Conformal prediction for labelling and updating online models in the presence of concept drift in cybersecurity

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Information Security and Applications Pub Date : 2025-06-14 DOI:10.1016/j.jisa.2025.104120

David Escudero García , Noemí DeCastro-García

{"title":"Conformal prediction for labelling and updating online models in the presence of concept drift in cybersecurity","authors":"David Escudero García , Noemí DeCastro-García","doi":"10.1016/j.jisa.2025.104120","DOIUrl":null,"url":null,"abstract":"<div><div>Machine learning is used for detecting malicious activity in cybersecurity contexts since it provides more adaptable models than signature-based solutions. One of the main challenges in applying machine learning to detect malicious activity is the presence of concept drift, which is a change in data distribution over time. Online models that are updated dynamically are usually applied to handle drift. However, these models require new labelled instances to be updated. Reliable labels are typically scarce, expensive to obtain, and not immediately available, which makes building an effective model difficult. In this work, we propose applying online models with conformal prediction, which provides statistical guarantees, to obtain reliable pseudo-labels to update the model and mitigate the absence of ground truth in new data. Although the use of conformal pseudo-labels produces significant improvements in some cases, these are inconsistent across datasets and models, which limits the applicability of the approach.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104120"},"PeriodicalIF":3.8000,"publicationDate":"2025-06-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625001577","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Machine learning is used for detecting malicious activity in cybersecurity contexts since it provides more adaptable models than signature-based solutions. One of the main challenges in applying machine learning to detect malicious activity is the presence of concept drift, which is a change in data distribution over time. Online models that are updated dynamically are usually applied to handle drift. However, these models require new labelled instances to be updated. Reliable labels are typically scarce, expensive to obtain, and not immediately available, which makes building an effective model difficult. In this work, we propose applying online models with conformal prediction, which provides statistical guarantees, to obtain reliable pseudo-labels to update the model and mitigate the absence of ground truth in new data. Although the use of conformal pseudo-labels produces significant improvements in some cases, these are inconsistent across datasets and models, which limits the applicability of the approach.

查看原文本刊更多论文

网络安全中存在概念漂移的在线模型标记和更新的保形预测

机器学习被用于检测网络安全环境中的恶意活动，因为它提供了比基于签名的解决方案更具适应性的模型。应用机器学习检测恶意活动的主要挑战之一是概念漂移的存在，这是数据分布随时间的变化。动态更新的在线模型通常用于处理漂移。然而，这些模型需要更新新的标记实例。可靠的标签通常是稀缺的，昂贵的，并不是立即可用的，这使得建立一个有效的模型变得困难。在这项工作中，我们建议应用具有保形预测的在线模型，它提供了统计保证，以获得可靠的伪标签来更新模型并减轻新数据中缺乏基础真值的情况。虽然使用共形伪标签在某些情况下产生了显著的改进，但这些改进在数据集和模型之间是不一致的，这限制了该方法的适用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Information Security and Applications Computer Science-Computer Networks and Communications

CiteScore

10.90

自引率

5.40%

发文量

206

审稿时长

56 days

期刊介绍： Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.