KRONE: Scalable LLM-Augmented Log Anomaly Detection via Hierarchical Abstraction
Summary
Krone is a novel hierarchical anomaly detection framework designed to uncover system failures and security risks from flat log data. It addresses a limitation of existing methods: when logs are stored as flat sequences, the inherent nested structure of log executions is lost. Krone introduces the Krone Log Abstraction Model, which automatically extracts application-specific semantic hierarchical structures (Entity, Action, Status) from log templates using an LLM-based Named Entity Recognition approach. This hierarchy enables recursive decomposition of log sequences into modular "Krone Seqs" at multiple levels, transforming complex sequence-level detection into more manageable subtasks. The framework employs a hybrid modular detection mechanism, routing between an efficient Local-Context detector for rapid filtering of normal sequences and a Nested-Aware detector that incorporates cross-level semantic dependencies, augmented with LLM-based anomaly detection and explanation. Experiments on three public benchmarks (BGL, HDFS, ThunderBird) and one industrial dataset from ByteDance Cloud demonstrated Krone's comprehensive improvements, including an F1-score increase of 10.07% (from 82.76% to 92.83%) over prior methods, data space reduction by up to 117.3x, resource efficiency gains of up to 43.7x, and reduced LLM usage to 1.1%–3.3% of test data size.
Key takeaway
Research Scientists developing log anomaly detection systems should consider adopting Krone's hierarchical approach to overcome limitations of flat log processing. By automatically inferring semantic hierarchies and applying a hybrid detection strategy, you can achieve significant improvements in F1-score, data efficiency, and resource utilization, especially for LLM-based methods. Focus on leveraging the modularity and reusability of Krone Seqs to enable scalable and interpretable anomaly detection across diverse system logs.
Key insights
Krone leverages hierarchical log structures and hybrid LLM-pattern matching for efficient, accurate, and interpretable anomaly detection.
Principles
- Log data contains inherent hierarchical execution patterns.
- Modular detection on decomposed log segments improves accuracy and efficiency.
- Hybrid detection combining pattern matching and LLMs optimizes resource use.
Method
Krone extracts Entity, Action, Status hierarchies from log templates using LLMs, then recursively decomposes log sequences into Krone Seqs. It applies a hybrid detector, first using pattern matching, then selectively invoking LLMs for complex cases, with cached results and early-exit optimization.
In practice
- Decompose flat logs into hierarchical "Krone Seqs" for finer-grained analysis.
- Implement a two-stage detection: fast pattern matching, then targeted LLM reasoning.
- Cache LLM results for recurring log patterns to reduce computational costs.
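The decomposition and two-stage routing described above, as an added illustration that is not code from the Krone paper: the Entity/Action/Status template tags, the flat log, the set of known-normal Krone Seqs and the status-based stand-in for the Nested-Aware/LLM detector are all constructed here, since the page gives none of these specifics.

```python
from collections import defaultdict

# Constructed log abstraction: template id -> (Entity, Action, Status).
# Krone infers these tags with LLM-based NER; here they are hand-written sample values.
TEMPLATES = {
    "T1": ("Block", "allocate", "ok"),
    "T2": ("Block", "write", "ok"),
    "T3": ("Block", "replicate", "ok"),
    "T4": ("Block", "replicate", "fail"),
    "T5": ("Node", "heartbeat", "ok"),
    "T6": ("Node", "heartbeat", "timeout"),
}

# Constructed flat log: (entity instance, template id) in arrival order.
FLAT_LOG = [
    ("blk_1", "T1"), ("node_a", "T5"), ("blk_2", "T1"), ("blk_1", "T2"),
    ("blk_2", "T2"), ("node_a", "T5"), ("blk_1", "T3"), ("blk_2", "T4"),
    ("node_a", "T6"), ("blk_3", "T1"), ("blk_3", "T2"), ("blk_3", "T4"),
]

# Constructed Krone Seqs that the fast Local-Context detector accepts as normal.
NORMAL_SEQS = {("Block", (("allocate", "ok"), ("write", "ok"), ("replicate", "ok"))),
               ("Node", (("heartbeat", "ok"), ("heartbeat", "ok")))}

def decompose(flat_log, templates):
    """Level 1 splits the flat log by Entity type, level 2 by entity instance;
    the leaf Krone Seq is that instance's ordered (Action, Status) pairs."""
    tree = defaultdict(dict)
    for instance, tid in flat_log:
        entity, action, status = templates[tid]
        tree[entity].setdefault(instance, []).append((action, status))
    return {e: {i: tuple(s) for i, s in inst.items()} for e, inst in tree.items()}

def nested_aware_stub(entity, seq):
    """Stand-in for the Nested-Aware/LLM detector, which the page does not
    specify: flags a Krone Seq whose steps do not all end in Status 'ok'."""
    return "anomaly" if any(st != "ok" for _, st in seq) else "normal"

def detect(flat_log, templates=TEMPLATES, normal_seqs=NORMAL_SEQS):
    """Two-stage routing: set lookup first (early exit for normal Krone Seqs),
    the expensive detector only for unseen Krone Seqs, with its verdicts cached."""
    verdicts, cache = {}, {}
    stats = {"stage1_normal": 0, "stage2_calls": 0, "cache_hits": 0}
    for entity, instances in decompose(flat_log, templates).items():
        for instance, seq in instances.items():
            key = (entity, seq)
            if key in normal_seqs:            # Local-Context detector: cheap, early exit
                stats["stage1_normal"] += 1
                verdicts[instance] = "normal"
                continue
            if key in cache:                  # recurring pattern: reuse cached verdict
                stats["cache_hits"] += 1
            else:                             # only here would an LLM call be spent
                stats["stage2_calls"] += 1
                cache[key] = nested_aware_stub(entity, seq)
            verdicts[instance] = cache[key]
    return verdicts, stats
```

On the constructed log, four instances produce only two stage-2 calls: blk_1 exits at stage 1 and blk_3 reuses blk_2's cached verdict, which is the effect behind the reduced LLM usage the summary reports.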
Topics
- Log Anomaly Detection
- Hierarchical Abstraction
- Large Language Models
- Krone Log Abstraction Model
- Modular Detection
Best for: Research Scientist, AI Scientist, Machine Learning Engineer, MLOps Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.