![Page 1: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/1.jpg)
Data Stream Mining Techniques for Security ApplicationsYUN SING KOH
https://www.cs.auckland.ac.nz/~yunsing/
1
![Page 2: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/2.jpg)
Agenda
Introduction to data streams
Problem of Concept Drift
Some of our solutions
Concept Drift in Security Applications
2
![Page 3: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/3.jpg)
Data Streams
Data Stream Mining is the process of extracting knowledge structures from continuous data records.
A data stream is an ordered sequence of instances that in many applications of data stream mining can be read only once or a small number of times using limited computing and storage capabilities.
3
![Page 4: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/4.jpg)
Training:Learning a mapping function
y = f (x)
Application:Applying f to unseen data
y' = f (x')
Supervised Learning
4
![Page 5: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/5.jpg)
Problem Area…
Many data-stream analyses are dependent on speed for their value For instance, in automated stock trading, slower decisions are very likely
to gain less value than faster decisions
Many data-stream analyses run in resource-constrained situations For instance, smart sensors or weather monitoring stations may be
reliant on battery power. Time- and memory-hungry analyses may be infeasible in these environments
5
![Page 6: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/6.jpg)
Data Stream Properties 6
1. At high speed2. Infinite3. Can’t store them all
4. Can’t go back; or too slow 5. Evolving, non-stationary reality
1. One pass2. Low time per item - read, process, discard 3. Sublinear memory - only summaries or
sketches 4. Anytime, real-time answers5. The stream evolves over time
Properties What this means in an algorithmic sense?
![Page 7: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/7.jpg)
Predictive – Classification 7
zebra zebra zebra zebrapenguin penguin ?
x
f(x)
![Page 8: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/8.jpg)
Initial Model vs Online Model
Need to retrain! Things change over time
How often?
Data unused until next update! Value of data wasted
8
![Page 9: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/9.jpg)
Training:y = f (x)
Application:
y' = f?? (x')
Learning with concept drift
9
![Page 10: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/10.jpg)
Volume, Velocity, Variety & Variability
data comes from complex environment, and it evolves over time.
concept drift = underlying distribution of data is changing
10
![Page 11: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/11.jpg)
Concept Drift & Error rates
When there is a change in the class-distribution of the examples: The actual model does not
correspond any more to the actual distribution.
The error-rate increases
Basic Idea: Learning is a process. Monitor the quality of the learning
process: Monitor the evolution of the error
rate.
11
![Page 12: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/12.jpg)
Adaptation Methods
The adaptation model characterizes the changes in the decision model do adapt to the most recent examples.
Blind Methods: Methods that adapt the learner at regular intervals without considering
whether changes have really occurred.
Informed Methods: Methods that only change the decision model after a change was
detected. They are used in conjunction with a detection model.
12
![Page 13: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/13.jpg)
Desired Properties of a System To Handle Concept Drift
Adapt to concept drift asap
Distinguish noise from changes
Recognizing and reacting to reoccurring contexts
Adapting with limited resources
13
![Page 14: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/14.jpg)
Background - Concept DriftTypes of drift
1. Abrupt
2. Gradual
3. Incremental
Drift Volatility Rate of concept change
Example
14
Time
Con
cept
s
ChangesRate of Change
(drift intervals) v1 v2 v3
![Page 15: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/15.jpg)
Concept Drift Detection Mechansim
Seed (Reactive Technique)
ProSeed (Proactive Technique)
CPF (Recurrent Concepts)
15
![Page 16: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/16.jpg)
SEED Detector – Change Detector 16
…1000010001
David Tse Jung Huang, Yun Sing Koh, Gillian Dobbie, Russel Pears: Detecting Volatility Shift in Data Streams. ICDM 2014Part of MOA system:https://github.com/Waikato/moa/blob/master/moa/src/main/java/moa/classifiers/core/driftdetection/SEEDChangeDetector.java
B1 B2 B3 B4
As each instance of the data (predictive error rates) arrives it is stored in a block Bi each block can store up to x number of instances.
![Page 17: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/17.jpg)
SEED Detector – Change Detector 17
…0100001000 1
B1 B2 B3 B4
![Page 18: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/18.jpg)
SEED Detector – Change Detector 18
…010000100 1 0
B1 B2 B3 B4
![Page 19: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/19.jpg)
SEED Detector – Change Detector 19
…001000010 1 0 0
B1 B2 B3 B4
![Page 20: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/20.jpg)
SEED Detector – Change Detector 20
…000100001 1 0 0 0
B1 B2 B3 B4
![Page 21: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/21.jpg)
SEED Detector – Change Detector 21
…000010000 1 0 0 0 1
B1 B2 B3 B4
![Page 22: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/22.jpg)
SEED Detector – Change Detector 22
…… 1 0 0 0 1 0 0 0 0 1 0 0 1 1 1 1
B1 B2 B3 B4
![Page 23: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/23.jpg)
SEED Detector – Change Detector 23
…… 1 1 1 4
B1 B2 B3 B4
![Page 24: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/24.jpg)
SEED Detector – Change Detector 24
…… 1 1 1 4
B1 B2 B3 B4
WL WR
μ WL – μWR ≥ ε
ε is the drift thresholdTo check for drift, the window W is split into two sub-windows WL and WR and each of the boundaries between the blocks is considered as a potential drift.
