On Handling Class Imbalance in Continual Learning based Network Intrusion Detection Systems

Modern-day cyber threats are growing more rapidly than ever before. To effectively defend against them, Anomaly-based Network intrusion detection systems (A-NIDS) must evolve continuously. Traditional machine learning techniques are ineffective in handling sequentially evolving tasks, and Neural Networks (NNs) in particular suffer from Catastrophic Forgetting (CF) of old tasks when trained on new ones. Continual Learning (CL) strategies help to mitigate CF by imposing constraints while training NNs on sequentially evolving data like network traffic. However, applying the CL framework in the design of A-NIDS is not straightforward due to the heavy Class Imbalance (CI) in the network traffic datasets. As a result, the performance of the system is very sensitive to the task execution order. In this work, we propose a CL based A-NIDS by applying sample replay with Class Balancing Reservoir Sampling (CBRS) to mitigate CI in a Class Incremental Setting (CIS). Using the CICIDS-2017 dataset, experiments are conducted by permuting the majority class across the different task execution orders using the proposed CL based A-NIDS. We find that using auxiliary memory with context-aware sample replacing strategies, CF can be reduced to a greater extent, as opposed to data augmentation techniques which may alter the original data distribution and increase training time (with oversampling methods).