LogICL: Distilling LLM Reasoning to Bridge the Semantic Gap in Cross-Domain Log Anomaly Detection
Jingwei Ye, Zhi Wang, Chenbin Su, Jieshuai Yang, Jiayi Ding, Chunbo Liu, Ge Chu
TL;DR
LogICL addresses data-scarce, cross-domain log anomaly detection by distilling LLM reasoning into a lightweight encoder. During training it builds a delta matrix that scores each MMR-selected demonstration by how much it improves the LLM's judgement over zero-shot inference, and it optimizes the encoder with a multi-objective loss that combines domain alignment (MMD), supervised contrastive loss, and an ICL-guided term driven by those delta scores. At inference, the encoder retrieves reasoning-aware demonstrations through a dual-source strategy (semantic-similarity retrieval plus delta-based expansion), and a frozen LLM reasons over them with Chain-of-Thought. Across few-shot and zero-shot transfers on diverse log domains, LogICL reaches state-of-the-art performance, and latent-space alignment visualizations and case studies show that it matches logs by latent semantics rather than surface wording.
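The selection and retrieval steps in the summary above, as an added example that is not LogICL's own code: Maximal Marginal Relevance over encoder embeddings, a delta matrix computed as "score with demonstration minus zero-shot score", and a retrieval step that mixes cosine similarity with delta-derived utility. The embeddings, the LLM scores, the averaging of the delta matrix into one utility per demonstration, and the `alpha`/`lam` weights are all constructed assumptions made for illustration; the paper's exact delta definition and expansion rule are not given on this page.

```python
"""Added example, not LogICL's own code: MMR-guided demonstration selection,
a delta matrix built from constructed LLM scores, and retrieval that mixes
cosine similarity with delta-derived utility. Every embedding, score and
weight below is a constructed assumption for illustration."""
import math

# Constructed 3-d "encoder" embeddings of candidate demonstration logs.
DEMOS = {
    "oom: kill process":      [0.9, 0.4, 0.0],
    "oom-killer invoked":     [0.9, 0.4, 0.0],   # deliberate near-duplicate
    "heap allocation failed": [0.85, 0.0, 0.5],
    "connection timed out":   [0.0, 1.0, 0.0],
    "user login successful":  [0.0, 0.0, 1.0],
}
QUERY = [1.0, 0.0, 0.0]  # embedding of a new target-domain log (constructed)

# Constructed LLM scores on three labelled training logs (higher = closer to
# the correct verdict): ZERO_SHOT[t] without demonstrations, WITH_DEMO[d][t]
# with demonstration d placed in the prompt.
ZERO_SHOT = [0.50, 0.60, 0.55]
WITH_DEMO = {
    "oom: kill process":      [0.70, 0.70, 0.70],
    "oom-killer invoked":     [0.55, 0.60, 0.50],
    "heap allocation failed": [0.80, 0.85, 0.75],
    "connection timed out":   [0.50, 0.70, 0.60],
    "user login successful":  [0.40, 0.55, 0.55],
}


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def mmr_select(query, demos, k, lam=0.7):
    """Maximal Marginal Relevance: greedily pick k demonstrations that are
    relevant to the query (cosine) but not redundant with what is already
    selected. lam=1.0 degenerates to plain nearest-neighbour retrieval."""
    selected, remaining = [], dict(demos)
    while remaining and len(selected) < k:
        best, best_score = None, -math.inf
        for name, emb in remaining.items():
            relevance = cosine(query, emb)
            redundancy = max((cosine(emb, demos[s]) for s in selected), default=0.0)
            score = lam * relevance - (1 - lam) * redundancy
            if score > best_score:
                best, best_score = name, score
        selected.append(best)
        del remaining[best]
    return selected


def delta_matrix(zero_shot, with_demo):
    """delta[d][t] = LLM score with demonstration d minus the zero-shot score
    on training log t: positive means d helped the reasoning, negative hurt."""
    return {d: [s - z for s, z in zip(scores, zero_shot)]
            for d, scores in with_demo.items()}


def demo_utility(delta):
    """Collapse the delta matrix to one utility per demonstration by averaging
    over training logs (a simplifying assumption made for this example)."""
    return {d: sum(row) / len(row) for d, row in delta.items()}


def retrieve(query, demos, utility, k_mmr=1, k_expand=1, alpha=0.5):
    """Dual-source retrieval in an assumed form: MMR supplies k_mmr diverse,
    relevant demonstrations; the expansion step then adds k_expand more ranked
    by alpha*cosine + (1-alpha)*utility, so a demonstration that has proven
    useful for reasoning can outrank a merely similar one."""
    chosen = mmr_select(query, demos, k_mmr)
    rest = [d for d in demos if d not in chosen]
    rest.sort(key=lambda d: alpha * cosine(query, demos[d]) + (1 - alpha) * utility[d],
              reverse=True)
    return chosen + rest[:k_expand]


if __name__ == "__main__":
    util = demo_utility(delta_matrix(ZERO_SHOT, WITH_DEMO))
    print("utility:", {d: round(u, 2) for d, u in util.items()})
    print("MMR top-3:", mmr_select(QUERY, DEMOS, 3))          # skips the duplicate
    print("similarity-only:", retrieve(QUERY, DEMOS, util, alpha=1.0))
    print("similarity+delta:", retrieve(QUERY, DEMOS, util))
```

With these inputs MMR places "heap allocation failed" ahead of the near-duplicate "oom-killer invoked", and the delta-weighted expansion prefers the demonstration that actually raised the LLM's scores over the one that is merely closest in embedding space; setting `alpha=1.0` recovers plain similarity retrieval for comparison.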
Abstract
Effective log anomaly detection is critical to sustaining reliability in large-scale IT infrastructures. Transformer-based models require substantial resources and labeled data, exacerbating the cold-start problem in target domains where logs are scarce. Existing cross-domain methods leverage source logs but struggle with generalization due to reliance on surface lexical similarity, failing to capture latent semantic equivalence amid structural divergences. To address this, we propose LogICL, a framework distilling Large Language Model (LLM) reasoning into a lightweight encoder for cross-domain anomaly detection. During training, LogICL constructs a delta matrix measuring the utility of demonstrations selected via Maximal Marginal Relevance relative to zero-shot inference. The encoder is optimized via a multi-objective loss comprising an ICL-Guided term that aligns representations based on reasoning assistance utility, maximum mean discrepancy for domain alignment, and supervised contrastive loss. At inference, the optimized encoder retrieves reasoning-aware demonstrations using semantic similarity and delta scores, enabling frozen-LLM in-context learning with Chain-of-Thought for accurate and interpretable detection. Experiments on few-shot and zero-shot cross-domain benchmarks confirm LogICL achieves state-of-the-art performance across heterogeneous systems. Further analysis via visualizations and case studies confirms LogICL bridges the semantic gap beyond surface lexical similarity, effectively capturing latent semantic equivalence for rapid deployment.
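The two standard terms of the multi-objective loss named in the abstract, maximum mean discrepancy for domain alignment and supervised contrastive loss, as an added example in pure Python that is not LogICL's own code. The embeddings, the RBF kernel width, the temperature and the loss weights are constructed assumptions; the ICL-guided term is not specified on this page and is therefore left out of the combined loss.

```python
"""Added example, not LogICL's own code: the two standard terms of the
multi-objective loss, MMD for source/target domain alignment and supervised
contrastive loss for label structure, in pure Python over constructed 2-d
embeddings. The ICL-guided term is not specified on this page and is omitted."""
import math

# Constructed encoder embeddings. Source logs sit near the origin; the
# target domain is shown before alignment (shifted away) and after it.
SOURCE         = [[0.0, 0.0], [0.1, 0.0], [0.0, 0.1], [0.1, 0.1]]
TARGET_SHIFTED = [[3.0, 3.0], [3.1, 3.0], [3.0, 3.1], [3.1, 3.1]]
TARGET_ALIGNED = [[0.05, 0.0], [0.0, 0.05], [0.1, 0.05], [0.05, 0.1]]

# Constructed labelled embeddings (0 = normal, 1 = anomalous): the first set
# is clustered by label, the second has the same points with labels scrambled.
CLUSTERED = ([[1.0, 0.0], [0.9, 0.1], [0.0, 1.0], [0.1, 0.9]], [0, 0, 1, 1])
SCRAMBLED = ([[1.0, 0.0], [0.0, 1.0], [0.9, 0.1], [0.1, 0.9]], [0, 0, 1, 1])


def rbf(a, b, sigma=1.0):
    """Gaussian (RBF) kernel k(a, b) = exp(-||a-b||^2 / (2 sigma^2))."""
    d2 = sum((x - y) ** 2 for x, y in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma ** 2))


def mmd2(source, target, sigma=1.0):
    """Biased estimate of squared Maximum Mean Discrepancy:
    E k(s,s') + E k(t,t') - 2 E k(s,t). It is 0 when both sets are drawn from
    the same distribution and grows as the domains drift apart, so minimising
    it pulls the target-domain embeddings onto the source manifold."""
    def mean_kernel(xs, ys):
        return sum(rbf(x, y, sigma) for x in xs for y in ys) / (len(xs) * len(ys))
    return (mean_kernel(source, source) + mean_kernel(target, target)
            - 2.0 * mean_kernel(source, target))


def _unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def supcon_loss(embs, labels, tau=0.1):
    """Supervised contrastive loss (Khosla et al., 2020) on L2-normalised
    embeddings: for each anchor i, every same-label sample p is a positive and
    all other samples form the denominator, so same-label logs are pulled
    together and different-label logs pushed apart regardless of domain."""
    z = [_unit(e) for e in embs]
    n = len(z)
    total = 0.0
    for i in range(n):
        positives = [p for p in range(n) if p != i and labels[p] == labels[i]]
        if not positives:
            continue   # an anchor without positives contributes nothing
        logits = {j: sum(a * b for a, b in zip(z[i], z[j])) / tau
                  for j in range(n) if j != i}
        log_denom = math.log(sum(math.exp(v) for v in logits.values()))
        total -= sum(logits[p] - log_denom for p in positives) / len(positives)
    return total / n


def combined_loss(source, target, embs, labels, w_mmd=1.0, w_con=1.0):
    """Weighted sum of the two terms, the shape of a multi-objective loss
    (weights are assumptions; the paper's ICL-guided term is not included)."""
    return w_mmd * mmd2(source, target) + w_con * supcon_loss(embs, labels)


if __name__ == "__main__":
    print("MMD^2 before alignment:", round(mmd2(SOURCE, TARGET_SHIFTED), 4))
    print("MMD^2 after alignment: ", round(mmd2(SOURCE, TARGET_ALIGNED), 4))
    print("SupCon, clustered:", round(supcon_loss(*CLUSTERED), 4))
    print("SupCon, scrambled:", round(supcon_loss(*SCRAMBLED), 4))
```

The MMD term drops from roughly 2 to near 0 once the target embeddings overlap the source ones, and the contrastive term is far smaller when same-label logs cluster than when the labels are scrambled; a kernel width comparable to the embedding spread (here `sigma=1.0`) is needed, since a width much smaller than the inter-domain distance makes the cross-domain kernel vanish and the gradient with it.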
