This study presents a Graph-Augmented Isolation Forest (GAIF), an unsupervised anomaly-detection framework for analyzing mobile user behavior. The proposed framework represents users and behavioral attributes as a user–feature bipartite graph, enabling the capture of relational dependencies that are not explicitly modeled in conventional vector-based approaches. Low-dimensional user representations are learned through Node2Vec and Graph Sample and Aggregate (GraphSAGE), and the resulting embeddings are subsequently processed by an Isolation Forest to produce anomaly scores. Experiments are conducted on a Mobile Device Usage and User Behavior dataset comprising 700 user profiles derived from application-level behavioral indicators. The dataset is treated as a behavioral abstraction rather than as a malware classification benchmark. A consistent 80:20 stratified train–test split is employed, with all learning-capable operations restricted to the training data to mitigate information leakage. Detection performance is evaluated post hoc using precision, recall, F1-score, and area under the curve (AUC) metrics. Under the evaluated setting, GAIF achieves an F1-score of 0.94 and an AUC of 0.97, demonstrating improved anomaly detection effectiveness relative to representative unsupervised baseline methods. These results are obtained on a static, proxy dataset and should not be interpreted as evidence of real-time deployment capability. Model interpretability is supported through post-hoc Uniform Manifold Approximation and Projection (UMAP) visualizations of the learned embeddings, providing structural insights into anomalous user behavior. Overall, the findings indicate that integrating graph-based representation learning with isolation-based anomaly scoring constitutes a computationally efficient approach for unsupervised mobile user behavior anomaly detection within the scope of this study.
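The pipeline described above, as an added example that is not the authors' implementation: a user–feature bipartite graph is built from training users only, each user is embedded by the normalized degree of its feature nodes (a fixed stand-in for the learned Node2Vec/GraphSAGE embeddings), and an isolation forest fitted on those embeddings scores held-out users. The attribute names, bins and users are constructed, and all function names are hypothetical.

```python
import math
import random
from collections import defaultdict

ATTRS = ("app_usage", "screen_on", "data_usage")  # assumed attribute names

def pick(n):  # constructed bin pattern: 60% mid, 30% low, 10% high
    return "high" if n % 10 == 9 else "low" if n % 10 >= 6 else "mid"

# Constructed sample users (one bin per attribute); TEST is never used for fitting.
TRAIN = [(pick(i), pick(3 * i), pick(7 * i)) for i in range(60)]
TEST = {"typical": ("mid", "mid", "mid"), "outlier": ("high", "high", "high")}

def build_graph(users):  # bipartite graph as feature node -> set of user ids
    graph = defaultdict(set)
    for uid, bins in enumerate(users):
        for edge in zip(ATTRS, bins):
            graph[edge].add(uid)
    return graph

def embed(bins, graph, n):  # stand-in for Node2Vec/GraphSAGE: neighbor degrees
    return [len(graph.get(edge, ())) / n for edge in zip(ATTRS, bins)]

def c(n):  # expected path length of an unsuccessful BST search over n points
    if n <= 2:
        return float(n == 2)
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def grow(pts, depth, limit, rng):  # leaf = point count, node = (dim, cut, lo, hi)
    dims = [d for d in range(len(ATTRS)) if len({p[d] for p in pts}) > 1]
    if depth >= limit or not dims:
        return len(pts)
    d = rng.choice(dims)
    t = rng.uniform(min(p[d] for p in pts), max(p[d] for p in pts))
    return (d, t, grow([p for p in pts if p[d] < t], depth + 1, limit, rng),
            grow([p for p in pts if p[d] >= t], depth + 1, limit, rng))

def path_len(x, node, depth=0):  # depth reached by x, plus c(leaf size)
    if isinstance(node, int):
        return depth + c(node)
    d, t, lo, hi = node
    return path_len(x, lo if x[d] < t else hi, depth + 1)

def run(n_trees=100, seed=7):  # returns anomaly score per held-out user
    n, rng = len(TRAIN), random.Random(seed)
    graph = build_graph(TRAIN)  # graph and forest see training users only
    vecs = [embed(u, graph, n) for u in TRAIN]
    forest = [grow(vecs, 0, math.ceil(math.log2(n)), rng) for _ in range(n_trees)]
    mean = lambda x: sum(path_len(x, t) for t in forest) / n_trees
    return {k: 2 ** (-mean(embed(u, graph, n)) / c(n)) for k, u in TEST.items()}
```

Calling `run()` returns a score in (0, 1) per held-out user, with higher values meaning the user is isolated in fewer splits; a feature bin never seen in training embeds as 0 without altering the training graph.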
Copyrights © 2026