Adaptive memory replay for network intrusion detection: Tackling data drift and catastrophic forgetting

Network intrusion detection aims to identify anomalous activities in network traffic, while continual learning (CL) methods strive to preserve past knowledge and adapt to evolving threats. Memory replay-based CL approaches have been widely used and proven effective at mitigating catastrophic forgetting. However, previous research has primarily focused on addressing class imbalance and has largely relied on augmented and random memory replay strategies, which introduce significant computational overhead and limit practicality in real-time applications. To overcome these challenges, we propose Task-Aware Memory Replay (TAMR), a novel framework that prioritizes past experiences based on their relevance to the current task. By dynamically adjusting the importance of replayed samples, TAMR balances the integration of new attack patterns with the retention of critical historical knowledge, ensuring resilience against evolving threats and variations in normal traffic. Unlike traditional methods that employ random selection or augmented replays, TAMR selectively replays high-impact experiences, thereby optimizing memory usage and improving adaptability. Our experiments demonstrate that TAMR achieves real-time adaptability across five distinct NIDS datasets, ultimately delivering superior performance and computational efficiency in detecting even unknown attacks in dynamic network environments. In general, we highlight the potential of memory-based replay strategies for continual learning in detecting unknown attacks using a task-aware approach.