ADAM & RAL: Adaptive Memory Learning and Reinforcement Active Learning for Network Monitoring

Abstract : Network-traffic data commonly arrives in the form of fast data streams; online network-monitoring systems continuously analyze these kinds of streams, sequentially collecting measurements over time. Continuous and dynamic learning is an effective learning strategy when operating in these fast and dynamic environments, where concept drifts constantly occur. In this paper, we propose different approaches for stream-based machine learning, able to analyze network-traffic streams on the fly, using supervised learning techniques. We address two major challenges associated to stream-based machine learning and online network monitoring: (i) how to dynamically learn from and adapt to non-stationary data and patterns changing over time, and (ii) how to deal with the limited availability of ground truth or labeled data to continuously tune a supervised learning model. We introduce ADAM & RAL, two stream-based machine-learning approaches to tackle these challenges. ADAM implements multiple stream-based machine-learning models and relies on an adaptive memory strategy to dynamically adapt the size of the system's learning memory to the most recent data distribution, triggering new learning steps when concept drifts are detected. RAL implements a stream-based active-learning strategy to reduce the amount of labeled data needed for stream-based learning, dynamically deciding on the most informative samples to integrate into the continuous learning scheme. Using a reinforcement learning loop, RAL improves prediction performance by additionally learning from the goodness of its previous sample-selection decisions. We focus on a particularly challenging problem in network monitoring: continuously tuning detection models able to recognize network attacks over time. By continuously learning from and detecting concept drifts within real network measurements, we show that ADAM & RAL can continuously achieve high detection accuracy and limit the amount of training data needed to detect attacks over dynamic network data streams.
Complete list of metadatas

Cited literature [35 references]  Display  Hide  Download

https://hal.archives-ouvertes.fr/hal-02301393
Contributor : Sarah Wassermann <>
Submitted on : Monday, September 30, 2019 - 1:54:20 PM
Last modification on : Thursday, October 3, 2019 - 1:14:28 AM
Long-term archiving on: Monday, February 10, 2020 - 5:36:22 AM

File

cnsm_2019.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-02301393, version 1

Citation

Sarah Wassermann, Thibaut Cuvelier, Pavol Mulinka, Pedro Casas. ADAM & RAL: Adaptive Memory Learning and Reinforcement Active Learning for Network Monitoring. 15th International Conference on Network and Service Management (CNSM), IFIP, Oct 2019, Halifax, Canada. ⟨hal-02301393⟩

Share

Metrics

Record views

51

Files downloads

64