Log anomaly detection is crucial for uncovering system failures and security risks. Although logs originate from nested component executions with clear boundaries, this structure is lost when stored as flat sequences. As a result, state-of-the-art methods often miss true dependencies within executions while learning spurious correlations across unrelated events. We propose KRONE, the first hierarchical anomaly detection framework that automatically derives execution hierarchies from flat logs to enable modular, multi-level anomaly detection. At its core, the KRONE Log Abstraction Model extracts application-specific semantic hierarchies, which are used to recursively decompose log sequences into coherent execution units, referred to as KRONE Seqs. This transforms sequence-level detection into a set of modular KRONE Seq-level detection tasks. For each test KRONE Seq, KRONE adopts a hybrid modular detection strategy that routes between an efficient level-independent Local-Context detector for rapid filtering and a Nested-Aware detector that captures cross-level semantic dependencies, augmented with LLM-based anomaly detection and explanation. KRONE further optimizes detection through cached result reuse and early-exit strategies along the hierarchy. Experiments on three public benchmarks and one industrial dataset from ByteDance Cloud demonstrate that KRONE achieves substantial improvements in accuracy (42.49% to 87.98%), F1 score, data efficiency (117.3x reduction), resource efficiency (43.7x reduction), and interpretability. KRONE improves F1-score by 10.07% (82.76% to 92.83%) over prior methods while reducing LLM usage to only 1.1% to 3.3% of the test data. Code: https://github.com/LeiMa0324/KRONE Demo: https://leima0324.github.io/KRONE_Demo_official/

翻译：日志异常检测对于发现系统故障和安全风险至关重要。尽管日志源自具有明确边界的嵌套组件执行过程，但在存储为扁平序列时，这种结构信息会丢失。因此，现有最先进方法常常在捕捉执行内部真实依赖关系的同时，学习到无关事件之间的虚假相关性。我们提出KRONE——首个能够从扁平日志中自动推导执行层次结构，从而支持模块化、多层次异常检测的层次化异常检测框架。其核心是KRONE日志抽象模型，该模型提取特定于应用的语义层次结构，并利用该结构递归地将日志序列分解为连贯的执行单元（称为KRONE序列）。这将序列级检测任务转化为一组模块化的KRONE序列级检测任务。对于每个待测KRONE序列，KRONE采用混合模块化检测策略：在效率优先的层级无关局部上下文检测器（快速过滤）与嵌套感知检测器（捕捉跨层级语义依赖关系，并辅以大语言模型驱动的异常检测与解释）之间进行路由。KRONE还通过沿层次结构缓存结果复用及早退策略进一步优化检测速度。在三个公开基准数据集及字节跳动云工业数据集上的实验表明：KRONE在准确率（从42.49%提升至87.98%）、F1分数、数据效率（降低117.3倍）、资源效率（降低43.7倍）和可解释性方面均实现显著提升。相比现有方法，KRONE将F1分数提高10.07%（从82.76%提升至92.83%），同时将大语言模型使用量控制在测试数据的1.1%至3.3%。代码：https://github.com/LeiMa0324/KRONE 演示：https://leima0324.github.io/KRONE_Demo_official/