TL;DR
KRONE is a hierarchical log anomaly detection framework that automatically derives execution hierarchies from flat logs, enabling modular detection and significantly improving accuracy, efficiency, and interpretability.
Contribution
It introduces a novel hierarchical anomaly detection approach that extracts semantic hierarchies from logs and combines multiple detectors with LLM-based analysis.
Findings
Achieves 42.49% to 87.98% accuracy improvements
Reduces data and resource usage by over 100x
Improves F1-score by 10.07% over prior methods
Abstract
Log anomaly detection is crucial for uncovering system failures and security risks. Although logs originate from nested component executions with clear boundaries, this structure is lost when stored as flat sequences. As a result, state-of-the-art methods often miss true dependencies within executions while learning spurious correlations across unrelated events. We propose KRONE, the first hierarchical anomaly detection framework that automatically derives execution hierarchies from flat logs to enable modular, multi-level anomaly detection. At its core, the KRONE Log Abstraction Model extracts application-specific semantic hierarchies, which are used to recursively decompose log sequences into coherent execution units, referred to as KRONE Seqs. This transforms sequence-level detection into a set of modular KRONE Seq-level detection tasks. For each test KRONE Seq, KRONE adopts a hybrid…
