FIG. 13 · ATLAS
Isolation Forest
Outliers are easy to isolate.
Randomly split features until every point is alone in its leaf. Anomalies require fewer splits to isolate — so the average path length in a forest of random trees becomes an anomaly score.
The shading is the anomaly score across the canvas. Bright accent means high score (likely outlier). Points with a score above the threshold are circled. Move the threshold slider to tune precision vs recall; move n_trees to feel the variance reduction from averaging more trees.
§ I · The score, contoured
Bright regions are where the forest expects to find anomalies. Each circled point is flagged above your threshold.
§ II · How it works
Build a forest of trees. Each tree is grown by picking a random feature, picking a random split value within that feature's range, and recursing. Stop when every leaf has one point (or you've hit a depth limit).
Now run a query point down every tree and record how deep it lands. If the point is in a dense region, it takes many splits to isolate (deep leaves). If it's an outlier, the random splits will typically isolate it fast (shallow leaves). Average path length across the forest becomes the score — shorter paths mean more anomalous.
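The two steps above can be sketched in plain Python. This is a minimal illustration, not a production implementation: points are tuples, trees are nested dicts, and the helper names `grow_tree` and `path_length` are made up for this sketch. It also omits the standard correction for depth-capped leaves that hold more than one point.

```python
import random

def grow_tree(points, depth=0, max_depth=10):
    """Recursively isolate points with random axis-aligned splits.

    Leaves record how many points remain and at what depth.
    (A full implementation would add a c(size) adjustment for
    capped leaves with more than one point.)"""
    if len(points) <= 1 or depth >= max_depth:
        return {"size": len(points), "depth": depth}
    dim = random.randrange(len(points[0]))      # pick a random feature
    lo = min(p[dim] for p in points)
    hi = max(p[dim] for p in points)
    if lo == hi:                                # feature is constant here
        return {"size": len(points), "depth": depth}
    split = random.uniform(lo, hi)              # random split in its range
    left = [p for p in points if p[dim] < split]
    right = [p for p in points if p[dim] >= split]
    return {"dim": dim, "split": split,
            "left": grow_tree(left, depth + 1, max_depth),
            "right": grow_tree(right, depth + 1, max_depth)}

def path_length(tree, x):
    """Depth at which query point x lands in one tree."""
    while "split" in tree:
        tree = tree["left"] if x[tree["dim"]] < tree["split"] else tree["right"]
    return tree["depth"]
```

Averaging `path_length` over many trees gives the raw score: an outlier far from a dense cluster lands in shallow leaves far more often than a cluster point does.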
What's elegant: there is no notion of "normal" or "outlier" in the training step. The model simply quantifies how easy each point is to separate. Anomalies fall out as a property of the structure rather than a hand-tuned threshold.
The math
For sub-sample size ψ, the expected path length of a randomly drawn point in an iTree is the average BST search-failure path:
c(ψ) = 2H(ψ − 1) − 2(ψ − 1)/ψ

where H(i) is the harmonic number, approximately ln(i) + 0.5772 (the Euler–Mascheroni constant). The anomaly score for point x is:

s(x) = 2^(−E[h(x)] / c(ψ))

where E[h(x)] is the average path length across the forest. A score close to 1 → strong anomaly. A score near 0.5 → indistinguishable from normal.
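The normalization is two short functions. A hedged sketch (function names `c` and `anomaly_score` are illustrative), using the harmonic-number approximation from the formula above:

```python
import math

EULER_GAMMA = 0.5772156649

def c(psi):
    """c(ψ) = 2H(ψ − 1) − 2(ψ − 1)/ψ, with H(i) ≈ ln(i) + γ."""
    if psi <= 1:
        return 0.0
    harmonic = math.log(psi - 1) + EULER_GAMMA
    return 2.0 * harmonic - 2.0 * (psi - 1) / psi

def anomaly_score(avg_path, psi):
    """s(x) = 2^(−E[h(x)] / c(ψ)): near 1 → anomaly, near 0.5 → normal."""
    return 2.0 ** (-avg_path / c(psi))
```

Note the built-in calibration: a point whose average path length equals c(ψ), i.e. the BST expectation, scores exactly 0.5, regardless of ψ.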
§ III · Where it shines, where it breaks
High-dimensional anomalies
Random splits scale to thousands of features without breaking a sweat. Each tree only uses a sub-sample, so training is sub-linear in n. Production fraud detection at major credit-card networks and banks runs on isolation forests.
No labels needed
Anomaly detection is rarely supervised — you don't have labeled fraud examples in advance. Isolation Forest is fully unsupervised and works without any prior assumption about what "normal" looks like.
Local-density anomalies
Points that are anomalous within a local neighborhood but globally dense get missed. Local Outlier Factor (LOF) handles that scenario by computing density relative to local neighbors rather than the whole space.
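To make the failure mode concrete, here is a small sketch using scikit-learn's `LocalOutlierFactor` (the two-cluster setup and the specific point are invented for illustration): a point sitting just outside a very tight cluster is unremarkable by global density, but its LOF, computed relative to its 20 nearest neighbors, flags it.

```python
import numpy as np
from sklearn.neighbors import LocalOutlierFactor

rng = np.random.default_rng(0)
tight = rng.normal(0.0, 0.1, size=(100, 2))   # very tight cluster at the origin
loose = rng.normal(5.0, 2.0, size=(100, 2))   # diffuse cluster nearby
odd = np.array([[0.0, 1.0]])                  # globally dense region,
X = np.vstack([tight, loose, odd])            # but locally anomalous

lof = LocalOutlierFactor(n_neighbors=20)
labels = lof.fit_predict(X)   # -1 = outlier relative to its local neighborhood
```

The odd point's local reachability density is far below that of its tight-cluster neighbors, so its factor is large and it gets labeled −1, while a global method would see nothing unusual about that coordinate range.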
Threshold is your call
Move the threshold slider above. There's no principled way to set it without labeled validation data. Production systems either use unsupervised heuristics (top 1% by score) or a small labeled sample to calibrate precision/recall.
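The top-fraction heuristic maps directly onto scikit-learn's `IsolationForest`, whose `contamination` parameter sets the score threshold so that a chosen fraction of training points is flagged. A minimal sketch (the synthetic two-part dataset is invented for illustration):

```python
import numpy as np
from sklearn.ensemble import IsolationForest

rng = np.random.default_rng(0)
X = np.vstack([rng.normal(0, 1, size=(500, 2)),    # dense "normal" cloud
               rng.uniform(-8, 8, size=(5, 2))])   # a few scattered points

# contamination=0.01 places the threshold so ~1% of points are flagged.
clf = IsolationForest(n_estimators=200, contamination=0.01, random_state=0)
labels = clf.fit_predict(X)      # -1 = flagged anomaly, +1 = inlier
scores = clf.score_samples(X)    # sklearn convention: higher = more normal
```

With labeled validation data you would instead sweep the threshold over `scores` and pick the operating point on the precision/recall curve; `contamination` is only the unsupervised fallback.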
§ IV · Trade-off scorecard
- Inference: 0.70
- Accuracy: 0.75
- Training: 0.65
- Small size: 0.65
§ V · In production
Credit-card fraud detection at major US issuers. Isolation Forest runs in real-time over hundreds of transaction features — merchant, amount, time, location, device fingerprint — flagging high-score events for second-stage review or hold. Volume is hundreds of millions of transactions per day; anomaly rate is on the order of 0.1%. The unsupervised property is essential because new fraud patterns appear faster than they can be labeled.