Log Event Graph Modeling for Backend Anomaly Detection with Multi-Relational Representation Learning

Abstract

To address the challenges of semantically fragmented log text, implicit cross-component relationships, and difficulty in characterizing anomaly propagation in backend anomaly detection, this paper proposes a log event graph modeling method combining event extraction. This method transforms the raw log stream into a reasonable, structured representation and enables session-level risk assessment. The method first segments the log into sessions, extracting event triggers and parameter elements from unstructured text within each session. Entity normalization is then used to align object representations and reduce noise and ambiguity. Subsequently, a multi-relationship log event graph containing event nodes and entity nodes is constructed. Temporal adjacency, object co-occurrence, and dependencies are uniformly encoded as relation edges, explicitly representing system behavior chains and state interactions. Based on this graph structure, a representation learning process of multi-relation aggregation is designed. Information is propagated and fused within different relation neighborhoods to form node-level representations, which are then read out at the graph level to obtain global embeddings. Finally, these are mapped to anomaly scores to support alarm ranking and evidence tracing. Comparative experiments show that this framework can more fully utilize log semantic clues and structural dependency information, achieving superior overall detection quality across multiple evaluation metrics and demonstrating stronger practicality in controlling false positives and false negatives.