Attack-adaptive network intrusion detection systems for IoT networks through class incremental learning

The advent of the Internet of Things (IoT) has ushered in an era of unprecedented connectivity and convenience, enabling everyday objects to gather and share data autonomously, revolutionizing industries, and improving quality of life. However, this interconnected landscape poses cybersecurity challenges, as the expanded attack surface exposes vulnerabilities ripe for exploitation by malicious actors. The surge in network attacks targeting IoT devices underscores the urgency for robust and evolving security measures. Class Incremental Learning (CIL) emerges as a dynamic strategy to address these challenges, empowering Machine Learning (ML) and Deep Learning (DL) models to adapt to evolving threats while maintaining proficiency in detecting known ones. In the context of IoT security, characterized by the constant emergence of novel attack types, CIL offers a powerful means to enhance Network Intrusion Detection Systems (NIDS) resilience and network security. This paper aims to investigate how CIL methods can support the evolution of NIDS within IoT networks ($i$) by evaluating both attack detection and classification tasks— optimizing hyperparameters associated with the incremental update or to the traffic input definition—and ($ii$) by addressing also key research questions related to real-world NIDS challenges—such as the explainability of decisions, the robustness to perturbation of traffic inputs, and scenarios with a scarcity of new-attack samples. Leveraging 4 recently-collected and comprehensive IoT attack datasets, the study aims to evaluate the effectiveness of CIL techniques in classifying 0-day attacks.