FIRCE: A Framework for Intrusion Response and Conformal Evaluation
For network security practitioners, FIRCE provides a robust method to handle concept drift in intrusion detection systems, improving responsiveness to evolving threats.
FIRCE augments supervised IDS classifiers with conformal evaluation-based uncertainty quantification and drift detection, introducing an Approximate Cross-Conformal Evaluator and adaptive chunking. On a custom IoT testbed and benchmark datasets, it enables efficient drift detection and model retraining.
Machine learning-based intrusion detection systems deployed in real-world environments frequently suffer from model degradation due to concept drift, where changes in traffic patterns invalidate training assumptions. To address this, we present FIRCE, a Framework for Intrusion Response and Conformal Evaluation that augments supervised IDS classifiers with conformal evaluation-based uncertainty quantification and drift detection. FIRCE supports four conformal evaluation strategies: Inductive, Cross, Approximate Transductive, and our proposed Approximate Cross-Conformal Evaluator, which achieves robust performance with minimal calibration overhead. FIRCE also introduces an adaptive chunking mechanism that dynamically adjusts evaluation granularity in response to stream volatility, improving drift responsiveness while preserving computational efficiency. Using a custom IoT testbed of 10 commercial devices and time-series network captures under simulated attack and drift conditions, we demonstrate FIRCE's ability to detect distributional shifts and trigger model retraining. We additionally benchmark FIRCE on the CICIDS2018 and UNSW-NB15 datasets to validate its generalizability. Experimental results show that conformal evaluation-based drift detection, combined with adaptive chunking, enables an efficient and robust response to evolving threats.