User Log Anomaly Detection System Based on Isolation Forest

Zhenyuan Yang, Hui Li, Xin Yang, Hu Peng, Jiaoli Shi, Ming Peng, Han Wang, He Bai

2023 2nd International Joint Conference on Information and Communication Engineering (JCICE) (2023)

Abstract
The user log anomaly detection system plays an important role in network operation and network security. By analyzing the logs generated by users, the log anomaly detection system can discover abnormal user behavior in time and automatically notify administrators to handle it. Traditional log anomaly detection systems based on rule matching reduce maintenance cost and improve network security while providing rapid detection. However, such methods suffer from low accuracy, which limits the security they provide for the network. In this paper, we propose a user log anomaly detection system based on isolation forest, which combines the advantages of rule matching and isolation forest. In the system, we first pre-filter the abnormal logs that are easily detected by rule matching, then use isolation forest, an unsupervised learning method, as the log anomaly detection algorithm, which improves detection accuracy while preserving the detection speed of the system. Finally, we optimize the isolation forest model to further improve its detection accuracy. The experimental results show that the detection accuracy of the proposed system is 1%~12% higher than that of traditional log anomaly detection systems using other classical unsupervised anomaly detection algorithms. Furthermore, we test the optimized isolation forest model. The results show that the detection accuracy of the optimized isolation forest model is 0.7% higher than that of the original model.
Keywords
log anomaly detection, isolation forest, network security, user abnormal behavior
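
The two-stage pipeline the abstract describes (rule pre-filter, then isolation forest scoring of what remains), as an added example that is not the paper's implementation. The record fields, the failed-login rule and its threshold, the sample data and all function names are assumptions; the paper's optimizations to the forest are not given on this page and are not reproduced.

```python
import math
import random

# Constructed sample records: (user, hour, failed_logins, mb_out). Not from the paper.
LOGS = [("u%02d" % i, 9 + i % 8, i % 3, 40 + (i * 7) % 25) for i in range(30)]
LOGS += [("mallory", 10, 45, 50),  # blatant: caught by the rule stage
         ("eve", 3, 1, 900)]       # passes the rule, odd hour and volume

def rule_hit(rec):
    """Stage 1: cheap rule match (hypothetical rule: 20+ failed logins)."""
    return rec[2] >= 20

def c(n):
    """Average path length of an unsuccessful binary-search-tree lookup."""
    if n <= 2:
        return float(n == 2)
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def path_length(x, pts, rng, depth, limit):
    """Walk x down one random isolation tree, building only x's branch."""
    if depth >= limit or len(pts) <= 1:
        return depth + c(len(pts))
    f = rng.randrange(len(x))                      # random feature
    lo, hi = min(p[f] for p in pts), max(p[f] for p in pts)
    if lo == hi:                                   # cannot split further
        return depth + c(len(pts))
    split = rng.uniform(lo, hi)                    # random split value
    side = [p for p in pts if (p[f] < split) == (x[f] < split)]
    return path_length(x, side, rng, depth + 1, limit)

def scores(points, trees=100, psi=256, seed=7):
    """Isolation forest score in (0, 1]; values near 1 isolate quickly."""
    n = min(psi, len(points))
    limit = math.ceil(math.log2(max(n, 2)))        # standard depth cap
    out = []
    for x in points:
        total = 0.0
        for t in range(trees):
            rng = random.Random(seed + t)  # same seed per tree for every x
            total += path_length(x, rng.sample(points, n), rng, 0, limit)
        out.append(2 ** (-(total / trees) / max(c(n), 1.0)))
    return out

def detect(logs, top=1):
    """Stage 1 removes rule hits; stage 2 ranks the rest by forest score."""
    flagged = [r for r in logs if rule_hit(r)]
    rest = [r for r in logs if not rule_hit(r)]
    ranked = sorted(zip(scores([r[1:] for r in rest]), rest), reverse=True)
    return flagged, [r for _, r in ranked[:top]]

if __name__ == "__main__":
    print(detect(LOGS))
```

Removing rule hits before scoring keeps blatant records out of the forest's subsample, so they neither cost scoring time nor stretch the feature ranges the random splits are drawn from.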