Concept Drift Analysis and Malware Attack Detection System Using Secure Adaptive Windowing

1  Introduction

The current technological world of present era is changing and making it harder to protect systems and links against mischievous attacks or breaches. One sort of security technology is called an intrusion detection system (IDS) that has been designed to identify and prevent intrusions in a network system. Because it contains such a big amount of data and information, the Internet has a variety of issues in terms of making it a secure system. Businesses, industries, and different spheres of daily activity all use computer networks. Organizations and institutions all over the world have been obliged to build and employ modern networks for safety as a result of technological and business advancements [1].

A shift in the features of the data stream is known as concept drift. When properties of decision attributes as well as classes to be forecasted vary unexpectedly between two given time points, it is defined as concept drift. Classification quality may suffer as a result of this circumstance and learning mechanisms may suffer as a result [2]. In ML, concept drift relates to a shift in relationships between input and output data in a data stream. Data could be altered in any way. Other sorts of changes include (i) gradual changes over time, (ii) recurring or cyclical changes, and (iii) abrupt or sudden changes. Learning models must be able to adjust to changes swiftly and accurately. The ideal drift detection approach is used to detect incoming new communications autonomously. The drift detector appears to be the simplest classifier, however, it is not as straightforward as it appears. The model should usually be rebuilt as soon as feasible after returning the signal regarding the drift [3].

Learning techniques in embedded applications have been required by recent improvements in cyber-physical systems (CPS) to work in non-stationary, time-variant contexts [4]. Idea drift learning, sometimes referred to as learning in non-stationary contexts, concentrates on the environment's event-driven changes in CPS. Changes in feature data (x) and goal variables (y) altered underlying models developed by learning methods as a result of such evolving notions. Concept drift detection in CPS reduces negative compounding error impact and allows for cost-effective predictive maintenance [5]. In this setting, ensemble learning algorithms that include many supervised techniques determine it impossible as well as impractical to detect concept drifts.

A novel unsupervised ML method is required to solve these issues and to manage complicated data patterns as well as distributional assumption breaches buried in industrial applications of CPS data streams. In supervised ML problems, a machine learning classifier is trained using a given labeled dataset of training samples with the goal of predicting a target variable. Concept drift in this situation refers to the alteration over time of the relationship between the input data and the target variables.

Concept drift may emerge in dynamic environments, such as e-mail spam detection. In this dynamic environment, malicious opponents may attempt change their e-mails to avoid spam filters. Ineffective classifiers are unable to accurately categorize newer samples as a result of these changes in data distribution. necessitating the development of algorithms for responding to concept drifts [6].

The following are the chief contributions of this study paper:

•   To design novel architecture in concept drift analysis and detection of malware attacks like DDOS in the network

•   The network has been analyzed for detecting the intrusion and concept drift using secure adaptive windowing with website data authentication protocol (SAW_WDA) integrated with authentication protocol to avoid DDOS attacks and concept drift.

•   The user data of the network will be collected and classified using multilayer perceptron gradient decision tree (MLPGDT) classifiers.

•   Based on the classification output, the decision for the detection of attackers and authorized users will be identified.

The model of this essay is organized as follows. Section 2 of our report includes the associated work. Section 3 of our proposal presents the system model. Performance analysis is presented in Section 4. In Section 5, the conclusion of our research is presented.

2  Related Work

Idea drift is pertinent for malware detection when static file analysis is performed, according to earlier research [7]. Prior studies have looked into methods for identifying idea drift in malware families [8] and warning human analysts when it is found during malware detection. The efficiency of several machine learning properties for detecting fraudulent websites is examined in work [9] However, the use of Host and Content capabilities is the extent of their activity. Extract the Lexical features, as well as the Host and With features based on content, from each URL and then keep them in feature vector form. The supervised learning system uses these feature vectors as input to classify these URLs as harmful or benign. Random Forest (RF), Gradient Boosted Trees (GBT), and Feed Forward Neural Networks (FFNN) have supervised learning methods employed in our research. They use unsafe databases and benign URLs collected from diverse sources to train their algorithms. Although the suggested method is flexible and resistant to a range of dangers, it disregards the dynamic nature of websites. The same training data reaches the hands of criminals and the ability to spot patterns in detection methods tries to change some elements of harmful websites to go around the security [10].

