Adaptive-Delta ADWIN for Balancing Sensitivity and Stability in Streaming IDS
DOI:
https://doi.org/10.51519/journalisi.v7i3.1260Keywords:
concept drift, Intrusion detection system, Streaming data, ControllersAbstract
In dynamic traffic networks, intrusion detection systems (IDS) must handle dynamic data stream where traffic changes occur, and concept drift is customary. Traditional concept drift detection approaches often experience a challenge between sensitivity and stability, resulting in delayed adaptation and uncontrolled false alarms. This paper proposes an AdaptiveDelta ADWIN framework that tunes sensitivity detectors using online lightweight controllers: Volatility (VC), that tune a delta based on error volatility, and AlertRate Controller (ARC), which modulates the drift alarms frequency. The framework is implemented using Bagging ensemble of Hoeffding Adaptive Trees and evaluated on a network preprocessed traffic dataset. Comparative experiments opposed to a fixed, ultrasensitive delta detector illustrate that adaptive tuning authorizes timely drift detection while maintaining stability, decreasing false alarms by more than 25%, and enhancing predictive overall performance. AdaptiveDelta baseline maintains a stable accuracy approximately 80% 82% accentuating the importance of balancing detection sensitivity with operational stability in streaming IDS implementation. These results highlight the practical value of the proposed framework, which is lightweight, computationally efficient, and suitable for real-time deployment in streaming IDS environments.
Downloads
References
S. Neupane, M. A. Ferrag, S. Shu, and L. Maglaras, “Explainable intrusion detection systems (x-ids): A survey of current methods, challenges, and opportunities,” IEEE Access, vol. 10, pp. 112392–112415, 2022, doi: 10.1109/ACCESS.2022.3216617.
O. H. Abdulganiyu, T. A. Tchakoucht, and Y. K. Saheed, “A systematic literature review for network intrusion detection system (IDS),” Int. J. Inf. Secur., vol. 22, no. 5, pp. 1125–1162, 2023, doi: 10.1007/s10207-023-00682-2.
O. Arreche, T. Guntur, and M. Abdallah, “Xai-ids: Toward proposing an explainable artificial intelligence framework for enhancing network intrusion detection systems,” Appl. Sci., vol. 14, no. 10, p. 4170, 2024, doi: 10.3390/app14104170.
S. Arora, R. Rani, and N. Saxena, “A systematic review on detection and adaptation of concept drift in streaming data using machine learning techniques,” Wiley Interdiscip. Rev. Data Min. Knowl. Discov., vol. 14, no. 4, p. e1536, 2024, doi: 10.1002/widm.1536.
D. Lukats et al., “A benchmark and survey of fully unsupervised concept drift detectors on real-world data streams,” Int. J. Data Sci. Anal., vol. 19, no. 1, pp. 1–31, 2025, doi: 10.1007/s41060-024-00620-y.
F. Jemili, K. Jouini, and O. Korbaa, “Intrusion detection based on concept drift detection and online incremental learning,” Int. J. Pervasive Comput. Commun., vol. 21, no. 1, pp. 81–115, 2025, doi: 10.1108/IJPCC-12-2023-0358.
J. Weng, “Optimizing operational efficiency in business: Effective strategies for big data security,” unpublished, 2024.
S. Seth, K. K. Chahal, and G. Singh, “Concept drift–based intrusion detection for evolving data stream classification in IDS: approaches and comparative study,” Comput. J., vol. 67, no. 7, pp. 2529–2547, 2024, doi: 10.1093/comjnl/bxae023.
W. Xing and J. Shen, “Security control of cyber–physical systems under cyber attacks: A survey,” Sensors, vol. 24, no. 12, p. 3815, 2024, doi: 10.3390/s24123815.
N. Malathy et al., “Real-time intrusion detection in IIoT stream data using window-based weighted ensemble techniques,” SN Comput. Sci., vol. 6, no. 1, p. 66, 2025, doi: 10.1007/s42979-024-03597-4.
A. Khanan et al., “From bytes to insights: A systematic literature review on unraveling IDS datasets for enhanced cybersecurity understanding,” IEEE Access, vol. 12, pp. 59289–59317, 2024, doi: 10.1109/ACCESS.2024.3392338.
