Incorporating Feedback into Tree-based Anomaly Detection
Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich, Md Amran Siddiqui

TL;DR
This paper introduces a feedback mechanism for tree-based anomaly detection, specifically enhancing Isolation Forests by incorporating analyst input to reduce false positives and improve anomaly ranking in large datasets.
Contribution
It presents a novel, scalable method for integrating binary analyst feedback into Isolation Forests, improving anomaly detection performance.
Findings
Significant performance improvement with feedback integration
Method scales well with large datasets
Enhances the usability of anomaly detection systems
Abstract
Anomaly detectors are often used to produce a ranked list of statistical anomalies, which are examined by human analysts in order to extract the actual anomalies of interest. Unfortunately, in real-world applications, this process can be exceedingly difficult for the analyst since a large fraction of high-ranking anomalies are false positives and not interesting from the application perspective. In this paper, we aim to make the analyst's job easier by allowing for analyst feedback during the investigation process. Ideally, the feedback influences the ranking of the anomaly detector in a way that reduces the number of false positives that must be examined before discovering the anomalies of interest. In particular, we introduce a novel technique for incorporating simple binary feedback into tree-based anomaly detectors. We focus on the Isolation Forest algorithm as a representative…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection · Data Stream Mining Techniques
