A Behavioral Anomaly Detection Framework for Academic Information Systems Using Isolation Forest: A Case Study of Students and Academic Staff
DOI:
https://doi.org/10.65405/qt152954Keywords:
Academic Information Systems; Cybersecurity; User Behavior Analysis; Anomaly Detection; Isolation Forest; Machine Learning; Behavioral Analytics.Abstract
Academic Information Systems (AIS) have become essential platforms for managing educational and administrative activities, making them attractive targets for cybersecurity threats. Although conventional authentication mechanisms verify user identities during login, they provide limited capability for detecting abnormal user behavior after successful authentication. This study proposes a machine learning-based behavioral anomaly detection framework for Academic Information Systems using the Isolation Forest algorithm. The proposed framework integrates user session records, audit logs, and user role information into a unified behavioral dataset extracted from a real operational Academic Information System. A database view was developed to aggregate behavioral information from multiple relational tables, resulting in a dataset containing 3,090 authenticated user sessions described by 15 behavioral attributes. After feature engineering and preprocessing, 12 behavioral features were used to train the Isolation Forest model. Three contamination values (0.01, 0.03, and 0.05) were experimentally evaluated to investigate their influence on anomaly detection performance. The final model, configured with a contamination value of 0.05, identified 155 anomalous sessions, corresponding to an anomaly detection rate of 5.02%.
Statistical analyses demonstrated that the proposed framework successfully distinguished behavioral deviations using temporal characteristics, session properties, user roles, and database activity patterns without requiring labeled attack data. The findings indicate that the proposed framework can serve as an effective early-warning behavioral monitoring mechanism to support cybersecurity in Academic Information Systems while preserving the advantages of unsupervised machine learning.
Downloads
References
[1] F. T. Liu, K. M. Ting, and Z.-H. Zhou, “Isolation Forest,” in Proceedings of the 8th IEEE International Conference on Data Mining (ICDM), Pisa, Italy, 2008, pp. 413–422.
[2] F. T. Liu, K. M. Ting, and Z.-H. Zhou, “Isolation-Based Anomaly Detection,” ACM Transactions on Knowledge Discovery from Data, vol. 6, no. 1, pp. 1–39, Mar. 2012.
[3] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly Detection: A Survey,” ACM Computing Surveys, vol. 41, no. 3, pp. 1–58, Jul. 2009.
[4] A. L. Buczak and E. Guven, “A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection,” IEEE Communications Surveys & Tutorials, vol. 18, no. 2, pp. 1153–1176, 2016.
[5] M. Ahmed, A. N. Mahmood, and J. Hu, “A Survey of Network Anomaly Detection Techniques,” Journal of Network and Computer Applications, vol. 60, pp. 19–31, Jan. 2016.
[6] P. A. Legg, O. Buckley, M. Goldsmith, and S. Creese, “Automated Insider Threat Detection System Using User and Role-Based Profile Assessment,” IEEE Systems Journal, vol. 11, no. 2, pp. 503–512, Jun. 2017.
[6] Alnnale, T. (2026). Predictive Governance in Digital Enterprises: An LSTM-Enhanced Deep Learning Framework for Economic Optimization of IT Incident Management Using Enriched Process Logs. Al-Farooq Journal of Sciences, 2(3), 86-113.











