ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection

Shuo Yang; Xinran Zheng; Jinze Li; Jinfeng Xu; Xingjun Wang; Edith C.H. Ngai

doi:10.1145/3637528.3672007

ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection

Shuo Yang
, Xinran Zheng
, Jinze Li
, Jinfeng Xu
, Xingjun Wang
, Edith C.H. Ngai^*

^*Corresponding author for this work

The University of Hong Kong
Tsinghua University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

13 Scopus citations

Abstract

The deployment of learning-based models to detect malicious activities in network traffic flows is significantly challenged by concept drift. With evolving attack technology and dynamic attack behaviors, the underlying data distribution of recently arrived traffic flows deviates from historical empirical distributions over time. Existing approaches depend on a significant amount of labeled drifting samples to facilitate the deep model to handle concept drift, which faces labor-intensive manual labeling and the risk of label noise. In this paper, we propose ReCDA, a Concept Drift Adaptation method with Representation enhancement, which consists of a self-supervised representation enhancement stage and a weakly-supervised classifier tuning stage. Specifically, in the initial stage, ReCDA introduces drift-aware perturbation and representation alignment to facilitate the model in acquiring robust representations from drift-aware and drift-invariant perspectives. Moreover, in the subsequent stage, a meticulously crafted instructive sampling strategy and a robust representation constraint encourage the model to learn discriminative knowledge about benign and malicious activities during fine-tuning, thereby enhancing performance further. We conduct comprehensive evaluations on several benchmark datasets under varying degrees of concept drift. The experiment results demonstrate the superior adaptability and robustness of the proposed method.

Original language	English
Title of host publication	KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining
Publisher	Association for Computing Machinery
Pages	3818-3828
Number of pages	11
ISBN (Electronic)	9798400704901
DOIs	https://doi.org/10.1145/3637528.3672007
State	Published - 24 Aug 2024
Externally published	Yes
Event	30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD 2024 - Barcelona, Spain Duration: 25 Aug 2024 → 29 Aug 2024

Publication series

Name	Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining
ISSN (Print)	2154-817X

Conference

Conference	30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD 2024
Country/Territory	Spain
City	Barcelona
Period	25/08/24 → 29/08/24

Keywords

concept drift
intrusion detection
network security

Access to Document

10.1145/3637528.3672007

Cite this

Yang, S., Zheng, X., Li, J., Xu, J., Wang, X., & Ngai, E. C. H. (2024). ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection. In KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining (pp. 3818-3828). (Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining). Association for Computing Machinery . https://doi.org/10.1145/3637528.3672007

Yang, Shuo ; Zheng, Xinran ; Li, Jinze et al. / ReCDA : Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection. KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. Association for Computing Machinery , 2024. pp. 3818-3828 (Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining).

@inproceedings{24c2cdbd84074988b3be06d3fe022a44,

title = "ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection",

abstract = "The deployment of learning-based models to detect malicious activities in network traffic flows is significantly challenged by concept drift. With evolving attack technology and dynamic attack behaviors, the underlying data distribution of recently arrived traffic flows deviates from historical empirical distributions over time. Existing approaches depend on a significant amount of labeled drifting samples to facilitate the deep model to handle concept drift, which faces labor-intensive manual labeling and the risk of label noise. In this paper, we propose ReCDA, a Concept Drift Adaptation method with Representation enhancement, which consists of a self-supervised representation enhancement stage and a weakly-supervised classifier tuning stage. Specifically, in the initial stage, ReCDA introduces drift-aware perturbation and representation alignment to facilitate the model in acquiring robust representations from drift-aware and drift-invariant perspectives. Moreover, in the subsequent stage, a meticulously crafted instructive sampling strategy and a robust representation constraint encourage the model to learn discriminative knowledge about benign and malicious activities during fine-tuning, thereby enhancing performance further. We conduct comprehensive evaluations on several benchmark datasets under varying degrees of concept drift. The experiment results demonstrate the superior adaptability and robustness of the proposed method.",

keywords = "concept drift, intrusion detection, network security",

author = "Shuo Yang and Xinran Zheng and Jinze Li and Jinfeng Xu and Xingjun Wang and Ngai, \{Edith C.H.\}",

