Architecting software monitors for control-flow anomaly detection through large language models and conformance checking

📅 2025-11-14
🤖 AI Summary
Detecting runtime control-flow anomalies in complex systems remains challenging due to “unknown unknowns”—unforeseen deviations beyond predefined specifications. Method: This paper proposes a software monitoring approach integrating large language models (LLMs) with conformance checking. The method leverages LLMs to automatically align design models with source code, generate semantically consistent instrumentation strategies, and construct interpretable, lightweight control-flow models from event logs. Contribution/Results: It is the first work to introduce LLM-driven design-code co-modeling into dynamic monitoring—replacing manual rule specification with end-to-end automated monitor synthesis. Evaluated on a railway traffic management case study, the approach achieves 84.78% control-flow coverage, 96.61% F1-score, and 93.52% AUC for anomaly detection, significantly enhancing system reliability and trustworthiness under unknown environmental conditions.

📝 Abstract
Context: Ensuring high levels of dependability in modern computer-based systems has become increasingly challenging due to their complexity. Although systems are validated at design time, their behavior can be different at run-time, possibly showing control-flow anomalies due to "unknown unknowns". Objective: We aim to detect control-flow anomalies through software monitoring, which verifies run-time behavior by logging software execution and detecting deviations from expected control flow. Methods: We propose a methodology to develop software monitors for control-flow anomaly detection through Large Language Models (LLMs) and conformance checking. The methodology builds on existing software development practices to maintain traditional V&V while providing an additional level of robustness and trustworthiness. It leverages LLMs to link design-time models and implementation code, automating source-code instrumentation. The resulting event logs are analyzed via conformance checking, an explainable and effective technique for control-flow anomaly detection. Results: We test the methodology on a case-study scenario from the European Railway Traffic Management System / European Train Control System (ERTMS/ETCS), which is a railway standard for modern interoperable railways. The results obtained from the ERTMS/ETCS case study demonstrate that LLM-based source-code instrumentation can achieve up to 84.775% control-flow coverage of the reference design-time process model, while the subsequent conformance checking-based anomaly detection reaches a peak performance of 96.610% F1-score and 93.515% AUC. Conclusion: Incorporating domain-specific knowledge to guide LLMs in source-code instrumentation significantly helped in obtaining reliable, high-quality software logs and enabled effective control-flow anomaly detection through conformance checking.
Problem

Research questions and friction points this paper is trying to address.

Detecting control-flow anomalies in software systems during runtime execution
Automating source-code instrumentation using Large Language Models for monitoring
Verifying software behavior conformance against design models through event log analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

Using LLMs to link design models with code
Automating source code instrumentation via LLMs
Applying conformance checking for anomaly detection
Authors

Francesco Vitale
University of Naples Federico II, Via Claudio, 21, Naples, 80125, Italy
Francesco Flammini
Full Professor, PhD in Computer Engineering, IEEE Senior Member, ACM Distinguished Speaker
resilient cyber-physical systems, homeland security, performability modeling, safe autonomy, railway
M. Caporuscio
Linnaeus University, Universitetsplatsen, 1, Växjö, 35252, Sweden
Nicola Mazzocca
University of Naples Federico II, Via Claudio, 21, Naples, 80125, Italy