Handle Concept Drift Research Articles

Experts still needed: boosting long-term android malware detection with active learning

The continuous evolution of cyber threats imposes a critical challenge to malware detection systems, so operational detection solutions in real-world settings must keep up-to-date malware knowledge databases. Machine learning-based solutions are not exempt from this requirement as handling concept drift constitutes the primary building block for keeping high detection performance in the long term. However, maintaining non-stationary malware detection models is highly demanding due to the high cost of labeling. This study applies several active learning-based approaches for maintaining a non-stationary model for Android malware detection in a 7-year-long time frame and conducts a comprehensive analysis to understand the impact of feature space selection, different data balancing techniques, and timestamping methods, utilized for locating the instances along the historical timeline, on the model’s detection performance over time. The detection accuracy and labeling costs are compared with various baselines. Additionally, the study investigates the resilience of such models against noisy labeling, a common problem in production environments due to unintentional expert errors and adversarial attacks. This research fills a significant gap in the literature by conducting a comprehensive analysis of active learning approaches to address concept drift in non-stationary settings established for mobile malware detection.

OnsitNet: A memory-capable online time series forecasting model incorporating a self-attention mechanism

Traditional time series (TS) forecasting models are based on fixed, static datasets and lack scalability when faced with the continuous influx of data in real-world scenarios. Real-time online learning of data streams is crucial for improving forecasting efficiency. However, few studies focus on online TS forecasting, and existing approaches have several limitations. Most current online TS forecasting models merely train on data streams and are ineffective in handling concept drift scenarios. Furthermore, they often fail to adequately consider dependencies between variables and do not leverage the robust modeling capabilities of offline models. Therefore, we propose an innovative online learning method called OnsitNet. It consists of multiple learning modules that progressively expand the receptive field of convolutional kernels within the learning modules using an exponentially growing dilation factor, aiding in the capture of multi-scale data features. Within the learning modules, we propose an online learning strategy focusing on memorizing concept drift scenarios, with a fast learner, memorizer, and Pearson trigger. The Pearson trigger activates dynamic interaction between the fast learner and memorizer by detecting new data patterns, facilitating online rapid learning of data streams. To capture the dependencies between variables, we propose a new model, SITransformer, which is a streamlined version of the offline model ITransformer. Unlike the traditional Transformer, it reverses the roles of the feed-forward network and the attention mechanism. This inverted architecture is more effective at learning the correlations between variables. Experimental results on five real-world datasets show OnsitNet achieves lower online prediction errors, enabling timely and effective forecasting of future trends in TS data.

Evolving cybersecurity frontiers: A comprehensive survey on concept drift and feature dynamics aware machine and deep learning in intrusion detection systems

Intrusion Detection Systems (IDS) have become pivotal in safeguarding information systems against evolving threats. Concurrently, Concept Drift presents a significant challenge in machine learning, affecting the adaptability and accuracy of predictive models in dynamic environments. Understanding the synergy between IDS and Concept Drift is crucial for developing robust security systems. The motivation behind this survey is driven by the emerging complexities in cyber threats and the dynamic nature of data streams, which necessitate advanced IDS capable of adapting to Concept and Feature Drift. Our analysis reveals a glaring omission in the existing literature—the integration of Concept Drift and Feature Drift within IDS. Most studies have focused on Concept Drift in a general context or on IDS but have yet to comprehensively consider the implications of data dynamics. This oversight has led to a fragmented understanding and suboptimal approaches to tackling modern cyber threats. To address this, we propose a comprehensive review that delves into the role of machine learning in IDS, explicitly focusing on Concept and Feature Drift. We have proposed a framework that includes all the necessary components for a drift-aware IDS. The framework incorporates dynamic feature selection, adaptive learning algorithms, and continuous monitoring techniques to handle Concept Drift and Feature Drift effectively. The survey highlights state-of-the-art methodologies and current challenges in integrating these concepts. The methodology involves an exhaustive analysis of published works from 2019 to 2024, comparing and contrasting various models and approaches. This includes a detailed examination of Concept Drift-aware IDS methods, dynamic feature selection techniques, and the impact of high dimensionality in IDS. These quantitative improvements underscore the necessity for developing adaptive and resilient IDS. The survey uncovers under-represented areas in current research, paving the way for future investigations. By highlighting these gaps and providing comparative data, the survey sets a clear direction for upcoming research efforts to foster the development of more dynamic and adaptable IDS solutions. The quantitative experimental evaluation of the proposed framework is planned to be conducted in a future article, where we will assess its effectiveness and performance in real-world scenarios.

