AB-HT: An Ensemble Incremental Learning Algorithm for Network Intrusion Detection Systems
Authors: Mahendra Data, M. Aritsugi
Venue: 2022 International Conference on Data Science and Its Applications (ICoDSA)
Publication date: 2022-07-06
DOI: 10.1109/ICoDSA55874.2022.9862833 (https://doi.org/10.1109/ICoDSA55874.2022.9862833)
Most machine learning models used in network intrusion detection system (IDS) studies are batch models which require all targeted intrusions to be present in the training data. This approach is slow because computer networks produce massive amounts of data. Furthermore, new network intrusion variants continuously emerge. Retraining the model using these extensive and evolving data takes time and resources. This study proposes AB-HT: an ensemble incremental learning algorithm for IDSs. AB-HT utilizes incremental Adaptive Boosting (AdaBoost) and Hoeffding Tree algorithms. The AB-HT model could detect new intrusions without retraining the model using old training data. Thus, it could reduce the computational resources needed to retrain the model while maintaining the model’s performance. We compared it to an AdaBoost-Decision Tree model, a batch learning model, to analyze the effectiveness of the incremental learning approach. Then we compared it to other incremental learning models, the Hoeffding Tree (HT) and Hoeffding Anytime Tree (HATT) models. The experimental results showed that the proposed incremental model had shorter training times than the AdaBoost-Decision Tree model in the long run. Also, on average, the AB-HT model has 18% higher F1-score values than the HT and HATT models. These advantages show that the AB-HT algorithm has promising potential to be used in the IDS field.