Figure - available from: Soft Computing
An example of GP crossover (left) and mutation (right). In GP crossover, two random subtrees of the parents are selected and swapped, generating two new individuals. Here, the function set contains Avg, +, - and ×, and the terminal set contains problem variables and some random numbers. In GP mutation, a random subtree of the parent is selected and substituted with a new random subtree.
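The two operators in the caption, written out as an added example (this is not code from the source article or from its authors): trees are nested tuples over the caption's function set {Avg, +, -, ×} and a terminal set of problem variables plus random constants, crossover swaps two randomly chosen subtrees of the parents, and mutation replaces one randomly chosen subtree with a freshly grown one. The variable names `v0..v2`, the depth limit, and the small sample parents are assumptions made for the example; the depth limit is the usual guard against tree bloat and is not part of the caption.

```python
import random
from typing import Union

# Function set from the caption: Avg, +, -, x (all binary)
FUNCTIONS = {
    "Avg": lambda a, b: (a + b) / 2.0,
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "x": lambda a, b: a * b,
}
# Terminal set: problem variables (assumed names) plus ephemeral random constants
VARIABLES = ["v0", "v1", "v2"]

# A tree is a terminal (variable name or float constant) or a tuple (op, left, right)
Tree = Union[str, float, tuple]


def random_tree(rng: random.Random, max_depth: int, depth: int = 0) -> Tree:
    """Grow a random tree; a terminal is forced once max_depth is reached."""
    if depth >= max_depth or (depth > 0 and rng.random() < 0.3):
        if rng.random() < 0.5:
            return rng.choice(VARIABLES)
        return round(rng.uniform(-1.0, 1.0), 2)  # random constant terminal
    op = rng.choice(list(FUNCTIONS))
    return (op, random_tree(rng, max_depth, depth + 1),
            random_tree(rng, max_depth, depth + 1))


def evaluate(tree: Tree, env: dict) -> float:
    """Evaluate a tree given a mapping from variable names to values."""
    if isinstance(tree, tuple):
        op, left, right = tree
        return FUNCTIONS[op](evaluate(left, env), evaluate(right, env))
    if isinstance(tree, str):
        return env[tree]
    return float(tree)


def to_str(tree: Tree) -> str:
    if isinstance(tree, tuple):
        return f"{tree[0]}({to_str(tree[1])}, {to_str(tree[2])})"
    return str(tree)


def paths(tree: Tree, prefix: tuple = ()):
    """Yield every node position as a tuple of child indices (1=left, 2=right)."""
    yield prefix
    if isinstance(tree, tuple):
        yield from paths(tree[1], prefix + (1,))
        yield from paths(tree[2], prefix + (2,))


def get_at(tree: Tree, path: tuple) -> Tree:
    for i in path:
        tree = tree[i]
    return tree


def set_at(tree: Tree, path: tuple, new: Tree) -> Tree:
    """Return a copy of tree with the subtree at path replaced by new."""
    if not path:
        return new
    op, left, right = tree
    if path[0] == 1:
        return (op, set_at(left, path[1:], new), right)
    return (op, left, set_at(right, path[1:], new))


def depth(tree: Tree) -> int:
    return 1 + max(depth(tree[1]), depth(tree[2])) if isinstance(tree, tuple) else 0


def size(tree: Tree) -> int:
    return sum(1 for _ in paths(tree))


def crossover(p1: Tree, p2: Tree, rng: random.Random, max_depth: int = 6):
    """Swap two random subtrees; a child that exceeds max_depth is replaced by its parent."""
    a = rng.choice(list(paths(p1)))
    b = rng.choice(list(paths(p2)))
    sub_a, sub_b = get_at(p1, a), get_at(p2, b)
    c1, c2 = set_at(p1, a, sub_b), set_at(p2, b, sub_a)
    return (c1 if depth(c1) <= max_depth else p1,
            c2 if depth(c2) <= max_depth else p2)


def mutate(p: Tree, rng: random.Random, max_depth: int = 6) -> Tree:
    """Replace one random subtree with a new random subtree that respects max_depth."""
    path = rng.choice(list(paths(p)))
    return set_at(p, path, random_tree(rng, max_depth - len(path)))


if __name__ == "__main__":
    rng = random.Random(7)
    p1 = ("+", "v0", ("x", "v1", 0.5))          # constructed sample parents
    p2 = ("Avg", ("-", "v2", "v0"), "v1")
    c1, c2 = crossover(p1, p2, rng)
    print("parents :", to_str(p1), "|", to_str(p2))
    print("children:", to_str(c1), "|", to_str(c2))
    print("mutant  :", to_str(mutate(p1, rng)))
    print("eval p1 :", evaluate(p1, {"v0": 1.0, "v1": 2.0, "v2": 3.0}))
```

Because subtrees are swapped whole, the total node count of the two children equals that of the two parents unless the depth guard triggers, which is a cheap invariant to check when debugging a GP combiner.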

Source publication
Article
Full-text available
Intrusion detection tools have largely benefitted from the usage of supervised classification methods developed in the field of data mining. However, the data produced by modern system/network logs pose many problems, such as the streaming and non-stationary nature of such data, their volume and velocity, and the presence of imbalanced classes. Cla...

Citations

... Operating on the analysis of network traffic, IDS discerns patterns indicative of potential security breaches. Upon detecting an intrusion, the IDS promptly alerts network administrators, empowering them to take necessary actions to counteract the threat [7]. ...
... There are three different ways to model concept drift: window-related, weight-related, and an ensemble of classification models. The former selects samples from a sliding window, while the latter weights samples and removes them based on their weight [7]. ...
Preprint
Full-text available
Intrusions are constantly evolving and changing, and to keep up with these changes, it is necessary to have models that detect these changes, also known as concept drifts, and offer the ability to update the model without starting the learning process from scratch. In our contribution, we have opted for a new approach to intrusion detection based on concept drift detection and online incremental learning, named DDM-ORF. Our approach is based on the Detection Drift Method (DDM) and Online Random Forest algorithm (ORF). The model has shown very good accuracy compared to traditional approaches and an ability to handle massive data, providing multi-class classification that allows for determining insights. The proposed system achieves very good classification results, along with good processing speed that meets real-world scenarios. Apache Spark Structured Streaming provides important functionalities for dealing with streaming data and enables the deployment of the proposed system DDM-ORF in real-world applications.
... IDS work by analyzing network traffic and looking for patterns that indicate a potential security breach. When an intrusion is detected, the IDS alerts the network administrator, who can take appropriate action to mitigate the threat [7]. ...
... There are three different ways to model concept drift: window-related, weight-related, and an ensemble of classification models. The former selects samples from a sliding window, while the latter weights samples and removes them based on their weight [7]. ...
Preprint
Full-text available
Intrusions are constantly evolving and changing, and to keep up with these changes, it is necessary to have models that detect these changes, also known as concept drifts, and offer the ability to update the model without starting the learning process from scratch. In our contribution, we have opted for a new approach to intrusion detection based on concept drift detection and online incremental learning, named DDM-ORF. Our approach is based on the Detection Drift Method (DDM) and Online Random Forest algorithm (ORF). The model has shown very good accuracy compared to traditional approaches and an ability to handle massive data, providing multi-class classification that allows for determining insights. The proposed system achieves very good classification results, along with good processing speed that meets real-world scenarios. Apache Spark Structured Streaming provides important functionalities for dealing with streaming data and enables the deployment of the proposed system DDM-ORF in real-world applications.
... The active acceleration strategy has mechanisms to detect concept drift; the strategy characterises and quantifies concept drift by identifying change points or change intervals. Moreover, it will discard the current classifier and reconstruct the classifier when concept drift is detected [6]. The active acceleration strategy is divided into two steps: change detection and model construction. ...
Preprint
Full-text available
Because of the insufficient new-distribution training samples after concept drift occurs in streaming data, the performance of the online learning model degrades and cannot quickly recover. Therefore, an adaptive hybrid ensemble method for accelerating adaptation to concept drift (AHE_A²CD) is proposed. After concept drift occurs, the proposed method extracts local information from the streaming data through the weighted base classifiers located in the classifier pool. The local information is supplemented into the current data block by expanding the data, to make up for the lack of current-distribution data after concept drift occurs and to build an efficient local base learner that conforms to the current data distribution. On this basis, the key data information at different stages is extracted by the local base learner, and the current data is adaptively selected according to the data distribution to construct diverse global base learners. Through the hybrid ensemble of the high-performance local base learner and the diverse global base learners, this method can adaptively learn the changing streaming data and improve adaptability after concept drift occurs. Experimental results show that this method can accelerate the convergence of the online learning model after concept drift occurs and improve the real-time performance of streaming data classification.
... The goal of our contribution is to propose a novel framework for IDS with the capability to handle the majority of variations of CD. It uses ensemble learning based on the Genetic Programming Combiner [24] to deal with both CD and class imbalance issues in IDS. Our proposed framework features the embedding of incremental learning variants of classifiers by providing three options to the user: gradual learning, preserving previous knowledge when features change, and restoring previously gained knowledge when its corresponding features are active again. ...
... One approach proposed in [24] is an ensemble-based framework for online IDS, where the ensemble is updated through an incremental stream-oriented learning scheme. This approach uses genetic programming (GP) to derive a combiner function and is supported by a system architecture that integrates drift detection and adaptation. ...
... Some operators are max, average, and weighted average. The classifiers range from to [24]. ...
Article
Full-text available
Concept drift (CD) in data streaming scenarios such as networking intrusion detection systems (IDS) refers to the change in the statistical distribution of the data over time. There are five principal variants related to CD: incremental, gradual, recurrent, sudden, and blip. Genetic programming combiner (GPC) classification is an effective core candidate for data stream classification for IDS. However, its basic structure relies on the usage of traditional static machine learning models that receive one-time training, limiting its ability to handle CD. To address this issue, we propose an extended variant of the GPC using three main components. First, we replace existing classifiers with alternatives: online sequential extreme learning machine (OSELM), feature adaptive OSELM (FA-OSELM), and knowledge preservation OSELM (KP-OSELM). Second, we add two new components to the GPC, specifically, a data balancing and a classifier update. Third, the coordination between the sub-models produces three novel variants of the GPC: GPC-KOS for KA-OSELM; GPC-FOS for FA-OSELM; and GPC-OS for OSELM. This article presents the first data stream-based classification framework that provides novel strategies for handling CD variants. The experimental results demonstrate that both GPC-KOS and GPC-FOS outperform the traditional GPC and other state-of-the-art methods, and the transfer learning and memory features contribute to the effective handling of most types of CD. Moreover, the application of our incremental variants on real-world datasets (KDD Cup ‘99, CICIDS-2017, CSE-CIC-IDS-2018, and ISCX ‘12) demonstrates improved performance (GPC-FOS in connection with CSE-CIC-IDS-2018 and CICIDS-2017; GPC-KOS in connection with ISCX2012 and KDD Cup ‘99), with maximum accuracy rates of 100% and 98% by GPC-KOS and GPC-FOS, respectively. Additionally, our GPC variants do not show superior performance in handling blip drift.
... An IDS has proven indispensable in providing security protection, primarily for the detection of adversarial threats. It can monitor suspicious activities and protect sensitive information by monitoring data flow, alerting administrators to any warnings or threats against the system [5]. In the literature, IDS is often approached as a machine/deep learning problem where a classification model is trained to identify attacks based on the current state of the network, as captured by a predefined feature space [6]. ...
... One of these powerful non-trainable ensemble learning framework methods for stream data classification is the Genetic Programming (GP)-combiner, which enables using more than one classifier under a tree representation and provides various operators for aggregating the classifiers' outcomes. Furthermore, it allows re-training of the aggregation when a drift happens in the data stream [5]. ...
... The goal of this article is to extend the framework of the GP-combiner ensemble to be feature drift aware [5]. The extension is performed using developed DFS based on multiobjective Particle Swarm Optimisation (PSO) that supports searching for a variable length of features [21]. ...
Article
Full-text available
Intrusion Detection Systems (IDS) serve as critical components in safeguarding network security by detecting malicious activities. Although IDS has recently been treated primarily through the lens of machine learning, challenges persist, particularly with high-dimensional data and feature drift. Feature drift pertains to the dynamic nature of feature significance, which can fluctuate over time, complicating the task of stable and effective intrusion detection. The existing Genetic Programming (GP)-combiner based ensemble classifier framework demonstrates notable efficiency in online intrusion detection, especially in accommodating concept drift. However, it does not adequately address the specific type of concept drift known as feature drift. To rectify this gap, this article proposes a refined version of GP-combiner, named Dynamic Feature Aware GP Ensemble (DFA-GPE). This advanced framework incorporates an improved variant of Variable Length Multi-Objective Particle Swarm Optimization (VLMO-PSO) to dynamically manage feature drift. The proposed VLMO-PSO employs a smart population initialization strategy based on Bernoulli distribution and symmetric uncertainty. It also utilizes a unique set of transfer functions that map the mobility equation outcomes to the decision space. To further optimize the process, the framework introduces a novel exemplar selection method, striking a balance between exploration and exploitation. DFA-GPE’s final feature selection decisions are informed by statistical analyses of feature weights, effectively addressing the challenge of dynamic feature selection as a multi-objective optimization problem that simultaneously enhances accuracy and conserves memory. Comprehensive evaluation of DFA-GPE on two benchmark datasets, namely HIKARI 2021 and TON_IoT 2020, reveals its robust performance across all metrics. From experiment results, our framework attains 99.09% and 92.64% accuracy on both datasets, respectively, while simultaneously reducing memory consumption. Hence, DFA-GPE emerges as a comprehensive framework adept at tackling the most pertinent issues related to stream data classification within IDS, notably outperforming existing methodologies.
... When the environmental context changes, the relationship between drought-flood and the influencing factors would shift unexpectedly, correlating to concept drift in the data stream [45]. We used an online bagging of Hoeffding adaptive trees (OBHAT) model to dynamically detect the response of drought and flood events to human activities and climate change. ...
Article
Full-text available
Wetlands are important environmental resources that are vulnerable to droughts and floods. Studying drought-flood events and their driving factors is essential for wetland resource planning and management. However, climate change and human activities present dynamic challenges that traditional approaches are unable to simulate dynamically in a rapidly changing environment. This makes quantitative analysis difficult. Our research focused on the innovative use of the data stream model, namely online bagging of Hoeffding adaptive trees, to quantify drought and flood drivers in response to climate change and human activity. The proposed approach was applied to a river-lake system, the Dongting Lake wetland. The frequency and duration characteristics of drought-flood events were analyzed. In addition, the cyclical changes of droughts and floods were analyzed by wavelet analysis. Then, drought-flood indicators as well as climatic and hydrological factors were entered into a dynamic data stream model for quantitative calculations. The results showed that the water conservancy projects largely reduced flood events while aggravating droughts. The frequency of floods decreased by 4.91% and the frequency of droughts increased by 6.81% following the construction of the Gezhouba Hydro-project and the Three Gorges Dam. Precipitation and Sankou streamflow were two dominant factors in the Dongting Lake drought and flood events, both of which had a feature importance value of approximately 0.3. This research showed how the data stream model can be used in a changing environment and the applicability of the conclusions reached through real-world instances. Moreover, these quantitative outputs can help in the sustainable utilization of Dongting Lake wetland resources.
... Testing of latency time in the distributed Spark system on different machines was carried out by adjusting the number of executing cores. An online classification system for intrusion detection data based on the use of an assembly classification model was proposed in Folino et al. (2020) which defines the assembly function as non-trainable assembly functions and discovers it data guided via Genetic Program (GP) methods. The system architecture that integrates various types of functionality, including drift detection mechanisms, simple model inductions / replacements, and the efficient GP measurement of the combiner is supported by their approach. ...
... • Emphasize the decision of the classifier, but only in those sub-regions of decision space where the classifier shows proficiency (strictly under the assumption that this proficiency can be determined with validation), and using ensemble approaches could improve detection rates and accuracy while lowering false alarm rates. Folino et al. (2020): Intrusion detection based on the use of an assembly classification ...
Article
Full-text available
This paper proposes a heterogeneous ensemble classifier configuration for a multiclass intrusion detection problem. The ensemble is composed of k-nearest neighbors, artificial neural networks, and naïve Bayes classifiers. The decisions of these classifiers are combined with weighted majority voting, where optimal weights are generated by ant colony optimization for continuous search spaces. As a comparison basis, we have also implemented the ensemble configuration with the unweighted majority voting or Winner Takes All strategy. To ensure the maximum variety of classifiers, we have implemented three versions of each classification algorithm by varying each classifier’s parameters making a total of nine diverse experts for the ensemble. For our empirical study, we used the full NSL-KDD dataset to classify network traffic into one of five different classes. Our results indicate that the ensemble configuration using ACOR-optimized weights is capable of resolving the conflicts between multiple classifiers and improving the overall classification accuracy of the ensemble.
... In practice, the IDS alerts will escalate and become primarily false positives, motivating administrators to disregard them while an updated ML model is not yet available. In the literature, authors often assume periodic model updates will be performed, but they either consider it an orthogonal problem or overlook the challenges posed by the model retraining task [11]. Model updates for pattern recognition demand the collection of up-to-date events, expert assistance for event labeling, and the mentioned computationally expensive model retraining [3]. ...
... An outdated ML model must be updated as soon as possible. However, identifying expired models is a challenging task [11] as the network administrator must manually evaluate whether the current model's accuracy still meets the accuracy measured at the test phase. In general, proposed approaches for such tasks rely upon supervised settings (e.g., drift detection mechanisms) that assume the proper event label is always available [14]. ...
Article
Full-text available
Several works have used machine learning techniques for network-based intrusion detection over the past few years. While proposed schemes have been able to provide high detection accuracies, they do not adequately handle the changes in network traffic behavior as time passes. Researchers often assume that model updates can be performed periodically as needed, although this is not easily feasible in real-world scenarios. This paper proposes a new intrusion detection model based on a reinforcement learning approach that aims to support extended periods without model updates. The proposal is divided into two strategies. First, it applies a machine learning scheme as a reinforcement learning task to long-term learning, maintaining high reliability and high classification accuracies over time. Second, model updates are performed using a transfer learning technique coupled with a sliding window mechanism that significantly decreases the need for computational resources and human intervention. Experiments performed using a new dataset spanning 8TB of data and four years of real network traffic indicate that current approaches in the literature cannot handle the evolving behavior of network traffic. Nevertheless, the proposed technique without periodic model updates achieves similar accuracy rates to traditional detection schemes implemented with semestral updates. In the case of performing periodic updates on our proposed model, it decreases the false positives up to 8%, false negatives up to 34%, with an accuracy variation up to only 6%, while demanding only seven days of training data and almost five times fewer computational resources when compared to traditional approaches.
... Therefore, concept-drifting learning algorithms must be adaptive to evolving concepts. A variety of concept-drift learning methods have been proposed over the past decades [18,23,66,72,136,137]. ...
Article
Full-text available
Developing effective and efficient data stream classifiers is challenging for the machine learning community because of the dynamic nature of data streams. As a result, many data stream learning algorithms have been proposed during the past decades and achieve great success in various fields. This paper aims to explore a specific type of challenge in learning evolving data streams, called concept evolution (emergence of novel classes). Concept evolution indicates that the underlying patterns evolve over time, and new patterns (classes) may emerge at any time in streaming data. Therefore, data stream classifiers with emerging class detection have received increasing attention in recent years due to the practical values in many real-world applications. In this article, we provide a comprehensive overview of the existing works in this line of research. We discuss and analyze various aspects of the proposed algorithms for data stream classification with concept evolution detection and adaptation. Additionally, we discuss the potential application areas in which these techniques can be used. We also provide a detailed overview of evaluation measures and datasets used in these studies. Finally, we describe the current research challenges and future directions for data stream classification with novel class detection.
... Each variable can not only learn independently in its own channel but also be effectively correlated to make the learning process of different variables independent and shared. Therefore, a network intrusion detection model based on multiple spatiotemporal models in LSTM is proposed in this paper [30]. In fact, the essence of the intrusion detection is a classifier model, in which the network flow mixed with abnormal data can be detected. ...
... In order to prevent overfitting and improve the generalization performance of the model, we use recurrent dropout regularization to reduce overfitting in the training process. In other words, the input unit of a certain layer is randomly set to 0 with a certain probability, and the purpose is to break the accidental correlation in the training data of this layer [30]. On the input data of the model, the dataset is transformed into the form of input data required by the model through feature extraction and preprocessing of the imported dataset. ...
Article
Full-text available
Aimed at the existing problems in network intrusion detection, this paper proposes an improved LSTM combined with spatiotemporal structure for intrusion detection. The unsupervised spatiotemporal encoder is used to intelligently extract the spatial characteristics of network traffic data samples. It can not only retain the overall/nonlocal characteristics of the data samples but also extract the most essential deep features of the data samples. Finally, the extracted features are used as input of the LSTM model to realize classification and identification for intrusion samples. Experimental verification shows that the accuracy and false alarm rate of the intrusion detection model based on the neural network are significantly better than those of other traditional models.