Abstract

Anomaly-based network Intrusion Detection Systems (IDS) model patterns of normal activity and detect novel network attacks. However, these systems depend on the availability of the system's normal traffic pattern profile, and the statistical fingerprint of normal traffic can change and shift over time due to changes in operational or user activity at the networked site, or even system updates. Such changes in normal traffic patterns over time lead to concept drift. Some changes are temporal or cyclical and can be short-lived, while others last for longer periods. Depending on a number of factors, the speed at which traffic patterns change is also variable, ranging from near-instantaneous to a change spread over many months. These changes in traffic patterns are a cause of concern for IDSs because they can lead to a significant increase in false positive rates, thereby reducing overall system performance. To improve the reliability of the IDS, an automated mechanism is needed to detect valid traffic changes and avoid inappropriate ad hoc responses. ROC curves have historically been used to evaluate the accuracy of IDSs, but ROC curves generated using fixed, time-invariant classification thresholds do not characterize the best accuracy that an IDS can achieve in the presence of concept-drifting network traffic. In this paper, we present an integrated supervised machine learning and control-theoretic model for detecting concept drift in network traffic patterns. The model comprises an online support vector machine based classifier (incremental anomaly-based detection), a Kullback-Leibler divergence based relative entropy measurement scheme (quantifying concept drift) and a feedback control engine (adapting ROC thresholding).
In our proposed system, any intrusion activity will cause significant variations, and thus a large error, while a minor aberration in the variations (concept drift) will not be immediately reported as an alert.
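The following is an added illustration of the abstract's central idea, not code from the paper: a traffic feature (here bytes per flow, a constructed choice) is summarised per time window as a histogram, the Kullback-Leibler divergence of the current window against a learned baseline quantifies how far normal traffic has moved, and a minimal feedback rule folds small divergences (drift) into the baseline while reporting large ones (suspected intrusion) without letting them reshape the baseline. The bin edges, the 0.2-bit alert threshold, the adaptation gain and all window values are assumptions constructed for the demo; the paper's online SVM classifier and ROC-threshold controller are not reproduced here.

```python
"""Concept-drift measurement with Kullback-Leibler divergence.

Added example (not the paper's code). A traffic feature such as bytes per flow
is summarised per time window as a histogram; the relative entropy of the
current window against a learned baseline quantifies how far the traffic has
moved. A small divergence is treated as drift and folded into the baseline; a
large one is reported and deliberately kept out of the baseline. All sample
values below are constructed.
"""
import math

# Bin edges (bytes per flow) are an assumption for the demo, not from the paper.
BIN_EDGES = [100, 1000, 10000]


def histogram(values, edges=BIN_EDGES):
    """Discretise values into len(edges)+1 bins and return a probability
    distribution. Laplace (add-one) smoothing keeps every bin non-zero, which
    is what keeps the divergence finite when a bin is empty in one window."""
    counts = [1.0] * (len(edges) + 1)
    for v in values:
        counts[sum(1 for e in edges if v >= e)] += 1
    total = sum(counts)
    return [c / total for c in counts]


def kl_divergence(p, q):
    """D_KL(P || Q) in bits. Here P is the current window and Q the baseline,
    so the value reads as 'how surprising is the new traffic given the model'."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)


class DriftMonitor:
    """Tracks a baseline distribution and classifies each new window."""

    def __init__(self, alert_threshold=0.2, adapt_rate=0.5, edges=BIN_EDGES):
        self.alert_threshold = alert_threshold  # bits; assumed value, tune per site
        self.adapt_rate = adapt_rate            # feedback gain for the baseline update
        self.edges = edges
        self.baseline = None

    def observe(self, window_values):
        """Return (verdict, divergence) for one window of feature values."""
        current = histogram(window_values, self.edges)
        if self.baseline is None:
            self.baseline = current
            return ("learn", 0.0)
        d = kl_divergence(current, self.baseline)
        if d > self.alert_threshold:
            # Abrupt change: report it, and do not let it reshape the baseline;
            # otherwise anomalous traffic would gradually be learned as normal.
            return ("alert", d)
        # Gradual change: move the baseline toward the current window so the
        # same shift stops looking novel in later windows.
        self.baseline = [(1 - self.adapt_rate) * b + self.adapt_rate * c
                         for b, c in zip(self.baseline, current)]
        return ("adapt", d)


# Constructed windows of bytes-per-flow values.
NORMAL_WINDOW = [50] * 40 + [500] * 40 + [5000] * 15 + [20000] * 5
DRIFT_WINDOW = [50] * 35 + [500] * 40 + [5000] * 20 + [20000] * 5  # slightly larger flows
BURST_WINDOW = [50] * 95 + [500] * 5                                 # sudden flood of tiny flows


def run_demo():
    """Feed the constructed windows through the monitor and return the verdicts."""
    monitor = DriftMonitor()
    return [monitor.observe(w) for w in
            (NORMAL_WINDOW, DRIFT_WINDOW, DRIFT_WINDOW, BURST_WINDOW)]


if __name__ == "__main__":
    for verdict, d in run_demo():
        print(f"{verdict:6s} D_KL={d:.3f} bits")
```

Running the block yields `learn`, then two `adapt` verdicts whose divergence shrinks as the baseline absorbs the drift, then `alert` for the burst window with a divergence several times the threshold. The asymmetry is the point the abstract makes: the monitor adapts to small, persistent shifts but never adapts on a window it has flagged, which is the property a real controller over an IDS threshold also has to preserve.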
