$K^4$: Online Log Anomaly Detection Via Unsupervised Typicality Learning

TL;DR

$K^4$ is an unsupervised, fast, and parser-independent framework for online log anomaly detection that achieves state-of-the-art accuracy using compact descriptors and efficient k-NN statistics.

Contribution

It introduces $K^4$, a novel method transforming log embeddings into four-dimensional descriptors for high-performance online anomaly detection without retraining.

Findings

Achieves AUROC of 0.995-0.999, setting new state-of-the-art.

Training time under 4 seconds; inference as low as 4 microseconds.

Outperforms existing baselines by large margins.

Abstract

Existing Log Anomaly Detection (LogAD) methods are often slow, dependent on error-prone parsing, and use unrealistic evaluation protocols. We introduce $K^4$, an unsupervised and parser-independent framework for high-performance online detection. $K^4$ transforms arbitrary log embeddings into compact four-dimensional descriptors (Precision, Recall, Density, Coverage) using efficient k-nearest neighbor (k-NN) statistics. These descriptors enable lightweight detectors to accurately score anomalies without retraining. Using a more realistic online evaluation protocol, $K^4$ sets a new state-of-the-art (AUROC: 0.995-0.999), outperforming baselines by large margins while being orders of magnitude faster, with training under 4 seconds and inference as low as 4 $\mu$s.