网络异常检测领域概念漂移问题研究综述

doi:10.11871/jfdc.issn.2096-742X.2024.01.015

数据与计算发展前沿 ›› 2024, Vol. 6 ›› Issue (1): 162-178.

CSTR: 32002.14.jfdc.CN10-1649/TP.2024.01.015

doi: 10.11871/jfdc.issn.2096-742X.2024.01.015

网络异常检测领域概念漂移问题研究综述

杜冠瑶¹(),郭勇杰^1,²,龙春^1,^*(),赵静¹,万巍¹

1.中国科学院计算机网络信息中心，北京 100083
2.中国科学院大学，北京 100190

收稿日期:2023-08-01 出版日期:2024-02-20 发布日期:2024-02-21
通讯作者: * 龙春（E-mail: anquanip@cnic.cn）
作者简介:杜冠瑶，中国科学院计算机网络信息中心，网络空间安全技术与应用发展部高级工程师，博士，中国科学院大学硕士研究生导师，在国内外重要刊物及会议发表学术论文20余篇，其中一作12篇，SCI收录5篇。主要研究方向网络攻击监测、安全大数据智能分析，网络安全智能协同保障。
本文负责文章构思、撰写和细节修改。
DU Guanyao is a senior engineer in the Department of Network Space Security Technology and Application Development at the Computer Network Information Center, Chinese Academy of Sciences. She holds a Ph.D. degree and serves as a master's supervisor at the University of Chinese Academy of Sciences. She has published over 20 academic papers in domestic and international journals and conferences, with 12 of them as the first author and 5 being SCI indexed. Her research interests include network attack monitoring, intelligent analysis of security big data, and intelligent collaborative security in cyberspace.
In this paper, she is responsible for conceptualizing the article, writing, and refining details.
E-mail: duguanyao@cnic.cn|龙春，中国科学院计算机网络信息中心，网络空间安全技术与应用发展部部长，正高级工程师，博士，中国科学院大学博士研究生导师，先后主持国家下一代互联网安全专项、国家发改委信息安全专项，主持中国科学院网络安全保障体系建设工程专项，承担中国科学院网络空间安全战略性先导科技专项课题。主要研究方向为网络与系统安全监测与分析、数据安全、主动网络安全保障。
本文负责论文框架指导，并提供有效建议。
LONG Chun, the Director of the Department of Network Space Security Technology and Application Development at the Computer Network Information Center, Chinese Academy of Sciences, is a senior engineer with a Ph.D. degree. He also serves as a Ph.D. supervisor at the University of Chinese Academy of Sciences. He has successively led national projects, including the National Next-Generation Internet Security Special Project and the Information Security Special Project of the National Development and Reform Commission. As the head of the project for the construction of the security system of the Chinese Academy of Sciences, he has undertaken key projects of the Strategic Pioneering Science and Technology Program of the Chinese Academy of Sciences. His research interests include network and system security monitoring and analysis, data security, and proactive network security assurance.
In this paper, he is responsible for guiding the research and providing effective advice.
E-mail: anquanip@cnic.cn
基金资助:
中国科学院战略性先导科技专项（C类）项目(XDC02030600);网络安全保障体系建设工程（三期）(CAS-WX2022GC-04);面向新兴业务应用的自动化安全防护关键技术研究(SGTYHT/21-JS-223);中国科学院网络安全和信息化专项应用示范项目(CAS-WX2022SF-0401)

A Review of Concept Drift in the Field of Network Anomaly Detection

DU Guanyao¹(),GUO Yongjie^1,²,LONG Chun^1,^*(),ZHAO Jing¹,WAN Wei¹

1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China
2. University of Chinese Academy of Sciences, Beijing 100190, China

