Fraud Detection & Anomaly Detection • Unsupervised Anomaly Detection (Isolation Forest, Autoencoders)
What is Unsupervised Anomaly Detection?
Unsupervised anomaly detection identifies unusual patterns in data without requiring labeled examples of fraud or normal behavior. The core assumption is that anomalies are rare and structurally different enough from the majority of data that they can be detected by measuring how isolated, or how difficult to reconstruct, they are. This approach is critical in production when you need to catch novel fraud patterns before labels exist; labels typically lag by hours or days.
Two widely adopted techniques are Isolation Forest and Autoencoders. Isolation Forest works by recursively partitioning feature space with random splits. Anomalies live in sparse regions, so they require fewer splits to isolate. The algorithm builds many trees and averages the path length needed to isolate each point. A shorter average path indicates an anomaly. This runs in approximately O(n log n) time for training with subsampling, and scoring is just tree traversal, making it extremely fast.
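The random-split idea above can be sketched with scikit-learn's IsolationForest. The feature values, tree count, and contamination rate here are illustrative assumptions, not a production configuration:

```python
# Sketch: scoring points with scikit-learn's IsolationForest.
# Data, tree count, and contamination rate are illustrative assumptions.
import numpy as np
from sklearn.ensemble import IsolationForest

rng = np.random.default_rng(42)

# Simulate mostly "normal" transactions plus a few far-away outliers
normal = rng.normal(loc=0.0, scale=1.0, size=(1000, 2))
outliers = rng.uniform(low=6.0, high=8.0, size=(10, 2))
X = np.vstack([normal, outliers])

# 200 trees with subsampling; contamination sets the decision threshold
clf = IsolationForest(n_estimators=200, max_samples=256,
                      contamination=0.01, random_state=0)
clf.fit(X)

# score_samples returns higher values for normal points;
# anomalies (short average path length) get lower scores
scores = clf.score_samples(X)
preds = clf.predict(X)  # -1 = anomaly, +1 = normal

print("flagged as anomalous:", int((preds == -1).sum()))
```

Because each tree is built on a small subsample (`max_samples=256` here), training stays cheap even on large datasets, and scoring is just a handful of tree traversals per point.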
Autoencoders take a different approach. They learn a compressed representation of normal data and then reconstruct it. Training minimizes reconstruction error on what you believe is normal traffic. At inference time, samples that do not fit the learned manifold produce higher reconstruction error, flagging them as anomalies. Autoencoders can be simple feedforward networks for tabular data, recurrent networks for time series, or convolutional networks for images. They capture nonlinear relationships and complex patterns that density-based methods might miss.
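A minimal tabular autoencoder can be sketched by training a small multilayer perceptron to reproduce its own input (X → X) through a bottleneck layer, here using scikit-learn's MLPRegressor. The hidden-layer sizes and synthetic data are illustrative assumptions:

```python
# Sketch: tiny tabular autoencoder via MLPRegressor trained to map X -> X.
# Layer sizes and data are illustrative assumptions.
import numpy as np
from sklearn.neural_network import MLPRegressor
from sklearn.preprocessing import StandardScaler

rng = np.random.default_rng(0)

# Train only on presumed-normal traffic
X_normal = rng.normal(size=(2000, 8))
scaler = StandardScaler().fit(X_normal)
Xn = scaler.transform(X_normal)

# The 3-unit bottleneck forces a compressed representation of normal data
ae = MLPRegressor(hidden_layer_sizes=(6, 3, 6), activation="tanh",
                  max_iter=500, random_state=0)
ae.fit(Xn, Xn)

def reconstruction_error(X):
    """Per-sample mean squared reconstruction error."""
    Z = scaler.transform(X)
    return ((ae.predict(Z) - Z) ** 2).mean(axis=1)

# Events far from the training manifold reconstruct poorly
X_anom = rng.normal(loc=5.0, size=(20, 8))
err_normal = reconstruction_error(X_normal[:200])
err_anom = reconstruction_error(X_anom)
print("anomalies score higher:", err_anom.mean() > err_normal.mean())
```

In practice a framework like PyTorch or TensorFlow would be used instead, with the same idea: threshold the per-sample reconstruction error to flag anomalies.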
In production systems at companies like Stripe and PayPal, these unsupervised detectors run as early filters in fraud pipelines. They process 5,000 to 20,000 transactions per second and must return decisions within 50 to 150 milliseconds at p99. The unsupervised layer surfaces the top 0.5 to 2 percent of suspicious events, reducing load on expensive supervised classifiers while catching emerging patterns that have not yet been labeled.
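The "surface the top 0.5 to 2 percent" step amounts to a percentile threshold on the raw anomaly scores. A minimal sketch, assuming a 1 percent escalation budget and synthetic scores:

```python
# Sketch: converting raw anomaly scores into a "top k percent" escalation
# decision for the supervised layer. Scores and the 1% budget are
# illustrative assumptions.
import numpy as np

rng = np.random.default_rng(7)
scores = rng.normal(size=100_000)  # stand-in for per-transaction anomaly scores

# Escalate only the most anomalous 1% of traffic downstream
budget = 0.01
threshold = np.quantile(scores, 1.0 - budget)
escalate = scores > threshold

print("escalated events:", int(escalate.sum()))  # roughly 1% of traffic
```

In a streaming system the threshold would typically be recomputed over a rolling window rather than a static batch, so the escalation rate tracks the budget as score distributions drift.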
💡 Key Takeaways
• Unsupervised detection works without labeled fraud examples, catching novel patterns before labels arrive; labels typically lag by hours or days
• Isolation Forest isolates anomalies with random splits across many trees; sparse anomalies need fewer splits, and training runs in roughly O(n log n) time
• Autoencoders learn to reconstruct normal data and flag high reconstruction error as anomalous, capturing nonlinear patterns on complex manifolds
• Production systems at Stripe and PayPal process 5,000 to 20,000 transactions per second with p99 latency under 150 milliseconds
• Unsupervised layers flag the top 0.5 to 2 percent of events, reducing load on expensive supervised models while maintaining coverage of emerging threats
📌 Examples
Stripe fraud detection: Isolation Forest with 100 to 300 trees scores 50 to 100 features in 0.2 to 0.5 milliseconds per transaction on CPU
PayPal risk service: Small tabular autoencoder with 2 to 3 hidden layers runs inference in 1 to 3 milliseconds per event on CPU
AWS CloudWatch Anomaly Detection: Random Cut Forest (Isolation Forest variant) monitors 500,000 metrics per minute at 8,333 metrics per second
Uber ML platform: Autoencoders deployed with feature stores and streaming inference, scoring multivariate sensor data at 1,000 to 5,000 windows per second per CPU socket