Saihua Cai , Han Tang , Jinfu Chen , Yikai Hu , Wuhao Guo
Record metadata (the Chinese-language title in the record, CDDA-MD:基于概念漂移检测和适应技术的高效恶意流量检测方法, translates to the same English title given below):
DOI: 10.1016/j.cose.2024.104121
Journal: Computers & Security, volume 148, Article 104121
Publication date: 2024-09-18
Publication type: Journal Article
Journal impact factor: 4.8; JCR quartile Q1 (Computer Science, Information Systems); CAS region 2 (Computer Science)
Open access: no
Citation count (at time of indexing): 0
Indexing platform: Semantic Scholar
Publisher URL: https://www.sciencedirect.com/science/article/pii/S0167404824004267
CDDA-MD: An efficient malicious traffic detection method based on concept drift detection and adaptation technique
With the rapid development of the network environment, cyber attacks have become one of the major threats to network security, and maintaining network security requires accurate detection of the malicious traffic generated by cyber attacks. However, due to the dynamic nature of network behavior, the data distribution in network traffic may change over time, i.e., the concept drift phenomenon appears, and the emergence of concept drift causes existing malicious traffic detection models to suffer from decreased detection efficiency. To address this challenge, we propose a Concept Drift Detection and Adaptation-based Malicious traffic Detection method called CDDA-MD. Firstly, the network traffic is segmented using a sliding window technique and the data samples are analyzed on the basis of each window. Then, a long short-term memory network (LSTM) is utilized to capture the long-term dependencies in the time-series features of network traffic; at the same time, a multi-head self-attention mechanism is introduced to assign larger weights to the important features. Moreover, we replace the ReLU activation function in the LSTM with Tanh to overcome the neuron "death" problem, and replace the Adam optimizer with Nadam to accelerate convergence, thereby improving the detection performance. Next, concept drift is detected based on the idea of error rate, and the detected concept drift data is used for incremental learning so that the model adapts to the current network environment. Finally, based on the detected concept drift, malicious traffic detection operations are performed to effectively maintain the security of cyberspace. Experiments on four network traffic datasets show that, compared with existing state-of-the-art methods, the proposed CDDA-MD method improves the F1-measure by 0.3%, 1.2%, 1.16% and 1.9%, and the TPR by 0.25%, 1.1%, 1.44% and 1.72%, respectively; it also has better stability.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.