This study investigates the efficacy of machine learning models, specifically Random Forest, in anomaly detection systems when trained on complete flow records and tested on partial flow data. We explore the performance disparity that arises when models are applied to incomplete data typical in real-world, real-time network environments. Our findings demonstrate a significant decline in model performance, with precision and recall dropping by up to 30% under certain conditions when models trained on complete flows are tested against partial flows. Conversely, models trained and tested on consistently complete or partial datasets maintain robustness, highlighting the importance of dataset consistency in training. The study reveals that a minimum of 7 packets in the test set is required for maintaining reliable detection rates. These results underscore the need for tailored training strategies that can effectively adapt to the dynamics of partial data, enhancing the practical applicability of anomaly detection systems in operational settings.
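The mechanism behind the mismatch the abstract describes can be shown with a small, self-contained experiment. The following is an added example, not code or data from the study: it builds constructed synthetic flows (a bulk-transfer "benign" class and a beacon-like "anomaly" class, both hypothetical), derives flow-record features either from the whole flow or from only the first N packets, and trains a one-level decision tree (a stump, the building block of a random forest, used here in place of a full forest) whose splits are absolute feature thresholds. Because cumulative features such as total bytes shrink when a flow is cut short, a threshold learned on complete flows lands in the wrong place for partial flows, while a model trained on partial flows with the same N recovers. The class distributions are deliberately chosen so the effect is exact; the 30% and 7-packet figures in the abstract come from the study's real traffic and are not reproduced by this toy.

```python
"""Toy reproduction of the complete-flow vs. partial-flow training mismatch.

A flow is a list of (timestamp, payload_bytes) packets. Flow-record features
are computed from the whole flow or from only its first N packets, and a
decision stump (one-level tree, as used inside a random forest) is trained
on absolute feature thresholds. All traffic below is constructed
synthetically; it is not the study's dataset.
"""
import random

FEATURES = ("n_packets", "total_bytes", "duration")


def make_flow(kind, rng):
    """Constructed synthetic flow. 'benign': bulk transfer with large packets
    and rapid arrivals; 'anomaly': beacon-like, tiny packets, slow arrivals."""
    n = rng.randint(20, 40)
    if kind == "benign":
        sizes = [rng.randint(1000, 1400) for _ in range(n)]
        gaps = [rng.uniform(0.01, 0.05) for _ in range(n)]
    else:
        sizes = [rng.randint(60, 120) for _ in range(n)]
        gaps = [rng.uniform(1.0, 2.0) for _ in range(n)]
    t, pkts = 0.0, []
    for size, gap in zip(sizes, gaps):
        pkts.append((t, size))
        t += gap
    return pkts


def flow_features(pkts, first_n=None):
    """Flow-record features from all packets, or only the first N (partial flow).
    Count, byte total and duration are all cumulative, so they shrink with N."""
    if first_n is not None:
        pkts = pkts[:first_n]
    return (len(pkts), sum(size for _, size in pkts), pkts[-1][0] - pkts[0][0])


def gini(labels):
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 2 * p * (1 - p)


def train_stump(X, y):
    """Choose the (feature, threshold) split with the lowest weighted Gini
    impurity; thresholds are absolute values, exactly as in real tree splits.
    Ties keep the first feature found, in FEATURES order."""
    best = (float("inf"), 0, 0.0, 1)
    for f in range(len(FEATURES)):
        vals = sorted(set(x[f] for x in X))
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            left = [lab for x, lab in zip(X, y) if x[f] <= thr]
            right = [lab for x, lab in zip(X, y) if x[f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if score < best[0]:
                left_label = int(sum(left) * 2 >= len(left))  # majority class on the <= side
                best = (score, f, thr, left_label)
    _, f, thr, left_label = best
    return {"feature": FEATURES[f], "idx": f, "thr": thr, "left_label": left_label}


def predict(stump, x):
    on_left = x[stump["idx"]] <= stump["thr"]
    return stump["left_label"] if on_left else 1 - stump["left_label"]


def precision_recall(stump, X, y):
    """Precision and recall for the anomaly class (label 1)."""
    preds = [predict(stump, x) for x in X]
    tp = sum(1 for p, t in zip(preds, y) if p == 1 and t == 1)
    fp = sum(1 for p, t in zip(preds, y) if p == 1 and t == 0)
    fn = sum(1 for p, t in zip(preds, y) if p == 0 and t == 1)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return prec, rec


def experiment(n_test_packets=7, seed=1):
    """Three settings: complete->complete, complete->partial (mismatch),
    partial->partial (consistent training, same N as the test set)."""
    rng = random.Random(seed)

    def dataset():
        flows = [(make_flow("benign", rng), 0) for _ in range(50)]
        flows += [(make_flow("anomaly", rng), 1) for _ in range(50)]
        return flows

    train, test = dataset(), dataset()
    y_tr = [lab for _, lab in train]
    y_te = [lab for _, lab in test]
    X_te_partial = [flow_features(p, n_test_packets) for p, _ in test]
    full_model = train_stump([flow_features(p) for p, _ in train], y_tr)
    partial_model = train_stump([flow_features(p, n_test_packets) for p, _ in train], y_tr)
    return {
        "complete/complete": precision_recall(full_model, [flow_features(p) for p, _ in test], y_te),
        "complete/partial": precision_recall(full_model, X_te_partial, y_te),
        "partial/partial": precision_recall(partial_model, X_te_partial, y_te),
        "split_feature": full_model["feature"],
    }


if __name__ == "__main__":
    for setting, result in experiment().items():
        print(setting, result)
```

In the mismatched setting the stump trained on complete flows splits on `total_bytes` at a threshold above anything a 7-packet benign prefix can reach, so every partial flow is flagged: recall stays at 1.0 while precision collapses to 0.5. Retraining on 7-packet prefixes moves the threshold into the gap that exists at that N and restores both metrics, which is the dataset-consistency point the abstract makes. A practitioner checking a deployed flow-based detector would run the same comparison on their own capture with the partial-flow N their collector actually emits.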