MulAD: A log-based anomaly detection approach for distributed systems using multi-pattern and multi-model fusion

Context: Log-based anomaly detection (LAD) techniques examine whether or not continuously-generated logs match historically-normal patterns: This helps to ensure reliability in distributed systems using DevOps. However, complex anomalies can span multiple log-pattern types and thus may only be detected by combining these patterns: Relying only on any single pattern may cause anomalies to be missed. These are false negatives in anomaly detection. Objective: In this paper, we propose an Anomaly-Detection approach based on Multi-type log-pattern fusion and Multi-model integration (MulAD): MulAD fuses multi-type log patterns into a synthetic representation to detect complex anomalies. Method: MulAD first rearranges logs by source parameters to decouple interleaving logs and isolate relevant events. It then derives log patterns across five dimensions — semantic, sequential, quantitative, temporal (chronological), and parametric — and fuses them into a unified synthesized pattern . Finally, to detect anomalies, MulAD integrates the MABi-LSTM, Transformer, and graph neural network (GNN) models together: Each of these models is specifically designed to capture temporal and sequential dependencies, contextual information, and structural dependencies. Result: We evaluated MulAD on three public datasets (HDFS, BGL, and ThunderBird) and one industrial one, from the Ray system. Experimental results show that MulAD outperforms all state-of-the-art techniques. Conclusion: We conclude that MulAD is a promising anomaly-detection technique for complex anomalies in distributed systems.