A Graph-Augmented Isolation Forest Using Node2Vec and GraphSAGE for Mobile User Behavior Anomaly Detection
DOI:
https://doi.org/10.62411/jcta.15494Keywords:
Bipartite graph modeling, Cybersecurity analytics, Graph-based learning, Isolation forest, Mobile user behavior analysis, Unsupervised anomaly detection, User behavior modeling, User–feature graphAbstract
This study presents a Graph-Augmented Isolation Forest (GAIF), an unsupervised anomaly-detection framework for analyzing mobile user behavior. The proposed framework represents users and behavioral attributes as a user–feature bipartite graph, enabling the capture of relational dependencies that are not explicitly modeled in conventional vector-based approaches. Low-dimensional user representations are learned through Node2Vec and Graph Sample and Aggregate (GraphSAGE), and the resulting embeddings are subsequently processed by an Isolation Forest to produce anomaly scores. Experiments are conducted on a Mobile Device Usage and User Behavior dataset comprising 700 user profiles derived from application-level behavioral indicators. The dataset is treated as a behavioral abstraction rather than as a malware classification benchmark. A consistent 80:20 stratified train–test split is employed, with all learning-capable operations restricted to the training data to mitigate information leakage. Detection performance is evaluated post hoc using precision, recall, F1-score, and area under the curve (AUC) metrics. Under the evaluated setting, GAIF achieves an F1-score of 0.94 and an AUC of 0.97, demonstrating improved anomaly detection effectiveness relative to representative unsupervised baseline methods. These results are obtained on a static, proxy dataset and should not be interpreted as evidence of real-time deployment capability. Model interpretability is supported through post-hoc Uniform Manifold Approximation and Projection (UMAP) visualizations of the learned embeddings, providing structural insights into anomalous user behavior. Overall, the findings indicate that integrating graph-based representation learning with isolation-based anomaly scoring constitutes a computationally efficient approach for unsupervised mobile user behavior anomaly detection within the scope of this study.References
M. Ashawa and S. Morris, “Analysis of Mobile Malware: A Systematic Review of Evolution and Infection Strategies,” J. Inf. Secur. Cybercrimes Res., vol. 4, no. 2, pp. 103–131, Dec. 2021, doi: 10.26735/KRVI8434.
M. Ahmed, A. Naser Mahmood, and J. Hu, “A survey of network anomaly detection techniques,” J. Netw. Comput. Appl., vol. 60, pp. 19–31, Jan. 2016, doi: 10.1016/j.jnca.2015.11.016.
D. Samariya and A. Thakkar, “A Comprehensive Survey of Anomaly Detection Algorithms,” Ann. Data Sci., vol. 10, pp. 829–850, Nov. 2023, doi: 10.1007/s40745-021-00362-9.
K. G. Mehrotra, C. K. Mohan, and H. Huang, “Anomaly Detection,” in Anomaly Detection Principles and Algorithms, 2017, pp. 21–32. doi: 10.1007/978-3-319-67526-8_2.
R. A. Manzano Sanchez, K. Naik, A. Albasir, M. Zaman, and N. Goel, “Detection of Anomalous Behavior of Smartphone Devices using Changepoint Analysis and Machine Learning Techniques,” Digit. Threat. Res. Pract., vol. 4, no. 1, pp. 1–28, Mar. 2023, doi: 10.1145/3492327.
A. Blaise, M. Bouet, V. Conan, and S. Secci, “Group anomaly detection in mobile app usages: A spatiotemporal convex hull methodology,” Comput. Networks, vol. 216, p. 109277, Oct. 2022, doi: 10.1016/j.comnet.2022.109277.
A. Pathak, U. Barman, and T. S. Kumar, “Machine learning approach to detect android malware using feature-selection based on feature importance score,” J. Eng. Res., vol. 13, no. 2, pp. 712–720, Jun. 2025, doi: 10.1016/j.jer.2024.04.008.
A. Nematzadeh, S. C. Meylan, and T. L. Griffiths, “Evaluating Vector-Space Models of Word Representation, or,The Unreasonable Effectiveness of Counting Words Near Other Words,” in Proceedings of the Annual Meeting of the Cognitive Science Society, 2017. [Online]. Available: https://escholarship.org/uc/item/1kh9p4gj
W. S. Al Farizi, I. Hidayah, and M. N. Rizal, “Isolation Forest Based Anomaly Detection: A Systematic Literature Review,” in 2021 8th International Conference on Information Technology, Computer and Electrical Engineering (ICITACEE), Sep. 2021, pp. 118–122. doi: 10.1109/ICITACEE53184.2021.9617498.