Received:2023-08-01 Online:2024-02-20 Published:2024-02-21

摘要/Abstract

摘要：

【目的】随着网络技术的快速发展和广泛应用，网络异常检测作为保护网络安全和维护系统正常运行的手段变得越来越重要。然而，网络中异常行为和攻击手段不断变化，给异常检测带来了新的挑战。其中，概念漂移问题是网络异常检测领域中受到广泛关注的难点之一。【方法】本综述旨在对网络异常检测领域中概念漂移问题进行研究分析和总结。与前人的研究相比，本文将专注于网络异常检测领域的流数据。【文献范围】首先，对概念漂移进行详细介绍，包括定义、产生原因和特点。通过对概念漂移的全面理解，可以为后续的检测方法提供指导。其次，系统性地介绍了概念漂移检测方法，主要包括基于统计的方法、机器学习方法和深度学习方法等，并对比了各类方法的优缺点和适用场景。最后，探讨了概念漂移在未来可能的研究方向。【结论】本文聚焦于网络异常检测领域的概念漂移问题，通过详细介绍概念漂移的定义、产生原因和特点，以及深入分析和总结针对流数据概念漂移的检测方法，为未来研究方向提供了有价值的参考和指导。

关键词: 概念漂移, 网络异常检测, 数据分布, 模型更新

Abstract:

[Purpose] With the rapid development and widespread application of network technology, network anomaly detection has become increasingly crucial as a means to safeguard network security and maintain the normal operation of systems. However, the evolving nature of abnormal behaviors and attack methods in networks presents new challenges to anomaly detection. Among these challenges, the concept drift problem is one of the widely recognized complexities in the field of network anomaly detection. [Methods] This review aims to conduct research analysis and summarization on the concept drift problem in the field of network anomaly detection. In comparison to previous studies, this paper will focus specifically on the field of flow data in network anomaly detection. [Literature Scope] Firstly, a detailed introduction to concept drift is provided, including its definition, causes, and characteristics. A comprehensive understanding of concept drift is intended to guide subsequent detection methods. Secondly, a systematic introduction to concept drift detection methods is presented, primarily including statistical methods, machine learning methods, and deep learning methods, while comparing the advantages, disadvantages, and application scenarios of each method. Finally, potential future research directions for concept drift are discussed. [Conclusion] This paper centers on the concept drift problem in the field of network anomaly detection. By providing a detailed introduction to the definition, causes, and characteristics of concept drift and conducting an in-depth analysis and summarization of concept drift detection methods tailored for flow data, the paper offers valuable references and guidance for future research directions.

Key words: concept drift, network anomaly detection, data distribution, model updating

杜冠瑶, 郭勇杰, 龙春, 赵静, 万巍. 网络异常检测领域概念漂移问题研究综述[J]. 数据与计算发展前沿, 2024, 6(1): 162-178.

DU Guanyao, GUO Yongjie, LONG Chun, ZHAO Jing, WAN Wei. A Review of Concept Drift in the Field of Network Anomaly Detection[J]. Frontiers of Data and Computing, 2024, 6(1): 162-178, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2024.01.015.

