Unseen Anomaly Detection from System Logs

Detecting anomalies in system logs effectively is crucial for ensuring software reliability. However, most existing log anomaly detection methods operate under the assumption that anomalous patterns remain consistent between the training and testing phases. This limitation hinders their ability to identify previously unseen anomalies. In real-world scenarios, software upgrades may introduce novel anomalous patterns that deviate from the training distribution, a challenge we refer to as anomaly shift. To address this, we propose UnseenLog, a novel log anomaly detection framework designed to identify anomalous code files whose representations shift from the training distribution. UnseenLog introduces a MinMax strategy to select augmented anomaly samples that strike a balance between reliability and novelty, enriching the training set with additional pseudo-label samples. Furthermore, we propose Recurrent Iterative Selection and Enhancement (RISE), a training scheme that progressively enhances the graph model through competitive model selection and adaptive data enhancement, thereby improving robustness against novel anomalies. Extensive experiments on real-world datasets demonstrate that UnseenLog significantly outperforms state-of-the-art baselines, achieving consistent improvements in multiple real-world datasets. The code is available at https://github.com/ZhuoxingZhang/UnseenLog.