Anomaly-aware class-incremental learning (ACIL) framework for network intrusion detection systems
摘要
The rising frequency and sophistication of cyberattacks underscore the urgent need for adaptive Network Intrusion Detection Systems (NIDS). Traditional systems, though effective against known threats, struggle to adapt to evolving traffic patterns and novel attack vectors. A central challenge is catastrophic forgetting, whereby models overwrite prior knowledge when updated with new data, undermining their reliability in dynamic environments. Continual learning (CL) offers a promising paradigm for mitigating this challenge by enabling incremental adaptation without complete retraining. Yet, its systematic application and evaluation within NIDS remain limited. To address this gap, we introduce the Anomaly-Aware Class-Incremental Learning (ACIL), a framework designed to evaluate CL strategies under realistic network conditions. ACIL operationalizes anomaly-awareness by structuring task streams to reflect natural traffic imbalance: benign flows dominate early stages, while rare attack classes are introduced incrementally. This setup more faithfully represents the challenges of evolving intrusion detection by reflecting natural traffic imbalance, in contrast to uniform or artificially balanced learning. We assess ACIL on three widely recognized datasets CIC-IDS-2017, CIC-IDS-2018, and NSL-KDD using multiple state-of-the-art CL methods. Results show that CL strategies enhance adaptability and mitigate forgetting relative to static baselines, but notable trade-offs persist, especially for minority and late-emerging classes. These findings establish ACIL as a standardized evaluation framework for continual learning in cybersecurity and emphasize the need for anomaly-aware mechanisms to develop resilient NIDS in dynamic threat landscapes.