An experimental review of the ensemble-based data stream classification algorithms in non-stationary environments

Data streams are sequences of fast-growing and high-speed data points that typically suffer from the infinite length, large volume, and specifically unstable data distribution. Ensemble learning as a prevalent classification approach is widely used in data stream mining studies. Besides the impressive performance of ensemble learning algorithms in providing a collection of diverse and accurate classifiers, they are specifically efficient in handling non-stationary data streams. Due to the component-based nature and the chance of dynamic updates for the components of the ensemble, this category is appropriate for dynamically learning the changing concepts of the data. Several review research have been conducted on the challenges of non-stationary data streams so far. None of the available surveys are dedicated to examine the effect of ensemble learning models on concept drift handling. This paper aims to provide a thorough theoretical and experimental review of the most significant ensemble-based data stream classification approaches in confronting with various types of concept drifts. In this comprehensive experimental analysis, 21 state-of-the-art ensemble algorithms are tested on 30 synthetic datasets under various types and volumes of concept drifts. This experimental analysis involves analyzing the classification accuracy, kappa score and running time of the algorithms, along with performing various statistical tests. In addition to conducting experimental analysis, a comprehensive investigation is carried out on the most significant challenges posed by non-stationary data streams, which provides the reader with valuable insights.

An Ensemble Methods of Predicting the New Labels with Concept Drift from a High-Dimensional Data Stream

Multi-Label Learning (MLL) has arisen in data engineering to identify instances based on a specific feature associated with a collection of labels. Adaptive learning necessitates classifying features with New Labels (NLs) if a data stream contains newer perspectives. As a result, an MLL with Emerging Multiple NLs (MuEMNL) and managing High-Dimensional data streams (MuEMNLHD) approaches were developed that divides the NL sets into multiple NLs for efficient classification. However, it did not handle concept drift issues when huge amounts of data arrived at high speeds using limited resources. Hence, this article proposes an adaptive ensemble learning approach to cope with a huge amount of data streams and solve concept drift issues by constructing a MuEMNL-Ensemble Neural Network (ENN) rather than a random forest classifier. It defines the number of NNs in the ensemble, whether or not they use constructive pruning, how many hidden nodes each NN uses, and how many training samples are used to train each NN independently. Also, to solve the concept drifts, pairwise and non-pairwise diversity measures are analyzed while constructing ensemble NN for efficient training using the entire learning examples. Moreover, the tradeoff between the NN’s precision and diversity is maintained simultaneously. At last, the test outcomes reveal that the proposed approach attains a better performance contrasted with the existing MLL approaches.

Effective and Efficient Android Malware Detection and Category Classification Using the Enhanced KronoDroid Dataset