Among the machine learning techniques suggested in [11] for identifying fake websites are (Lagrangian Support Vector Machine) LSVM, (Logistic regression) LR, Random Forest (RF), Naive Bayes (NB), and statistical techniques for finding Concept Drifts in websites. Only a few studies have produced practical results, according to the author in [12], intending to foster research on intelligent security techniques based on a cyclic process that begins with the discovery of new threats and ends with the analysis and development of prevention measures. The authors of [13] propose a novel Gradient Boosting Decision Tree (GBDT) training technique with narrower sensitivity limitations and much better noise allocations. To slight the sensitivity boundaries by analyzing the gradient characteristic and the contributions of each tree in GBDTs, they suggest flexibly regulate the gradients of training data for every iteration and leaf node clipping Furthermore, they develop a unique boosting structure to distribute the privacy budget among trees, reducing the precision loss even further. Their studies reveal that our technique outperforms other baselines in terms of model accuracy. Jiang et al. conducted a comprehensive review of several articles that used ML in security domains, resulting in a taxonomy of machine learning models and their applications in cybersecurity [14]. Because label data is rarely available in real-world applications, [15] classified existing solutions for detecting abnormalities in changing data using unsupervised algorithms. The research [16] looked at adversarial assaults on PDF malware detectors.

The state-of-the-art of ML for data streams was emphasized by the author in [17], who presented possible research options. A lot of research is not valid in many use situations, according to [18], which focuses on label acquisition and model deployment. In [19], the author conducted a comparative examination of several methodologies for dealing with imbalanced data, applying them to various data distributions and application domains. [20] Investigated some of the limitations and challenges of Deep Learning (DL) methods in a traditional ML workflow for malware detection as well as classification in literature such as open benchmarks, class imbalance, concept drift, model interpretability, and adversarial learning.

3  System Model

The novel design in concept drift analysis and malware attack detection is covered in this section. Here the website with concept drift has been predicted and analyzed for DDOS attack in the network. When the data drift is detected, the web server has been analyzed and predicted to be concept drift. Then SAW_WDA has been employed for minimizing the concept drift and intrusion of the network. The data of users has been collected and classified using MLPGDT where the decision has been made based on classified output whether the malware user or authorized user. Fig. 1 depicts the total system architecture.

Figure 1: shows the proposed systems’ overall architecture

3.1 Secure Adaptive Windowing with Website Data Authentication Protocol (SAW_WDA)

The intrusion detection system and concept drift of the network has been analyzed using secure adaptive windowing with website data authentication protocol (SAW_WDA). To detect the adaptive windowing change, we have performed the SAW_WDA protocol. The detailed SAW_WDA protocol is given below:

When no obvious change is found, the window is dynamically magnified, and when a change is determined it is compressed. In section W0 · W1 of W, the cut value is evaluated as under. Let W stand for W length, ^µW for the average of W's elements, and W for the average of µt for t ∈ W. Let n0 show the size of W0, n1 show the size of W0, and W1 and n show the length of W, resulting in n = n0 + n1. W0 and the predicted values are characterized by W1 To achieve the most stringent performance guarantees are given by Eq. (1)

m=11/n0+1/n1(harmonic mean ofn0andn1)δ′=δn,andϵcut=12m⋅ln⁡4δ′(1)

If we undertake S as a data stream and E is an ensemble. When the case is received, the internal change detector D is used to train the online classifier gradually. The ensemble member’s Ci ∈ E are weighted after every incoming instance, rather than calculating component classifiers by Eq. (2).

