This work addresses a critical limitation in existing log-based anomaly detection methods, which typically reduce logs to flat sequences of templates and thereby overlook the implicit multi-relational execution structures among events. To overcome this, the authors propose a novel approach that explicitly reconstructs an underlying state machine from raw logs and formulates a multi-table relational schema encompassing traces, events, states, transitions, and parameters. This schema guides synthetic data generation, preserving rare yet legitimate behaviors while adhering to structural, temporal, and procedural constraints. By uniquely integrating state machine discovery with multi-relational synthetic data generation, the method substantially enhances both the robustness and interpretability of anomaly detection. Experimental results demonstrate that the generated data outperforms baseline approaches in constraint satisfaction, distributional similarity, and workflow fidelity, leading to improved performance in detecting anomalies and defects on real-world datasets.

Software systems generate massive unstructured logs that record execution behavior, failures, and interactions across components, yet existing log anomaly detection methods treat these logs primarily as flat sequences of templates, overlooking the relational execution structure that governs how events co-occur and evolve over time. We propose a framework that discovers this hidden structure by recovering an execution state machine directly from logs and inducing a corresponding multi-table relational schema connecting traces, events, states, transitions, and parameters. This discovered state machine serves as a generative prior to produce realistic multi-relational synthetic data that preserves structural, temporal, and process constraints while amplifying rare but valid execution behaviors. We assess the fidelity of the generated data through constraint validation, distributional similarity, and process-level metrics, and demonstrate its usefulness by showing that augmenting real logs with the synthetic relational data significantly improves anomaly and bug detection on held-out real datasets compared to sequence-based baselines and naive oversampling. Our results show that execution logs implicitly encode a relational database governed by a latent state machine, and that recovering this structure enables principled synthetic data generation for robust and interpretable anomaly detection.