
Self-Learning and Configurable IDS for Dynamic Environment

Manish Kumar, M. Hanumanthappa

Section: Research Paper, Product Type: Journal Paper
Volume-2, Issue-11, Page no. 69-75, Nov-2014

Online published on Nov 30, 2014

Copyright © Manish Kumar, M. Hanumanthappa. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


IEEE Style Citation: Manish Kumar, M. Hanumanthappa, “Self-Learning and Configurable IDS for Dynamic Environment,” International Journal of Computer Sciences and Engineering, Vol.2, Issue.11, pp.69-75, 2014.


BibTeX Style Citation:
@article{Kumar_2014,
author = {Manish Kumar and M. Hanumanthappa},
title = {Self-Learning and Configurable IDS for Dynamic Environment},
journal = {International Journal of Computer Sciences and Engineering},
issue_date = {11 2014},
volume = {2},
Issue = {11},
month = {11},
year = {2014},
issn = {2347-2693},
pages = {69-75},
url = {https://www.ijcseonline.org/full_paper_view.php?paper_id=305},
publisher = {IJCSE, Indore, INDIA},
}



Abstract

A major difficulty of any anomaly-based intrusion detection system is that patterns of normal behavior change over time, so the system must be retrained. One of the principal problems of intrusion detection systems based on anomaly detection principles is their error rate, both in terms of false negatives (undetected attacks) and false positives (legitimate traffic labeled as malicious). This problem is amplified by the fact that the sensitivity (and consequently the error rate) varies dynamically as a function of the network traffic. An IDS must be able to adapt to these changes and to distinguish changes in normal behavior from intrusive behavior. In this paper, we address some of the key issues of detecting intrusions when a potential change occurs in the operational environment, and of learning from the changed environment.

Keywords / Index Terms

Network Intrusion Detection System (NIDS), Stream Data Mining, Drift Detection, Early Drift Detection Method (EDDM)
