Shift Detection and Adaptation for Network Intrusion Detection

TL;DR

This paper introduces NetSight, an online framework for supervised network anomaly detection that adapts to distribution shifts without manual labeling, using pseudo-labeling and knowledge distillation.

Contribution

NetSight is a novel framework that enables continual, automatic adaptation to data shifts in network intrusion detection without manual intervention.

Findings

NetSight outperforms state-of-the-art methods with up to 11.72% F1-score improvement.

It effectively detects and adapts to distribution shifts in real-time network data.

Demonstrates robustness in dynamic network environments.

Abstract

Distribution shift, a change in the statistical properties of data over time, poses a critical challenge for deep learning anomaly detection systems. Existing anomaly detection systems often struggle to adapt to these shifts. Specifically, systems based on supervised learning require costly manual labeling, while those based on unsupervised learning rely on clean data, which is difficult to obtain, for shift adaptation. Both of these requirements are challenging to meet in practice. In this paper, we introduce NetSight, a framework for supervised anomaly detection in network data that continually detects and adapts to distribution shifts in an online manner. NetSight eliminates manual intervention through a novel pseudo-labeling technique and uses a knowledge distillation-based adaptation strategy to prevent catastrophic forgetting. Evaluated on three long-term network datasets, NetSight demonstrates superior adaptation performance compared to state-of-the-art methods that rely on manual labeling, achieving F1-score improvements of up to 11.72%. This proves its robustness and effectiveness in dynamic networks that experience distribution shifts over time.