Revealing the Frailty of Static Benchmarks: The DyNA-IDS Framework for Concept Drift Adaptation in Time-Series Network Intrusion Detection
摘要
While many machine learning-based Network Intrusion Detection Systems (NIDS) have demonstrated near-perfect classification accuracy on static datasets, this “static perfection” often masks their inherent fragility when confronting continuously evolving, real-world cyber threats. When the evaluation paradigm shifts from static cross-validation to more realistic time-series scenarios, the performance of these models undergoes catastrophic degradation due to the presence of “concept drift.” To address the adaptability challenge of static models in dynamic environments, this paper proposes a novel dynamic dual-autoencoder framework—DyNA-IDS—capable of efficient online learning and self-adaptation in non-stationary data streams. The core of this framework is a unique, unsupervised drift detection module composed of a “benchmark autoencoder” (trained on benign traffic) and a “drift autoencoder” (trained on attack traffic) operating in parallel. Innovatively discarding traditional fixed-threshold methods, it instead utilizes a dual-stream parallel Kolmogorov-Smirnov (K-S) test mechanism. This approach continuously monitors the distribution of the reconstruction error difference between the two autoencoders across both long and short time scales, enabling the synchronous and highly sensitive perception of both gradual and sudden drifts. Once a drift is confirmed, a composite loss function, which includes an elastic regularization term, guides the entire framework through an incremental joint training process. This serves to effectively mitigate catastrophic forgetting while adapting to new attack patterns. Experimental results on a large-scale, public time-series network traffic dataset show that DyNA-IDS exhibits exceptional performance on dynamic data streams, achieving an average F1-score of 0.996 and significantly outperforming static models as well as multiple classic baseline drift detection methods. This research not only provides a robust, end-to-end framework for addressing concept drift in NIDS but also highlights the importance of evaluating models in dynamic environments, offering a solid theoretical and practical foundation for building truly resilient, next-generation cybersecurity systems. The source code is available at: https://github.com/GZHU-Innovation-Intersection-Lab/DyNA-IDS .