Android is the most widely used mobile operating system and responsible for handling a wide variety of data from simple messages to sensitive banking details. The explosive increase in malware targeting this platform has made it imperative to adopt machine learning approaches for effective malware detection and classification. Since its release in 2008, the Android platform has changed substantially and there has also been a significant increase in the number, complexity, and evolution of malware that target this platform. This rapid evolution quickly renders existing malware datasets out of date and has a degrading impact on machine learning-based detection models. Many studies have been carried out to explore the effectiveness of various machine learning models for Android malware detection. Majority of these studies use datasets that have compiled using static or dynamic analysis of malware but the use of hybrid analysis approaches has not been addressed completely. Likewise, the impact of malware evolution has not been fully investigated. Although some of the models have achieved exceptional results, their performance deteriorated for evolving malware and they were also not effective against antidynamic malware. In this paper, we address both these limitations by creating an enhanced subset of the KronoDroid dataset and using it to develop a supervised machine learning model capable of detecting evolving and antidynamic malware. The original KronoDroid dataset contains malware samples from 2008 to 2020, making it effective for the detection of evolving malware and handling concept drift. Also, the dynamic features are collected by executing the malware on a real device, making it effective for handling antidynamic malware. We create an enhanced subset of this dataset by adding malware category labels with the help of multiple online repositories. Then, we train multiple supervised machine learning models and use the ExtraTree classifier to select the top 50 features. Our results show that the random forest (RF) model has the highest accuracy of 98.03% for malware detection and 87.56% for malware category classification (for 15 malware categories).

A Novel Neural Ensemble Architecture for On-the-fly Classification of Evolving Text Streams

We study on-the-fly classification of evolving text streams in which the relation between the input data and target labels changes over time—i.e., “concept drift.” These variations decrease the model’s performance, as predictions become less accurate over time and they necessitate a more adaptable system. While most studies focus on concept drift detection and handling with ensemble approaches, the application of neural models in this area is relatively less studied. We introduce Adaptive Neural Ensemble Network ( AdaNEN ), a novel ensemble-based neural approach, capable of handling concept drift in data streams. With our novel architecture, we address some of the problems neural models face when exploited for online adaptive learning environments. Most current studies address concept drift detection and handling in numerical streams, and the evolving text stream classification remains relatively unexplored. We hypothesize that the lack of public and large-scale experimental data could be one reason. To this end, we propose a method based on an existing approach for generating evolving text streams by introducing various types of concept drifts to real-world text datasets. We provide an extensive evaluation of our proposed approach using 12 state-of-the-art baselines and 13 datasets. We first evaluate concept drift handling capability of AdaNEN and the baseline models on evolving numerical streams; this aims to demonstrate the concept drift handling capabilities of our method on a general spectrum and motivate its use in evolving text streams. The models are then evaluated in evolving text stream classification. Our experimental results show that AdaNEN consistently outperforms the existing approaches in terms of predictive performance with conservative efficiency.

An Incremental Naive Bayes Learner for Real-time Health Prediction

Healthcare monitoring systems have improved with the Internet of Things and machine learning prediction models. Traditional batch machine-learning approaches cannot generate an effective model since most data will be continuous and real-time. Real-time medical data processing is challenging since the entire data is unavailable during prediction. Here, a continuous model adaptation based on incremental learning is demanded. The development of such a system can significantly improve patient outcomes and reduce healthcare costs. This paper proposes an Incremental Naive Bayes Learner that can handle concept drifts in data. The algorithm keeps a sliding window of data constantly updated as new data is added. The adaptive window size determines how much data is used to train the model at any given time. After processing each chunk of data, the algorithm calculates the model’s accuracy. The system detects a concept drift and dynamically updates the training set if the accuracy drops below a predefined threshold. We conducted a comparative evaluation of state-of-the-art batch and incremental learning algorithms on different medical datasets, demonstrating the impact of incremental learning. The results demonstrate the effectiveness of our approach: the Agrawal dataset achieved the highest accuracy at 66.6%, followed by Dialysis at 61.6%, while Liver and HCC achieved 50% and 58.3% accuracy, respectively. This approach ensures a sustained high level of accuracy in healthcare monitoring systems over time, even amidst concept drift.