N. Kalpani et al., “Cutting-edge approaches in intrusion detection systems: A systematic review of deep learning, reinforcement learning, and ensemble techniques,” Iran J. Comput. Sci., pp. 1–31, 2025, doi: 10.1007/s42044-025-00246-8.
D. N. Assis and V. M. A. Souza, “ADWIN-U: Adaptive windowing for unsupervised drift detection on data streams,” Knowl. Inf. Syst., pp. 1–30, 2025, doi: 10.1007/s10115-025-02523-1.
A. H. Alqahtani, “An incremental hybrid adaptive network-based IDS in software defined networks to detect stealth attacks,” arXiv preprint arXiv:2404.01109, 2024, doi: 10.48550/arXiv.2404.01109.
R. Rigo-Mariani and A. Yakub, “Decision tree variations and online tuning for real-time control of a building in a two-stage management strategy,” Energies, vol. 17, no. 11, p. 2730, 2024, doi: 10.3390/en17112730.
J. Zhu et al., “Machine learning-enhanced lightweight rule-based control strategy for building energy demand response,” Build. Simul., Beijing: Tsinghua Univ. Press, 2025, doi: 10.1007/s12273-025-1275-1.
K. Roshan and A. Zafar, “Ensemble adaptive online machine learning in data stream: A case study in cyber intrusion detection system,” Int. J. Inf. Technol., vol. 16, no. 8, pp. 5099–5112, 2024, doi: 10.1007/s41870-024-01727-y.
C. Surianarayanan, S. Kunasekaran, and P. R. Chelliah, “A high-throughput architecture for anomaly detection in streaming data using machine learning algorithms,” Int. J. Inf. Technol., vol. 16, no. 1, pp. 493–506, 2024, doi: 10.1007/s41870-023-01585-0.
K. A. Mohamed Junaid, D. Paulraj, and T. Sethukarasi, “A comprehensive ensemble classification techniques detecting and managing concept drift in dynamic imbalanced data streams,” Wireless Netw., vol. 31, no. 1, pp. 19–30, 2025, doi: 10.1007/s11276-024-03742-0.
S. Yang et al., “Self-supervised adaptation method to concept drift for network intrusion detection,” IEEE Trans. Dependable Secure Comput., 2025, doi: 10.1109/TDSC.2025.3599321.
L. Zhao et al., “The future of artificial intelligence in intrusion detection: Review and research agenda,” Big Data Cogn. Comput., vol. 8, no. 3, p. 42, 2024, doi: 10.3390/bdcc8030042.
S. Ouchani and Y. Belghith, “Adversarial attacks and defense methods for intrusion detection systems: A survey,” Appl. Sci., vol. 13, no. 6, p. 3815, 2023, doi: 10.3390/app13063815.
A. M. Torky, M. R. Hussein, A. E. Hassanien, and A. E. Torkey, “Explainable artificial intelligence (XAI) for cybersecurity: A comprehensive review and research directions,” Comput. Sci. Rev., vol. 50, p. 100580, 2023, doi: 10.1016/j.cosrev.2023.100580.
K. T. Ghaffar, M. A. Ferrag, L. Shu, A. Derhab, and L. Maglaras, “Explainable artificial intelligence for intrusion detection systems: A survey,” Comput. Secur., vol. 130, p. 103564, 2023, doi: 10.1016/j.cose.2023.103564.
P. Brás and J. Murai, “A survey of intrusion detection systems in cloud computing,” J. Cloud Comput., vol. 12, no. 1, p. 69, 2023, doi: 10.1186/s13677-023-00462-y.
R. F. de Mello, A. A. de Carvalho, and J. Gama, “Advances in data stream learning,” Wiley Interdiscip. Rev. Data Min. Knowl. Discov., vol. 13, no. 2, p. e1481, 2023, doi: 10.1002/widm.1481.
J. Lu et al., “Learning under concept drift: A review,” IEEE Trans. Knowl. Data Eng., vol. 31, no. 12, pp. 2346–2363, 2019, doi: 10.1109/TKDE.2018.2876857.
D. K. Ienco, R. G. Pensa, and R. Meo, “From context to concept drift: Detecting changes in learning data,” IEEE Trans. Knowl. Data Eng., vol. 25, no. 5, pp. 1146–1159, 2013, doi: 10.1109/TKDE.2012.103.