M. Yamauchi, Y. Ohsita, M. Murata, K. Ueda, and Y. Kato, “Anomaly Detection in Smart Home Operation From User Behaviors and Home Conditions,” IEEE Trans. Consum. Electron., vol. 66, no. 2, pp. 183–192, May 2020, doi: 10.1109/TCE.2020.2981636.
M. Zhang, B. Xu, and J. Gong, “An Anomaly Detection Model Based on One-Class SVM to Detect Network Intrusions,” in 2015 11th International Conference on Mobile Ad-hoc and Sensor Networks (MSN), Dec. 2015, pp. 102–107. doi: 10.1109/MSN.2015.40.
O. Alghushairy, R. Alsini, T. Soule, and X. Ma, “A Review of Local Outlier Factor Algorithms for Outlier Detection in Big Data Streams,” Big Data Cogn. Comput., vol. 5, no. 1, p. 1, Dec. 2020, doi: 10.3390/bdcc5010001.
M. S. Parwez, D. B. Rawat, and M. Garuba, “Big Data Analytics for User-Activity Analysis and User-Anomaly Detection in Mobile Wireless Network,” IEEE Trans. Ind. Informatics, vol. 13, no. 4, pp. 2058–2065, Aug. 2017, doi: 10.1109/TII.2017.2650206.
R. Meddeb, F. Jemili, B. Triki, and O. Korbaa, “Anomaly-based Behavioral Detection in Mobile Ad-Hoc Networks,” Procedia Comput. Sci., vol. 159, pp. 77–86, 2019, doi: 10.1016/j.procs.2019.09.162.
H. Li, C. Zhao, Y. Liu, and X. Zhang, “Anomaly detection by discovering bipartite structure on complex networks,” Comput. Networks, vol. 190, p. 107899, May 2021, doi: 10.1016/j.comnet.2021.107899.
Z. Chen and A. Sun, “Anomaly Detection on Dynamic Bipartite Graph with Burstiness,” in 2020 IEEE International Conference on Data Mining (ICDM), Nov. 2020, pp. 966–971. doi: 10.1109/ICDM50108.2020.00110.
X. Wang, H. Dou, D. Dong, and Z. Meng, “Graph anomaly detection based on hybrid node representation learning,” Neural Networks, vol. 185, p. 107169, May 2025, doi: 10.1016/j.neunet.2025.107169.
X. Ma et al., “A Comprehensive Survey on Graph Anomaly Detection With Deep Learning,” IEEE Trans. Knowl. Data Eng., vol. 35, no. 12, pp. 12012–12038, Dec. 2023, doi: 10.1109/TKDE.2021.3118815.
A. A. Ojugo et al., “CoSoGMIR: A Social Graph Contagion Diffusion Framework using the Movement-Interaction-Return Technique,” J. Comput. Theor. Appl., vol. 1, no. 2, pp. 163–173, Dec. 2023, doi: 10.33633/jcta.v1i2.9355.
A. Grover and J. Leskovec, “node2vec: Scalable Feature Learning for Networks,” in Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Aug. 2016, pp. 855–864. doi: 10.1145/2939672.2939754.
W. L. Hamilton, R. Ying, and J. Leskovec, “Inductive Representation Learning on Large Graphs,” in NIPS’17: Proceedings of the 31st International Conference on Neural Information Processing Systems, Sep. 2017, vol. 2017-Decem, no. Nips, pp. 1025–1035. [Online]. Available: http://arxiv.org/abs/1706.02216
H. Zhang, Y. Luo, Q. Yu, L. Sun, X. Li, and Z. Sun, “A Framework of Abnormal Behavior Detection and Classification Based on Big Trajectory Data for Mobile Networks,” Secur. Commun. Networks, vol. 2020, pp. 1–15, Dec. 2020, doi: 10.1155/2020/8858444.
A. P. Ferreira, C. Gupta, P. R. M. Inacio, and M. M. Freire, “Behaviour-based Malware Detection in Mobile Android Platforms Using Machine Learning Algorithms,” J. Wirel. Mob. Networks, Ubiquitous Comput. Dependable Appl., vol. 12, no. 4, pp. 62–88, 2021, doi: 10.22667/JOWUA.2021.12.31.062.
A. P. Binitie et al., “MoBiSafe: an obfuscated single factor authentication mode to enhance secured USSD channel transaction in Nigeria,” Indones. J. Electr. Eng. Comput. Sci., vol. 40, no. 1, p. 426, Oct. 2025, doi: 10.11591/ijeecs.v40.i1.pp426-436.
B. A. P. and B. J. O., “Adapting User Interface Design to Mitigate Shoulder Surfing Attacks in USSD Channel,” African J. Environ. Nat. Sci. Res., vol. 7, no. 1, pp. 13–27, Jan. 2024, doi: 10.52589/AJENSR-DPCGWN0X.
