Adaptive Multi-Arm Bandit Framework for Detecting Network Intrusions in Real Time

School of Cyber Science and Engineering, Wuhan University, Wuhan, Hubei Province, 430072, China

2023302181047@whu.edu.cn

Abstract

Network intrusion detection remains a critical challenge in cybersecurity, particularly in dynamic environments with evolving attack patterns. This paper proposes an innovative Multi-Armed Bandit (MAB) framework that addresses the limitations of traditional static machine learning models by dynamically selecting and adapting among three detection algorithms: Random Forest (RF), Recurrent Neural Network, and Extreme Gradient Boosting (XGBoost) in real-time. This approach sets each machine learning model as an independent arm and uses real-time F1-scores as rewards for optimal arm selection. Evaluations on the CIC-IDS2017 dataset demonstrate the framework's good performance, achieving an exceptional F1-score of 0.969 and accuracy of 0.943, significantly outperforming both random selection (F1: 0.939) and static Random Forest (F1: 0.950) approaches. Among various MAB algorithms tested, Thompson Sampling (TS) exhibited the strongest performance with an F1-score of 0.963 and accuracy of 0.941, demonstrating remarkable effectiveness in balancing exploration-exploitation trade-offs. The framework's consistent performance across multiple datasets (including CIC-IDS2018, UNSW-NB15, and NSL-KDD) confirms its robustness and generalization capability, suggesting substantial potential for real-world deployment in complex network environments. These results highlight the MAB framework's adaptive advantages and position it as a promising solution for next-generation intrusion detection systems.