NOCTOWL

This is the official repository for NOCTOWL 🦉 (Network intrusiOn deteCTiOn With online tree-based Learning). NOCTOWL is a lightweight, explainable anomaly detection model based on binary decision trees. It enhances the base tree with leaf-node clustering, batch-wise analysis, and sampling strategies to detect anomalies and concept drift. This repository contains the code and instructions to reproduce the experiments.

Datasets

The datasets are available at this link.

Put all the downloaded csv files in the ./datesets/ folder.

Requirements

Before running the experiments, please install the requirements:

pip install -r requirements.txt

All experiments have been tested with Python 3.11.2.

Run the experiments

To run the experiments, execute the following command:

python3 main.py --dataset <name> [OPTIONS]

The available options are:

• --dataset: to specify the name of the dataset
• --mode: to specify the run name
• --max_depth: max depth of the tree
• --dist_threshold: threshold to determine whether the batch data are useful or should be discarded.
• --homogeneity_gain_threshold: minimum homogeneity gain required to split a node.
• --min_point_per_leaf: minimum number of samples required per leaf.
• --delay: number of batches to wait before obtaining the labels.
• --sampling: fraction of samples to use for tree update during training.

Citation

@article{DBLP:journals/access/PederzoliPCBTIG25,
  author       = {Sara Pederzoli and
                  Matteo Paganelli and
                  Michele Luca Contalbo and
                  Riccardo Benassi and
                  Donato Tiano and
                  Stefano Iannucci and
                  Francesco Guerra},
  title        = {{NOCTOWL:} Adaptive Tree-Based Model for Network Anomaly Detection
                  Under Delayed and Sampled Label Availability},
  journal      = {{IEEE} Access},
  volume       = {13},
  pages        = {197899--197911},
  year         = {2025}
}