Adaptive memory replay for network intrusion detection: Tackling data drift and catastrophic forgetting

IF 4.6 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2025-09-11 DOI:10.1016/j.comnet.2025.111712

Nasreen Fathima A H , Ansam Khraisat , Syed Ibrahim S P , Gang Li

{"title":"Adaptive memory replay for network intrusion detection: Tackling data drift and catastrophic forgetting","authors":"Nasreen Fathima A H , Ansam Khraisat , Syed Ibrahim S P , Gang Li","doi":"10.1016/j.comnet.2025.111712","DOIUrl":null,"url":null,"abstract":"<div><div>Network intrusion detection aims to identify anomalous activities in network traffic, while continual learning (CL) methods strive to preserve past knowledge and adapt to evolving threats. Memory replay-based CL approaches have been widely used and proven effective at mitigating catastrophic forgetting. However, previous research has primarily focused on addressing class imbalance and has largely relied on augmented and random memory replay strategies, which introduce significant computational overhead and limit practicality in real-time applications. To overcome these challenges, we propose Task-Aware Memory Replay (TAMR), a novel framework that prioritizes past experiences based on their relevance to the current task. By dynamically adjusting the importance of replayed samples, TAMR balances the integration of new attack patterns with the retention of critical historical knowledge, ensuring resilience against evolving threats and variations in normal traffic. Unlike traditional methods that employ random selection or augmented replays, TAMR selectively replays high-impact experiences, thereby optimizing memory usage and improving adaptability. Our experiments demonstrate that TAMR achieves real-time adaptability across five distinct NIDS datasets, ultimately delivering superior performance and computational efficiency in detecting even unknown attacks in dynamic network environments. In general, we highlight the potential of memory-based replay strategies for continual learning in detecting unknown attacks using a task-aware approach.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"272 ","pages":"Article 111712"},"PeriodicalIF":4.6000,"publicationDate":"2025-09-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128625006784","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Network intrusion detection aims to identify anomalous activities in network traffic, while continual learning (CL) methods strive to preserve past knowledge and adapt to evolving threats. Memory replay-based CL approaches have been widely used and proven effective at mitigating catastrophic forgetting. However, previous research has primarily focused on addressing class imbalance and has largely relied on augmented and random memory replay strategies, which introduce significant computational overhead and limit practicality in real-time applications. To overcome these challenges, we propose Task-Aware Memory Replay (TAMR), a novel framework that prioritizes past experiences based on their relevance to the current task. By dynamically adjusting the importance of replayed samples, TAMR balances the integration of new attack patterns with the retention of critical historical knowledge, ensuring resilience against evolving threats and variations in normal traffic. Unlike traditional methods that employ random selection or augmented replays, TAMR selectively replays high-impact experiences, thereby optimizing memory usage and improving adaptability. Our experiments demonstrate that TAMR achieves real-time adaptability across five distinct NIDS datasets, ultimately delivering superior performance and computational efficiency in detecting even unknown attacks in dynamic network environments. In general, we highlight the potential of memory-based replay strategies for continual learning in detecting unknown attacks using a task-aware approach.

Abstract Image

查看原文本刊更多论文

网络入侵检测的自适应记忆重放：处理数据漂移和灾难性遗忘

网络入侵检测旨在识别网络流量中的异常活动，而持续学习（CL）方法努力保留过去的知识并适应不断变化的威胁。基于记忆重播的CL方法已被广泛使用并被证明在减轻灾难性遗忘方面是有效的。然而，以前的研究主要集中在解决类不平衡问题上，并且很大程度上依赖于增强和随机内存重放策略，这带来了巨大的计算开销，并限制了实时应用的实用性。为了克服这些挑战，我们提出了任务感知记忆重放（task - aware Memory Replay， TAMR），这是一个基于过去经验与当前任务的相关性来优先考虑过去经验的新框架。通过动态调整重放样本的重要性，TAMR平衡了新攻击模式的集成与关键历史知识的保留，确保了对正常流量中不断变化的威胁和变化的弹性。与采用随机选择或增强回放的传统方法不同，TAMR选择性地回放高影响体验，从而优化内存使用并提高适应性。我们的实验表明，TAMR在五种不同的NIDS数据集上实现了实时适应性，最终在动态网络环境中检测甚至未知的攻击时提供了卓越的性能和计算效率。总的来说，我们强调了基于记忆的重放策略在使用任务感知方法检测未知攻击方面的持续学习潜力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.