With the growing volume of Internet of Things (IoT) network traffic, machine learning (ML)-based anomaly detection is more relevant than ever. Traditional batch learning models face challenges such as high maintenance and poor adaptability to rapid anomaly changes, known as concept drift. In contrast, streaming learning integrates online and incremental learning, enabling seamless updates and concept drift detection to improve robustness. This study investigates anomaly detection in streaming IoT traffic as binary classification, comparing batch and streaming learning approaches while assessing the limitations of current IoT traffic datasets. We simulated heterogeneous network data streams by carefully mixing existing datasets and streaming the samples one by one. Our results highlight the failure of batch models to handle concept drift, but also reveal persisting limitations of current datasets to expose model limitations due to low traffic heterogeneity. We also investigated the competitiveness of tree-based ML algorithms, well-known in batch anomaly detection, and compared it to non-tree-based ones, confirming the advantages of the former. Adaptive Random Forest achieved F1-score of 0.990 $\pm$ 0.006 at one-third the computational cost of its batch counterpart. Hoeffding Adaptive Tree reached F1-score of 0.910 $\pm$ 0.007, reducing computational cost by four times, making it a viable choice for online applications despite a slight trade-off in stability.

翻译：随着物联网（IoT）网络流量的日益增长，基于机器学习（ML）的异常检测变得愈发重要。传统的批量学习模型面临高维护成本和对快速异常变化（即概念漂移）适应性差等挑战。相比之下，流式学习结合了在线学习和增量学习，能够实现无缝更新和概念漂移检测，从而提升鲁棒性。本研究将流式物联网流量中的异常检测视为二元分类问题，比较了批量学习与流式学习方法，并评估了现有物联网流量数据集的局限性。我们通过精心混合现有数据集并逐一样本流式传输，模拟了异构网络数据流。实验结果凸显了批量模型在处理概念漂移方面的失败，同时也揭示了当前数据集因流量异质性低而难以充分暴露模型局限性的持续问题。我们还研究了在批量异常检测中广为人知的基于树的机器学习算法的竞争力，并将其与非树基算法进行了比较，证实了前者的优势。自适应随机森林（Adaptive Random Forest）的F1分数达到0.990 ± 0.006，其计算成本仅为对应批量模型的三分之一。霍夫丁自适应树（Hoeffding Adaptive Tree）的F1分数为0.910 ± 0.007，计算成本降低了四倍，尽管在稳定性上略有折衷，但仍是在线应用的可行选择。