图/表 6

图1

图2

图3

图4

表1

表2

参考文献 61

[1]	LU J, LIU A, DONG F, et al. Learning under Concept Drift: A Review[J]. IEEE Transactions on Knowledge and Data Engineering, 2020: 1.
[2]	LIMA M, FILHO T S, DE A, et al. A Comparative Study on Concept Drift Detectors for Regression[Z]. 2021.
[3]	TSYMBAL A. The Problem of Concept Drift: Definitions and Related Work[R]. Technical Report Department of Computer Science Trinity College Dublin, 2004.
[4]	ZLIOBAITE I, PECHENIZKIY M, GAMA J. An overview of concept drift applications[J]. In Big Data Analysis: New Algorithms for a New Society, 2016, 16: 91-114.
[5]	ZAMBON D, ALIPPI C, LIVI L. Concept Drift and Anomaly Detection in Graph Streams[J]. IEEE Transactions on Neural Networks & Learning Systems, 2017(99): 1-14.
[6]	YUAN L, LI H, XIA B, et al. Recent Advances in Concept Drift Adaptation Methods for Deep Learning[C]// Proceedings of the 31st International Joint Conference on Artificial Intelligence. Vienna, Austria: International Joint Conferences on Artificial Intelligence Organization, 2022: 5654-5661.
[7]	GONÇALVES JR P M, DE CARVALHO SANTOS S G T, BARROS R S M, et al. A comparative study on concept drift detectors[J]. Expert Systems with Applications, 2014, 41(18): 8144-8156. doi: 10.1016/j.eswa.2014.07.019
[8]	WANG S, MINKU L L, GHEZZI D, et al. Concept drift detection for online class imbalance learning[C]// The 2013 International Joint Conference on Neural Networks (IJCNN). IEEE, 2013: 1-10.
[9]	MINKU L L, WHITE A P, YAO X. The impact of diversity on online ensemble learning in the presence of concept drift[J]. IEEE Transactions on knowledge and Data Engineering, 2009, 22(5): 730-742. doi: 10.1109/TKDE.2009.156
[10]	LECHNER A, KECKEIS H, HUMPHRIES P. Patterns and processes in the drift of early developmental stages of fish in rivers: a review[J]. Reviews in Fish Biology and Fisheries, 2016, 26: 471-489. doi: 10.1007/s11160-016-9437-y
[11]	DIEHL S, ANDERSON K E, NISBET R M. Population responses of drifting stream invertebrates to spatial environmental variability: an emerging conceptual framework[M]// Aquatic insects: challenges to populations. Wallingford UK: CABI, 2008: 158-183.
[12]	COHEN A M, BHUPATIRAJU R T, HERSH W R. Feature generation, feature selection, classifiers, and conceptual drift for biomedical document triage[C]// TREC. 2004.
[13]	BAYRAM F, AHMED B S, KASSLER A. From concept drift to model degradation: An overview on performance-aware drift detectors[J]. Knowledge-Based Systems, 2022, 245: 108632. doi: 10.1016/j.knosys.2022.108632
[14]	LIMA M, Neto M, FILHO T S, et al. Learning Under Concept Drift for Regression—A Systematic Literature Review[J]. IEEE Access, 2022, 10: 45410-45429. doi: 10.1109/ACCESS.2022.3169785
[15]	ALKAYEM N F, CAO M, ZHANG Y, et al. Structural damage detection using finite element model updating with evolutionary algorithms: a survey[J]. Neural Computing and Applications, 2018, 30: 389-411. doi: 10.1007/s00521-017-3284-1
[16]	BAYRAM F, AHMED B S, Kassler A. From concept drift to model degradation: An overview on performance-aware drift detectors[J]. Knowledge-Based Systems, 2022, 245: 108632. doi: 10.1016/j.knosys.2022.108632
[17]	WANG S, SCHLOBACH S, KLEIN M. Concept drift and how to identify it[J]. Journal of Web Semantics, 2011, 9(3): 247-265. doi: 10.1016/j.websem.2011.05.003
[18]	KORYCKI Ł, KRAWCZYK B. Concept drift detection from multi-class imbalanced data streams[C]// 2021 IEEE 37th International Conference on Data Engineering (ICDE). IEEE, 2021: 1068-1079.
[19]	DRIES A, RÜCKERT U. Adaptive concept drift detection[J]. Statistical Analysis and Data Mining: The ASA Data Science Journal, 2009, 2(5-6): 311-327. doi: 10.1002/sam.v2:5/6
[20]	LIU A, SONG Y, ZHANG G, et al. Regional concept drift detection and density synchronized drift adaptation[C]// IJCAI International Joint Conference on Artificial Intelligence. 2017.
[21]	BAIDARI I, HONNIKOLL N. Bhattacharyya distance based concept drift detection method for evolving data stream[J]. Expert Systems with Applications, 2021, 183: 115303. doi: 10.1016/j.eswa.2021.115303
