NLLog: Lightweight, Explainable SOC Anomaly Detection via Log-to-Language Rewriting

Problem
The paper addresses the limitations of traditional system-generated logs, which often follow rigid template formats that impede both automated analysis and human interpretability. The authors highlight the need for a more flexible and comprehensible approach to log analysis, particularly in the context of security operations centers (SOCs). This work is presented as a preprint, indicating that it has not yet undergone peer review.

Method
NLLog employs a novel pipeline that begins with the deterministic rewriting of parsed log templates into natural language sentences structured around the WHO-WHAT-SEVERITY framework. This transformation enhances human readability and facilitates automated processing. The rewritten logs are then aggregated using term-frequency-inverse-document-frequency (TF-IDF) weighting. For classification, the authors utilize tree ensemble methods, which are known for their robustness in handling structured data. To provide explainability, the model employs TreeSHAP, a method for back-projecting evidence to aid analysts in understanding the rationale behind detected anomalies. The authors do not disclose specific details regarding the training compute or the exact architecture of the tree ensembles used.

Results
NLLog demonstrates superior performance compared to two reproduced matched-protocol baselines across multiple datasets, including the Hadoop Distributed File System (HDFS), Blue Gene/L (BGL), and the AIT Alert Data Set. The system maintains low false-positive rates, achieving a balance between sensitivity and specificity that is critical for SOC operations. The authors report that NLLog operates with latency suitable for real-time triage on commodity hardware, making it practical for deployment in operational environments. Specific performance metrics, such as accuracy and F1 scores, are not detailed in the summary provided.

Limitations
The authors acknowledge that the effectiveness of NLLog is corpus-dependent, indicating that its performance may vary based on the characteristics of the log data being analyzed. They also note that an enrollment-time coverage check is necessary to identify potential refinement needs before deployment. However, the paper does not address potential scalability issues or the impact of varying log formats on the system’s performance, which could be critical for broader applicability.

Why it matters
NLLog’s approach to transforming log data into a more interpretable format has significant implications for enhancing the efficiency of anomaly detection in security contexts. By combining explainability with effective classification, this work paves the way for more accessible and actionable insights from system logs, which are crucial for timely incident response. The findings contribute to the ongoing discourse on improving automated log analysis and could inspire further research into hybrid models that integrate natural language processing with traditional anomaly detection techniques, as published in arXiv cs.LG.