ICAD-LLM: One-for-All Anomaly Detection via In-Context Learning with Large Language Models

TL;DR

ICAD-LLM introduces In-Context Anomaly Detection to enable a single model to perform cross-modal anomaly detection by comparing target samples against dynamically provided reference sets. The framework combines a Modality-Aware Encoder, a Prompt-Guided Representation Module, and Contextual Contrastive Learning to learn a universal discrepancy function, trained once and deployed across time series, tabular, and log data. Empirical results show competitive performance with task-specific methods and strong zero-shot generalization to unseen tasks, highlighting practical potential for scalable, multi-domain AD. The work advances a One-for-All AD paradigm by leveraging LLMs’ in-context capabilities for flexible, cost-effective deployment in evolving IT environments.

Abstract

Anomaly detection (AD) is a fundamental task of critical importance across numerous domains. Current systems increasingly operate in rapidly evolving environments that generate diverse yet interconnected data modalities -- such as time series, system logs, and tabular records -- as exemplified by modern IT systems. Effective AD methods in such environments must therefore possess two critical capabilities: (1) the ability to handle heterogeneous data formats within a unified framework, allowing the model to process and detect multiple modalities in a consistent manner during anomalous events; (2) a strong generalization ability to quickly adapt to new scenarios without extensive retraining. However, most existing methods fall short of these requirements, as they typically focus on single modalities and lack the flexibility to generalize across domains. To address this gap, we introduce a novel paradigm: In-Context Anomaly Detection (ICAD), where anomalies are defined by their dissimilarity to a relevant reference set of normal samples. Under this paradigm, we propose ICAD-LLM, a unified AD framework leveraging Large Language Models' in-context learning abilities to process heterogeneous data within a single model. Extensive experiments demonstrate that ICAD-LLM achieves competitive performance with task-specific AD methods and exhibits strong generalization to previously unseen tasks, which substantially reduces deployment costs and enables rapid adaptation to new environments. To the best of our knowledge, ICAD-LLM is the first model capable of handling anomaly detection tasks across diverse domains and modalities.

Figures (5)

• Figure 1: An illustration of different levels of AD.
• Figure 2: Comparison of different AD paradigms. (a) Traditional One-for-One/Many AD learns a fixed decision boundary from training data to identify outliers. (b) In-Context Anomaly Detection learns a general comparison function, detecting anomalies based on their discrepancy from a given reference set.
• Figure 3: The overall pipeline of ICAD-LLM. A reference set and target samples are first encoded by the Modality-Aware Encoder. The resulting embeddings are then concatenated with prompt and special tokens, and fed into the Prompt-Guided Representation Module to extract context-sensitive representations. Finally, the Contextual Contrastive Learning objective is employed to optimize the model's ability to distinguish between these samples. R-S means random selection.
• Figure 4: Generalization performance comparison different methods on unseen datasets across three modalities.
• Figure 5: Impact of (a) reference set size and (b) total training data volume on the performance of ICAD-LLM.