Trinity-Controller ADWIN: An Accuracy Guided Sensitivity Control Framework for Streaming Intrusion Detection
DOI:
https://doi.org/10.63158/journalisi.v8i1.1421Keywords:
Streaming Intrusion Detection Systems, Concept Drift, ADWIN, Adaptive Learning, CIC-IDS2017, Real-Time CybersecurityAbstract
Concept drift can severely undermine the reliability of streaming Intrusion Detection Systems (IDS), especially in realistic network traffic where changes are gradual, recurring, and often masked by noise and class imbalance. Widely used statistical drift detectors such as ADWIN provide theoretical guarantees, yet in practice they can exhibit sensitivity oscillations, delayed adaptation under subtle drift, and disruptive reset behavior that leads to prolonged performance dips. This paper presents Trinity-Controller ADWIN, a unified drift-management framework that fuses three complementary signals: a Volatility Controller (VC) for statistically grounded drift detection, an Adaptive Rate Controller (ARC) that dynamically regulates ADWIN sensitivity, and a Performance-Based Controller (PBC) that monitors an Exponential Moving Average (EMA) of online accuracy to detect sustained model degradation. The proposed framework is evaluated using a Hoeffding Adaptive Tree classifier on a time-ordered streaming reconstruction of CICIDS2017, reflecting realistic temporal drift patterns. Across multiple drift regions, Trinity-Controller ADWIN achieves higher long-horizon accuracy stability, faster post-drift recovery, and fewer unnecessary resets than fixed ADWIN, VC-only, and VC+ARC baselines. Notably, in several drift segments the framework preserves post-drift accuracy above 90% of baseline while demonstrating near-zero recovery delay, indicating that adaptation occurs with minimal disruption. Overall, the results show that combining statistical drift evidence with direct performance-aware feedback yields a more robust and operationally reliable streaming IDS under evolving traffic conditions.
Downloads
References
[1] N. Malathy et al., “Real-time intrusion detection in IIoT stream data using window-based weighted ensemble techniques,” SN Comput. Sci., vol. 6, no. 1, p. 66, 2025.
[2] M. A. Shyaa et al., “Evolving cybersecurity frontiers: A comprehensive survey on concept drift and feature dynamics aware machine and deep learning in intrusion detection systems,” Eng. Appl. Artif. Intell., vol. 137, p. 109143, 2024.
[3] M. Antonijevic et al., “Intrusion detection in metaverse environment Internet of Things systems by metaheuristics-tuned two-level framework,” Sci. Rep., vol. 15, no. 1, p. 3555, 2025.
[4] F. Jemili, K. Jouini, and O. Korbaa, “Intrusion detection based on concept drift detection and online incremental learning,” Int. J. Pervasive Comput. Commun., vol. 21, no. 1, pp. 81–115, 2025.
[5] K. M. K. Kumar, M. V. S. Reddy, and K. Ullas, “Distributed intrusion detection system using Kafka and Spark streaming,” in Proc. 2025 Int. Conf. Visual Analytics and Data Visualization (ICVADV). IEEE, 2025.
[6] R. Sebopelo, “Adaptive-delta ADWIN for balancing sensitivity and stability in streaming IDS,” J. Inf. Syst. Informat., vol. 7, pp. 2876–2897, Sep. 2025.
[7] N. Gunasekara et al., “Recurrent concept drifts on data streams,” in Proc. Int. Joint Conf. Artif. Intell. (IJCAI), 2024.
[8] C. M. Garcia et al., “Concept drift adaptation in text stream mining settings: A systematic review,” ACM Trans. Intell. Syst. Technol., vol. 16, no. 2, pp. 1–67, 2025.
[9] L. Hu, Y. Lu, and Y. Feng, “Concept drift detection based on deep neural networks and autoencoders,” Appl. Sci., vol. 15, no. 6, p. 3056, 2025.
[10] D. Shang, G. Zhang, and J. Lu, “Novelty-aware concept drift detection for neural networks,” Neurocomputing, vol. 617, p. 128933, 2025.
[11] R. Marpu and B. Manjula, “Streaming machine learning algorithms with streaming big data systems,” Braz. J. Develop., vol. 10, no. 1, pp. 322–339, 2024.
[12] P. Lu et al., “Early concept drift detection via prediction uncertainty,” in Proc. AAAI Conf. Artif. Intell., vol. 39, no. 18, 2025.
[13] B. Gower-Winter et al., “Identifying predictions that influence the future: Detecting performative concept drift in data streams,” in Proc. AAAI Conf. Artif. Intell., vol. 39, no. 11, 2025.
[14] U. Ali and T. Mahmood, “A novel framework for concept drift detection using autoencoders for classification problems in data streams,” Int. J. Mach. Learn. Cybern., vol. 16, no. 1, pp. 397–418, 2025.