A fast online stacked regressor to handle concept drifts

The number of algorithms based on Extreme Learning Machine (ELM), which train Single Layer Feedforward Neural Networks (SLFN), has increased in the past years due to their fast training stages and good generalization performances. Many variants have been proposed, which deal with outliers, with online learning and other characteristics. Recently, Fast Deep Stacked Network (FDSN) was proposed, which is an alternative to large ELM networks with similar performances using less memory than ELM-based algorithms. Regarding online methods, which deal with data that arrives over time considering concept drift, ensemble approaches are one of the most promising categories of these methods. FDSN can be viewed as an ensemble of SLFN, where the network output is the output of the most recent SLFN. In this paper, we propose Online Sequential FDSN (OSFDSN), which is similar to FDSN, but each of its SLFN modules has a weighted contribution to the network output. These weights are dynamically calculated, according to the most recent data. We compare our method with some other similar techniques with implementations publicly available. Our conducted experiments show that the proposed technique is statistically equivalent to the others when considering RMSE, while having a faster updating scheme.

Smoclust: synthetic minority oversampling based on stream clustering for evolving data streams

Many real-world data stream applications not only suffer from concept drift but also class imbalance. Yet, very few existing studies investigated this joint challenge. Data difficulty factors, which have been shown to be key challenges in class imbalanced data streams, are not taken into account by existing approaches when learning class imbalanced data streams. In this work, we propose a drift adaptable oversampling strategy to synthesise minority class examples based on stream clustering. The motivation is that stream clustering methods continuously update themselves to reflect the characteristics of the current underlying concept, including data difficulty factors. This nature can potentially be used to compress past information without caching data in the memory explicitly. Based on the compressed information, synthetic examples can be created within the region that recently generated new minority class examples. Experiments with artificial and real-world data streams show that the proposed approach can handle concept drift involving different minority class decomposition better than existing approaches, especially when the data stream is severely class imbalanced and presenting high proportions of safe and borderline minority class examples.

METER: A Dynamic Concept Adaptation Framework for Online Anomaly Detection

Real-time analytics and decision-making require online anomaly detection (OAD) to handle drifts in data streams efficiently and effectively. Unfortunately, existing approaches are often constrained by their limited detection capacity and slow adaptation to evolving data streams, inhibiting their efficacy and efficiency in handling concept drift , which is a major challenge in evolving data streams. In this paper, we introduce METER, a novel dynamic concept adaptation framework that introduces a new paradigm for OAD. METER addresses concept drift by first training a base detection model on historical data to capture recurring central concepts , and then learning to dynamically adapt to new concepts in data streams upon detecting concept drift. Particularly, METER employs a novel dynamic concept adaptation technique that leverages a hypernetwork to dynamically generate the parameter shift of the base detection model, providing a more effective and efficient solution than conventional retraining or fine-tuning approaches. Further, METER incorporates a lightweight drift detection controller, underpinned by evidential deep learning, to support robust and interpretable concept drift detection. We conduct an extensive experimental evaluation, and the results show that METER significantly outperforms existing OAD approaches in various application scenarios.

An adaptive XGBoost-based optimized sliding window for concept drift handling in non-stationary spatiotemporal data streams classifications

An adaptive XGBoost-based optimized sliding window for concept drift handling in non-stationary spatiotemporal data streams classifications

DARWIN: An online deep learning approach to handle concept drifts in predictive process monitoring

Predictive process monitoring (PPM) is a specific task under the umbrella of Process Mining that aims to predict several factors of a business process (e.g., next activity prediction) based on the knowledge learned from historical event logs. Despite recent PPM algorithms have gained predictive accuracy using deep learning, they commonly perform an offline analysis of event data assuming that logged processes remain in a steady state over time. However, this is often not the real-world case due to concept drifts. The main goal of this work is to solve the next-activity prediction problem under dynamic conditions of business data streams. To this aim, we propose DARWIN as a novel PPM method that detects concept drifts and adapts a deep neural model to concept drifts. A deep empirical analysis of different factors that may influence the performance of DARWIN in streaming scenarios is provided. Experiments with various benchmark event streams show the effectiveness of the proposed approach.

