Title: Addressing Concept Drift in IoT Anomaly Detection: Drift Detection, Interpretation, and Adaptation
Authors: Lijuan Xu; Ziyu Han; Dawei Zhao; Xin Li; Fuqiang Yu; Chuan Chen
Journal: IEEE Transactions on Sustainable Computing, vol. 9, no. 6, pp. 913-924
DOI: 10.1109/TSUSC.2024.3386667
URL: https://ieeexplore.ieee.org/document/10509631/
Publication date: 2024-04-26
Publication type: Journal Article
Impact factor: 3.0
JCR: Q2 (COMPUTER SCIENCE, HARDWARE & ARCHITECTURE)
Region: 3 (Computer Science)
Open access: no
Source platform: Semanticscholar
Citations: 0
Abstract
Anomaly detection plays a vital role as a crucial security measure for edge devices in Artificial Intelligence and Internet of Things (AIoT). With the rapid development of IoT (Internet of Things), changes in system configurations and the introduction of new devices can lead to significant alterations in device relationships and data flows within the IoT, thereby triggering concept drift. Previously trained anomaly detection models fail to adapt to the changed distribution of streaming data, resulting in a high number of false positive events. This paper aims to address the issue of concept drift in IoT anomaly detection by proposing a comprehensive Concept Drift Detection, Interpretation, and Adaptation framework (CDDIA). We focus on accurately capturing the concept drift of normal data in unsupervised scenarios. To interpret drift samples, we integrate a search optimization algorithm and the SHAP method, providing a comprehensive interpretation of drift samples at both the sample and feature levels. Simultaneously, by utilizing the sample-level interpretation results for filtering new and old samples, we retrain the anomaly detection model to mitigate the impact of concept drift and reduce the false positive rate. This integrated strategy demonstrates significant advantages in maintaining model stability and reliability. The experimental results indicate that our method outperforms five baseline methods in adaptability across three datasets and provides interpretability for samples experiencing concept drift.