[15] A. Kraus and H. van der Aa, “Machine learning-based detection of concept drift in business processes,” Process Sci., vol. 2, no. 1, pp. 1–26, 2025.
[16] P. Porwik et al., “A novel method for drift detection in streaming data based on measurement of changes in feature ranks,” J. Artif. Intell. Soft Comput. Res., vol. 15, 2025.
[17] X. Li and Q. Gu, “Understanding SGD with exponential moving average: A case study in linear regression,” arXiv preprint arXiv:2502.14123, 2025.
[18] O. Madani, “Sparse moving averages for lifelong open-ended probabilistic prediction,” in Proc. 2025 ACM Int. Workshop Security and Privacy Analytics, 2025.
[19] G. Bandarupalli, “Efficient deep neural network for intrusion detection using CIC-IDS-2017 dataset,” in Proc. 2025 1st Int. Conf. Adv. Comput. Sci., Electr., Electron. Commun. Technol. (CE2CT). IEEE, 2025.
[20] R. Dube, “Faulty use of the CIC-IDS2017 dataset in information security research,” J. Comput. Virol. Hack. Tech., vol. 20, no. 1, pp. 203–211, 2024.
[21] D. K. Putra et al., “Comparative analysis of machine learning algorithms in detecting DDoS attacks on CICIDS2017 dataset,” J. Intell. Syst. Inf. Technol., vol. 2, no. 2, 2025.
[22] A. Esteban, A. Zafra, and S. Ventura, “MIHT: A Hoeffding tree for time series classification using multiple instance learning,” in Proc. Int. Conf. Intell. Data Eng. Autom. Learn. (IDEAL). Cham, Switzerland: Springer, 2025.
[23] H. I. Bensaoula and S. N. Bahloul, “Enhanced green accelerated Hoeffding trees for improved data stream classification,” Comput. Sci. J. Moldova, vol. 98, no. 2, pp. 159–187, 2025.
[24] A. Gupta and S. Babu, “Real-time transaction fraud detection using adaptive Hoeffding trees for concept-drift resilience,” Int. J. Comput. Model. Appl., vol. 2, no. 3, pp. 1–8, 2025.
[25] K. Köbschall, L. Hartung, and S. Kramer, “Adaptive differentiable trees for transparent learning on data streams,” Mach. Learn., vol. 114, no. 11, p. 253, 2025.
[26] J. V. Guerrero Cano, G. J. Aguiar, and A. Cano, “Anticipating to change: A proactive approach for concept drift adaptation in data streams,” Mach. Learn., vol. 115, no. 1, p. 3, 2026.
[27] D. Joshi and M. Shukla, “A pre-emptive resilient ML approach for drift detection in real-time stream data,” in Proc. 2025 Artif. Intell. Smart Technol. Sustainability Conf. (AISTS). IEEE, 2025.
[28] F. Pizarro et al., “Low-overhead learning: Quantized shallow neural networks at the service of genetic algorithm optimization,” Biomimetics, vol. 10, no. 11, p. 762, 2025.
[29] M. Liu et al., “LiedNet: A lightweight network for low-light enhancement and deblurring,” IEEE Trans. Circuits Syst. Video Technol., 2025.
[30] V. Jain and A. Mitra, “Real-time threat detection in cybersecurity: Leveraging machine learning algorithms for enhanced anomaly detection,” in Machine Intelligence Applications in Cyber-Risk Management. Hershey, PA, USA: IGI Global, 2025, pp. 315–344.
[31] S. Antony Joseph Raj and M. Madiajagan, “HAMC-ID: Hybrid attention-based meta-classifier for intrusion detection,” Sci. Rep., 2025.
[32] J. Igual et al., “Linear adaptive filtering for regression in data streams,” Int. J. Data Sci. Anal., pp. 1–16, 2025.
[33] A. M. Paim et al., “Efficient instance selection in tree-based models for data streams classification,” in Proc. 40th ACM/SIGAPP Symp. Appl. Comput. (SAC), 2025.
[34] R. Morshedi and S. M. Matinkhah, “Intrusion detection in IoT using deep recurrent neural networks: A complex network approach to modeling emergent cyberattack behaviors,” Complexity, vol. 2025, p. 9693472, 2025.
[35] Z. I. Khan, M. M. Afzal, and K. N. Shamsi, “A comprehensive study on CIC-IDS2017 dataset for intrusion detection systems,” Int. Res. J. Adv. Eng. Hub, vol. 2, no. 2, pp. 254–260, 2024.
[36] M. Arcos-Argudo, R. Bojorque, and A. Torres, “A deterministic comparison of classical machine learning and hybrid deep representation models for intrusion detection on NSL-KDD and CICIDS2017,” Algorithms, vol. 18, no. 12, p. 749, 2025.
