CD-AHAL: A Concept Drift-Aware Hybrid Active Learning Framework for Network Intrusion Detection

Phuoc Anh Dung Nguyen, Viet Hung Nguyen, Van Thang Tran, Van Quy Hoang, Tat Thang Nguyen, Thien Huy Le, Huong Bui

Authors

  • Phuoc Anh Dung Nguyen Faculty of Information Technology, HUTECH University, 475A Dien Bien Phu Street, Thanh My Tay Ward, Ho Chi Minh City, Viet Nam https://orcid.org/0009-0000-8881-7143
  • Viet Hung Nguyen Faculty of Information Technology, HUTECH University, 475A Dien Bien Phu Street, Thanh My Tay Ward, Ho Chi Minh City, Viet Nam
  • Van Thang Tran Faculty of Information Technology, HUTECH University, 475A Dien Bien Phu Street, Thanh My Tay Ward, Ho Chi Minh City, Viet Nam
  • Van Quy Hoang Thuy Loi University (TLU), 175 Tay Son Street, Kim Lien Ward, Ha Noi, Viet Nam
  • Tat Thang Nguyen GEO IT Center, VNPT Information Technology Company, VNPT Group, VNPT Tower, 57 Huynh Thuc Khang Street, Lang Ward, Ha Noi, Viet Nam https://orcid.org/0009-0004-1067-9800
  • Thien Huy Le Hoa Sen College, Lot 11, Street No. 5, Quang Trung Software City, Trung My Tay Ward, Ho Chi Minh City, Viet Nam
  • Huong Bui Faculty of Information Technology, HUTECH University, 475A Dien Bien Phu Street, Thanh My Tay Ward, Ho Chi Minh City, Viet Nam https://orcid.org/0000-0003-4838-1538

DOI:

https://doi.org/10.15625/1813-9663/24229

Keywords:

Network intrusion detection, IoT security, CD-AHAL, CNN–GRU–Attention, Class imbalance, Concept drift, Active learning

Abstract

This paper addresses the challenges posed by the proliferation of IoT devices, which has expanded cyber attack surfaces that change continuously over time (concept drift). Traditional Network Intrusion Detection Systems (NIDS) often suffer severe performance degradation when facing novel attacks because they lack adaptability. The paper introduces CD-AHAL, a hybrid security framework that integrates a CNN–BiGRU–Attention deep learning architecture with an uncertainty-aware active learning strategy and employs an automatic labeling mechanism via a simulated Oracle. The system is evaluated in two stages: (1) offline training to establish a foundational knowledge base; and (2) online evaluation on a synthetic data stream exhibiting concept drift. To demonstrate comprehensive effectiveness, we compare CD-AHAL against three baseline architectural variants, CNN-GRU, CNN-Attention, and GRU-Attention, each operating in a static (non-updating) mode. Experimental results show that while static models suffer from accuracy degradation in changing environments, CD-AHAL is capable of autonomously detecting drift and rapidly recovering performance, thereby maintaining superior average Accuracy and F1-Score.

Published

15-06-2026

How to Cite

[1] P. A. D. Nguyen, “CD-AHAL: A Concept Drift-Aware Hybrid Active Learning Framework for Network Intrusion Detection”, J. Comput. Sci. Cybern., Jun. 2026.

Section

Articles