Enhancing Detection of Anomaly-Based Intrusions in Smart Health Using Explainable AI

Anomaly-based threat detection is crucial for organizations. Anomalies are deviations from the norm and can sometimes be hard to identify in contextual cases. These anomalies may arise from an insider-based malicious intrusion. Anomalies are mostly unsupervised and sometimes require expert validation to confirm their occurrence. The black-box nature of unsupervised machine learning models offers little insight into the origin and details of the anomaly. Thus, there is a need for an explanation layer in anomaly detection systems to aid decision-makers in tracking anomalies. Anomaly-based threat detection is critical for smart health scenarios. In this research, we have utilized the electronic patient record to identify unsupervised anomalies. We have suggested adding an explainability layer that utilizes unsupervised learning. The results indicated that Isolation Forest outperformed the other methods on the clustering metrics, as validated by the explainability layer. Lime and Shap are used to visually explain the anomaly's cause using feature contributions. User-friendly, explainable captions are generated for each anomaly instance, enabling non-technical users to easily understand the results from Lime and Shap. Three metrics, fidelity, sparsity, and stability, are used to validate the explanation layer, which explains each instance of an anomaly: fidelity requires R² ≥ 0.70 , sparsity favors a smaller number of features that provide user-friendly results, and stability is high. Finally, a Lime-Shap agreement is used to validate the results for each anomaly instance across all Explanations (all seeds). The proposed scheme adds trust to unsupervised learning results, thereby increasing user confidence in the anomaly detection algorithm's outcomes and aiding decision-makers.