[22]	NISHIDA K, YAMAUCHI K. Detecting concept drift using statistical testing[C]// International conference on discovery science. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007: 264-269.
[23]	LIU A, LU J, ZHANG G. Concept drift detection via equal intensity k-means space partitioning[J]. IEEE transactions on cybernetics, 2020, 51(6): 3198-3211. doi: 10.1109/TCYB.2020.2983962
[24]	KABIR M A, KEUNG J W, BENNIN K E, et al. Assessing the significant impact of concept drift in software defect prediction[C]// 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). IEEE, 2019, 1: 53-58.
[25]	WANG X, KANG Q, AN J, et al. Drifted Twitter spam classification using multiscale detection test on KL divergence[J]. IEEE Access, 2019, 7: 108384-108394. doi: 10.1109/Access.6287639
[26]	HAYAT M Z, BASIRI J, SEYEDHOSSEIN L, et al. Content-based concept drift detection for email spam filtering[C]// 2010 5th International Symposium on Telecommunications. IEEE, 2010: 531-536.
[27]	GOLDENBERG I, WEBB G I. Survey of distance measures for quantifying concept drift and shift in numeric data[J]. Knowledge and Information Systems, 2019, 60(2): 591-615. doi: 10.1007/s10115-018-1257-z
[28]	张育培, 柴玉梅, 王黎明. 基于鞅的数据流概念漂移检测方法[J]. 小型微型计算机系统, 2013, 34(8): 1787-1792.
[29]	胡阳, 孙自强. 基于McDiarmid边界的自适应加权概念漂移检测方法[J/OL]. 华东理工大学学报(自然科学版): 1-10 [2023-06-12].
[30]	MASUD M, GAO J, KHAN L, et al. Classification and novel class detection in concept-drifting data streams under time constraints[J]. IEEE Transactions on knowledge and data engineering, 2010, 23(6): 859-874. doi: 10.1109/TKDE.2010.61
[31]	MASUD M M, AL-KHATEEB T M, KHAN L, et al. Detecting recurring and novel classes in concept-drifting data streams[C]// 2011 IEEE 11th International Conference on Data Mining. IEEE, 2011: 1176-1181.
[32]	SAURAV S, MALHOTRA P, TV V, et al. Online anomaly detection with concept drift adaptation using recurrent neural networks[C]// Proceedings of the acm india joint international conference on data science and management of data. 2018: 78-87.
[33]	JAIN M, KAUR G. Distributed anomaly detection using concept drift detection based hybrid ensemble techniques in streamed network data[J]. Cluster Computing, 2021, 24: 2099-2114. doi: 10.1007/s10586-021-03249-9
[34]	QIAO H, NOVIKOV B, BLECH J O. Concept drift analysis by dynamic residual projection for effectively detecting botnet cyber-attacks in IoT scenarios[J]. IEEE Transactions on Industrial Informatics, 2021, 18(6): 3692-3701. doi: 10.1109/TII.2021.3108464
[35]	YANG L, MANIAS D M, SHAMI A. Pwpae: An ensemble framework for concept drift adaptation in iot data streams[C]// 2021 IEEE Global Communications Conference (GLOBECOM). IEEE, 2021: 1-6.
[36]	KLINKENBERG R, JOACHIMS T. Detecting concept drift with support vector machines[C]// ICML. 2000: 487-494.
[37]	SEELIGER A, NOLLE T, MÜHLHÄUSER M. Detecting concept drift in processes using graph metrics on process graphs[C]// Proceedings of the 9th Conference on Subject-Oriented Business Process Management. 2017: 1-10.
[38]	崔泽林. 基于密度网格的数据流聚类和概念漂移检测算法研究[D]. 北京: 北京交通大学, 2017.
[39]	LIU A, LU J, LIU F, et al. Accumulating regional density dissimilarity for concept drift detection in data streams[J]. Pattern Recognition, 2018, 76: 256-272. doi: 10.1016/j.patcog.2017.11.009
[40]	ROSS G J, ADAMS N M, TASOULIS D K, et al. Exponentially weighted moving average charts for detecting concept drift[J]. Pattern recognition letters, 2012, 33(2): 191-198. doi: 10.1016/j.patrec.2011.08.019
[41]	HOENS T R, POLIKAR R, CHAWLA N V. Learning from streaming data with concept drift and imbalance: an overview[J]. Progress in Artificial Intelligence, 2012, 1: 89-101. doi: 10.1007/s13748-011-0008-0
[42]	徐清妍, 何丽, 朱泓西. 改进Hoeffding不等式的概念漂移检测方法[J]. 计算机工程与应用, 2020, 56(19): 55-61. doi: 10.3778/j.issn.1002-8331.1910-0397
[43]	朱群, 张玉红, 胡学钢, 等. 一种基于双层窗口的概念漂移数据流分类算法[J]. 自动化学报, 2011, 37(9): 1077-1084.
