Unsupervised and Anomaly Detection Methods
摘要
Not all abuse is prelabeled or previously observed, and attackers intentionally create novelty to bypass supervised detectors. This chapter examines unsupervised learning and anomaly detection as discovery and resilience tools within risk systems. It covers clustering, density-based outlier scoring, reconstruction approaches, and distribution monitoring for drift. The chapter emphasizes operationalization: Segment-aware baselines reduce false alarms, interpretable anomaly reasons improve analyst throughput, and prioritization must reflect review capacity and business impact. Anomaly detection is positioned as a triage layer rather than a standalone judge, best paired with human review and supervised models that learn from confirmed outcomes. Because platform behavior changes with campaigns, product launches, and policy shifts, the chapter highlights drift and stability monitoring as first-class uses of unsupervised tooling. Used well, these methods shorten the time to discovery for emerging attacks, expose blind spots, and provide early-warning signals that guide model retraining, rule updates, and policy adjustment. Finally, we show how unsupervised outputs can drive targeted data collection and labeling, accelerating the transition from discovery to supervised prevention as attacks mature. These methods are particularly valuable as an early-warning layer and as a drift monitor that triggers investigation before losses surge.