見微知著：透過反事實擾動實現弱監督日誌實例異常定位

摘要

日誌異常偵測是系統運維與安全保障中的關鍵任務。然而，在大規模網路化系統中，日誌資料以巨量規模產生，而實例層級的人工標註成本極高，為細粒度異常定位帶來嚴峻挑戰。為解決此問題，我們提出LogMILP（基於原型增強與擾動之多實例學習的日誌異常定位方法），一種僅需包層級標籤即可實現包層級異常偵測與實例層級異常定位的弱監督框架。該方法透過原型引導的結構化建模與反事實擾動一致性正則化，引導模型精準定位關鍵日誌條目，從而在粗粒度監督下提升定位可靠性與可解釋性。在三個公開資料集上的實驗結果顯示，LogMILP在維持競爭性偵測效能的同時，能顯著提升實例層級定位的可靠性。本方法程式碼已開源於 https://github.com/YUK1207/LogMILP。

English

Log anomaly detection is a critical task for system operations and security assurance. However, in networked systems at scale, log data are generated at massive scale while instance-level annotations are prohibitively expensive, posing great difficulties to fine-grained anomaly localization. To address this challenge, we propose LogMILP (Log anomaly localization based on Multi-Instance Learning enhanced by prototypes and Perturbation), a weakly supervised framework that enables both bag-level anomaly detection and instance-level anomaly localization using only bag-level labels. Our method guides the model to pinpoint the critical log entries using prototype-guided structural modeling with counterfactual perturbation consistency regularization, thereby improving localization reliability and interpretability under coarse-grained supervision. Experimental results on three public datasets demonstrate that LogMILP achieves competitive detection performance while yielding significantly more reliable instance-level localization. Our code is open-sourced at https://github.com/YUK1207/LogMILP.