Wo=∑1≤t≤TW(sc(P(t))),We=W(sc(C))−Wo(2)

W(sc(P(t1))∩sc(P(t2)))=a1

For all1≤t1,t2≤T

A1={W(sc(P(t1)))ift1=t20ift1≠t2

A(sc(Pls(t1))∩sc(Cf))+∑1≤t2≤T,t2≠t1A(sc(Pls(t1))∩sc(Pus(t2)))≥0.6×A(sc(Pls(t1)))

For all1≤t1≤T

W(sc(P(t1))∩sc(C))=W(sc(P(t1)))(3)

For all1≤t1≤T

When the underlying function that creates instances evolves, concept drift is said to occur. Formally, it can be described as any situation where the joint probability shifts. Thus, it may appear as a change in the class prior probabilities, a change in the class-conditional PDF, or a combination of the two. The transition probability of road segment Rj at time t − 1 is used to compute the under-mention method that can enter road segment Ri at time t given by Eq. (4). Here ‘traffic’ denotes the average network traffic.

Pr(Rjat t−1∣Riat t)=pj= trafficj∑p=1ntrafficp

Sc(P(t))={(x↼,y↼,z↼)∈R3∣px,p(t)≤x↼≤px,P(t)+lx,P(t),py,P(t)≤y↼≤py,P(t)+ly,P(t),pz,P(t)≤z↼≤pz,P(t)+lz,P(t)}

sc©={(x↼,y↼,z↼)∈R3∣0≤x↼≤Lx,0≤y↼≤Ly,0≤z↼≤Lz}

sc(Cf)={(x↼,y↼,z↼)∈R3∣0≤x↼≤Lx,0≤y↼≤Ly,z↼=0}

sc(Cfh)={(x↼,y↼)∈R2∣(x↼,y↼)∈sc(Cf)}(4)

Assume that E is an ensemble and S is a data stream. When the case is received, the internal change detector D is used to train the online classifier gradually. Each incoming instance results in a weighting of the ensemble members Ci and E, rather than calculating component classifiers by Eq. (2).

E=−∑j(pj⋅log⁡pj)(5)

The Hoeffding bound asserts that the estimated mean will not deviate from the true mean by more than with probability 1 by Eq. (6) after n independent observations of range R.

E =R2ln⁡(1/δ)2n(6)

where a user-defined confidence parameter δ ∈ (0, 1) is used. Let’s call the two subwindows W0 and W1. With 1−δ probability, we obtains |μW0 − μW1 | ≤ 2ε.

Such that ε is Hoeffding bound while μW0 and μW1 are average of two sub-windows.

P(t):pP(t)=(pI,P(t),pj,P(t),pk,P(t))∈I++3,lP(t)

=(lI,P(t),lj,P(t),lk,P(t))∈I++3

LI,P(t)=lx,P(t)1x,lj,P(t)=ly,P(t)1y,lk,P(t)=lz,P(t)1z

Li=Lx1x,Lj=Ly1y,Lk=Lz1z(7)

I++n is then-dimensional space of positive integers.

Assume that W’s true mean is ????. |????????0 − ????| ≤ ε and |????????1 − ????| ≤ ε might be obtained independently, according to the Hoeffding bound. After that, they can be turned into −ε ≤ |????????0 − ????| ≤ ε and −ε ≤ |???? − ????????1 | ≤ ε. In addition, these two inequalities together by Eq. (8).

|M W0−μW1|≤2ε

|μW0−μW1|≤2R2ln⁡(1δ)n(8)

Two equal-length sub windows made up sliding window W. From WL to WR, the Kullback-Leibler distance is given by Eq. (9).

KL(WL∥WR)=∑x∈XpWL(x)log⁡pWL(x)pWR(x)(9)

We make sure that the sum is calculated over X atoms (in a discrete setting, X is the event space). When the distance exceeds the threshold calculated using, a change is recognized (4). Then window WL’s older portion is taken out.

s is the discrete-window analog of the operator sc given by Eq. (10)

The method takes as inputs a confidence value (0, 1) and a sequence of real values x1, ... , xt. Note that, the value of xt is only accessible at time point t. According to a certain Dt distribution, each xt is independently formed for each t. Indicate the anticipated value and variance with t and t2t when xt is drawn following Dt.

