Concept drift can severely undermine the reliability of streaming Intrusion Detection Systems (IDS), especially in realistic network traffic where changes are gradual, recurring, and often masked by noise and class imbalance. Widely used statistical drift detectors such as ADWIN provide theoretical guarantees, yet in practice they can exhibit sensitivity oscillations, delayed adaptation under subtle drift, and disruptive reset behavior that leads to prolonged performance dips. This paper presents Trinity-Controller ADWIN, a unified drift-management framework that fuses three complementary signals: a Volatility Controller (VC) for statistically grounded drift detection, an Adaptive Rate Controller (ARC) that dynamically regulates ADWIN sensitivity, and a Performance-Based Controller (PBC) that monitors an Exponential Moving Average (EMA) of online accuracy to detect sustained model degradation. The proposed framework is evaluated using a Hoeffding Adaptive Tree classifier on a time-ordered streaming reconstruction of CICIDS2017, reflecting realistic temporal drift patterns. Across multiple drift regions, Trinity-Controller ADWIN achieves higher long-horizon accuracy stability, faster post-drift recovery, and fewer unnecessary resets than fixed ADWIN, VC-only, and VC+ARC baselines. Notably, in several drift segments the framework preserves post-drift accuracy above 90% of baseline while demonstrating near-zero recovery delay, indicating that adaptation occurs with minimal disruption. Overall, the results show that combining statistical drift evidence with direct performance-aware feedback yields a more robust and operationally reliable streaming IDS under evolving traffic conditions.
Copyrights © 2026