{"id":"https://openalex.org/W4415054571","doi":"https://doi.org/10.48550/arxiv.2509.05936","title":"ALPHA: LLM-Enabled Active Learning for Human-Free Network Anomaly Detection","display_name":"ALPHA: LLM-Enabled Active Learning for Human-Free Network Anomaly Detection","publication_year":2025,"publication_date":"2025-09-07","ids":{"openalex":"https://openalex.org/W4415054571","doi":"https://doi.org/10.48550/arxiv.2509.05936"},"language":"en","primary_location":{"id":"pmh:oai:arXiv.org:2509.05936","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.05936","pdf_url":"https://arxiv.org/pdf/2509.05936","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"type":"preprint","indexed_in":["arxiv","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2509.05936","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5035732692","display_name":"Xuanhao Luo","orcid":"https://orcid.org/0000-0002-8895-7231"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Luo, Xuanhao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Jha, Shivesh Madan Nath","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jha, Shivesh Madan Nath","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5018971016","display_name":"Akruti Sinha","orcid":"https://orcid.org/0000-0002-2179-5629"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sinha, Akruti","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5056381675","display_name":"Zhizhen Li","orcid":"https://orcid.org/0000-0003-0261-6696"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Zhizhen","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5100373048","display_name":"Yuchen Liu","orcid":"https://orcid.org/0000-0002-2097-6348"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Yuchen","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10917","display_name":"Smart Grid Security and Resilience","score":0.9765999913215637,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.7860000133514404},{"id":"https://openalex.org/keywords/annotation","display_name":"Annotation","score":0.6055999994277954},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.5950999855995178},{"id":"https://openalex.org/keywords/active-learning","display_name":"Active learning (machine learning)","score":0.4765999913215637},{"id":"https://openalex.org/keywords/anomaly","display_name":"Anomaly (physics)","score":0.4503999948501587},{"id":"https://openalex.org/keywords/root","display_name":"Root (linguistics)","score":0.40880000591278076},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.40790000557899475},{"id":"https://openalex.org/keywords/supervised-learning","display_name":"Supervised learning","score":0.3797999918460846}],"concepts":[{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.7860000133514404},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6920999884605408},{"id":"https://openalex.org/C2776321320","wikidata":"https://www.wikidata.org/wiki/Q857525","display_name":"Annotation","level":2,"score":0.6055999994277954},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.5950999855995178},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5907999873161316},{"id":"https://openalex.org/C77967617","wikidata":"https://www.wikidata.org/wiki/Q4677561","display_name":"Active learning (machine learning)","level":2,"score":0.4765999913215637},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.46799999475479126},{"id":"https://openalex.org/C12997251","wikidata":"https://www.wikidata.org/wiki/Q567560","display_name":"Anomaly (physics)","level":2,"score":0.4503999948501587},{"id":"https://openalex.org/C171078966","wikidata":"https://www.wikidata.org/wiki/Q111029","display_name":"Root (linguistics)","level":2,"score":0.40880000591278076},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.40790000557899475},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4058000147342682},{"id":"https://openalex.org/C136389625","wikidata":"https://www.wikidata.org/wiki/Q334384","display_name":"Supervised learning","level":3,"score":0.3797999918460846},{"id":"https://openalex.org/C130963320","wikidata":"https://www.wikidata.org/wiki/Q1401207","display_name":"Root cause analysis","level":2,"score":0.3529999852180481},{"id":"https://openalex.org/C58973888","wikidata":"https://www.wikidata.org/wiki/Q1041418","display_name":"Semi-supervised learning","level":2,"score":0.3488999903202057},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.33629998564720154},{"id":"https://openalex.org/C2776145971","wikidata":"https://www.wikidata.org/wiki/Q30673951","display_name":"Labeled data","level":2,"score":0.31769999861717224},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.3052999973297119},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.29750001430511475},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.2646999955177307},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.2623000144958496},{"id":"https://openalex.org/C79337645","wikidata":"https://www.wikidata.org/wiki/Q779824","display_name":"Outlier","level":2,"score":0.26109999418258667},{"id":"https://openalex.org/C94915269","wikidata":"https://www.wikidata.org/wiki/Q1834857","display_name":"Detector","level":2,"score":0.2587999999523163}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:arXiv.org:2509.05936","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.05936","pdf_url":"https://arxiv.org/pdf/2509.05936","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"doi:10.48550/arxiv.2509.05936","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2509.05936","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2509.05936","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.05936","pdf_url":"https://arxiv.org/pdf/2509.05936","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Network":[0],"log":[1,16,61,129],"data":[2,42],"analysis":[3,17,25,153],"plays":[4],"a":[5,108,167],"critical":[6],"role":[7],"in":[8,146,159],"detecting":[9],"security":[10],"threats":[11],"and":[12,22,43,70,169],"operational":[13],"anomalies.":[14],"Traditional":[15],"methods":[18,141],"for":[19,59,172],"anomaly":[20,80,96,176],"detection":[21,81,135],"root":[23,156],"cause":[24,157],"rely":[26],"heavily":[27],"on":[28,119,127],"expert":[29],"knowledge":[30],"or":[31],"fully":[32,139],"supervised":[33,140],"learning":[34],"models,":[35],"both":[36],"of":[37,94],"which":[38],"require":[39],"extensive":[40],"labeled":[41],"significant":[44],"human":[45,144],"effort.":[46],"To":[47,101],"address":[48],"these":[49],"challenges,":[50],"we":[51,106],"propose":[52,107],"ALPHA,":[53],"the":[54,79,103,120,147,160],"first":[55],"Active":[56],"Learning":[57],"Pipeline":[58],"Human-free":[60],"Analysis.":[62],"ALPHA":[63,133,149,166],"integrates":[64],"semantic":[65],"embedding,":[66],"clustering-based":[67],"representative":[68],"sampling,":[69],"large":[71],"language":[72],"model":[73],"(LLM)-assisted":[74],"few-shot":[75,110],"annotation":[76,104],"to":[77,138],"automate":[78],"process.":[82],"The":[83],"LLM":[84],"annotated":[85],"labels":[86],"are":[87],"propagated":[88],"across":[89],"clusters,":[90],"enabling":[91],"large-scale":[92],"training":[93],"an":[95],"detector":[97],"with":[98],"minimal":[99],"supervision.":[100],"enhance":[102],"accuracy,":[105],"two-step":[109],"refinement":[111],"strategy":[112],"that":[113,132],"adaptively":[114],"selects":[115],"informative":[116],"prompts":[117],"based":[118],"LLM's":[121],"observed":[122],"error":[123],"patterns.":[124],"Extensive":[125],"experiments":[126],"real-world":[128],"datasets":[130],"demonstrate":[131],"achieves":[134],"accuracy":[136],"comparable":[137],"while":[142],"mitigating":[143],"efforts":[145],"loop.":[148],"also":[150],"supports":[151],"interpretable":[152],"through":[154],"LLM-driven":[155],"explanations":[158],"post-detection":[161],"stage.":[162],"These":[163],"capabilities":[164],"make":[165],"scalable":[168],"cost-efficient":[170],"solution":[171],"truly":[173],"automated":[174],"log-based":[175],"detection.":[177]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-11T00:00:00"}