Enhancing network intrusion detection by lifelong active online learning

Machine learning has been widely used to build intrusion detection models in detecting unknown attack traffic. How to train a model properly in order to attain the desired intrusion detection is an important topic. In contrast to offline learning, online learning proves more practical as it can update models simultaneously in the detecting process to comply with real network traffic. Active learning is an effective way to realize online learning. Among existing active learning mechanisms proposed to perform intrusion detection, most fail to meet the real online environment or to run persistently. This paper presents a new active online learning mechanism to secure better intrusion detection performance. The new mechanism advances related works in bringing the lifelong learning practice to fit in the online environment. It uses the efficient random forest (RF) as the detection model to train samples and adds a new tree to train a new batch of data when updating the model at each online stage, to pursue lifelong learning. By training a new batch of data only, it can keep the previously trained weights from being updated so as to preserve the past knowledge. Our mechanism is experimentally proved to yield better overall results than existing mechanisms: It produces superior training efficiency and detection performance-with the least training time, best training data quality and much reduced training data quantity.