E. V. Ugbotu et al., “Investigating a SMOTE-Tomek Boosted Stacked Learning Scheme for Phishing Website Detection: A Pilot Study,” J. Comput. Theor. Appl., vol. 3, no. 2, pp. 145–159, Oct. 2025, doi: 10.62411/jcta.14472.
J. Burgueño, I. De-la-Bandera, J. Mendoza, D. Palacios, C. Morillas, and R. Barco, “Online Anomaly Detection System for Mobile Networks,” Sensors, vol. 20, no. 24, p. 7232, Dec. 2020, doi: 10.3390/s20247232.
G. Suarez-Tangil, S. K. Dash, M. Ahmadi, J. Kinder, G. Giacinto, and L. Cavallaro, “DroidSieve,” in Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, Mar. 2017, pp. 309–320. doi: 10.1145/3029806.3029825.
D. R. I. M. Setiadi, A. R. Muslikh, S. W. Iriananda, W. Warto, J. Gondohanindijo, and A. A. Ojugo, “Outlier Detection Using Gaussian Mixture Model Clustering to Optimize XGBoost for Credit Approval Prediction,” J. Comput. Theor. Appl., vol. 2, no. 2, pp. 244–255, Nov. 2024, doi: 10.62411/jcta.11638.
A. Adesh, S. G, J. Shetty, and L. Xu, “Local outlier factor for anomaly detection in HPCC systems,” J. Parallel Distrib. Comput., vol. 192, p. 104923, Oct. 2024, doi: 10.1016/j.jpdc.2024.104923.
P. Bountzis, D. Kavallieros, T. Tsikrika, S. Vrochidis, and I. Kompatsiaris, “A deep one-class classifier for network anomaly detection using autoencoders and one-class support vector machines,” Front. Comput. Sci., vol. 7, Oct. 2025, doi: 10.3389/fcomp.2025.1646679.
J. Liu, H. Wang, H. Hang, S. Ma, X. Shen, and Y. Shi, “Self-Supervised Random Forest on Transformed Distribution for Anomaly Detection,” IEEE Trans. Neural Networks Learn. Syst., vol. 36, no. 2, pp. 2675–2689, Feb. 2025, doi: 10.1109/TNNLS.2023.3348833.
T. Lu, Y. Du, L. Ouyang, Q. Chen, and X. Wang, “Android Malware Detection Based on a Hybrid Deep Learning Model,” Secur. Commun. Networks, vol. 2020, pp. 1–11, Aug. 2020, doi: 10.1155/2020/8863617.
W. Ju et al., “A Comprehensive Survey on Deep Graph Representation Learning,” Neural Networks, vol. 173, p. 106207, May 2024, doi: 10.1016/j.neunet.2024.106207.
G. Pang, C. Shen, L. Cao, and A. Van Den Hengel, “Deep Learning for Anomaly Detection,” ACM Comput. Surv., vol. 54, no. 2, pp. 1–38, Mar. 2022, doi: 10.1145/3439950.
A. Modell, J. Larson, M. Turcotte, and A. Bertiger, “A Graph Embedding Approach to User Behavior Anomaly Detection,” in 2021 IEEE International Conference on Big Data (Big Data), Dec. 2021, pp. 2650–2655. doi: 10.1109/BigData52589.2021.9671423.
L. Akoglu, H. Tong, and D. Koutra, “Graph-based Anomaly Detection and Description: A Survey,” arXiv. Apr. 28, 2014. [Online]. Available: http://arxiv.org/abs/1404.4679
P. Veličković, W. Fedus, W. L. Hamilton, P. Liò, Y. Bengio, and R. D. Hjelm, “Deep Graph Infomax,” ArXiv. Dec. 21, 2018. [Online]. Available: http://arxiv.org/abs/1809.10341
H. Kim, B. S. Lee, W.-Y. Shin, and S. Lim, “Graph Anomaly Detection With Graph Neural Networks: Current Status and Challenges,” IEEE Access, vol. 10, pp. 111820–111829, 2022, doi: 10.1109/ACCESS.2022.3211306.
G. Li and J. J. Jung, “Dynamic graph embedding for outlier detection on multiple meteorological time series,” PLoS One, vol. 16, no. 2, p. e0247119, Feb. 2021, doi: 10.1371/journal.pone.0247119.
Bandyopadhyay Sambaran, Vishal Vivek Saley, and Murty M.N., “Integrating Network Embedding and Community Outlier Detection via Multiclass Graph Description,” in Frontiers in Artificial Intelligence and Applications, 2020. doi: 10.3233/FAIA200191.
