Hierarchical Multiclass Continual Learning for Network Intrusion Detection

The evolution of Internet and its related communication technologies have consistently increased the risk of cyberattacks. In this context, a crucial role is played by Intrusion Detection Systems (IDSs), which are security devices designed to identify and mitigate attacks to modern networks. In the last decade, data-driven approaches based on Machine Learning (ML) have gained more and more popularity for executing the classification tasks required by signature-based IDSs. However, typical ML models adopted for this purpose are trained in static settings while new attacks - and variants of known attacks - dynamically emerge over time. As a consequence, there is the need of keeping the IDS capability constantly updated, which poses peculiar challenges especially in resourced-constrained scenarios. To this end, we propose a novel hierarchical model based on a binary classification of benign and malicious traffic performed by a Bayesian Neural Network that is trained continuously and efficiently by exploiting Continual Learning. A generative multiclass classifier is then adopted to incrementally classify new kinds of attacks with respect to the malicious traffic. We prove the effectiveness of our approach showing that it removes the need of storing network traffic data samples related to historical data, representative of all the kinds of attacks, while ensuring good detection capabilities.