note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.; 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD 2024 ; Conference date: 25-08-2024 Through 29-08-2024",

year = "2024",

month = aug,

day = "24",

doi = "10.1145/3637528.3672007",

language = "英语",

series = "Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining",

publisher = "Association for Computing Machinery ",

pages = "3818--3828",

booktitle = "KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining",

address = "美国",

}

Yang, S, Zheng, X, Li, J, Xu, J, Wang, X & Ngai, ECH 2024, ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection. in KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Association for Computing Machinery , pp. 3818-3828, 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD 2024, Barcelona, Spain, 25/08/24. https://doi.org/10.1145/3637528.3672007

ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection. / Yang, Shuo; Zheng, Xinran; Li, Jinze et al.
KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. Association for Computing Machinery , 2024. p. 3818-3828 (Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - ReCDA

T2 - 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD 2024

AU - Yang, Shuo

AU - Zheng, Xinran

AU - Li, Jinze

AU - Xu, Jinfeng

AU - Wang, Xingjun

AU - Ngai, Edith C.H.

PY - 2024/8/24

Y1 - 2024/8/24

N2 - The deployment of learning-based models to detect malicious activities in network traffic flows is significantly challenged by concept drift. With evolving attack technology and dynamic attack behaviors, the underlying data distribution of recently arrived traffic flows deviates from historical empirical distributions over time. Existing approaches depend on a significant amount of labeled drifting samples to facilitate the deep model to handle concept drift, which faces labor-intensive manual labeling and the risk of label noise. In this paper, we propose ReCDA, a Concept Drift Adaptation method with Representation enhancement, which consists of a self-supervised representation enhancement stage and a weakly-supervised classifier tuning stage. Specifically, in the initial stage, ReCDA introduces drift-aware perturbation and representation alignment to facilitate the model in acquiring robust representations from drift-aware and drift-invariant perspectives. Moreover, in the subsequent stage, a meticulously crafted instructive sampling strategy and a robust representation constraint encourage the model to learn discriminative knowledge about benign and malicious activities during fine-tuning, thereby enhancing performance further. We conduct comprehensive evaluations on several benchmark datasets under varying degrees of concept drift. The experiment results demonstrate the superior adaptability and robustness of the proposed method.

AB - The deployment of learning-based models to detect malicious activities in network traffic flows is significantly challenged by concept drift. With evolving attack technology and dynamic attack behaviors, the underlying data distribution of recently arrived traffic flows deviates from historical empirical distributions over time. Existing approaches depend on a significant amount of labeled drifting samples to facilitate the deep model to handle concept drift, which faces labor-intensive manual labeling and the risk of label noise. In this paper, we propose ReCDA, a Concept Drift Adaptation method with Representation enhancement, which consists of a self-supervised representation enhancement stage and a weakly-supervised classifier tuning stage. Specifically, in the initial stage, ReCDA introduces drift-aware perturbation and representation alignment to facilitate the model in acquiring robust representations from drift-aware and drift-invariant perspectives. Moreover, in the subsequent stage, a meticulously crafted instructive sampling strategy and a robust representation constraint encourage the model to learn discriminative knowledge about benign and malicious activities during fine-tuning, thereby enhancing performance further. We conduct comprehensive evaluations on several benchmark datasets under varying degrees of concept drift. The experiment results demonstrate the superior adaptability and robustness of the proposed method.

KW - concept drift

KW - intrusion detection

KW - network security

UR - https://www.scopus.com/pages/publications/85203667003

U2 - 10.1145/3637528.3672007

DO - 10.1145/3637528.3672007

M3 - 会议稿件

AN - SCOPUS:85203667003

T3 - Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining

SP - 3818

EP - 3828

BT - KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

PB - Association for Computing Machinery

Y2 - 25 August 2024 through 29 August 2024

ER -

Yang S, Zheng X, Li J, Xu J, Wang X, Ngai ECH. ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection. In KDD 2024 - Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining. Association for Computing Machinery . 2024. p. 3818-3828. (Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining). doi: 10.1145/3637528.3672007

ReCDA: Concept Drift Adaptation with Representation Enhancement for Network Intrusion Detection

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this