K. Hoarau, P. U. Tournoux, and T. Razafindralambo, “Unsupervised representation learning for BGP anomaly detection using graph auto-encoders,” ITU J. Futur. Evol. Technol., vol. 5, no. 1, pp. 120–133, Mar. 2024, doi: 10.52953/CTFY7896.
Purushottam Perapu, “Anomaly Detection in User Behaviour Using Machine Learning For Cloud Platforms,” Int. J. Sci. Res. Comput. Sci. Eng. Inf. Technol., vol. 11, no. 3, pp. 805–809, May 2025, doi: 10.32628/CSEIT25113343.
Y. Chabchoub, M. U. Togbe, A. Boly, and R. Chiky, “An In-Depth Study and Improvement of Isolation Forest,” IEEE Access, vol. 10, pp. 10219–10237, 2022, doi: 10.1109/ACCESS.2022.3144425.
X. Kong, J. Wang, Z. Hu, Y. He, X. Zhao, and G. Shen, “Mobile Trajectory Anomaly Detection: Taxonomy, Methodology, Challenges, and Directions,” IEEE Internet Things J., vol. 11, no. 11, pp. 19210–19231, Jun. 2024, doi: 10.1109/JIOT.2024.3376457.
N. R. Palakurti, “Challenges and Future Directions in Anomaly Detection,” in Practical Applications of Data Processing, Algorithms, and Modeling, 2024, pp. 269–284. doi: 10.4018/979-8-3693-2909-2.ch020.
M. Yang and J. Zhang, “Data Anomaly Detection in the Internet of Things: A Review of Current Trends and Research Challenges,” Int. J. Adv. Comput. Sci. Appl., vol. 14, no. 9, 2023, doi: 10.14569/IJACSA.2023.0140901.
M. Bahri, F. Salutari, A. Putina, and M. Sozio, “AutoML: state of the art with a focus on anomaly detection, challenges, and research directions,” Int. J. Data Sci. Anal., vol. 14, no. 2, pp. 113–126, Aug. 2022, doi: 10.1007/s41060-022-00309-0.
D. D. Yao, X. Shu, L. Cheng, and S. J. Stolfo, Anomaly Detection as a Service. Cham: Springer International Publishing, 2018. doi: 10.1007/978-3-031-02354-5.
E. Caville, W. W. Lo, S. Layeghy, and M. Portmann, “Anomal-E: A self-supervised network intrusion detection system based on graph neural networks,” Knowledge-Based Syst., vol. 258, p. 110030, Dec. 2022, doi: 10.1016/j.knosys.2022.110030.
A. Zoubir and B. Missaoui, “Integrating Graph Neural Networks with Scattering Transform for Anomaly Detection,” ArXiv. Apr. 24, 2024. [Online]. Available: http://arxiv.org/abs/2404.10800
T. O. Jejeniwa, T. O. Jejeniwa, and O. S. Owolabi, “Leveraging Hybrid AI for Real-Time Fraud Detection: A Case Study On The Efficacy of Graph Neural Networks and Anomaly Detection In Nigerian Fintechs,” J. Digit. Secur. Forensics, vol. 2, no. 2, pp. 137–143, Dec. 2025, doi: 10.29121/digisecforensics.v2.i2.2025.60.
M. R. Kori, “IFSC-GNN: A Lightweight Graph Neural Framework for Intelligent Anomaly Detection in Cognitive Wireless Sensor Networks,” Int. J. Res. Appl. Sci. Eng. Technol., vol. 13, no. 11, pp. 2115–2120, Nov. 2025, doi: 10.22214/ijraset.2025.75558.
T. K. K. Ho, A. Karami, and N. Armanfard, “Graph Anomaly Detection in Time Series: A Survey,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 47, no. 8, pp. 6990–7009, Aug. 2025, doi: 10.1109/TPAMI.2025.3566620.
O. Okolo, B. Y. Baha, and M. D. Philemon, “Using Causal Graph Model variable selection for BERT models Prediction of Patient Survival in a Clinical Text Discharge Dataset,” J. Futur. Artif. Intell. Technol., vol. 1, no. 4, pp. 455–473, Mar. 2025, doi: 10.62411/faith.3048-3719-61.
W. Chua et al., “Web Traffic Anomaly Detection Using Isolation Forest,” Informatics, vol. 11, no. 4, p. 83, Nov. 2024, doi: 10.3390/informatics11040083.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2026 Amaka Patience Binitie; Sunny Innocent Onyemenem; Nneamaka Christiana Anujeonye, Arnold Adimabua Ojugo, Francesca Avwuru Egbokhare, Tabitha Chukwudi Aghaunor
This work is licensed under a Creative Commons Attribution 4.0 International License.
