Active Learning-based Isolation Forest (ALIF): Enhancing anomaly detection with expert feedback

Abstract

The detection of anomalous behaviours is an emerging need in many applications, particularly in contexts where security and reliability are critical. The definition of anomaly varies depending on the domain; however, it is often impractical or too time consuming to obtain a fully labelled dataset. The use of unsupervised models to overcome the lack of labels often fails to catch domain-specific anomalies as they rely on general definitions of outliers. This paper suggests a novel approach to address this problem, Active Learning-based Isolation Forest (ALIF), reducing the number of required labels and tuning the detector to the definition of anomaly provided by the user. The proposed approach is particularly appealing in scenarios where users can interact and provide feedback to the anomaly detector. Smart monitoring software embedded with anomaly detection capabilities commonly relies on unsupervised models, lacking a way to adjust its prediction: ALIF is able to enhance the capabilities of such systems by exploiting user feedback during common operations. ALIF is a lightweight modification of the popular Isolation Forest that proved superior performance compared to other state-of-the-art algorithms in a multitude of real anomaly detection datasets.