[44]	JAIN M, KAUR G, SAXENA V. A K-Means clustering and SVM based hybrid concept drift detection technique for network anomaly detection[J]. Expert Systems with Applications, 2022, 193: 116510. doi: 10.1016/j.eswa.2022.116510
[45]	SAKAMOTO Y, FUKUI K I, GAMA J, et al. Concept drift detection with clustering via statistical change detection methods[C]// 2015 Seventh International Conference on Knowledge and Systems Engineering (KSE). IEEE, 2015: 37-42.
[46]	DE SOUSA R G, PERES S M, FANTINATO M, et al. Concept drift detection and localization in process mining: An integrated and efficient approach enabled by trace clustering[C]// Proceedings of the 36th annual ACM symposium on applied computing. 2021: 364-373.
[47]	FANIZZI N, D’AMATO C, ESPOSITO F. Conceptual clustering and its application to concept drift and novelty detection[C]// The Semantic Web: Research and Applications: 5th European Semantic Web Conference, ESWC 2008, Tenerife, Canary Islands, Spain, June 1-5, 2008 Proceedings 5. Springer Berlin Heidelberg, 2008: 318-332.
[48]	YUAN Y, WANG Z, WANG W. Unsupervised concept drift detection based on multi-scale slide windows[J]. Ad Hoc Networks, 2021, 111: 102325. doi: 10.1016/j.adhoc.2020.102325
[49]	REN S, LIAO B, ZHU W, et al. The gradual resampling ensemble for mining imbalanced data streams with concept drift[J]. Neurocomputing, 2018, 286: 150-166. doi: 10.1016/j.neucom.2018.01.063
[50]	ELWELL R, POLIKAR R. Incremental learning of concept drift in nonstationary environments[J]. IEEE Transactions on Neural Networks, 2011, 22(10): 1517-1531. doi: 10.1109/TNN.2011.2160459 pmid: 21824845
[51]	GUO H, ZHANG S, WANG W. Selective ensemble-based online adaptive deep neural networks for streaming data with concept drift[J]. Neural Networks, 2021, 142: 437-456. doi: 10.1016/j.neunet.2021.06.027 pmid: 34273615
[52]	YANG Z, AL-DAHIDI S, BARALDI P, et al. A novel concept drift detection method for incremental learning in nonstationary environments[J]. IEEE transactions on neural networks and learning systems, 2019, 31(1): 309-320. doi: 10.1109/TNNLS.5962385
[53]	GAMA J, MEDAS P, CASTILLO G, et al. Learning with drift detection[C]// Advances in Artificial Intelligence-SBIA 2004: 17th Brazilian Symposium on Artificial Intelligence, Sao Luis, Maranhao, Brazil, September 29-Ocotber 1, 2004. Proceedings 17. Springer Berlin Heidelberg, 2004: 286-295.
[54]	SCHLIMMER J C, GRANGER JR R H. Beyond incremental processing: Tracking concept drift[C]// Proceedings of the Fifth AAAI National Conference on Artificial Intelligence. 1986: 502-507.
[55]	SUSNJAK T, BARCZAK A L C, HAWICK K A. Adaptive cascade of boosted ensembles for face detection in concept drift[J]. Neural Computing and Applications, 2012, 21: 671-682. doi: 10.1007/s00521-011-0663-x
[56]	SPINOSA E J, DE LEON F, DE CARVALHO A P, et al. Olindda: A cluster-based approach for detecting novelty and concept drift in data streams[C]// Proceedings of the 2007 ACM symposium on Applied computing. 2007: 448-452.
[57]	YANG L, GUO W, HAO Q, et al. CADE: Detecting and explaining concept drift samples for security applications[C]// 30th USENIX Security Symposium (USENIX Security 21). 2021: 2327-2344.
[58]	WANG S, MINKU L L. AUC Estimation and Concept Drift Detection for Imbalanced Data Streams with Multiple Classes[C]// 2020 International Joint Conference on Neural Networks (IJCNN), Glasgow, UK, 2020:1-8.
[59]	WANG S, MINKU L L, GHEZZI D D, et al. Concept drift detection for online class imbalance learning[C]// The 2013 International Joint Conference on Neural Networks (IJCNN), Dallas, TX, USA, 2013.
[60]	ABBASI A, JAVED A R, CHAKRABORTY C, et al. ElStream: An Ensemble Learning Approach for Concept Drift Detection in Dynamic Social Big Data Stream Learning[J]. IEEE Access, 2021, 9:66408-66419. doi: 10.1109/ACCESS.2021.3076264
[61]	YANG L, SHAMi A. A lightweight concept drift detection and adaptation framework for IoT data streams[J]. IEEE Internet of Things Magazine, 2021, 4:96-101.

