructured log analysis, in: 2009 Ninth IEEE International
Conference on Data Mining, IEEE, 2009, pp. 149–158.
[17] L. Tang, T. Li, C.-S. Perng, LogSig: Generating system events from raw textual
logs, in: Proceedings of the 20th ACM International Conference on Information
and Knowledge Management, 2011, pp. 785–794.
[18] M. Mizutani, Incremental mining of system log format, in: 2013 IEEE
International Conference on Services Computing, IEEE, 2013, pp. 595–602.
[19] K. Shima, Length matters: Clustering system log messages using length of words,
2016, arXiv preprint arXiv:1611.03213.
[20] Z.M. Jiang, A.E. Hassan, P. Flora, G. Hamann, Abstracting execution logs to
execution events for enterprise applications (short paper), in: 2008 the Eighth
International Conference on Quality Software, IEEE, 2008, pp. 181–186.
[21] P. He, J. Zhu, S. He, J. Li, M.R. Lyu, Towards automated log parsing for large-
scale log data analysis, IEEE Trans. Dependable Secure Comput. 15 (6) (2017)
931–944.
[22] A.A. Makanju, A.N. Zincir-Heywood, E.E. Milios, Clustering event logs using
iterative partitioning, in: Proceedings of the 15th ACM SIGKDD International
Conference on Knowledge Discovery and Data Mining, 2009, pp. 1255–1264.
[23] M. Du, F. Li, Spell: Online streaming parsing of large unstructured system logs,
IEEE Trans. Knowl. Data Eng. 31 (11) (2018) 2213–2227.
[24] W. Meng, Y. Liu, Y. Zhu, S. Zhang, D. Pei, Y. Liu, Y. Chen, R. Zhang, S. Tao, P.
Sun, et al., LogAnomaly: Unsupervised detection of sequential and quantitative
anomalies in unstructured logs, in: IJCAI, vol. 19, 2019, pp. 4739–4745.
W. Niu et al.
[25] X. Zhang, Y. Xu, Q. Lin, B. Qiao, H. Zhang, Y. Dang, C. Xie, X. Yang, Q. Cheng,
Z. Li, et al., Robust log-based anomaly detection on unstable log data, in: Pro-
ceedings of the 2019 27th ACM Joint Meeting on European Software Engineering
Conference and Symposium on the Foundations of Software Engineering, 2019,
pp. 807–817.
[26] C. Yin, Y. Zhang, Unsupervised log anomaly detection model based on CNN and
Bi-LSTM(in Chinese), J. Comput. Appl. (2023).
[27] L. Yang, J. Chen, Z. Wang, W. Wang, J. Jiang, X. Dong, W. Zhang, Semi-
supervised log-based anomaly detection via probabilistic label estimation, in:
2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE,
2021, pp. 1448–1460, http://dx.doi.org/10.1109/ICSE43902.2021.00130.
[28] S. Yen, M. Moh, T.-S. Moh, CausalConvLSTM: Semi-supervised log anomaly
detection through sequence modeling, in: 2019 18th IEEE International Con-
ference on Machine Learning and Applications, ICMLA, 2019, pp. 1334–1341,
http://dx.doi.org/10.1109/ICMLA.2019.00217.
[29] Y. LeCun, L. Bottou, Y. Bengio, P. Haffner, Gradient-based learning applied to
document recognition, Proc. IEEE 86 (11) (1998) 2278–2324.
[30] A. Graves, A. Graves, Long short-term memory, in: Supervised Sequence Labelling
with Recurrent Neural Networks, Springer, 2012, pp. 37–45.
12
Applied Soft Computing 153 (2024) 111314
[31] J. Pennington, R. Socher, C.D. Manning, Glove: Global vectors for word represen-
tation, in: Proceedings of the 2014 Conference on Empirical Methods in Natural
Language Processing, EMNLP, 2014, pp. 1532–1543.
[32] A. Ram, S. Jalal, A.S. Jalal, M. Kumar, A density based algorithm for discovering
density varied clusters in large spatial databases, Int. J. Comput. Appl. 3 (6)
(2010) 1–4.
[33] X. He, J. Pan, O. Jin, T. Xu, B. Liu, T. Xu, Y. Shi, A. Atallah, R. Herbrich, S.
Bowers, et al., Practical lessons from predicting clicks on ads at facebook, in:
Proceedings of the Eighth International Workshop on Data Mining for Online
Advertising, 2014, pp. 1–9.
[34] K. Cho, B. Van Merriënboer, C. Gulcehre, D. Bahdanau, F. Bougares, H. Schwenk,
Y. Bengio, Learning phrase representations using RNN encoder-decoder for
statistical machine translation, 2014, arXiv preprint arXiv:1406.1078.
[35] D. Bahdanau, K. Cho, Y. Bengio, Neural machine translation by jointly learning
to align and translate, 2014, arXiv preprint arXiv:1409.0473.
[36] S. He, J. Zhu, P. He, M.R. Lyu, Loghub: a large collection of system log datasets
towards automated log analytics, 2020, arXiv preprint arXiv:2008.06448.