King's College London

Research portal

INSOMNIA: Towards Concept-Drift Robustness in Network Intrusion Detection

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review

Giuseppina Andresini, Feargus Pendlebury, Fabio Pierazzi, Corrado Loglisci, Annalisa Appice, Lorenzo Cavallaro

Original languageEnglish
Title of host publicationProceedings of the 14th ACM Workshop on Artificial Intelligence and Security (AISec)
Accepted/In press8 Sep 2021


  • insomnia

    insomnia.pdf, 1.38 MB, application/pdf

    Uploaded date:30 Sep 2021

    Version:Accepted author manuscript

King's Authors


Despite decades of research in network traffic analysis and incredible advances in artificial intelligence, network intrusion detection systems based on machine learning (ML) have yet to prove their worth. One core obstacle is the existence of concept drift, an issue for all adversary-facing security systems. Additionally, specific challenges set intrusion detection apart from other ML-based security tasks, such as malware detection.

In this work, we offer a new perspective on these challenges. We propose INSOMNIA, a semi-supervised intrusion detector which continuously updates the underlying ML model as network traffic characteristics are affected by concept drift. We use active learning to reduce latency in the model updates, label estimation to reduce labeling overhead, and apply explainable AI to better interpret how the model reacts to the shifting distribution.

To evaluate INSOMNIA, we extend TESSERACT—a framework originally proposed for performing sound time-aware evaluations of ML-based malware detectors—to the network intrusion domain. Our evaluation shows that accounting for drifting scenarios is vital for effective intrusion detection systems.

Download statistics

No data available

View graph of relations

© 2020 King's College London | Strand | London WC2R 2LS | England | United Kingdom | Tel +44 (0)20 7836 5454