Adaptive Intrusion Detection System: Hybrid K-Means and Random Forest Approach with Concept Drift Detection
DOI: https://doi.org/10.13053/cys-29-1-5528
Keywords: Adaptive IDS, concept drift, hybrid approach, clustering, classification
Abstract
The ever-evolving data landscape presents significant challenges, among them concept drift, where shifts in the statistical distribution of a data stream pose critical cybersecurity threats. Traditional machine learning relies on static models and struggles with concept drift, which underscores the need for adaptive approaches designed for streaming data. This paper investigates methodologies for enhancing security in dynamic data environments. A hybrid concept drift detection method that combines error rate analysis with data distribution monitoring is proposed. To update the training dataset, the approach combines sliding window-based data capture and drift analysis with K-Means clustering and a Random Forest classifier. Two types of sliding window are used: fixed and adaptive. An Adaptive Random Forest classifier is used for anomaly detection and for retraining the model. Experiments were conducted on the NSL-KDD dataset to detect and quantify the severity of concept drift, using techniques such as Principal Component Analysis and Spearman's Correlation Coefficient. The ability of the Intrusion Detection System to adapt to these changes was then evaluated. The proposed adaptive model demonstrates significant improvements, with Adaptive Random Forest achieving a classification accuracy of 98.66%. Precision, detection rate and F1-score of 99.52%, 97.74% and 99.78%, respectively, are reported, while maintaining a low false alarm rate of 1.14%.
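The abstract describes a detector that combines an error-rate signal with a data-distribution signal over a fixed reference window and a sliding window of recent traffic. The following is an added illustration of that combination, not the paper's code: the error branch uses the DDM rule on the classifier's running error rate (with add-one smoothing, so a model that makes no errors before the drift does not produce a zero threshold), and the distribution branch uses a two-sample Kolmogorov-Smirnov statistic per feature, which stands in for the distribution test the abstract does not name. The class and function names, the thresholds, the `frozen_model` threshold rule that stands in for the trained Random Forest, and the synthetic two-feature stream are all assumptions made here for the example.

```python
"""Hybrid concept-drift detector: error-rate monitoring (DDM-style rule) plus
distribution monitoring (two-sample KS statistic) over a fixed reference window and
a sliding current window. Added illustration for the approach in the abstract; not
the paper's code. The KS statistic, all names, thresholds and the synthetic stream
are assumptions of this example."""
import math
import random
from collections import deque


def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: the largest gap between the empirical CDFs."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    gap = 0.0
    while i < len(a) and j < len(b):
        v = min(a[i], b[j])
        while i < len(a) and a[i] == v:   # step past tied values in one move
            i += 1
        while j < len(b) and b[j] == v:
            j += 1
        gap = max(gap, abs(i / len(a) - j / len(b)))
    return gap


class HybridDriftDetector:
    """Flags drift when either branch fires.
    Error branch: DDM rule p + s > p_min + sigma * s_min on the smoothed running error rate.
    Distribution branch: max per-feature KS distance between the reference window captured
    at the last (re)training and the sliding window of the most recent inputs.
    Error drift alone suggests the X->y mapping changed; distribution drift alone suggests
    P(X) moved while the model still copes."""

    def __init__(self, window=100, min_samples=30, ks_threshold=0.35, sigma=3.0):
        self.window, self.min_samples = window, min_samples
        self.ks_threshold, self.sigma = ks_threshold, sigma
        self.reference = None
        self.current = deque(maxlen=window)
        self._reset_error_stats()

    def _reset_error_stats(self):
        self.n = self.errors = 0
        self.p_min = self.s_min = math.inf

    def set_reference(self, vectors):
        """Capture the feature columns the model was trained on and restart monitoring."""
        self.reference = [list(col) for col in zip(*vectors)]
        self.current.clear()
        self._reset_error_stats()

    def update(self, x, is_error):
        self.current.append(tuple(x))
        self.n += 1
        self.errors += int(is_error)
        p = (self.errors + 1) / (self.n + 2)           # add-one smoothed error rate
        s = math.sqrt(p * (1 - p) / self.n)
        error_drift = False
        if self.n >= self.min_samples:
            if p + s < self.p_min + self.s_min:        # DDM keeps the best state seen so far
                self.p_min, self.s_min = p, s
            error_drift = p + s > self.p_min + self.sigma * self.s_min
        severity = 0.0
        if len(self.current) == self.window:
            severity = max(ks_statistic(ref, col)
                           for ref, col in zip(self.reference, zip(*self.current)))
        dist_drift = severity > self.ks_threshold
        return {"error_drift": error_drift, "dist_drift": dist_drift,
                "severity": severity, "drift": error_drift or dist_drift}


def simulate_stream(n_before=300, n_after=200, seed=7):
    """Constructed stream of ([x0, x1], label), label 1 = attack. x0 is the feature the
    model decides on; x1 is context that carries no label information. From n_before on,
    attack x0 moves down into the benign range and x1 shifts for all traffic."""
    rng = random.Random(seed)
    stream = []
    for t in range(n_before + n_after):
        attack = rng.random() < 0.3
        drifted = t >= n_before
        if attack:
            x0 = rng.uniform(3, 7) if drifted else rng.uniform(6, 10)
        else:
            x0 = rng.uniform(0, 4)
        x1 = rng.uniform(0.5, 1.5) if drifted else rng.uniform(0, 1)
        stream.append(([x0, x1], int(attack)))
    return stream


def frozen_model(x):
    """Stand-in for the trained classifier: the threshold separating the pre-drift classes."""
    return int(x[0] > 5)


def monitor(stream, window=100):
    """Feed the stream through the detector and report when each branch first fires."""
    det = HybridDriftDetector(window=window)
    det.set_reference([x for x, _ in stream[:window]])   # model trained on the first window
    first = {"error_drift": None, "dist_drift": None}
    for t, (x, y) in enumerate(stream):
        result = det.update(x, frozen_model(x) != y)
        for key in first:
            if result[key] and first[key] is None:
                first[key] = t
    first["final_severity"] = round(result["severity"], 3)
    return first


if __name__ == "__main__":
    print(monitor(simulate_stream()))
```

In this stream the classifier makes no errors before sample 300, so the error branch fires only after the attack feature starts straddling the decision threshold, while the distribution branch fires once enough post-drift samples have displaced the reference distribution inside the sliding window; the KS severity reported at the end is what an adaptive pipeline would use to decide whether to refresh the reference window and retrain.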
Published: 2025-03-24
Section: Articles of the Thematic Section (2)
License
Hereby I transfer exclusively to the Journal "Computación y Sistemas", published by the Computing Research Center (CIC-IPN), the Copyright of the aforementioned paper. I also accept that these rights will not be transferred to any other publication, in any other format, language or any other existing medium. I certify that the paper has not been previously disclosed or simultaneously submitted to any other publication, and that it does not contain material whose publication would violate the Copyright or other proprietary rights of any person, company or institution. I certify that I have the permission of the institution or company where I work or study to publish this work. The representative author accepts the responsibility for the publication of this paper on behalf of each and every one of the authors.
This transfer is subject to the following conditions:
- The authors retain all ownership rights (such as patent rights) of this work, except for the publishing rights transferred to the CIC through this document.
- Authors retain the right to publish the work in whole or in part in any book of which they are the authors or publishers. They can also make use of this work in conferences, courses, personal web pages, and so on.
- Authors may include the work as part of their thesis, for non-profit distribution only.