LogRAIL: A Retrieval-Augmented LLM Reverification Layer for Log Anomaly Detection

Abstract

Android logs vary across devices, build versions, and deployment cycles and may contain missing or out-of-order entries, making reliable anomaly detection difficult. To address this problem, we propose LogRAIL, a two-stage framework in which the first stage selects candidate anomaly windows and the second stage performs reverification. Raw logs are normalized into templates, and a transformer-based sequence classifier processes fixed-length windows of log templates to produce anomaly decisions and scores. A retrieval-augmented large language model inference layer (RAIL) then re-evaluates only windows near the decision threshold and applies either a precision-oriented mode to reduce false positives or a recall-oriented mode to reduce false negatives. The model also provides a concise reason for each decision. In both operating modes, LogRAIL improves F1-score over Stage 1 while enabling controlled precision–recall trade-offs aligned with operational objectives. These results show that LogRAIL provides per-window decision explanations and supporting templates, offering template-based rationales for post-detection review and reporting.

Keywords

Weapons of mass destruction; Feeds; Protocols; Communication systems; IP networks; Information and communication technology; Communications technology; Computer networks; Telecommunications; Electronic messaging; Android log analysis; anomaly detection; deep learning; large-language model; log normalization; retrieval-augmented generation; sequence classification; transformer

Title
LogRAIL: A Retrieval-Augmented LLM Reverification Layer for Log Anomaly Detection
Authors
Choi, Wongwang; Park, Donghee; Kim, Myeonggwan; Cho, Subin; Lee, Seonghun; Park, Jaehwa; Park, Ho-Hyun
DOI
10.1109/ACCESS.2026.3688834
Publication date
2026
Type
Article
Journal
IEEE Access
Volume
14
Pages
65899 ~ 65911