H. M. Gomes et al., “A survey on ensemble learning for data stream classification,” ACM Comput. Surv., vol. 50, no. 2, pp. 1–36, 2017, doi: 10.1145/3054925.
J. Montiel, J. Read, A. Bifet, and T. Abdessalem, “Scikit-multiflow: A multi-output streaming framework,” J. Mach. Learn. Res., vol. 19, no. 72, pp. 1–5, 2018.
J. Montiel et al., “River: Machine learning for streaming data in Python,” J. Mach. Learn. Res., vol. 21, no. 110, pp. 1–6, 2020.
A. Bifet and R. Gavaldà, “Learning from time-changing data with adaptive windowing,” in Proc. SIAM Int. Conf. Data Mining, 2007, pp. 443–448, doi: 10.1137/1.9781611972771.42.
J. Gama, I. Žliobaitė, A. Bifet, M. Pechenizkiy, and A. Bouchachia, “A survey on concept drift adaptation,” ACM Comput. Surv., vol. 46, no. 4, pp. 1–37, 2014, doi: 10.1145/2523813.
I. Žliobaitė, M. Pechenizkiy, and J. Gama, “An overview of concept drift applications,” in Big Data Analysis: New Algorithms for a New Society, Berlin, Germany: Springer, 2016, pp. 91–114, doi: 10.1007/978-4-431-56426-0_4.
M. Baena-García et al., “Early drift detection method,” in Proc. 4th Int. Workshop on Knowledge Discovery from Data Streams, 2006, pp. 77–86.
J. B. Gama, P. Medas, G. Castillo, and P. Rodrigues, “Learning with drift detection,” in Proc. Brazilian Symp. Artificial Intelligence, 2004, pp. 286–295, doi: 10.1007/978-3-540-28645-5_29.
G. Ditzler and R. Polikar, “Incremental learning of concept drift from streaming imbalanced data,” IEEE Trans. Knowl. Data Eng., vol. 25, no. 10, pp. 2283–2301, 2013, doi: 10.1109/TKDE.2012.136.
I. Katakis, G. Tsoumakas, and I. Vlahavas, “Tracking recurring contexts using ensemble classifiers: An application to email filtering,” Knowl. Inf. Syst., vol. 22, pp. 371–391, 2010, doi: 10.1007/s10115-009-0191-3.
S. Ramírez-Gallego et al., “Survey on data preprocessing for data stream mining: Current status and future directions,” Neurocomputing, vol. 239, pp. 39–57, 2017, doi: 10.1016/j.neucom.2017.01.078.
A. Bifet, G. Holmes, B. Pfahringer, and R. Kirkby, “MOA: Massive online analysis,” J. Mach. Learn. Res., vol. 11, pp. 1601–1604, 2010.
D. Dua and C. Graff, “UCI machine learning repository,” Univ. California, Irvine, School of Information and Computer Sciences, 2017. [Online]. Available: http://archive.ics.uci.edu/ml
A. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD CUP 99 data set,” in Proc. IEEE Symp. Comput. Intell. Secur. Defense Appl., 2009, pp. 1–6, doi: 10.1109/CIDSA.2009.5356528.
M. Tavallaee, N. Stakhanova, and A. A. Ghorbani, “Toward credible evaluation of anomaly-based intrusion-detection methods,” IEEE Trans. Syst. Man Cybern. C, vol. 40, no. 5, pp. 516–524, 2010, doi: 10.1109/TSMCC.2010.2048428.
M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, “A survey of network-based intrusion detection data sets,” Comput. Secur., vol. 86, pp. 147–167, 2019, doi: 10.1016/j.cose.2019.06.005.
I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” in Proc. ICISSP, 2018, pp. 108–116, doi: 10.5220/0006639801080116.
I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, “Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy,” in Proc. ICISSP, 2019, pp. 1–9, doi: 10.5220/000736450001009.
N. Moustafa and J. Slay, “UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set),” in Proc. Mil. Commun. Inf. Syst. Conf. (MilCIS), 2015, pp. 1–6, doi: 10.1109/MilCIS.2015.7348942.
