A Review of Concept Drift in the Field of Network Anomaly Detection

doi:10.11871/jfdc.issn.2096-742X.2024.01.015

Abstract

Abstract:

[Purpose] With the rapid development and widespread application of network technology, network anomaly detection has become increasingly crucial as a means to safeguard network security and maintain the normal operation of systems. However, the evolving nature of abnormal behaviors and attack methods in networks presents new challenges to anomaly detection. Among these challenges, the concept drift problem is one of the widely recognized complexities in the field of network anomaly detection. [Methods] This review aims to conduct research analysis and summarization on the concept drift problem in the field of network anomaly detection. In comparison to previous studies, this paper will focus specifically on the field of flow data in network anomaly detection. [Literature Scope] Firstly, a detailed introduction to concept drift is provided, including its definition, causes, and characteristics. A comprehensive understanding of concept drift is intended to guide subsequent detection methods. Secondly, a systematic introduction to concept drift detection methods is presented, primarily including statistical methods, machine learning methods, and deep learning methods, while comparing the advantages, disadvantages, and application scenarios of each method. Finally, potential future research directions for concept drift are discussed. [Conclusion] This paper centers on the concept drift problem in the field of network anomaly detection. By providing a detailed introduction to the definition, causes, and characteristics of concept drift and conducting an in-depth analysis and summarization of concept drift detection methods tailored for flow data, the paper offers valuable references and guidance for future research directions.

Key words: concept drift, network anomaly detection, data distribution, model updating

DU Guanyao, GUO Yongjie, LONG Chun, ZHAO Jing, WAN Wei. A Review of Concept Drift in the Field of Network Anomaly Detection[J]. Frontiers of Data and Computing, 2024, 6(1): 162-178, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2024.01.015.

