2/23/25, 12:05 PM DeepLog | Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

CCS 

Home > Conferences > CCS > Proceedings > CCS '17 > DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning

RESEARCH-ARTICLE PUBLIC ACCESS     

Feedback
DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep
Learning
Authors: Min Du, Feifei Li, Guineng Zheng, Vivek Srikumar Authors Info & Claims

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Pages 1285 - 1298
https://doi.org/10.1145/3133956.3134015

Published: 30 October 2017 Publication History

 
1,048 24,197     PDF  eReader
PDF
Help

Abstract 


Anomaly detection is a critical step towards building a secure and trustworthy system. The primary
Journals Magazines Proceedings Books SIGs Conferences People Advanced Search

purpose of a system log is to record system states and significant events at various critical points to help 

https://dl.acm.org/doi/10.1145/3133956.3134015 1/6
2/23/25, 12:05 PM DeepLog | Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

debug system failures and perform root cause analysis.

CCS Such

log data is universally available in nearly all 45
computer systems. Log data is an important and valuable resource for understanding system status and

performance issues; therefore, the various system logs are naturally excellent source of information for

online monitoring and anomaly detection. We propose DeepLog, a deep neural network model utilizing

Long Short-Term Memory (LSTM), to model a system log as a natural language sequence. This allows
DeepLog to automatically learn log patterns from normal execution, and detect anomalies when log 

patterns deviate from the model trained from log data under normal execution. In addition, we
demonstrate how to incrementally update the DeepLog model in an online fashion so that it can adapt to

new log patterns over time. Furthermore, DeepLog constructs workflows from the underlying system log
so that once an anomaly is detected, users can diagnose the detected anomaly and perform root cause
analysis effectively. Extensive experimental evaluations over large log data have shown that DeepLog has
outperformedThis website
other uses
existing cookies anomaly detection methods based on traditional data mining
log-based
We occasionally run membership recruitment campaigns on social media channels and use cookies to track post-clicks. We also share
methodologies.
information about your use of our site with our social media, advertising and analytics partners who may combine it with other
information that you’ve provided to them or that they’ve collected from your use of their services. Use the check boxes below to
choose the types of cookies you consent to have stored on your device.

Use necessary cookies only Allow selected cookies Allow all cookies

Necessary Preferences Statistics Marketing Show details

Supplemental Material

MP4 File PDF

Help

DOWNLOAD 2867.41 MB
Journals Magazines Proceedings Books SIGs Conferences People Advanced Search


https://dl.acm.org/doi/10.1145/3133956.3134015 2/6
2/23/25, 12:05 PM DeepLog | Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

CCS 

References
[1] VAST Challenge 2011. 2011. MC2 - Computer Networking Operations. (2011).
http://hcil2.cs.umd.edu/newvarepository/VAST%20Challenge%202011/challenges/MC2%20-
%20Computer%20Networking%20Operations/ [Online; accessed 08-May-2017].
Google Scholar
This website uses cookies
[2] Martín Abadi, Paul Barham, Jianmin Chen, Zhifeng Chen, Andy Davis, Jeffrey Dean, Matthieu Devin, Sanjay Ghemawat,
We occasionally run membership recruitment campaigns on social media channels and use cookies to track post-clicks. We also share
Geoffrey Irving, Michaelabout
information Isard,
youret
usealmbox.
of our site 2016
with ourTensorFlow: A system
social media, advertising and for large-scale
analytics machine
partners who learning
may combine Proc. USENIX
it with other
information that you’ve provided to them or that they’ve collected from your use of their services. Use the check boxes below to
Symposium onchoose
Operating
the typesSystems Design
of cookies you and
consent Implementation
to have (OSDI). 264--285.
stored on your device.
Google Scholar
Use necessary cookies only Allow selected cookies Allow all cookies
[3] Yoshua Bengio, Réjean Ducharme, Pascal Vincent, and Christian Jauvin 2003. A neural probabilistic language model. Journal
Necessary
of machine learning Preferences
research Vol. 3, Feb (2003),Statistics
1137--1155.Marketing Show details

Digital Library | Google Scholar

[4] Ivan Beschastnikh, Yuriy Brun, Michael D Ernst, and Arvind Krishnamurthy 2014. Inferring models of concurrent systems PDF
from logs of their behavior with CSight Proc. International Conference on Software Engineering (ICSE ). 468--479.
Help
Google Scholar

Show all references

Journals Magazines Proceedings Books SIGs Conferences People Advanced Search


https://dl.acm.org/doi/10.1145/3133956.3134015 3/6
2/23/25, 12:05 PM DeepLog | Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Cited By CCS  View all 