N. Moustafa and J. Slay, “The evaluation of network anomaly detection systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set,” Inf. Secur. J. Glob. Perspect., vol. 25, no. 1–3, pp. 18–31, 2016, doi: 10.1080/19393555.2015.1125974.
M. Habibi Lashkari, G. Draper-Gil, M. Mamun, and A. A. Ghorbani, “Characterization of Tor traffic using time based features,” in Proc. ICISSP, 2017, pp. 253–262, doi: 10.5220/0006105602530262.
A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, “Toward developing a systematic approach to generate benchmark datasets for intrusion detection,” Comput. Secur., vol. 31, no. 3, pp. 357–374, 2012, doi: 10.1016/j.cose.2011.12.012.
S. Li, W. Meng, and W. Li, “Design of intrusion detection system based on anomaly behavior,” J. Phys. Conf. Ser., vol. 1237, p. 032020, 2019, doi: 10.1088/1742-6596/1237/3/032020.
M. A. Ferrag, L. Shu, X. Yang, A. Derhab, and L. Maglaras, “Security and privacy for green IoT-based agriculture: Review, blockchain solutions, and challenges,” IEEE Access, vol. 8, pp. 32031–32053, 2020, doi: 10.1109/ACCESS.2020.2973178.
Y. Xin et al., “Machine learning and deep learning methods for cybersecurity,” IEEE Access, vol. 6, pp. 35365–35381, 2018, doi: 10.1109/ACCESS.2018.2836950.
W. Wang, Y. Sheng, J. Wang, X. Zeng, and J. Ye, “HAST-IDS: Learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection,” IEEE Access, vol. 6, pp. 1792–1806, 2018, doi: 10.1109/ACCESS.2017.2779270.
N. Shone, T. N. Ngoc, V. D. Phai, and Q. Shi, “A deep learning approach to network intrusion detection,” IEEE Trans. Emerg. Topics Comput. Intell., vol. 2, no. 1, pp. 41–50, 2018, doi: 10.1109/TETCI.2017.2772792.
R. Vinayakumar, K. Soman, and P. Poornachandran, “Applying convolutional neural network for network intrusion detection,” in Proc. Int. Conf. Adv. Comput. Commun. Informatics (ICACCI), 2017, pp. 1222–1228, doi: 10.1109/ICACCI.2017.8126009.
C. Yin, Y. Zhu, J. Fei, and X. He, “A deep learning approach for intrusion detection using recurrent neural networks,” IEEE Access, vol. 5, pp. 21954–21961, 2017, doi: 10.1109/ACCESS.2017.2762418.
R. Vinayakumar, M. Alazab, K. P. Soman, P. Poornachandran, A. Al-Nemrat, and S. Venkatraman, “Deep learning approach for intelligent intrusion detection system,” IEEE Access, vol. 7, pp. 41525–41550, 2019, doi: 10.1109/ACCESS.2019.2895334.
Y. Zhang, P. Chen, X. Guo, Z. Lin, and Y. Yu, “Deep learning for network intrusion detection: A survey,” in Proc. IEEE Conf. Comput. Commun. Workshops (INFOCOM WKSHPS), 2019, pp. 1–6, doi: 10.1109/INFCOMW.2019.8845074.
R. Vinayakumar, K. P. Soman, and P. Poornachandran, “A deep learning approach for intelligent network intrusion detection system,” in Proc. IEEE Int. Conf. Intell. Secur. Inform. (ISI), 2017, pp. 1–6, doi: 10.1109/ISI.2017.8004872.
Z. Wang, “Deep learning-based intrusion detection with adversaries,” IEEE Access, vol. 6, pp. 38367–38384, 2018, doi: 10.1109/ACCESS.2018.2854609.
M. Lopez-Martin, B. Carro, and A. Sanchez-Esguevillas, “Application of deep reinforcement learning to intrusion detection for supervised problems,” Expert Syst. Appl., vol. 141, p. 112963, 2020, doi: 10.1016/j.eswa.2019.112963.
Y. Liang, K. P. Chow, K. H. Pun, and H. C. Chan, “Deep reinforcement learning for network intrusion detection,” in Proc. IEEE Int. Conf. Commun. (ICC), 2020, pp. 1–6, doi: 10.1109/ICC40277.2020.9148869.
Downloads
Published
Issue
Section
License
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights
