KRONE: Hierarchical and Modular Log Anomaly Detection

📅 2026-02-07
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the limitation of traditional log anomaly detection methods, which overlook the inherent nested execution structures in logs and consequently learn spurious dependencies from flattened sequences, leading to inaccurate anomaly identification. To overcome this, the authors propose KRONE, a novel framework that automatically constructs semantic hierarchical execution structures from raw logs and recursively decomposes them into multi-level coherent KRONE sequences for modular, hierarchical anomaly detection. KRONE integrates lightweight local detectors with nesting-aware detectors, enhanced by early-exit and result-caching mechanisms, and leverages large language models (LLMs) to generate interpretable diagnostic reports. Evaluated on three public benchmarks and an industrial-scale dataset from ByteDance Cloud, KRONE achieves over a 10-point improvement in F1-score while significantly reducing LLM invocation frequency, thereby balancing accuracy, efficiency, and interpretability.

📝 Abstract
Log anomaly detection is crucial for uncovering system failures and security risks. Although logs originate from nested component executions with clear boundaries, this structure is lost when they are stored as flat sequences. As a result, state-of-the-art methods risk missing true dependencies within executions while learning spurious ones across unrelated events. We propose KRONE, the first hierarchical anomaly detection framework that automatically derives execution hierarchies from flat logs for modular multi-level anomaly detection. At its core, the KRONE Log Abstraction Model captures application-specific semantic hierarchies from log data. This hierarchy is then leveraged to recursively decompose log sequences into multiple levels of coherent execution chunks, referred to as KRONE Seqs, transforming sequence-level anomaly detection into a set of modular KRONE Seq-level detection tasks. For each test KRONE Seq, KRONE employs a hybrid modular detection mechanism that dynamically routes between an efficient level-independent Local-Context detector, which rapidly filters normal sequences, and a Nested-Aware detector that incorporates cross-level semantic dependencies and supports LLM-based anomaly detection and explanation. KRONE further optimizes hierarchical detection through cached result reuse and early-exit strategies. Experiments on three public benchmarks and one industrial dataset from ByteDance Cloud demonstrate that KRONE achieves consistent improvements in detection accuracy, F1-score, data efficiency, resource efficiency, and interpretability. KRONE improves the F1-score by more than 10 percentage points over prior methods while reducing LLM usage to only a small fraction of the test data.

Problem

Research questions and friction points this paper is trying to address.

log anomaly detection
execution hierarchy
flat log sequences
semantic dependencies
modular detection

Innovation

Methods, ideas, or system contributions that make the work stand out.

hierarchical anomaly detection
log abstraction
modular detection
execution hierarchy
LLM-based explanation
Lei Ma
Worcester Polytechnic Institute, Worcester, USA
Jinyang Liu
ByteDance Inc., San Jose, USA
Tieying Zhang
Research Scientist at ByteDance
AI for Systems, Systems for AI
Peter M. VanNostrand
Worcester Polytechnic Institute, Worcester, USA
Dennis M. Hofmann
Worcester Polytechnic Institute, Worcester, USA
Lei Cao
Assistant Professor, University of Arizona/Research Scientist, MIT CSAIL
Databases, Machine learning
Elke A. Rundensteiner
Worcester Polytechnic Institute, Worcester, USA
Jianjun Chen
ByteDance
database