![Page 25: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/25.jpg)
SEED Detector – Change Detector 25
…… 1 1 1 4
B1 B2 B3 B4
WL WR
μ WL – μWR ≥ ε
ε is the drift threshold
![Page 26: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/26.jpg)
SEED Detector – Change Detector 26
…… 1 1 1 4
B1 B2 B3 B4
WL WR
μ WL – μWR ≥ ε
ε is the drift threshold
![Page 27: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/27.jpg)
SEED Detector – Change Detector 27
…… 1 1 1 4
B1 B2 B3 B4
WL WR
μ WL – μWR ≥ ε
ε is the drift threshold
ε normally set using a statistical bound i.e. Hoeffding bound
![Page 28: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/28.jpg)
SEED Detector – Change Detector 28
…… 1 0 0 0 1 0 0 0 0 1 0 0 1 1 1 1
B1 B2 B3 B4
μ WL – μWR ≤ ε Homogeneous
ε Homogeneous is the merge threshold
Using every boundary as potential drift point is excessive. SEED performs block compressions to merge consecutive blocks that are homogeneous in nature.
![Page 29: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/29.jpg)
SEED Detector – Change Detector 29
…… 1 0 0 0 1 0 0 0 0 1 0 0 1 1 1 1
B1 B2 B3 B4
μ WL – μWR ≤ ε Homogeneous
ε Homogeneous is the merge threshold
Using every boundary as potential drift point is excessive. SEED performs block compressions to merge consecutive blocks that are homogeneous in nature.
![Page 30: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/30.jpg)
SEED Detector – Change Detector 30
…… 1 0 0 0 1 0 0 0 0 1 0 0 1 1 1 1
B1 – B3 B4
μ WL – μWR ≤ ε Homogeneous
ε Homogeneous is the merge threshold
![Page 31: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/31.jpg)
SEED Detector – Change Detector 31
…… 1 0 0 0 1 0 0 0 0 1 0 0 1 1 1 1
B1 – B3 B4
μ WL – μWR ≤ ε Homogeneous
ε Homogeneous is the merge threshold
WL WR
![Page 32: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/32.jpg)
Volatility Shift in Data Streams
It is useful to understand characteristics of a stream, such as volatility.
Example: Machine performance and maintenance Drift: Deviations in machine performance.
Volatility: Monitoring the deviations.
32David Tse Jung Huang, Yun Sing Koh, Gillian Dobbie, Russel Pears: Detecting Volatility Shift in Data Streams. ICDM 2014
![Page 33: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/33.jpg)
Example of Drift Volatility Error rate stream showing drift
points Drift volatility (rate of change)
33
p1p2
p3
![Page 34: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/34.jpg)
Volatility Shift in Data Streams
A stream has a high volatility if drifts are detected frequently and has a low volatility if drifts are detected infrequently.
Streams can have similar characteristics but be characterized as stable and non-volatile in one field of application and extremely volatile in another.
34
Input Stream
Drift Detector
Drift Points
Volatility Detector
Volatility Shifts
![Page 35: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/35.jpg)
Volatility Detector Example There are two main components in our volatility detector: a buffer
and a reservoir.
The buffer is a sliding window that keeps the most recent samples of drift intervals acquired from a drift detection technique.
The reservoir is a pool that stores previous samples which ideally represent the overall state of the stream.
35
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝑉𝑉𝑉𝑉𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑉𝑉 =𝜎𝜎𝐵𝐵𝐵𝐵𝐵𝐵𝐵𝐵𝐵𝐵𝐵𝐵𝜎𝜎𝐵𝐵𝐵𝐵𝑅𝑅𝐵𝐵𝐵𝐵𝑅𝑅𝑅𝑅𝑅𝑅𝐵𝐵
Shift in Relative Variance:
Given a user defined confidence threshold β ϵ[0,1], a shift in relative variance occurs when
𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝑉𝑉𝑅𝑅𝑉𝑉𝑅𝑅𝑅𝑅𝑉𝑉𝑉𝑉𝑅𝑅 > 1.0 + β𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅𝑅 𝑉𝑉𝑅𝑅𝑉𝑉𝑅𝑅𝑅𝑅𝑉𝑉𝑉𝑉𝑅𝑅 < 1.0 − β
![Page 36: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/36.jpg)
Real World Results 36
Sensor Stream Forest Covertype Poker Hand
Each stream was evaluated using a Hoeffding Tree to produce the binary stream thatrepresents the classification errors then passed to our drift detector.
