Motivating Examples

For the invariant "∀ S, S.orderMoneyDifference = S.price" (for all log sessions, the value of orderMoneyDifference should be equal to that of price), the state-of-the-arts such as DeepLog (CCS'17), LogAnomaly (IJCAI'19), PLELog (ICSE'21), LogRobust (FSE'19), NeuralLog (FSE'21), and ReplicaWatcher (NDSS'24) can have the following challenges:

1. Abstract away important details: 

DeepLog (CCS'17) and LogAnomaly (IJCAI'19) needs to summarize a "log key" (i.e., log template), and sequences of log keys are collected to train a language model to predict the anomaly. However, the log key can abstract away the value of crutial parameters. For example, the log key looks like: 

"$ INFO 1 -- [httpnio-$-exec-$] Entering in Method:rebook, Class:rebook.service.RebookServicelmpl,Arguments: [Rebookinfo(orderld=$,oldTripld=$, tripld=$,  status=$, orderMoneyDifference=$"

Then, the discriminative information between normal and attack logs are abstract away.

LogRobust (FSE'19), NeuralLog (FSE'21) and Replica (NDSS'24) translate the logs into a vector (e.g., by word2vec techniques) where the digital number are not included into the feature vectors.

In contrast, WebNorm can capture those details by analyze both the log and the program (and its source code) to derive the logs.

2. Assumed prior anomaly knowledge (too strong assumption in practice, especially for attack scenario):

LogRobust (FSE'19), NeuralLog (FSE'21) and PLElog (ICSE'21) are classification model trained on normal and abnormal log dataset. The assumption of the availability of known anomaly is strong. However, the attack logs are usually unknown unknown in practice, which can hardly be available in advance.

In contrast, WebNorm  learns the invariants/constraints. Any violation of a constraint serves as both alarm and explanation.