KRONE: Hierarchical and Modular Log Anomaly Detection

Lei Ma, Jinyang Liu, Tieying Zhang, Peter M. VanNostrand, Dennis M. Hofmann, Lei Cao, Elke A. Rundensteiner, Jianjun Chen

TL;DR

KRONE tackles the challenge of detecting anomalies in hierarchical software executions when logs are stored as flat sequences. It introduces the Krone Log Abstraction Model to automatically derive a semantic, three-level execution hierarchy (Entity, Action, Status) and decomposes log sequences into modular Krone Seqs, enabling efficient bottom-up detection. Detection combines fast Local-Context pattern matching with selective Nested-Aware LLM reasoning, supported by training and test knowledge bases, caching, and early exit to balance accuracy and cost. Across four real-world datasets, KRONE yields substantial F1 gains, dramatically reduces LLM usage (to 1.1%–3.3% of test sequences), and achieves up to 117.3x data-space reduction, while also providing interpretable, multi-level anomaly explanations.

Abstract

Log anomaly detection is crucial for uncovering system failures and security risks. Although logs originate from nested component executions with clear boundaries, this structure is lost when they are stored as flat sequences. As a result, state-of-the-art methods risk missing true dependencies within executions while learning spurious ones across unrelated events. We propose KRONE, the first hierarchical anomaly detection framework that automatically derives execution hierarchies from flat logs for modular multi-level anomaly detection. At its core, the KRONE Log Abstraction Model captures application-specific semantic hierarchies from log data. This hierarchy is then leveraged to recursively decompose log sequences into multiple levels of coherent execution chunks, referred to as KRONE Seqs, transforming sequence-level anomaly detection into a set of modular KRONE Seq-level detection tasks. For each test KRONE Seq, KRONE employs a hybrid modular detection mechanism that dynamically routes between an efficient level-independent Local-Context detector, which rapidly filters normal sequences, and a Nested-Aware detector that incorporates cross-level semantic dependencies and supports LLM-based anomaly detection and explanation. KRONE further optimizes hierarchical detection through cached result reuse and early-exit strategies. Experiments on three public benchmarks and one industrial dataset from ByteDance Cloud demonstrate that KRONE achieves consistent improvements in detection accuracy, F1-score, data efficiency, resource efficiency, and interpretability. KRONE improves the F1-score by more than 10 percentage points over prior methods while reducing LLM usage to only a small fraction of the test data.
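The abstract describes the pipeline in outline only: a three-level (Entity, Action, Status) abstraction of each log template, recursive decomposition of a flat sequence into per-level chunks, a fast Local-Context lookup that clears known-normal chunks, and cached reuse plus early exit. The following Python is an added illustration of that shape and is not KRONE's code; the template format (`Entity.Action status`), the chunking rules, the knowledge-base lookup, the "flag for deeper review" fallback standing in for the Nested-Aware/LLM path, and the stop-at-first-anomalous-level policy are all assumptions constructed for this example, as are the log lines.

```python
"""Added illustration, not KRONE's own code: Entity/Action/Status abstraction,
bottom-up decomposition of a flat log sequence, knowledge-base lookup with a
result cache, and early exit at the first level that yields a finding.
Template format, chunking rules and all log lines are constructed here."""
import re

# Constructed template format: "<Entity>.<Action> <status>"
TEMPLATE_RE = re.compile(r"^(?P<entity>\w+)\.(?P<action>\w+)\s+(?P<status>\w+)$")
LEVELS = ("status", "action", "entity")


def abstract_line(line):
    """Map one log template to its (entity, action, status) triple."""
    m = TEMPLATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable template: {line!r}")
    return m.group("entity"), m.group("action"), m.group("status")


def _runs(items, key):
    """Split a list into maximal contiguous runs sharing key(item)."""
    i = 0
    while i < len(items):
        k = key(items[i])
        j = i
        while j < len(items) and key(items[j]) == k:
            j += 1
        yield k, items[i:j]
        i = j


def decompose(lines):
    """Decompose a flat sequence into (context, chunk) pairs at three levels.

    status level: statuses of one contiguous (entity, action) run
    action level: actions of one contiguous entity run
    entity level: the sequence of entity runs over the whole sequence
    """
    triples = [abstract_line(l) for l in lines]
    chunks = {lvl: [] for lvl in LEVELS}
    for (e, a), run in _runs(triples, key=lambda t: (t[0], t[1])):
        chunks["status"].append(((e, a), tuple(t[2] for t in run)))
    action_runs = [ctx for ctx, _ in chunks["status"]]          # (entity, action) per run
    for e, run in _runs(action_runs, key=lambda ctx: ctx[0]):
        chunks["action"].append(((e,), tuple(a for _, a in run)))
    chunks["entity"].append(((), tuple(ctx[0] for ctx, _ in chunks["action"])))
    return chunks


def build_kb(normal_sequences):
    """Knowledge base of chunks observed in normal training sequences, per level."""
    kb = {lvl: set() for lvl in LEVELS}
    for seq in normal_sequences:
        for lvl, items in decompose(seq).items():
            kb[lvl].update(items)
    return kb


def detect(lines, kb, cache=None):
    """Bottom-up detection. Returns (verdict, findings).

    A chunk present in the KB is cleared by fast lookup (Local-Context stand-in);
    anything else is flagged for deeper review with a level-tagged explanation.
    Decisions are memoised in `cache` so repeated chunks are never re-evaluated.
    Assumed early-exit policy: stop after the first level that produced findings.
    """
    cache = {} if cache is None else cache
    chunks = decompose(lines)
    findings = []
    for lvl in LEVELS:
        for ctx, chunk in chunks[lvl]:
            key = (lvl, ctx, chunk)
            if key not in cache:
                cache[key] = "normal" if (ctx, chunk) in kb[lvl] else "review"
            if cache[key] == "review":
                findings.append({"level": lvl, "context": ctx, "chunk": chunk})
        if findings:
            break
    return ("anomaly" if findings else "normal"), findings


# Constructed sample data.
TRAIN = [
    ["Session.login start", "Session.login ok", "Auth.verify start", "Auth.verify ok",
     "Comm.get request", "Comm.get response", "Session.logout ok"],
    ["Session.login start", "Session.login ok", "Auth.verify start", "Auth.verify ok",
     "Comm.get request", "Comm.get response", "Comm.get request", "Comm.get response",
     "Session.logout ok"],
]
# Low-level anomaly: GET request with no response inside the Comm component.
TEST_LOW = ["Session.login start", "Session.login ok", "Auth.verify start", "Auth.verify ok",
            "Comm.get request", "Session.logout ok"]
# High-level anomaly: Session -> Comm transition with no Auth in between.
TEST_HIGH = ["Session.login start", "Session.login ok", "Comm.get request",
             "Comm.get response", "Session.logout ok"]

if __name__ == "__main__":
    kb = build_kb(TRAIN)
    for name, seq in (("train[0]", TRAIN[0]), ("low", TEST_LOW), ("high", TEST_HIGH)):
        print(name, detect(seq, kb))
```

Each level's chunks are independent lookups, which is what makes the flat sequence space collapse: the two training sequences differ in their raw lines but share every action-level and entity-level chunk, and the findings carry the level at which the mismatch occurred, so the missing-response case is reported at the Status level and the skipped-Auth case at the Entity level.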

Paper Structure (22 sections, 2 equations, 14 figures, 7 tables, 2 algorithms)

Figures (14)

  • Figure 1: Hierarchical System, Execution, and Log Anomalies. Low-level anomaly (intra-component): missing response for $\texttt{GET}\_request$ in $Comm$ component. High-level anomaly (inter-component): abnormal component transition $[Session, Comm]$ without $Auth$.
  • Figure 2: Krone Log Abstraction Model of Log Data. a) the example log sequence $L$ with log keys and templates. b) the entities, actions, and statuses extracted from the log templates. c) Krone Tree as the data schema, and Krone Seqs decomposed from example log sequence $L$.
  • Figure 3: Krone Framework. a) Hierarchical Bottom-up Execution. b) Modular Krone Seq Detection: Local-Context Strategy with pattern matching. c) Modular Krone Seq Detection: Nested-Aware Strategy with LLM.
  • Figure 4: Cardinality reduction achieved by Krone. Y-axis in log scale. Black dashed line: total training size; FP: # frequent patterns. CP: # closed patterns. MP: # maximal patterns. S-seq: # Krone S-seqs. $\uparrow$: size increase vs. total train size, $\downarrow$: size decrease vs. total train size.
  • Figure 5: Re-usability of Krone S-seqs. Black dashed line: total occurrences of Krone S-seqs; bar: # unique Krone S-seqs. $\downarrow$: size reduction w.r.t. occurrences.
  • ...and 9 more figures

Theorems & Definitions (5)

  • Definition 1: Log Key and Template
  • Definition 2: Log Sequence
  • Definition 3: Krone Tree
  • Definition 4: Krone Seq
  • Definition 5: Local-Context vs. Nested-Aware Format of Krone Seqs