S(PLs(t))={(t↼,J↼,k↼)∈I++3∣pI,P(t)≤τ≤pI,p(t)+lI,p(t)–1,pj,p(t)≤j↼(10)

≤pj,p(t)+lj,P(t)–1,k↼=pk,p(t)}

S(Plsh(t))={(i↼,j↼)∈I++2∣(I↼,J↼,pk,P(t))∈s(PIs(t))}

S(Pus(t))={(l↼,j↼,k↼)∈I++3∣pI,P(t)≤l↼≤pI,p(t)+lI,p(t)–1,pj,p(t)≤j↼

≤pj,p(t)+lj,p(t)–1,k↼=pk,p(t)+lk,p(t)–1}

S(C)={(I↼,j↼,k↼)∈I++3∣1≤I↼≤LI,1≤j↼≤Lj,1≤k↼≤Lk}

S(Cfh)={(l↼,j↼)∈I++2∣(l↼,j↼,1)∈s(Cf)}(11)

One can infer that the window will begin to contract after “O” (“ln(1/)/” “” “2” ) steps if t has been fixed at a value for a long time and suddenly changes to a value.

ρi,j(t)={max{ρt,(t−1)∣(τ,J↼)∈s(Plsh(t))}ρi,j(t−1)…{+lk,P(t)for(i,j)∈s(Plsh(t))for(i,j)∉s(Plsh(t)),

ρI,j(0)=0for(I,j)∈s(Cfh)

ρI,j(t)≤Lkfor(I,j)∈s(PLsh(t))

Num({(i↼,j )∈s(Plsh(t))∣ρtJ(t−1)≥ρI,j(t−1)for (I,j)∈s(Ptsh(t))})≥0.6×lI,P(t)×lj,P(t)

e−∑k=1MaxW−1akh=h2+(3− MaxW)h+1− MaxW +(−1/h)MaxW−1h(h+1)2ϵ

Proof: MaxW refers to the window size at time point t=tMaxW. Thus, the (e−∑k=1MaxW−1ak)/h is the privacy budget at t=tMaxW.(e−∑k=1MaxW−1ak)/h and ∑k=1MaxW−1ak=∑k=1Max−1{ϵ/h(h+1). (−1/h)k−1+ϵ/(h+1)}. After evaluation,

∑k=1MaxW−1ak=ϵh(h+1)∑k=1MaxW−1{(−1h)k−1+h}=ϵh(h+1){1−(−1/h)MaxW−11+1/h+h⋅(MaxW−1)}(12)

Thus,

e−∑k = 1Max−1akh = h2+(3−MaxW)h+1−MaxW +(−1/h)MaxW−1h(h + 1)2ϵ(13)

3.2 Multilayer Perceptron Gradient Decision Tree (MLPGDT)

Consider an M − 1 intermediate layer and one final output layer in a multi-layered feed-forward arrangement. The equivalent output for each layer for a given input data x is in Rdi, where i ∈ {0, 1, 2. . . M}. We aim to learn Fi: Rdi−1 → Rdi mappings for each layer i where the value if i > 0. The final output oM aims to minimize empirical loss L on the training dataset. The loss L is commonly calculated using mean squared errors or cross-entropy with additional regularization components. Backpropagation can be used to efficiently complete such learning tasks when each Fi is parametric and differentiable. The chain rule is used to evaluate gradients of the loss function concerning each specification at each layer, and then gradient descent is used to update the parameters. The output for intermediate layers is considered the model's new representation once training is completed.

Formally, MLPGDT lowers the following regularized objective by Eq., given a convex loss function l and a training dataset. This given dataset has n cases (tuples) and d features.

