Li, Ruoyu and Zhang, Yu and Li, Qing and Wu, Nengwu and Jiang, Yong and Meng, Weizhi and Cui, Laizhong (2026) Ano2Rule: Rule-Based Global Interpretation for Unsupervised Anomaly Detection in Security. IEEE Transactions on Dependable and Secure Computing. ISSN 1545-5971
TDSC-2025-07-1090_Proof_hi.pdf - Accepted Version
Available under License Creative Commons Attribution.
Abstract
In the realm of cybersecurity, unsupervised anomaly detection models have emerged as pivotal tools for identifying novel threats in dynamic and evolving environments. However, the opaque nature of these black-box models presents a significant barrier to their adoption in high-stakes applications, where model interpretability is essential for trust and deployment. This paper presents a rule-based approach called Ano2Rule that enhances the interpretability of unsupervised anomaly detection. First, we propose the concept of distribution decomposition rules that decompose the complex distribution of normal data into multiple compositional distributions. To find such rules, we design an unsupervised Interior Clustering Tree that incorporates the model prediction into the splitting criteria. Then, we propose the Compositional Boundary Exploration (CBE) algorithm to obtain the boundary inference rules that estimate the decision boundary of the original model on each compositional distribution. By merging these two types of rules into a rule set, we can present the inferential process of the unsupervised black-box model in a human-understandable way, and build a surrogate rule-based model for online deployment at the same time. We validate Ano2Rule through extensive experiments on diverse real-world datasets, including network intrusion detection and IoT security, demonstrating superior fidelity and robustness compared to baseline methods. The results show that Ano2Rule achieves high fidelity with the original model's predictions while providing human-understandable insights.
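The pipeline the abstract describes (decompose the normal distribution into components, estimate the black-box decision boundary per component, merge the pieces into a rule set, and score the surrogate's fidelity against the original model) can be illustrated end to end on a toy problem. The following is an added example written for this page, not the authors' Ano2Rule code: it substitutes k-means for the Interior Clustering Tree and axis-aligned boundary probing for the CBE algorithm, and uses a constructed 2-D dataset with a nearest-neighbour-distance detector standing in for the black-box model. Every name in it is an assumption of this example.

```python
"""Toy surrogate-rule extraction for a black-box anomaly detector (illustration only).

Assumed/constructed for this example: synthetic 2-D normal data made of two
compositional distributions, a distance-based black-box detector, k-means as
the decomposition step, and axis-aligned boundary probing as the boundary
inference step. None of this is the Ano2Rule algorithm itself.
"""
import random
from math import dist

random.seed(7)

# --- Constructed "normal" training data: two well-separated components ---
CENTERS = [(0.0, 0.0), (20.0, 20.0)]
NORMAL = [(cx + random.gauss(0, 1.0), cy + random.gauss(0, 1.0))
          for cx, cy in CENTERS for _ in range(150)]

# --- Black box: flag x if it is farther than THRESHOLD from every normal point ---
THRESHOLD = 1.5

def blackbox_is_anomaly(x):
    """Opaque model we only query, never inspect."""
    return min(dist(x, p) for p in NORMAL) > THRESHOLD

# --- Step 1: decompose the normal distribution (stand-in: Lloyd's k-means) ---
def kmeans(points, k, iters=20):
    """Deterministic k-means with farthest-point initialisation; returns the groups."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist(p, c) for c in centers)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centers[i]))].append(p)
        centers = [(sum(x for x, _ in g) / len(g), sum(y for _, y in g) / len(g))
                   if g else centers[i] for i, g in enumerate(groups)]
    return groups

# --- Step 2: per-component boundary rules (stand-in for boundary exploration) ---
STEP = 0.1
PROBE_LIMIT = 40.0   # stop growing a bound if the black box never objects

def explore_boundary(group):
    """Grow the group's bounding box along each axis, one probe at a time, until
    the black box flags the probe; the result is one interval rule per feature."""
    xs, ys = [x for x, _ in group], [y for _, y in group]
    box = [[min(xs), max(xs)], [min(ys), max(ys)]]
    centre = (sum(xs) / len(xs), sum(ys) / len(ys))
    for d in range(2):            # feature index
        for side in (0, 1):       # lower bound / upper bound
            sign = -1 if side == 0 else 1
            while abs(box[d][side]) < PROBE_LIMIT:
                probe = list(centre)
                probe[d] = box[d][side] + sign * STEP
                if blackbox_is_anomaly(tuple(probe)):
                    break
                box[d][side] += sign * STEP
    return box

# --- Step 3: merge into a rule set and measure fidelity to the black box ---
def extract_rules():
    """Rule set: a point is normal iff it lies inside some component's box."""
    return [explore_boundary(g) for g in kmeans(NORMAL, 2) if g]

def rule_is_anomaly(x, rules):
    return not any(all(lo <= x[d] <= hi for d, (lo, hi) in enumerate(box))
                   for box in rules)

def fidelity(rules, samples):
    """Fraction of samples on which the surrogate agrees with the black box."""
    agree = sum(rule_is_anomaly(s, rules) == blackbox_is_anomaly(s) for s in samples)
    return agree / len(samples)

# Constructed evaluation points spread over and between both components
TEST = [(random.uniform(-8, 28), random.uniform(-8, 28)) for _ in range(400)]

if __name__ == "__main__":
    rules = extract_rules()
    for i, box in enumerate(rules):
        print(f"component {i}: normal iff "
              f"{box[0][0]:.1f} <= x <= {box[0][1]:.1f} and "
              f"{box[1][0]:.1f} <= y <= {box[1][1]:.1f}")
    print(f"fidelity on test points: {fidelity(rules, TEST):.3f}")
```

The printed intervals are the human-readable artefact the abstract is after: each one says, per component, which feature ranges the black box treats as normal, and the union of the boxes is a surrogate that can be deployed without the original model. Where the surrogate and the black box disagree is at the box corners, which is exactly the fidelity loss a practitioner should measure before trusting a rule extraction.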