Figures/Tables 6

Fig.1

Fig.2

Fig.3

Fig.4

Table 1

Table2

References 61

[1]	LU J, LIU A, DONG F, et al. Learning under Concept Drift: A Review[J]. IEEE Transactions on Knowledge and Data Engineering, 2020: 1.
[2]	LIMA M, FILHO T S, DE A, et al. A Comparative Study on Concept Drift Detectors for Regression[Z]. 2021.
[3]	TSYMBAL A. The Problem of Concept Drift: Definitions and Related Work[R]. Technical Report Department of Computer Science Trinity College Dublin, 2004.
[4]	ZLIOBAITE I, PECHENIZKIY M, GAMA J. An overview of concept drift applications[J]. In Big Data Analysis: New Algorithms for a New Society, 2016, 16: 91-114.
[5]	ZAMBON D, ALIPPI C, LIVI L. Concept Drift and Anomaly Detection in Graph Streams[J]. IEEE Transactions on Neural Networks & Learning Systems, 2017(99): 1-14.
[6]	YUAN L, LI H, XIA B, et al. Recent Advances in Concept Drift Adaptation Methods for Deep Learning[C]// Proceedings of the 31st International Joint Conference on Artificial Intelligence. Vienna, Austria: International Joint Conferences on Artificial Intelligence Organization, 2022: 5654-5661.
[7]	GONÇALVES JR P M, DE CARVALHO SANTOS S G T, BARROS R S M, et al. A comparative study on concept drift detectors[J]. Expert Systems with Applications, 2014, 41(18): 8144-8156. doi: 10.1016/j.eswa.2014.07.019
[8]	WANG S, MINKU L L, GHEZZI D, et al. Concept drift detection for online class imbalance learning[C]// The 2013 International Joint Conference on Neural Networks (IJCNN). IEEE, 2013: 1-10.
[9]	MINKU L L, WHITE A P, YAO X. The impact of diversity on online ensemble learning in the presence of concept drift[J]. IEEE Transactions on knowledge and Data Engineering, 2009, 22(5): 730-742. doi: 10.1109/TKDE.2009.156
[10]	LECHNER A, KECKEIS H, HUMPHRIES P. Patterns and processes in the drift of early developmental stages of fish in rivers: a review[J]. Reviews in Fish Biology and Fisheries, 2016, 26: 471-489. doi: 10.1007/s11160-016-9437-y
[11]	DIEHL S, ANDERSON K E, NISBET R M. Population responses of drifting stream invertebrates to spatial environmental variability: an emerging conceptual framework[M]// Aquatic insects: challenges to populations. Wallingford UK: CABI, 2008: 158-183.
[12]	COHEN A M, BHUPATIRAJU R T, HERSH W R. Feature generation, feature selection, classifiers, and conceptual drift for biomedical document triage[C]// TREC. 2004.
[13]	BAYRAM F, AHMED B S, KASSLER A. From concept drift to model degradation: An overview on performance-aware drift detectors[J]. Knowledge-Based Systems, 2022, 245: 108632. doi: 10.1016/j.knosys.2022.108632
[14]	LIMA M, Neto M, FILHO T S, et al. Learning Under Concept Drift for Regression—A Systematic Literature Review[J]. IEEE Access, 2022, 10: 45410-45429. doi: 10.1109/ACCESS.2022.3169785
[15]	ALKAYEM N F, CAO M, ZHANG Y, et al. Structural damage detection using finite element model updating with evolutionary algorithms: a survey[J]. Neural Computing and Applications, 2018, 30: 389-411. doi: 10.1007/s00521-017-3284-1
[16]	BAYRAM F, AHMED B S, Kassler A. From concept drift to model degradation: An overview on performance-aware drift detectors[J]. Knowledge-Based Systems, 2022, 245: 108632. doi: 10.1016/j.knosys.2022.108632
[17]	WANG S, SCHLOBACH S, KLEIN M. Concept drift and how to identify it[J]. Journal of Web Semantics, 2011, 9(3): 247-265. doi: 10.1016/j.websem.2011.05.003
[18]	KORYCKI Ł, KRAWCZYK B. Concept drift detection from multi-class imbalanced data streams[C]// 2021 IEEE 37th International Conference on Data Engineering (ICDE). IEEE, 2021: 1068-1079.
[19]	DRIES A, RÜCKERT U. Adaptive concept drift detection[J]. Statistical Analysis and Data Mining: The ASA Data Science Journal, 2009, 2(5-6): 311-327. doi: 10.1002/sam.v2:5/6
[20]	LIU A, SONG Y, ZHANG G, et al. Regional concept drift detection and density synchronized drift adaptation[C]// IJCAI International Joint Conference on Artificial Intelligence. 2017.
[21]	BAIDARI I, HONNIKOLL N. Bhattacharyya distance based concept drift detection method for evolving data stream[J]. Expert Systems with Applications, 2021, 183: 115303. doi: 10.1016/j.eswa.2021.115303
[22]	NISHIDA K, YAMAUCHI K. Detecting concept drift using statistical testing[C]// International conference on discovery science. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007: 264-269.
[23]	LIU A, LU J, ZHANG G. Concept drift detection via equal intensity k-means space partitioning[J]. IEEE transactions on cybernetics, 2020, 51(6): 3198-3211. doi: 10.1109/TCYB.2020.2983962
[24]	KABIR M A, KEUNG J W, BENNIN K E, et al. Assessing the significant impact of concept drift in software defect prediction[C]// 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). IEEE, 2019, 1: 53-58.
[25]	WANG X, KANG Q, AN J, et al. Drifted Twitter spam classification using multiscale detection test on KL divergence[J]. IEEE Access, 2019, 7: 108384-108394. doi: 10.1109/Access.6287639
[26]	HAYAT M Z, BASIRI J, SEYEDHOSSEIN L, et al. Content-based concept drift detection for email spam filtering[C]// 2010 5th International Symposium on Telecommunications. IEEE, 2010: 531-536.
[27]	GOLDENBERG I, WEBB G I. Survey of distance measures for quantifying concept drift and shift in numeric data[J]. Knowledge and Information Systems, 2019, 60(2): 591-615. doi: 10.1007/s10115-018-1257-z
[28]	张育培, 柴玉梅, 王黎明. 基于鞅的数据流概念漂移检测方法[J]. 小型微型计算机系统, 2013, 34(8): 1787-1792.
[29]	胡阳, 孙自强. 基于McDiarmid边界的自适应加权概念漂移检测方法[J/OL]. 华东理工大学学报(自然科学版): 1-10 [2023-06-12].
[30]	MASUD M, GAO J, KHAN L, et al. Classification and novel class detection in concept-drifting data streams under time constraints[J]. IEEE Transactions on knowledge and data engineering, 2010, 23(6): 859-874. doi: 10.1109/TKDE.2010.61
[31]	MASUD M M, AL-KHATEEB T M, KHAN L, et al. Detecting recurring and novel classes in concept-drifting data streams[C]// 2011 IEEE 11th International Conference on Data Mining. IEEE, 2011: 1176-1181.
