An Innovative Approach to Real-Time Concept Drift Detection in Network Security
Uccello F.; D'Antonio S.
2024-01-01
Abstract
In the realm of cybersecurity, the detection of Concept Drift holds the potential to improve the adaptability and effectiveness of security systems. In particular, Security Information and Event Management (SIEM) frameworks can benefit from real-time Drift Detection, enabling prompt detection of changing attack patterns, and consequent update of the detection criteria. To explore such an opportunity, the proposed approach extends a previously introduced SIEM solution with Concept Drift Detectors. An experimental evaluation is presented using two well-known unsupervised detectors on a merged dataset featuring Concept Drift, taking into consideration metrics such as Error Rate, Precision, Recall, and Window Average Error Rate. The results demonstrate that the integrated mechanism successfully identifies Concept Drift, triggering SIEM alerts and prompting timely updates to correlation rules. The experiment’s implications, limitations, and future directions are discussed, emphasizing the importance of continuous improvement in cybersecurity measures.