L`=∑il(y`i,yi)+∑kΩ(fk)

yj(p)=f(∑i=1nxi(p)⋅wij−θj)(14)

where a regularisation term is “(f) = ” “1” /“2” “V” “” “2”. The λ regularization parameter is R, and the leaf weight is V. At the t-th iteration, GBDT minimizes the following objective function by forming an approximation function of the loss by Eq. (15).

L`(t)=∑i=1n[gift(xi)+12ft2(xi)]+Ω(ft)

Yk(p)=f(∑i=1mxjk(p)⋅wjk(p)–θk)

E=E+(ek(p))22(15)

G(IL,IR)=(∑i∈ILgi)2|IL|+λ+(∑i∈IRgi)2|IR|+λ(16)

To discover the split that optimizes the gain, GBDT explores all feature values. If the current node fails to match the splitting criteria, With the best leaf value provided by Eq, it turns into a leaf node (17).

V(I)=−∑i∈Igi|I|+λ(17)

Each A shrinkage rate is frequently applied to the leaf values, similar to the learning rate η in stochastic optimization, to reduce the effects of every specific tree and make room for subsequent trees to be enhanced model. Let f be a randomized function and ε be a positive real number. If given datasets, say D and D0, differ in at least one case or tuple and differ in any output O of function f, the function f is said to give -differential privacy as given by Eq. (18).

Pr[f(D)∈O]≤ec⋅Pr[f(D′)∈O](18)

Here ε denotes the secrecy budget. The Laplace and exponential methods are commonly utilized to obtain ε-differential privacy by summing noise calibrated to a function's sensitivity. Error gradients for neurons in the output layer are calculated as follows (19):

δk(p)=f⋅ek(p)(19)

where f ' is the derived function for activation and error ek(p)=yd,k(p)−yk(p) is given by the following equations Eq. (20) through Eq. (22).

f′(x)=e−x(1+e−x)2=f(x)⋅(1−f(x))(20)

f′(x)=2a⋅e−a⋅x(1+e−a⋅x)2=a2⋅(1−f(x))⋅(1+f(x))(21)

δk(p)=yk(p)⋅(1−yk(p))⋅ek(p)(22)

Weight gradients between the hidden and output layers have been updated by Eq. (23).

Δwy(p)=Δwj(p)+xi(p)⋅δj(p)

wij=wij+η⋅Δwij(23)

This term is proportionate to the most recent weight modification, i.e., the values used to alter the weights are saved and have a direct impact on all subsequent adjustments by Eq. (24).

Δwij(p)=Δwij(p)+α⋅Δwij(p−1)(24)

The variable learning rate technique [19] not only uses different learning frequency for each weight but also changes the learning parameters in each repetition based on the gradients’ successive indications by Eq. (25).

ηp(p)={u⋅ηy(p−1),sgn(wvj(p))= sgn(bvj(p−1))d⋅ηy(p−1),sgn(bvξ(p))=− sgn(wj(p−1))}(25)

We use the softmax extension of the single-pole sigmoid to classify the given n classes. Each class is corresponding to a binary output of the network as given by Eq. (26).

yk=eyk∑i=1neyi(26)

Letting g∗=maxI∈D|gI|, we have ΔG≤3g∗2(∑i∈ILgi)2. Let ∂gs h=0 and ∂Σee~ ILgi h=0, we can get gs=0 and ∑I∈ILgI=0. Matching stationary point and border (i.e., gs=±g∗ and ∑I∈ILgI=±nig∗), determine gs=−g∗,∑I∈ILgI=nig∗ (or gs=g∗ and ∑I∈I2gI=−nig∗) and nl→∞, Eq. (9) can achieve maximum. Where If is the filtered instance set and Ifc is remaining denote the approximation error of GDF on leaf values as ξI=|V(I)–V(Ifc)|. Then, ξI≤p(|g↼f|+gl∗).