[32]	SAURAV S, MALHOTRA P, TV V, et al. Online anomaly detection with concept drift adaptation using recurrent neural networks[C]// Proceedings of the acm india joint international conference on data science and management of data. 2018: 78-87.
[33]	JAIN M, KAUR G. Distributed anomaly detection using concept drift detection based hybrid ensemble techniques in streamed network data[J]. Cluster Computing, 2021, 24: 2099-2114. doi: 10.1007/s10586-021-03249-9
[34]	QIAO H, NOVIKOV B, BLECH J O. Concept drift analysis by dynamic residual projection for effectively detecting botnet cyber-attacks in IoT scenarios[J]. IEEE Transactions on Industrial Informatics, 2021, 18(6): 3692-3701. doi: 10.1109/TII.2021.3108464
[35]	YANG L, MANIAS D M, SHAMI A. Pwpae: An ensemble framework for concept drift adaptation in iot data streams[C]// 2021 IEEE Global Communications Conference (GLOBECOM). IEEE, 2021: 1-6.
[36]	KLINKENBERG R, JOACHIMS T. Detecting concept drift with support vector machines[C]// ICML. 2000: 487-494.
[37]	SEELIGER A, NOLLE T, MÜHLHÄUSER M. Detecting concept drift in processes using graph metrics on process graphs[C]// Proceedings of the 9th Conference on Subject-Oriented Business Process Management. 2017: 1-10.
[38]	崔泽林. 基于密度网格的数据流聚类和概念漂移检测算法研究[D]. 北京: 北京交通大学, 2017.
[39]	LIU A, LU J, LIU F, et al. Accumulating regional density dissimilarity for concept drift detection in data streams[J]. Pattern Recognition, 2018, 76: 256-272. doi: 10.1016/j.patcog.2017.11.009
[40]	ROSS G J, ADAMS N M, TASOULIS D K, et al. Exponentially weighted moving average charts for detecting concept drift[J]. Pattern recognition letters, 2012, 33(2): 191-198. doi: 10.1016/j.patrec.2011.08.019
[41]	HOENS T R, POLIKAR R, CHAWLA N V. Learning from streaming data with concept drift and imbalance: an overview[J]. Progress in Artificial Intelligence, 2012, 1: 89-101. doi: 10.1007/s13748-011-0008-0
[42]	徐清妍, 何丽, 朱泓西. 改进Hoeffding不等式的概念漂移检测方法[J]. 计算机工程与应用, 2020, 56(19): 55-61. doi: 10.3778/j.issn.1002-8331.1910-0397
[43]	朱群, 张玉红, 胡学钢, 等. 一种基于双层窗口的概念漂移数据流分类算法[J]. 自动化学报, 2011, 37(9): 1077-1084.
[44]	JAIN M, KAUR G, SAXENA V. A K-Means clustering and SVM based hybrid concept drift detection technique for network anomaly detection[J]. Expert Systems with Applications, 2022, 193: 116510. doi: 10.1016/j.eswa.2022.116510
[45]	SAKAMOTO Y, FUKUI K I, GAMA J, et al. Concept drift detection with clustering via statistical change detection methods[C]// 2015 Seventh International Conference on Knowledge and Systems Engineering (KSE). IEEE, 2015: 37-42.
[46]	DE SOUSA R G, PERES S M, FANTINATO M, et al. Concept drift detection and localization in process mining: An integrated and efficient approach enabled by trace clustering[C]// Proceedings of the 36th annual ACM symposium on applied computing. 2021: 364-373.
[47]	FANIZZI N, D’AMATO C, ESPOSITO F. Conceptual clustering and its application to concept drift and novelty detection[C]// The Semantic Web: Research and Applications: 5th European Semantic Web Conference, ESWC 2008, Tenerife, Canary Islands, Spain, June 1-5, 2008 Proceedings 5. Springer Berlin Heidelberg, 2008: 318-332.
[48]	YUAN Y, WANG Z, WANG W. Unsupervised concept drift detection based on multi-scale slide windows[J]. Ad Hoc Networks, 2021, 111: 102325. doi: 10.1016/j.adhoc.2020.102325
[49]	REN S, LIAO B, ZHU W, et al. The gradual resampling ensemble for mining imbalanced data streams with concept drift[J]. Neurocomputing, 2018, 286: 150-166. doi: 10.1016/j.neucom.2018.01.063
[50]	ELWELL R, POLIKAR R. Incremental learning of concept drift in nonstationary environments[J]. IEEE Transactions on Neural Networks, 2011, 22(10): 1517-1531. doi: 10.1109/TNN.2011.2160459 pmid: 21824845
[51]	GUO H, ZHANG S, WANG W. Selective ensemble-based online adaptive deep neural networks for streaming data with concept drift[J]. Neural Networks, 2021, 142: 437-456. doi: 10.1016/j.neunet.2021.06.027 pmid: 34273615
[52]	YANG Z, AL-DAHIDI S, BARALDI P, et al. A novel concept drift detection method for incremental learning in nonstationary environments[J]. IEEE transactions on neural networks and learning systems, 2019, 31(1): 309-320. doi: 10.1109/TNNLS.5962385
[53]	GAMA J, MEDAS P, CASTILLO G, et al. Learning with drift detection[C]// Advances in Artificial Intelligence-SBIA 2004: 17th Brazilian Symposium on Artificial Intelligence, Sao Luis, Maranhao, Brazil, September 29-Ocotber 1, 2004. Proceedings 17. Springer Berlin Heidelberg, 2004: 286-295.
[54]	SCHLIMMER J C, GRANGER JR R H. Beyond incremental processing: Tracking concept drift[C]// Proceedings of the Fifth AAAI National Conference on Artificial Intelligence. 1986: 502-507.
[55]	SUSNJAK T, BARCZAK A L C, HAWICK K A. Adaptive cascade of boosted ensembles for face detection in concept drift[J]. Neural Computing and Applications, 2012, 21: 671-682. doi: 10.1007/s00521-011-0663-x
[56]	SPINOSA E J, DE LEON F, DE CARVALHO A P, et al. Olindda: A cluster-based approach for detecting novelty and concept drift in data streams[C]// Proceedings of the 2007 ACM symposium on Applied computing. 2007: 448-452.
[57]	YANG L, GUO W, HAO Q, et al. CADE: Detecting and explaining concept drift samples for security applications[C]// 30th USENIX Security Symposium (USENIX Security 21). 2021: 2327-2344.
[58]	WANG S, MINKU L L. AUC Estimation and Concept Drift Detection for Imbalanced Data Streams with Multiple Classes[C]// 2020 International Joint Conference on Neural Networks (IJCNN), Glasgow, UK, 2020:1-8.
[59]	WANG S, MINKU L L, GHEZZI D D, et al. Concept drift detection for online class imbalance learning[C]// The 2013 International Joint Conference on Neural Networks (IJCNN), Dallas, TX, USA, 2013.
[60]	ABBASI A, JAVED A R, CHAKRABORTY C, et al. ElStream: An Ensemble Learning Approach for Concept Drift Detection in Dynamic Social Big Data Stream Learning[J]. IEEE Access, 2021, 9:66408-66419. doi: 10.1109/ACCESS.2021.3076264
[61]	YANG L, SHAMi A. A lightweight concept drift detection and adaptation framework for IoT data streams[J]. IEEE Internet of Things Magazine, 2021, 4:96-101.

