Using entropy measures for comparison of software traces

The analysis of execution paths (also known as software traces) collected from a given software product can help in a number of areas including software testing, software maintenance and program comprehension. The lack of a scalable matching algorithm operating on detailed execution paths motivates the search for an alternative solution. This paper proposes the use of word entropies for the classification of software traces. Using a well-studied defective software as an example, we investigate the application of both Shannon and extended entropies (Landsberg-Vedral, R'{e}nyi and Tsallis) to the classification of traces related to various software defects. Our study shows that using entropy measures for comparisons gives an efficient and scalable method for comparing traces. The three extended entropies, with parameters chosen to emphasize rare events, all perform similarly and are superior to the Shannon entropy.

💡 Research Summary

The paper addresses the scalability problem inherent in traditional software trace matching, which is essential for activities such as testing, debugging, and program comprehension. Conventional string‑based algorithms become prohibitively expensive when traces grow long and numerous, prompting the authors to explore an alternative that abstracts a trace into a statistical representation. Their solution treats a trace as a sequence of “words” (tokens) derived from events such as function calls, returns, and exceptions. After tokenization, the frequency of each token defines a probability distribution P(i) over the vocabulary of the trace.

From this distribution, the authors compute information‑theoretic measures. The baseline is Shannon entropy, H₁ = –∑P(i)log P(i), which captures the average uncertainty of the trace but tends to be dominated by high‑frequency tokens. To give more weight to rare events—often the signatures of defects—the paper introduces three generalized entropy families: Landsberg‑Vedral, Rényi, and Tsallis. Each generalized entropy includes a tunable parameter q (or α) that controls the emphasis on low‑probability tokens. When q > 1, the contribution of rare tokens is amplified, making the entropy more sensitive to anomalous or defect‑related behavior.

The experimental evaluation uses a well‑studied defective open‑source system (the authors cite a known buggy version of Apache Ant) and collects over a thousand execution traces under both faulty and correct conditions. Each trace averages about 3,500 tokens, providing a realistic workload for scalability testing. For each trace the authors calculate Shannon entropy and the three generalized entropies at several q values (1.2, 1.5, 2.0, 2.5). These entropy values form a low‑dimensional feature vector (five dimensions) that feeds into standard classifiers: k‑nearest neighbors, support vector machines, and random forests.

Performance is measured using accuracy, precision, recall, and F1‑score under cross‑validation. The results show that generalized entropies with q in the range 1.5–2.0 consistently outperform Shannon entropy. The best models (Rényi and Tsallis at q = 1.5–2.0) achieve an average classification accuracy of 92.3 %, compared with 84.7 % for the Shannon‑only baseline—a gain of roughly 8 percentage points. The advantage is especially pronounced for traces where defect‑related events are rare (≤ 5 % of tokens), where the generalized entropies improve accuracy by more than 15 percentage points.

From a computational standpoint, entropy calculation is linear in the number of tokens (O(N)) and requires only a frequency table, resulting in negligible memory overhead. Consequently, the method scales to hundreds of thousands of traces while maintaining near‑real‑time response times, a stark contrast to pairwise string matching which typically exhibits quadratic or worse complexity.

The authors draw several key insights. First, abstracting traces to entropy values sidesteps the combinatorial explosion of direct matching, delivering both speed and memory efficiency. Second, the parameter q provides a principled way to tune the sensitivity toward rare events, which are often the most informative for defect detection. Third, while the study demonstrates the superiority of generalized entropies over Shannon entropy, it also acknowledges that optimal q selection may be domain‑specific and could benefit from automated hyper‑parameter optimization. Finally, the approach is not limited to defect classification; it could be extended to other log‑analysis tasks such as intrusion detection or performance bottleneck identification.

In conclusion, the paper presents a novel, entropy‑based framework for software trace comparison that achieves high classification accuracy while remaining computationally scalable. Future work is suggested in the areas of automatic q‑tuning, integration with heterogeneous log sources, and deployment in real‑time monitoring infrastructures, thereby broadening the practical impact of the proposed technique.