Title :
Quantifying concept drifting in network traffic using ROC curves from Naive Bayes classifiers
Author :
Singh, Mrigendra Pratap
Author_Institution :
Inf. PROTECTION & Bus. RESILIENCE, KPMG GLOBAL SERVICES PVT Ltd., Bangalore, India
Abstract :
Concept drifting poses a real challenge for network models which depend on statistical heuristics learned from the data stream, for example Anomaly Based Detection/Prevention Systems. These models tend to become inconsistent over a period of time as the underlying data stream, such as network traffic, tends to change and is affected by the evolution of concept drift. Change in network traffic pattern is inevitable; it impacts enterprises which are dynamic in nature, especially cloud-centric enterprises. These changes in the network pattern can be of short duration or they can persist for a longer time. Change in network traffic pattern is not always because of malicious activity; changes can be benign and thus impact the performance of the IDS/IPS model. There is a need to quantify concept drifts and incorporate them in the model. In this paper we have proposed a supervised learning model to quantify the concept drift in the network traffic. The proposed model uses adaptive learning strategies with a fixed training window to constantly evolve the model. Classification of data is done by a Naive Bayes classifier. The ROC curve generated from Naive Bayes classifiers has been used as a de facto method for identifying concept drift. Classifications have been carried out on the entire dataset and also on specific flow attributes like source IP, destination IP, source port, destination port, flags and protocols. In this paper we demonstrate the capabilities of the proposed model to identify drift in the network pattern and also which flow attributes have contributed to concept drifting using the ROC curve.
Keywords :
Bayes methods; learning (artificial intelligence); pattern classification; protocols; security of data; IDS/IPS model; ROC curves; adaptive learning strategies; anomaly based detection system; anomaly based prevention system; cloud-centric enterprises; concept drifting quantification; data classification; data stream; destination IP; destination port; fixed training window; flags; flow attributes; naive Bayes classifiers; network traffic pattern; protocols; source IP; source port; statistical heuristics; supervised learning model; Adaptation models; Conferences; Data mining; Ports (Computers); Protocols; Telecommunication traffic; Training; Classifiers; Concept Drift; Naive Bayes; Network Traffic; ROC Curve;
Conference_Title :
Engineering (NUiCONE), 2013 Nirma University International Conference on
Conference_Location :
Ahmedabad
Print_ISBN :
978-1-4799-0726-7
DOI :
10.1109/NUiCONE.2013.6780066