The incline of case xi is initialized as gI=±nig∗ at the start of the training. Allow gl∗=±nig∗ be the greatest feasible 1-norm gradient in the initialization. It’s worth noting that g ∗ l is unaffected by training data and is solely dependent on the loss function l. The values of 1-norm gradients tend to drop as the number of trees in training rises because the loss function l is convex. As a result, the majority of examples have a smaller 1-average incline than gl∗ during the whole training procedure. As a result, use gl∗ threshold to filter training examples. Filter the cases that have a 1-norm gradient greater than gl∗ at the start of each iteration. In this cycle, just the lasting cases are used as input to create a new differentially private decision tree. It's worth noting that filtered illustrations may still be used in the training of later trees. Assure that the gradients of the used instances are no bigger than gl∗ using a gradient-based data filtering strategy like this.

ξI=|∑i∈Ifgi+∑i∈Ifgi|I|+λ−∑i∈Ifgi(1−p)|I|+λ|

=p|∑i∈Ifgi|If|+ pλ|+p||I|(|I|+λ)((1−p)|I|+λ)∑i∈Ijgi|

≤|∑i∈Ifgi|I|+λ|+|(1|I|+λ−1(1–p)|I|+λ)∑I∈Ifgi|

≤p|∑I∈Ifgi|If||+p|∑I∈Ijgi(1–p)|I||≤p(|g↼f|+gi∗)≤p(|g↼f|+gi∗)(27)

For the sake of simplicity, assume the instance’s label is −1 and the gradient is gl∗. Consider V1=−gi1+λ≥−gi∗ for the first tree. The enhancement in prediction value on the first tree is −ngl∗, because the shrinkage rate is η by Eq. (28).

|V2|≤‖∂l(−1,y)∂y|y=ηVi‖≈‖∂l(−1,y)∂y|y=0+ηV1‖≤gi∗(1−η)(28)

In the same way, |VI|≤gi∗(1–η)t–1 is obtained.

4  Performance Analysis

Python was used to test the suggested technique on Windows 10. In addition, the OpenCV library was used to recognize and test datasets. The following is a description of the dataset.

DDoS 2016:The data were obtained in a controlled setting and included four types of malicious network attacks: Hypertext Transfer Protocol (HTTP) Flood, SQL Injection Dos (SIDDOS), User Datagram Protocol (UDP) Flood, and Smurf. There are 27 characteristics, 5 classes, and 734,627 records in the dataset.

UNSW-NB15: It was created in a small network environment over a short period of time (31 h), using the IXIA Perfect Storm tool, and it combines real average network traffic activities with fictitious attack behaviors, producing 175,341 records for training and 82,332 records for testing.

IXIA tool was used to simulate nine different sorts of attacks. Basic, content, time, and further produced features based on statistical characteristics of connections are among the 49 features available for study in the dataset.

CICIDS 2017: The Canadian Institute for Cybersecurity (CIC) made the data available to the public. In the creation process, There are two different types of user profiles, multistage attacks like Heart bleed, and several DoS and DDoS attacks were used. The CICFlowMeter utility extracts 80 network traffic features from the data. The background traffic was generated using user profiles based on the abstract human behavior of 25 users using HTTP, File Transfer Protocol (FTP), HTTPS, Secure Shell (SSH), and email protocols. Traffic was created for a brief time (5 days).

The suggested strategy and existing methods are compared in Table 1 in terms of accuracy, precision, recall, and F-1 score. Here comparative analysis has been carried out for various datasets namely LR, LSVM, feed foreword neural network (FFNN), and SAW_WDA_MLPGDT.

The comparison of multiple data sets’ accuracy, precision, recall, and F-1 scores is shown in Figs. 2–4. Comparative analysis is made between the proposed SAW_WDA_MLPGDT and existing LR, LSVM, and FFNN. Based on this comparison research, the suggested technique found the virus and concept drift of the website with the best accuracy. The above results show enhanced output in web data classification and website concept drift detection.

