Refining Decision Boundaries In Anomaly Detection Using Similarity Search Within the Feature Space

TL;DR

This paper presents SDA2E, a novel autoencoder with similarity-guided active learning strategies and a new similarity measure, significantly improving anomaly detection in highly imbalanced datasets like cybersecurity threats.

Contribution

Introduces SDA2E, a sparse autoencoder with a similarity-guided active learning framework and a new similarity measure, enhancing decision boundary refinement in anomaly detection.

Findings

Achieves superior ranking performance with nDCG up to 1.0.

Reduces labeled data requirement by up to 80%.

Outperforms 15 state-of-the-art methods across 52 datasets.

Abstract

Detecting rare and diverse anomalies in highly imbalanced datasets-such as Advanced Persistent Threats (APTs) in cybersecurity-remains a fundamental challenge for machine learning systems. Active learning offers a promising direction by strategically querying an oracle to minimize labeling effort, yet conventional approaches often fail to exploit the intrinsic geometric structure of the feature space for model refinement. In this paper, we introduce SDA2E, a Sparse Dual Adversarial Attention-based AutoEncoder designed to learn compact and discriminative latent representations from imbalanced, high-dimensional data. We further propose a similarity-guided active learning framework that integrates three novel strategies to refine decision boundaries efficiently: mormal-like expansion, which enriches the training set with points similar to labeled normals to improve reconstruction fidelity; anomaly-like prioritization, which boosts ranking accuracy by focusing on points resembling known anomalies; and a hybrid strategy that combines both for balanced model refinement and ranking. A key component of our framework is a new similarity measure, Normalized Matching 1s (SIM_NM1), tailored for sparse binary embeddings. We evaluate SDA2E extensively across 52 imbalanced datasets, including multiple DARPA Transparent Computing scenarios, and benchmark it against 15 state-of-the-art anomaly detection methods. Results demonstrate that SDA2E consistently achieves superior ranking performance (nDCG up to 1.0 in several cases) while reducing the required labeled data by up to 80% compared to passive training. Statistical tests confirm the significance of these improvements. Our work establishes a robust, efficient, and statistically validated framework for anomaly detection that is particularly suited to cybersecurity applications such as APT detection.