[2602.07303] KRONE: Scalable LLM-Augmented Log Anomaly Detection via Hierarchical Abstraction
Computer Science > Databases

arXiv:2602.07303 (cs)

[Submitted on 7 Feb 2026 (v1), last revised 17 Apr 2026 (this version, v3)]

Title: KRONE: Scalable LLM-Augmented Log Anomaly Detection via Hierarchical Abstraction

Authors: Lei Ma, Jinyang Liu, Tieying Zhang, Peter M. VanNostrand, Dennis M. Hofmann, Lei Cao, Elke A. Rundensteiner, Jianjun Chen

Abstract: Log anomaly detection is crucial for uncovering system failures and security risks. Although logs originate from nested component executions with clear boundaries, this structure is lost when stored as flat sequences. As a result, state-of-the-art methods often miss true dependencies within executions while learning spurious correlations across unrelated events. We propose KRONE, the first hierarchical anomaly detection framework that automatically derives execution hierarchies from flat logs to enable modular, multi-level anomaly detection. At its core, the KRONE Log Abstraction Model extracts application-specific semantic hierarchies, which are used to recursively decompose log sequences into coherent execution units, referred to as KRONE Seqs. This transforms sequence-level detection into a set of modular KRONE Seq-level detection tasks. For each test KRONE Seq, KRONE adopts a hybrid modular detection strategy that routes between an efficient level-indepe...