Gümüş H and Eyüpoğlu C. (2025). ÇİZGE ÖĞRENMEDE ÇİZGE SİNİR AĞLARI. İstanbul Ticaret Üniversitesi Teknoloji ve Uygulamalı
Bilimler Dergisi. 10.56809/icujtas.1442504. 7:2. (17-56). Online publication date: 28-Feb-2025.

https://doi.org/10.56809/icujtas.1442504

Kotenko I and Levshun D. (2025). Machine Learning Methods of Intelligent System Event Analysis for Multistep Cyberattack
Detection. Scientific and Technical Information Processing. 10.3103/S0147688224700254. 51:5. (372-381). Online publication date:
21-Feb-2025.

https://doi.org/10.3103/S0147688224700254

Zhang H, Zhou Y, Xu H, Shi J, Lin X and Gao Y. (2025). Anomaly detection in virtual machine logs against irrelevant attribute
interference. PLOS ONE. 10.1371/journal.pone.0315897. 20:1. (e0315897). Online publication date: 7-Jan-2025.

https://doi.org/10.1371/journal.pone.0315897
This website uses cookies
We occasionally run membership recruitment campaigns on social media channels and use cookies to track post-clicks. We also share
information about your use of our site with our social media, advertising and analytics partners who may combine it with other
information that you’ve provided to them or that they’ve collected from your use of their services. Use the check boxes below to
Show More Cited By
choose the types of cookies you consent to have stored on your device.

Use necessary cookies only Allow selected cookies Allow all cookies
Index Terms Necessary Preferences Statistics Marketing Show details

DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning
PDF
Help
Information systems Security and privacy

Intrusion/anomaly detection and malware

Information systems applications
Journals Magazines Proceedings Books SIGs Conferences People mitigation Advanced Search


https://dl.acm.org/doi/10.1145/3133956.3134015 4/6
2/23/25, 12:05 PM DeepLog | Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

CCS 

Decision support systems

Online analytical processing

Recommendations

LAnoBERT: System log anomaly detection based on BERT masked language model
Abstract
The system log generated in a computer system refers to large-scale data that are collected simultaneously and used as the basic data…
Highlights
We propose LAnoBERT, a new log parser-free and unsupervised framework…

This website uses cookies Read More

A Critical Review of Common Logrun
We occasionally Data Sets Used
membership for Evaluation
recruitment campaigns of Sequence-Based
on social Anomaly
media channels and Detection
use cookies Techniques
to track post-clicks. We also share
information about your use of our site with our social media, advertising and analytics partners who may combine it with other
Log data store eventinformation
execution thatpatterns that correspond
you’ve provided to them or that to underlying
they’ve workflows
collected from your use of systems
of their orUse
services. applications. While
the check boxes belowmost
to logs are
choose the types of cookies you consent to have stored on your device.
informative, log data also include artifacts that indicate failures or incidents. Accordingly, log data are often used to ...
Read More
Use necessary cookies only Allow selected cookies Allow all cookies
Robust log-based anomaly detection on unstable log data
Necessary Preferences Statistics Marketing Show details
ESEC/FSE 2019: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the
Foundations of Software Engineering

Logs are widely used by large and complex software-intensive systems for troubleshooting. There have been a lot of studies on log-based PDF
anomaly detection. To detect the anomalies, the existing methods mainly construct a detection model using log event ...
Read More Help

Comments
Journals Magazines Proceedings Books SIGs Conferences People Advanced Search


https://dl.acm.org/doi/10.1145/3133956.3134015 5/6
2/23/25, 12:05 PM DeepLog | Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

CCS 

Download PDF

View Table of Conten

Categories About Join Connect

Journals About ACM Digital Library Join ACM  Contact us via email
Magazines ACM Digital Library Board Join SIGs  ACM on Facebook
Books This websiteInformation
Subscription uses cookies Subscribe to Publications  ACM DL on X
We occasionally run membership recruitment campaigns on social media channels and use cookies to track post-clicks. We also share
Proceedings Author Guidelines
information Institutions
about your use of our site with our social media, advertising and and
analytics partners whoLibraries
may combine it with other  ACM on Linkedin
information that you’ve provided to them or that they’ve collected from your use of their services. Use the check boxes below to
SIGs UsingtheACM
choose Digital
types of cookies Library
you consent to have stored on your device.  Send Feedback
Conferences All Holdings within the ACM Digital Library  Submit a Bug Report
Use necessary cookies only Allow selected cookies Allow all cookies
Collections ACM Computing Classification System
People Necessary Statement
Accessibility Preferences Statistics Marketing Show details

PDF
The ACM Digital Library is published by the Association for Computing
Machinery. Copyright © 2025 ACM, Inc. Help
Terms of Usage Privacy Policy Code of Ethics

https://dl.acm.org/doi/10.1145/3133956.3134015 6/6