Online framework for intrusion detection systems with explainable concept drift detection and adaptation phases / Drago, Salvatore; Lorusso, Manuel; Ferraro, Pierluca; De Paola, Alessandra; Lo Re, Giuseppe. - 4198:(2026). ( ITASEC & SERICS 2026 - Joint National Conference on Cybersecurity 2026 Cagliari, Italy 09-13/02/2026).
Online framework for intrusion detection systems with explainable concept drift detection and adaptation phases
Drago Salvatore; 2026
Abstract
Machine learning-based Intrusion Detection Systems (IDSs) have become increasingly critical for identifying and mitigating network threats by analyzing data flows for anomalous or malicious activity. However, the dynamic nature of network environments makes static training data increasingly obsolete, leading to a reduction in detection accuracy, a phenomenon known as concept drift. In recent years, online learning approaches have been proposed to enable IDSs to detect drift and adapt to changing conditions. However, efforts have primarily focused on promptly detecting drift and developing fast incremental adaptation strategies, while overlooking two fundamental aspects, i.e., labeling cost and explainability. Labeling cost, defined as the time and resources involved in the data annotation process, is critical in an online setting, where domain experts are required to label data in real time, resulting in a potentially serious shortage of labeled data. Moreover, explainability of machine learning model decisions is crucial to understand how concept drift affects system performance and how the model adapts its behavior to align with the new data distribution. To address these challenges, this paper proposes an online framework for IDS powered by an unsupervised, explainability-driven concept drift detector. The detector identifies concept drift without requiring labeled data and provides insights into its impact on model decision-making. The framework also includes an online adaptation strategy that minimizes labeling costs. Experimental evaluation on a real-world network dataset with various concept drift scenarios demonstrates the system’s effectiveness. The framework detects concept drift and adapts quickly when necessary, achieving performance comparable to state-of-the-art systems while reducing labeling costs. It also provides explainability of the drift’s impact and shows how the model’s decisions evolve over time.

| File | Size | Format |
|---|---|---|
| Online_Framework_for_Intrusion_Detection_Systems_with_Explainable_Concept_Drift_Detection_and_Adaptation_Phases.pdf (open access). Description: Online Framework for Intrusion Detection Systems with Explainable Concept Drift Detection and Adaptation Phases. Type: Publisher's Version (PDF). License: Creative Commons | 634.72 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

