Journal of Embedded Systems, Security and Intelligent Systems
Vol 6, No 3 (2025): September 2025

Analyzing the Impact of Data Filtering on Anomaly Detection under Distribution Shift Conditions

Talasari, Resky Ayu Dewi (Unknown)
Ayutri Wahyuni (Unknown)



Article Info

Publish Date
22 Oct 2025

Abstract

One of the main challenges in anomaly detection for Windows Event Logs and Sysmon is distribution shift, where changes in data distribution invalidate the model's learned normality reference. This study evaluates how data filtering, which sets the value boundaries classified as normal, affects the model's ability to handle distribution shifts across three experimental scenarios. This research is among the first to systematically quantify the trade-off between filtering efficiency and model adaptability across varying magnitudes of distribution shift in anomaly detection systems. The experimental design employs three scenarios: Scenario 1 evaluates filtering under complete cross-environment shift, using Dataset A for training and Dataset B for testing; Scenario 2 examines filtering with partial Dataset B training data; and Scenario 3 validates model adaptability without filtering constraints. The goal is to determine whether filtering improves performance under small, adaptable shifts and to measure its impact under large shifts that push the distribution far from the initial training data. Shift magnitude is measured using Jensen-Shannon divergence and Hellinger distance, followed by evaluation of model performance through precision, recall and F1-score. Results show that filtering can help for minor shifts but substantially impairs adaptation under large distributional changes: filtered models remain constrained by prior baseline behavior and fail to learn new patterns, while unfiltered models adapt successfully and maintain accurate detection. These findings have critical implications for designing adaptive anomaly detection systems in dynamic operational environments where changes frequently alter normal behavior patterns. Future approaches should incorporate adaptive filtering mechanisms that dynamically adjust baseline boundaries rather than relying solely on static training data distributions.

Copyrights © 2025






Journal Info

Abbrev

JESSI

Subject

Computer Science & IT

Description

The Journal of Embedded System Security and Intelligent System (JESSI), ISSN/e-ISSN 2745-925X/2722-273X covers all topics of technology in the field of embedded system, computer and network security, and intelligence system as well as innovative and productive ideas related to emerging technology ...