SENTRY: An Adversarial Robust Anomaly Detection Approach in System Log based on Pattern Unit Extraction and Time-Step Masking

Abstract

Anomaly detection in system logs plays a critical role in identifying abnormal behaviors and ensuring the security of software systems. Although dynamic analysis and deep learning-based models have demonstrated strong detection capabilities, they remain vulnerable to adversarial perturbations. To address this challenge, this paper proposes an adversarially robust anomaly detection approach, SENTRY, which integrates Shapelet-based pattern unit extraction, dynamic time-step masking, and knowledge distillation with difficult sample learning. We enhance the Shapelet algorithm with a customized distance metric to extract semantically meaningful pattern units, enabling effective reconstruction of log sequences while eliminating adversarial noise. These refined sequences are subsequently fed into an LSTM-based model equipped with a confidence-guided masking mechanism that reweights each time step according to its estimated likelihood of being part of normal system behavior, thereby emphasizing potential anomalies. Finally, the framework incorporates a teacher-student learning paradigm, in which the student model is guided by the teacher’s misclassified examples through a difficulty-aware strategy, enhancing its robustness against a wide range of adversarial attacks. Extensive experiments on real-world log datasets demonstrate that the proposed method significantly outperforms baseline models in both standard anomaly detection and adversarial scenarios, while transferability tests across different backbone models further validate its generalizability.