• 2,059 change points were found• 30 volatility shifts• intervals between 150 to 600
• 2,611 change points found• 20 volatility shifts• intervals between 100 to 450
• 1,150 change points found• 21 volatility shifts• intervals between 1500 to 2500
![Page 37: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/37.jpg)
Proactive Drift Detection System
Modelling Drift Volatility Trends Goals:
Predict location of next drift Drift Prediction Method using Probabilistic Networks
Use predictions to develop proactive drift detection methods Adaptation of Drift Detection Method SEED
Adaptation of data structure using compression
37Kylie Chen, Yun Sing Koh, Patricia Riddle: Proactive drift detection: Predicting concept drifts in data streams using probabilistic networks. IJCNN 2016: 780-787
![Page 38: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/38.jpg)
Modelling Drift Volatility Trends
Progressive volatility change Rapid volatility change
38
![Page 39: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/39.jpg)
Example of Drift Prediction Method
Example of drift intervals
100 100 100 300 300 300 300 400 400 400
1. Identify volatility change points (Volatility Detector)
2. Outlier removal to construct pattern from drift interval windows
3. Match patterns to stored patterns
4. Update probabilistic network
39
100 100 100 300p1
p1 100 100 100
300 300 300 400p2
p1 p21.0
Pattern Reservoir
p2 300 300 300
?
![Page 40: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/40.jpg)
Proactive Drift Detection System
Data ModelDrift
Detector(SEED)
Volatility Detector
Drift Prediction Method (DPM)
Proactive Drift
Detector(ProSEED)
40
Revise model
Drift Points Drift Point EstimatesError Rate
Output Signal• Drift• Warning• No Change
Changes in Drift Rate
![Page 41: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/41.jpg)
Adapting the data structure of SEED
Extend the SEED Detector to use predicted drifts from our Drift Prediction Method
Adaptation of data compression of SEED detector
no compression in blocks where we expect drift
Example of error stream
00011000100110110111
Expected Predicted drifts at time steps 6 and 18
0001 | 1000 | 1001 | 1011 | 0111
c1 c2 c3 c4
0001 | 1000 | 10011011 | 0111
c1 c2 c3
41
![Page 42: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/42.jpg)
Results - Proactive Drift Detection (Bernoulli)
0
5000
10000
ProSEED SEED DDM
True Positives on Bernoulli Streams
Bernoulli R. Bernoulli P.
42
Detector Bernoulli R. Bernoulli P.
ProSEED 33.10 44.32
SEED 213.34 210.50
DDM 97.41 100.98
Average Number of False Positives
![Page 43: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/43.jpg)
0
5000
10000
ProSEED SEED DDM
True Positives on CIRCLES Streams
CIRCLES R. CIRCLES P.
Results - Proactive Drift Detection (CIRCLES)
43
Detector CIRCLES R. CIRCLES P.
ProSEED 271.44 10.05
SEED 481.77 531.62
DDM 306.94 380.32
Average Number of False Positives
![Page 44: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/44.jpg)
Concept Profiling Framework (CPF)
Concept Profiling Framework (CPF), a meta-learner that uses a concept drift detector and a collection of classification models to perform effective classification on data streams with recurrent concept, through relating models by similarity of their classifying behaviour.
Existing state-of-the-art methods for recurrent drift classification often rely on resource-intensive statistical testing or ensembles of classifiers (time and memory overhead that can exclude them from use for particular problems)
44
Recurring Concept
Robert Anderson, Yun Sing Koh, Gillian Dobbie: CPF: Concept Profiling Framework for Recurring Drifts in Data Streams. Australasian Conference on Artificial Intelligence 2016: 203-214 (Best Student Paper Award.)
![Page 45: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/45.jpg)
Concept Profiling Framework 45
Current Classifier Drift
Detector
Existing Classifiers
Meta-learner
Classifier Error
Drift State
Find representative models
Reuse/ Create New Classifier
Fading
Classification (Output Prediction)
Data Stream
Classifier Collection
![Page 46: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/46.jpg)
Concept Profiling Framework 46
Current Classifier Drift
Detector
Existing Classifiers
Meta-learner
Classifier Error
Drift State
Find representative models
Reuse/ Create New Classifier
Fading
Classification (Output Prediction)
Data Stream
Classifier Collection
Data Stream instances are handled by the current classifier.