Figure 2: Analysis based on the DDoS 2016 dataset

Figure 3: Analysis based on the UNSW-NB15 dataset

Figure 4: Analysis based on the CICIDS 2017 dataset

The proposed SAW_WDA_MLPGDT is compared to existing LR, LSVM, and FFNN with the DDoS 2016 dataset, UNSW-NB15 dataset, and CICIDS 2017 dataset. Figs. 2–4 show a comparison of the DDoS 2016 dataset, UNSW-NB15 dataset, and CICIDS 2017 dataset in terms of accuracy, precision, recall, and F-1 score.

Table 2 shows the output for the proposed technique in terms of malware and concept drift detection. After applying the proposed protocol, the data transmission rate, delay, and security have been evaluated.

Fig. 5 shows a parametric analysis of malware detection and concept drift comparison between existing and proposed techniques. This comparison research showed that the suggested method produced the best results for reducing concept drift on the website. This comparison research showed that the suggested method produced the best results for reducing concept drift on the website and detect malware DDOS attacks in the network. Here the data transmission efficiency has been calculated in terms of throughput and minimal end-end delay. Malware attack mitigation has been calculated by network security in which the proposed technique has enhanced the security of the network and concept drift analysis has been made after establishing the proposed protocol.

Figure 5: Parametric analysis of malware detection and concept drift mitigation in terms of (a) Throughput, (b) End-end delay, (c) network security, (d) network concept drift

5  Conclusion

This paper proposed a novel technique for designing the architecture in concept drift analysis and detection of malware attacks like DDOS in the network. The network has been analyzed for detecting the intrusion and concept drift using secure adaptive windowing with website data authentication protocol (SAW_WDA) integrated with authentication protocol to avoid DDOS attacks and concept drift. The user data of the network will be collected and classified using multilayer perceptron gradient decision tree (MLPGDT) classifiers. Based on the classification output, the decision for the detection of attackers and authorized users will be identified. The experimental results show output based on intrusion detection and concept drift analysis system in terms of throughput, end-end delay, network security, network concept drift, and results based on the classification in terms of accuracy, memory, and precision, and F-1 score.

Funding Statement: The Taif University Deanship of Scientific Research supported this endeavor (Project Number: 1-443-4), for which the authors are grateful to Taif University for their kind support.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.

References

1. S. Singhal, U. Chawla and R. Shorey, “Machine learning & concept drift based approach for malicious Website detection,” in 2020 Int. Conf. on Communication Systems & Networks (COMSNETS), location-Bangalore, India, pp. 582–585, 2020. [Google Scholar]

2. D. Pradheep, R. Gokul, V. Naveen and J. Vijayarani, “Anomaly intrusion detection based on concept drift,” Global Journal of Computer Science and Technology, vol. 20, no. 2, pp. 14–22, 2020. [Google Scholar]

3. L. Yang, W. Guo, Q. Hao, A. Ciptadi, A. Ahmadzadeh et al., “CADE: Detecting and explaining concept drift samples for security applications,” in Proc. 30th USENIX Security Symp., Anaheim, CA, USA, pp. 2327–2344, 2021. [Google Scholar]

4. H. Alsuwat, E. Alsuwat, M. Valtorta, J. Rose and C. Farkas, “Modeling concept drift in the context of discrete Bayesian networks,” in 11th Int. Conf. on Knowledge Discovery and Information Retrieval (KDIR 2019), Portugal, Polytechnic Institute of Setubal/INSTICC, pp. 214–224, 2019. [Google Scholar]

5. D. Jayaratne, D. D. Silva, D. Alahakoon and X. Yu, “Continuous detection of concept drift in industrial cyber-physical systems using closed-loop incremental machine learning,” Discover Artificial Intelligence, vol. 1, no. 1, pp. 1–13, 2021. [Google Scholar]

