Our user study shows that the anomaly explanation form of PARs is better understood and favoured by Anomaly detection, which aims to identify data instances regular anomaly detection system users compared with existing that do not conform to the expected behavior, is a classic model-agnostic anomaly explanation options. In our machine learning task with numerous applications in experiments, we demonstrate that it is significantly more various domains including fraud detection, intrusion detection, efficient to find PARs than anchors (Ribeiro, Singh, and predictive maintenance, etc. Over the past decades, numerous Guestrin 2018), another rule-based explanation, for identified methods have been proposed to tackle this challenging anomaly instances. Moreover, PARs are also far more problem. Examples include one-class classificationbased accurate than anchors for anomaly explanation, meaning (Manevitz and Yousef 2001; Ruff et al. 2018), nearest that they have considerably higher precision and recall when neighbor-based (Breunig et al. 2000), clustering-based applied as anomaly detection rules on unseen data other (Jiang and An 2008), isolation-based (Liu, Ting, and Zhou than the anomaly instance on which they were originally derived 2012; Hariri, Kind, and Brunner 2019), density-based (Liu, for explanation. Additionally, we show that PARs can Tan, and Zhou 2022; Feng and Tian 2021) and deep anomaly also achieve higher accuracy on abnormal feature identification detection models based on autoencoders (Zhou and Paffenroth compared with many state-of-the-art model-agnostic 2017; Zong et al. 2018), generative adversarial networks explanation methods including LIME (Ribeiro, Singh, and (Zenati et al. 2018; Han, Chen, and Liu 2021), to Guestrin 2016), SHAP (Lundberg and Lee 2017), COIN name a few.

Anomalies are often indicators of malfunction or inefficiency in various systems such as manufacturing, healthcare, finance, surveillance, to name a few. While the literature is abundant in effective detection algorithms due to this practical relevance, autonomous anomaly detection is rarely used in real-world scenarios. Especially in high-stakes applications, a human-in-the-loop is often involved in processes beyond detection such as verification and troubleshooting. In this work, we introduce ALARM (for Analyst-in-the-Loop Anomaly Reasoning and Management); an end-to-end framework that supports the anomaly mining cycle comprehensively, from detection to action. Besides unsupervised detection of emerging anomalies, it offers anomaly explanations and an interactive GUI for human-in-the-loop processes -- visual exploration, sense-making, and ultimately action-taking via designing new detection rules -- that help close ``the loop'' as the new rules complement rule-based supervised detection, typical of many deployed systems in practice. We demonstrate \method's efficacy through a series of case studies with fraud analysts from the financial industry.