Handling concept drift in deep learning applications for process monitoring

As machine learning applications transcend from laboratories to real-world operations in manufacturing use cases such as intelligent maintenance and quality control, questions regarding their continuous reliability and robustness arise. Static datasets used to develop machine learning models can only capture a subset of possible real-world conditions. Instances of concept drift, such as changing environmental-, equipment- and operating conditions may, over time, significantly degrade the performance of machine learning models, compromising safety, acceptance, and economics if not properly addressed. It is thus necessary to (1) detect drifts and (2) efficiently adapt the model to dynamically changing conditions. In this work, we propose a framework to tackle the issue of drift detection by utilizing the underlying neural network's uncertainty. We demonstrate the framework's effectiveness in a case study involving process monitoring of a real-world CNC milling process. The dataset includes accelerometer data and multiple types of realistic concept drifts. In addition, we introduce a methodology for inducing controllable, synthetic concept drift through a simulated sensor rotation. Our experiments show that the introduced drifts lead to a strong performance degradation of the model, which highlights the relevance for practitioners. All drifts are detected using the proposed framework, enabling continuously reliable applications.

Dynamic Incremental Ensemble Fuzzy Classifier for Data Streams in Green Internet of Things

Due to the fast, dynamic, and continuous arrival of data streams in the green Internet of Things (IoT) environment, the probability distribution of data streams changes over time. In real IoT scenarios such as unmanned aerial vehicle (UAV) detection and smart light switch control, data distribution changes have reduced the trained model’s accuracy for data streams problems classification, making it challenging to detect UAV intruders and predict whether energy-saving lamps in smart buildings are on or off. In this paper, an incremental ensemble classification method is proposed to improve prediction accuracy for green IoT. Specifically, a fuzzy rule-based classifier is combined with a dynamic weighting algorithm for improving classification accuracy. Moreover, the model is updated by incrementally learning the characteristics of data streams, which can effectively handle concept drift caused by data distribution changes in data streams. Experimental evaluations of UAV intrusion detection, smart buildings, and other datasets show that the proposed approach yields 2% higher area under the curve (AUC) and geometric mean (G-mean) than existing methods on UAV Detection and Occupancy datasets and 5% higher AUC and G-mean on five benchmarking datasets. For all datasets, the proposed approach yields 50% faster average training time than other methods.

A novel technique for detecting sudden concept drift in healthcare data using multi-linear artificial intelligence techniques.

A financial market is a platform to produce data streams continuously and around 1. 145 Trillion MB of data per day. Estimation and the analysis of unknown or dynamic behaviors of these systems is one the challenging tasks. Analysis of these systems is very much essential to strengthen the environmental parameters to stabilize society activities. This can elevate the living style of society to the next level. In this connection, the proposed paper is trying to accommodate the financial data stream using the sliding window approach and random forest algorithm to provide a solution to handle concept drift in the financial market to stabilize the behavior of the system through drift estimation. The proposed approach provides promising results in terms of accuracy in detecting concept drift over the state of existing drift detection methods like one class drifts detection (OCDD), Adaptive Windowing ADWIN), and the Page-Hinckley test.

Review of ensemble classification over data streams based on supervised and semi-supervised

Most data stream ensemble classification algorithms use supervised learning. This method needs to use a large number of labeled data to train the classifier, and the cost of obtaining labeled data is very high. Therefore, the semi supervised learning algorithm using labeled data and unlabeled data to train the classifier becomes more and more popular. This article is the first to review data stream ensemble classification methods from the perspectives of supervised learning and semi-supervised learning. Firstly, basic classifiers such as decision trees, neural networks, and support vector machines are introduced from the perspective of supervised learning and semi-supervised learning. Secondly, the key technologies in data stream ensemble classification are explained from the two aspects of incremental and online. Finally, the majority voting and weight voting are explained in the ensemble strategies. The different ensemble methods are summarized and the classic algorithms are quantitatively analyzed. Further research directions are given, including the handling of concept drift under supervised and semi-supervised learning, the study of homogeneous ensemble and heterogeneous ensemble, and the classification of data stream ensemble under unsupervised learning.