[37] J. Li et al., “Concept drift adaptation by exploiting drift type,” ACM Trans. Knowl. Discov. Data, vol. 18, no. 4, pp. 1–22, 2024.
[38] S. Senthilkumar and S. K. Balasubramanian, “Advancing multi-class intrusion detection: A comparative evaluation of LSTM and Bi-LSTM on class-imbalanced CIC-IDS-2017,” Turk. J. Eng., vol. 9, no. 3, pp. 578–590, 2025.
[39] M. E. Sobhani, A. T. Rodela, and D. M. Farid, “Adaptive TreeHive: Ensemble of trees for enhancing imbalanced intrusion classification,” PLOS ONE, vol. 20, no. 9, e0331307, 2025.
[40] Z. A. Sheikh et al., “Generalizability assessment of learning-based intrusion detection systems for IoT security: Perspectives of data diversity,” Secur. Privacy, vol. 8, no. 2, e70014, 2025.
[41] S. Alzu, F. Stahl, and M. Al-Khafajiy, “Detect, decide, explain: An intelligent framework for zero-day network attack detection,” in Proc. Int. Conf. Innovative Techniques and Applications of Artificial Intelligence. Cham, Switzerland: Springer, 2025.
[42] T. Luo and R. Li, “A dynamic hidden state correction and feedback-driven online adaptation framework for network intrusion detection,” in Proc. 2025 Asia–Europe Conf. Cybersecurity, Internet of Things and Soft Computing (CITSC). IEEE, 2025.
[43] G. R. Devi et al., “A machine learning approach to real-time network attack identification,” in Proc. 2025 9th Int. Conf. Inventive Systems and Control (ICISC). IEEE, 2025.
[44] D. Lukats et al., “A benchmark and survey of fully unsupervised concept drift detectors on real-world data streams,” Int. J. Data Sci. Anal., vol. 19, no. 1, pp. 1–31, 2025.
[45] S. Arora, R. Rani, and N. Saxena, “A systematic review on detection and adaptation of concept drift in streaming data using machine learning techniques,” WIREs Data Min. Knowl. Discov., vol. 14, no. 4, e1536, 2024.
[46] F. Sharief et al., “Multi-class imbalanced data handling with concept drift in fog computing: A taxonomy, review, and future directions,” ACM Comput. Surv., vol. 57, no. 1, pp. 1–48, 2024.
[47] N. Harshit and K. Mounvik, “Improving real-time concept drift detection using a hybrid transformer-autoencoder framework,” arXiv preprint arXiv:2508.07085, 2025.
[48] V. Agate et al., “Enhancing IoT network security with concept drift-aware unsupervised threat detection,” in Proc. IEEE Symp. Computers and Communications (ISCC), 2024.
[49] S. Seth, K. K. Chahal, and G. Singh, “Concept drift-based intrusion detection for evolving data stream classification in IDS: Approaches and comparative study,” Comput. J., vol. 67, no. 7, pp. 2529–2547, 2024.
[50] S. Yang et al., “Recda: Concept drift adaptation with representation enhancement for network intrusion detection,” in Proc. 30th ACM SIGKDD Conf. Knowledge Discovery and Data Mining (KDD), 2024.
[51] A. S. Chamkar, Y. Maleh, and N. Gherabi, “Security operation center,” in The Art of Cyber Defense: From Risk Assessment to Threat Intelligence, 2024, p. 271.
[52] L. Zhao and Y. Shen, “Proactive model adaptation against concept drift for online time series forecasting,” in Proc. 31st ACM SIGKDD Conf. Knowledge Discovery and Data Mining, vol. 1, 2025.
[53] K. Wan, Y. Liang, and S. Yoon, “Online drift detection with maximum concept discrepancy,” in Proc. 30th ACM SIGKDD Conf. Knowledge Discovery and Data Mining (KDD), 2024.
[54] K. Wang et al., “TS-DM: A time segmentation-based data stream learning method for concept drift adaptation,” IEEE Trans. Cybern., 2024.
[55] V. Sharma and M. Kumar, “Improving intrusion detection with hybrid deep learning models: A study on CIC-IDS2017, UNSW-NB15, and KDD CUP 99,” J. Inf. Syst. Eng. Manag., vol. 10, 2025.
[56] F. Hinder, V. Vaquet, and B. Hammer, “One or two things we know about concept drift—A survey on monitoring in evolving environments. Part A: Detecting concept drift,” Front. Artif. Intell., vol. 7, p. 1330257, 2024.
[57] M. Cantone, C. Marrocco, and A. Bria, “On the cross-dataset generalization of machine learning for network intrusion detection,” arXiv preprint arXiv:2402.10974, 2024.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Journal of Information Systems and Informatics
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights
