Continual Learning for Intrusion Detection Under Evolving Network Threats
Chaoqun Guo, Xihan Li, Jubao Cheng, Shunjie Yang and Huiquan Gong
Additional contact information
Chaoqun Guo: School of Software Engineering, Beijing Jiaotong University, Beijing 100044, China
Xihan Li: School of Software Engineering, Beijing Jiaotong University, Beijing 100044, China
Jubao Cheng: School of Software Engineering, Beijing Jiaotong University, Beijing 100044, China
Shunjie Yang: School of Software Engineering, Beijing Jiaotong University, Beijing 100044, China
Huiquan Gong: School of Software Engineering, Beijing Jiaotong University, Beijing 100044, China
Future Internet, 2025, vol. 17, issue 10, 1-25
Abstract:
In the face of ever-evolving cyber threats, modern intrusion detection systems (IDS) must achieve long-term adaptability without sacrificing performance on previously encountered attacks. Traditional IDS approaches often rely on static training assumptions, making them prone to forgetting old patterns, underperforming in label-scarce conditions, and struggling with imbalanced class distributions as new attacks emerge. To overcome these limitations, we present a continual learning framework tailored for adaptive intrusion detection. Unlike prior methods, our approach is designed to operate under real-world network conditions characterized by high-dimensional, sparse traffic data and task-agnostic learning sequences. The framework combines three core components: a clustering-based memory strategy that selectively retains informative historical samples using DP-Means; multi-level knowledge distillation that aligns current and previous model states at output and intermediate feature levels; and a meta-learning-driven class reweighting mechanism that dynamically adjusts to shifting attack distributions. Empirical evaluations on benchmark intrusion detection datasets demonstrate the framework’s ability to maintain high detection accuracy while effectively mitigating forgetting. Notably, it delivers reliable performance in continually changing environments where the availability of labeled data is limited, making it well-suited for real-world cybersecurity systems.
Keywords: intrusion detection; continual learning; semi-supervised learning; class imbalance; knowledge distillation; meta-learning
JEL-codes: O3
Date: 2025
Downloads:
https://www.mdpi.com/1999-5903/17/10/456/pdf (application/pdf)
https://www.mdpi.com/1999-5903/17/10/456/ (text/html)
Persistent link: https://EconPapers.repec.org/RePEc:gam:jftint:v:17:y:2025:i:10:p:456-:d:1764925
Future Internet is currently edited by Ms. Grace You
Bibliographic data for series maintained by MDPI Indexing Manager.