![Page 47: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/47.jpg)
Concept Profiling Framework 47
Current Classifier Drift
Detector
Existing Classifiers
Meta-learner
Classifier Error
Drift State
Find representative models
Reuse/ Create New Classifier
Fading
Classification (Output Prediction)
Data Stream
Classifier CollectionThe drift detector detects warning and drift states based on classification error.
![Page 48: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/48.jpg)
Concept Profiling Framework 48
Current Classifier Drift
Detector
Existing Classifiers
Meta-learner
Classifier Error
Drift State
Find representative models
Reuse/ Create New Classifier
Fading
Classification (Output Prediction)
Data Stream
Classifier Collection
On drift the meta-learner chooses the next classifier by reusing an existing classifier or creating a new classifier.
![Page 49: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/49.jpg)
Concept Profiling Framework 49
Current Classifier Drift
Detector
Existing Classifiers
Meta-learner
Classifier Error
Drift State
Find representative models
Reuse/ Create New Classifier
Fading
Classification (Output Prediction)
Data Stream
Classifier Collection
Fading mechanism controls the number of existing classifiers in the pool.
![Page 50: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/50.jpg)
CPF: Synthetic datasets
Our technique generally achieved better accuracy while taking less time and memory than RCD
50
![Page 51: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/51.jpg)
CPF: Real-world datasets
Our technique generally maintained similar accuracy while taking less time and memory than RCD
51
![Page 52: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/52.jpg)
Concept Drift in Security ApplicationsRED QUEEN’S RACE
52Red TeamBlue Team
![Page 53: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/53.jpg)
Credit Card Fraud Detection 53
Image credit: Andrea Dal Pozzolo. Adaptive Machine Learning for Credit Card Fraud Detection. 2015
![Page 54: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/54.jpg)
Challenges in Fraud Detection Systems using Machine Learning
Frauds represent a small fraction of all the daily transactions (class unbalance).
Frauds distribution evolves over time because of seasonality and new attack strategies (concept drift) .
The true nature (class) of the majority of transactions is typically known only several days after the transaction took place, since only few transactions are timely checked by investigators (uncertain class labels).
54
[1] Andrea Dal Pozzolo, Olivier Caelen, Yann-Ael Le Borgne, Serge Waterschoot, and Gianluca Bontempi. Learned lessons in credit card fraud detection from a practitioner perspective. Expert Systems with Applications, 41(10):4915–4928, 2014.[2] Andrea Dal Pozzolo, Reid A. Johnson, Olivier Caelen, Serge Waterschoot, Nitesh V Chawla, and Gianluca Bontempi. Using HDDT to avoid instances propagation in unbalanced and evolving data streams. In International Joint Conference on Neural Networks (IJCNN), 2014, pages 588–594. IEEE, 2014.[3] Andrea Dal Pozzolo, Giacomo Boracchi, Olivier Caelen, Cesare Alippi, and Gianluca Bontempi. Credit card fraud detection and concept-drift adaptation with delayed supervised information. In Joint Conference on Neural Networks (IJCNN), 2015 International. IEEE, 2015.
![Page 55: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/55.jpg)
Concept Drift in Malware Families 55
![Page 56: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/56.jpg)
Challenges in Malware Detection using Machine Learning
Traditional batch-learning based methods are typically plagued by two challenges that make them unsuitable for real-world large-scale malware detection:
Population drift: the population of malware is constantly evolving e.g. exploiting new vulnerabilities, and evading novel detection techniques. collection of malware identified today unrepresentative of malware generated
in the future.
Volume: Batch learners have to be frequently re-trained using huge volumes of data, explains the paper. severe scalability issues when used in the Android malware detection context
where we have millions of samples already and thousands streaming in every day. Retraining frequently with such a volume renders them computationally impractical.
56
![Page 57: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/57.jpg)
Concept Drift in Malware Families 57
Annamalai Narayanan, Yang Liu, Lihui Chen, Jinliang Liu: Adaptive and scalable Android malware detection through online learning. IJCNN 2016: 2484-2491A. Narayanan, M. Chandramohan, L. Chen and Y. Liu: Context-Aware, Adaptive, and Scalable Android Malware Detection Through Online Learning, in IEEE Transactions on Emerging Topics in Computational Intelligence, vol. 1, no. 3, pp. 157-175, June 2017.Roberto Jordaney, Kumar Sharad, Santanu Kumar Dash, Zhi Wang et al.: Transcend: detecting concept drift in malware classification models. Proceedings of the 26th USENIX Security Symposium (USENIX Security 2017). 2017.
![Page 58: Data Stream Mining Techniques for Security Applications](https://reader030.vdocument.in/reader030/viewer/2022040808/624d84625feec941217b393a/html5/thumbnails/58.jpg)
Thank you and Questions?
58