6. J. Gama, I. Zliobaite, A. Bifet, M. Pechenizkiy and A. Bouchachia, “A survey on concept drift adaptation,” ACM Computing Surveys (CSUR), vol. 46, no. 4, pp. 44:1–44:37, 2014. [Google Scholar]

7. I. Kumpulainen, “Adapting to concept drift in malware detection,” Ph.D. dissertation, Aalto University, Finland, 2020. [Google Scholar]

8. F. Ceschin, H. M. Gomes, M. Botacin, A. Bifet, B. Pfahringer et al., “Machine learning (in) security: A stream of problems,” arXiv preprint arXiv:2010.16045, 2010. [Google Scholar]

9. D. Mulimani, S. G. Totad, P. Patil and S. V. Seeri, “Adaptive ensemble learning with concept drift detection for intrusion detection,” Data Engineering and Intelligent Computing, vol. 1, no. 1, pp. 331–339, 2021. [Google Scholar]

10. Y. Sun, Z. Wang, H. Liu, C. Du and J. Yuan, “Online ensemble using adaptive windowing for data streams with concept drift,” International Journal of Distributed Sensor Networks, vol. 12, no. 5, Art. no. 4218973, pp. 1–9, 2016. [Google Scholar]

11. Q. Chang and A. Sebghati, “Efficient algorithm based on adaptive window-model predictive control for automatic stacking in warehouse center,” IEEE Access, vol. 9, no. 1, pp. 94813–94825, 2021. [Google Scholar]

12. G. Jo, K. Jung and S. Park, “An adaptive window size selection method for differentially private data publishing over infinite trajectory stream,” Journal of Advanced Transportation, vol. 2018, no. 12, pp. 1–11, 2018. [Google Scholar]

13. Q. Li, Z. Wu, Z. Wen and B. He, “Privacy-preserving gradient boosting decision trees,” in Proc. of the AAAI Conf. on Artificial Intelligence, New York, USA, pp. 784–791, 2020. [Google Scholar]

14. M. C. Popescu, V. E. Balas, L. Perescu-Popescu and N. Mastorakis, “Multilayer perceptron and neural networks,” WSEAS Transactions on Circuits and Systems, vol. 8, no. 7, pp. 579–588, 2009. [Google Scholar]

15. J. Feng, Y. Yu and Z. H. Zhou, “Multilayer perceptron and neural networks,” Advances in Neural Information Processing Systems, vol. 31, no. 1, pp. 3551–3561, 2018. [Google Scholar]

16. H. Alla, L. Moumoun and Y. Balouki, “A multilayer perceptron neural network with selective-data training for flight arrival delay prediction,” Scientific Programming, vol. 2021, no. 1, pp. 1–12, 2021. [Google Scholar]

17. M. Mohammadpourfard, Y. Weng, M. Pechenizkiy, M. Tajdinian and B. Mohammadi-Ivatloo, “Ensuring cybersecurity of smart grid against data integrity attacks under concept drift,” International Journal of Electrical Power & Energy Systems, vol. 119, no. 1, Art. no. 105947, pp. 1–13, 2020. [Google Scholar]

18. T. H. M. Le, B. Sabir and M. A. Babar, “Automated software vulnerability assessment with concept drift,” in 2019 IEEE/ACM 16th Int. Conf. on Mining Software Repositories (MSR), Montreal, Canada, pp. 371–382, 2019. [Google Scholar]

19. G. Andresini, F. Pendlebury, F. Pierazzi, C. Loglisci, A. Appice et al., “INSOMNIA: Towards concept-drift robustness in network intrusion detection,” in Proc. of the 14th ACM Workshop on Artificial Intelligence and Security, Virtual Event Republic of Korea, pp. 111–122, 2021. [Google Scholar]

20. R. Xu, Y. Cheng, Z. Liu, Y. Xie and Y. Yang, “Improved long short-term memory based anomaly detection with concept drift adaptive method for supporting IoT services,” Future Generation Computer Systems, vol. 112, no. 1, pp. 228–242, 2020. [Google Scholar]