The paper introduces NOCTOWL, an online, interpretable network intrusion detection system designed for streaming environments subject to distributional shifts, with delayed and partial label availability. The method combines the inherently explainable structure of a decision tree with a clustering-based strategy to create interpretable data partitions and incrementally adjust them in response to distribution shifts. The model further incorporates selective sampling to adapt to evolving distributions while preventing unnecessary growth. Experiments on five benchmark datasets simulating realistic operating conditions demonstrate that NOCTOWL achieves competitive performance compared to state-of-the-art systems, while maintaining robustness under constrained annotation budgets.

NOCTOWL: Adaptive Tree-Based Model for Network Anomaly Detection Under Delayed and Sampled Label Availability / Pederzoli, S.; Paganelli, M.; Contalbo, M. L.; Benassi, R.; Tiano, D.; Iannucci, S.; Guerra, F.. - In: IEEE ACCESS. - ISSN 2169-3536. - 13:(2025), pp. 197899-197911. [10.1109/ACCESS.2025.3633419]

NOCTOWL: Adaptive Tree-Based Model for Network Anomaly Detection Under Delayed and Sampled Label Availability

Pederzoli S.; Paganelli M.; Contalbo M. L.; Benassi R.; Tiano D.; Guerra F.
2025

English
Transformers; Data models; Network intrusion detection; Concept drift; Autoencoders; Training; Computer architecture; Robustness; Anomaly detection; network intrusion detection systems; time series analysis
open
Journal contribution::Journal article
   Panacea: A Model-Based Framework for Self-Protecting Systems
   Panacea
   MUR
   Progetti di Ricerca di Rilevante Interesse Nazionale (PRIN) 2022
   2022Y45XE3
Files in this item:
NOCTOWL_Adaptive_Tree-Based_Model_for_Network_Anomaly_Detection_Under_Delayed_and_Sampled_Label_Availability.pdf

Open access

Type: VOR - Version published by the publisher
License: [IR] creative-commons
Size: 1.29 MB
Format: Adobe PDF
Creative Commons License
The metadata in IRIS UNIMORE are released under the Creative Commons CC0 1.0 Universal license, while the publication files are released under the Attribution 4.0 International (CC BY 4.0) license, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11380/1391549