DDG-DA: Data Distribution Generation for Predictable Concept Drift Adaptation

In many real-world scenarios, we often deal with streaming data that is sequentially collected over time. Due to the non-stationary nature of the environment, the streaming data distribution may change in unpredictable ways, which is known as the concept drift in the literature. To handle concept drift, previous methods first detect when/where the concept drift happens and then adapt models to fit the distribution of the latest data. However, there are still many cases that some underlying factors of environment evolution are predictable, making it possible to model the future concept drift trend of the streaming data, while such cases are not fully explored in previous work. In this paper, we propose a novel method DDG-DA, that can effectively forecast the evolution of data distribution and improve the performance of models. Specifically, we first train a predictor to estimate the future data distribution, then leverage it to generate training samples, and finally train models on the generated data. We conduct experiments on three real-world tasks (forecasting on stock price trend, electricity load and solar irradiance) and obtained significant improvement on multiple widely-used models.

An adaptive deep learning framework for day-ahead forecasting of photovoltaic power generation

Accurate forecasts of photovoltaic power generation (PVPG) are essential to optimize operations between energy supply and demand. Recently, the propagation of sensors and smart meters has produced an enormous volume of data, which supports the data-driven models for PVPG forecasting. Although emerging deep learning (DL) models, such as the long short-term memory (LSTM), based on historical data, have provided effective solutions for PVPG forecasting with great successes, these models utilize offline learning. As a result, DL models cannot take advantage of the opportunity to learn from newly-arrived data, and are unable to handle concept drift caused by installing extra PV units and unforeseen PV unit failures. Consequently, to improve day-ahead PVPG forecasting accuracy, as well as eliminate the impacts of concept drift, this paper proposes an adaptive LSTM (AD-LSTM), which is a DL framework that can not only acquire general knowledge from historical data, but also dynamically learn specific knowledge from newly-arrived data. A two-phase adaptive learning strategy (TP-ALS) is integrated into AD-LSTM, and a sliding window (SDWIN) algorithm is proposed, to detect concept drift in PV systems. Multiple datasets from PV systems are utilized to assess the feasibility and effectiveness of the proposed approaches. The developed AD-LSTM model demonstrates greater forecasting capability than the conventional offline LSTM model, particularly in the presence of concept drift. The forecasting skill of AD-LSTM can be improved up to 73.11%. Additionally, the proposed AD-LSTM model also achieves superior performance in terms of day-ahead PVPG forecasting for individual days and multiple days to other reference models in the literature.

Concept drift and cross-device behavior: Challenges and implications for effective android malware detection

The large body of Android malware research has demonstrated that machine learning methods can provide high performance for detecting Android malware. However, the vast majority of studies underestimate the evolving nature of the threat landscape, which requires the creation of a model life-cycle to ensure effective continuous detection in real-world settings over time. In this study, we modeled the concept drift issue of Android malware detection, encompassing the years between 2011 and 2018, using dynamic feature sets (i.e., system calls) derived from Android apps. The relevant studies in the literature have not focused on the timestamp selection approach and its critical impact on effective drift modeling. We evaluated and compared distinct timestamp alternatives. Our experimental results show that a widely used timestamp in the literature yields poor results over time and that enhanced concept drift handling is achieved when an app internal timestamp was used. Additionally, this study sheds light on the usage of distinct data sources and their impact on concept drift modeling. We identified that dynamic features obtained for individual apps from different data sources (i.e., emulator and real device) show significant differences that can distort the modeling results. Therefore, the data sources should be considered and their fusion preferably avoided while creating the training and testing data sets. Our analysis is supported using a global interpretation method to comprehend and characterize the evolution of Android apps throughout the years from a data source-related perspective.