使用方法	发表年份	参献	算法名称	漂移类型	是否主动检测概念漂移	模型如何更新
基于统计的方法	2017[19]	21	LDD	突变漂移	是	自动
	2009[20]	23	Meta-ADD	所有类型	否	不更新
	2007[22]	9	STEPD	所有类型	是	不更新
	2004[23]	48	EI-KMeans	突变漂移、渐增漂移	是	自动
	2019[24]	35	DDM	所有类型	否	不更新
	2010[26]	14	KL divergence	所有类型	是	不更新
基于预测的方法	2011[31]	31	OLINDDA	渐进漂移	是	自动
	2011[32]	11	ECSMiner	所有类型	是	不更新
	2021[34]	33	GMM	所有类型	是	自动更新
	2022[35]	39	DRPM	所有类型	是	不更新
基于滑动窗口的方法	2018[40]	56	NN-DVI	所有类型	是	自动
	2012[41]	25	EWMA	渐进漂移	是	自动
	2012[42]	86	CVFDT	突变漂移、渐增漂移、复发式漂移	是	不更新
基于聚类的方法	2015[48]	15	DDM	突变漂移、渐增漂移、渐进漂移	是	不更新
	2022[49]	58	ProM	所有类型	是	自动
	2008[53]	29	PAM	突变漂移、渐增漂移	是	不更新
基于深度学习的方法	2011[59]	63	Learn++.NSE	突变漂移、渐增漂移、渐进漂移	否	自动
基于深度学习的方法	2020[60]	59	OS-ELMs	所有类型	是	自动

数据集名称	数据类型	用途	引用文献
KDD Cup数据集	网络流量数据	网络入侵检测	[2]、[34]、[47]
UNSW-NB15数据集	校园网络的流量数据	网络异常检测	[38]、[40]
CICIDS2017数据集	网络异常检测数据集	用于评估和比较网络异常检测算法的性能	[32]
NSL-KDD数据集	网络流量数据	用于网络入侵检测任务	[31]、[35]、[51]

网络异常检测领域概念漂移问题研究综述

A Review of Concept Drift in the Field of Network Anomaly Detection

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 61

相关文章 0

编辑推荐

Metrics

本文评价