使用方法	发表年份	参献	算法名称	漂移类型	是否主动检测概念漂移	模型如何更新
基于统计的方法	2017[19]	21	LDD	突变漂移	是	自动
	2009[20]	23	Meta-ADD	所有类型	否	不更新
	2007[22]	9	STEPD	所有类型	是	不更新
	2004[23]	48	EI-KMeans	突变漂移、渐增漂移	是	自动
	2019[24]	35	DDM	所有类型	否	不更新
	2010[26]	14	KL divergence	所有类型	是	不更新
基于预测的方法	2011[31]	31	OLINDDA	渐进漂移	是	自动
	2011[32]	11	ECSMiner	所有类型	是	不更新
	2021[34]	33	GMM	所有类型	是	自动更新
	2022[35]	39	DRPM	所有类型	是	不更新
基于滑动窗口的方法	2018[40]	56	NN-DVI	所有类型	是	自动
	2012[41]	25	EWMA	渐进漂移	是	自动
	2012[42]	86	CVFDT	突变漂移、渐增漂移、复发式漂移	是	不更新
基于聚类的方法	2015[48]	15	DDM	突变漂移、渐增漂移、渐进漂移	是	不更新
	2022[49]	58	ProM	所有类型	是	自动
	2008[53]	29	PAM	突变漂移、渐增漂移	是	不更新
基于深度学习的方法	2011[59]	63	Learn++.NSE	突变漂移、渐增漂移、渐进漂移	否	自动
基于深度学习的方法	2020[60]	59	OS-ELMs	所有类型	是	自动

数据集名称	数据类型	用途	引用文献
KDD Cup数据集	网络流量数据	网络入侵检测	[2]、[34]、[47]
UNSW-NB15数据集	校园网络的流量数据	网络异常检测	[38]、[40]
CICIDS2017数据集	网络异常检测数据集	用于评估和比较网络异常检测算法的性能	[32]
NSL-KDD数据集	网络流量数据	用于网络入侵检测任务	[31]、[35]、[51]