KRONE: Scalable LLM-Augmented Log Anomaly Detection via Hierarchical Abstraction

Source: cs.AI updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Data Science & Analytics, Cloud Computing & IT Infrastructure · Depth: Expert, extended

Summary

Krone is a novel hierarchical anomaly detection framework designed to uncover system failures and security risks from flat log data. It addresses a limitation of existing methods: when logs are stored as flat sequences, the inherent nested structure of log executions is lost. Krone introduces the Krone Log Abstraction Model, which automatically extracts application-specific semantic hierarchical structures (Entity, Action, Status) from log templates using an LLM-based Named Entity Recognition approach. This hierarchy enables recursive decomposition of log sequences into modular "Krone Seqs" at multiple levels, transforming complex sequence-level detection into more manageable subtasks. The framework employs a hybrid modular detection mechanism that routes between an efficient Local-Context detector, which rapidly filters out normal sequences, and a Nested-Aware detector, which incorporates cross-level semantic dependencies and is augmented with LLM-based anomaly detection and explanation. Experiments on three public benchmarks (BGL, HDFS, ThunderBird) and one industrial dataset from ByteDance Cloud demonstrated comprehensive improvements, including an F1-score increase of 10.07% (from 82.76% to 92.83%) over prior methods, data space reduction by up to 117.3x, resource efficiency gains of up to 43.7x, and LLM usage reduced to 1.1%–3.3% of test data size.

Key takeaway

Research Scientists developing log anomaly detection systems should consider adopting Krone's hierarchical approach to overcome limitations of flat log processing. By automatically inferring semantic hierarchies and applying a hybrid detection strategy, you can achieve significant improvements in F1-score, data efficiency, and resource utilization, especially for LLM-based methods. Focus on leveraging the modularity and reusability of Krone Seqs to enable scalable and interpretable anomaly detection across diverse system logs.

Key insights

Krone leverages hierarchical log structures and hybrid LLM-pattern matching for efficient, accurate, and interpretable anomaly detection.

Method

Krone extracts Entity, Action, Status hierarchies from log templates using LLMs, then recursively decomposes log sequences into Krone Seqs. It applies a hybrid detector, first using pattern matching, then selectively invoking LLMs for complex cases, with cached results and early-exit optimization.
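
A simplified sketch of the routing described above, added here as an illustration and not taken from the Krone paper or its code. The template annotations are hand-written rather than LLM-derived, and `stub_fallback` is a hypothetical stand-in for the LLM judge; all template ids and names are constructed.

```python
from collections import defaultdict
from itertools import groupby

# Constructed annotations: template id -> (entity, action, status).
# The paper derives these with LLM-based NER; here they are hand-written.
TEMPLATES = {
    "T1": ("block", "allocate", "start"), "T2": ("block", "allocate", "ok"),
    "T3": ("block", "write", "start"),    "T4": ("block", "write", "ok"),
    "T5": ("block", "write", "fail"),     "T6": ("node", "heartbeat", "ok"),
}

def decompose(seq):
    """Flat template-id sequence -> {entity: [(action, (status, ...)), ...]}."""
    by_entity = defaultdict(list)
    for tid in seq:
        entity, action, status = TEMPLATES[tid]
        by_entity[entity].append((action, status))
    return {e: [(a, tuple(s for _, s in run))
                for a, run in groupby(ev, key=lambda x: x[0])]
            for e, ev in by_entity.items()}

def stub_fallback(key):
    """Stand-in for the LLM judge: flags sub-sequences with a 'fail' status."""
    return "fail" in key[2]

class HybridDetector:
    def __init__(self, fallback=stub_fallback):
        self.known = set()       # sub-sequences seen in normal training data
        self.cache = {}          # fallback verdicts, reused across sequences
        self.fallback = fallback
        self.fallback_calls = 0

    def fit(self, normal_seqs):
        for seq in normal_seqs:
            for entity, subs in decompose(seq).items():
                self.known.update((entity, a, st) for a, st in subs)

    def is_anomalous(self, seq):
        for entity, subs in decompose(seq).items():
            for action, statuses in subs:
                key = (entity, action, statuses)
                if key in self.known:          # cheap pattern match: normal
                    continue
                if key not in self.cache:      # escalate once per unseen piece
                    self.fallback_calls += 1
                    self.cache[key] = self.fallback(key)
                if self.cache[key]:
                    return True                # early exit
        return False
```

Because sequences are regrouped per entity before matching, an interleaved heartbeat line does not turn a known-normal block sequence into an unseen one, and `fallback_calls` shows how rarely the expensive path runs.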

Best for: Research Scientist, AI Scientist, Machine Learning Engineer, MLOps Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.AI updates on arXiv.org.