Augmented Memory Replay-based Continual Learning Approaches for Network Intrusion Detection
Department of Computer Science and Engineering
–Neural Information Processing Systems
In this appendix, we present additional details of our proposed work which we could not accommodate in the main paper due to space constraints. Specifically, we shed more light on the following aspects:

- Network intrusion detection system
- Continual learning with shallow methods
- Detailed illustration of configuration changes
- Datasets details
- Data preprocessing and feature selection
- Task formulation
- Task similarity via optimal transport dataset distance
- Training time comparison of the proposed ECBRS with the baselines
- Additional experiments with anomaly detection datasets
- Ablation studies
- Implementation, hardware details, and hyperparameter selection
- Occurrence of task dissimilarity between two different tasks is rare
- Limitations and broader impact

A.1 Network intrusion detection system

A prototype architecture of a network intrusion detection (NID) training and inference system is given in Figure 1. NID comprises two parts: the training module and the anomaly detection engine. The core functionality of the training module is to build the model for intrusion detection using various training datasets. In our work, we build a continual learning-based network intrusion detection model. The training can be periodic or triggered by an event like decay in intrusion detection accuracy. The entire training process can be performed in parallel, without affecting the inference process, using the MLOps platform for stream processing. After training, the model is deployed to the anomaly/intrusion detection engine.

The anomaly detection engine is the visible component of the entire system. It has an in-built feature extractor to extract the essential features from the incoming traffic on the fly. These features are fed to the anomaly detection engine to identify anomaly pattern(s).
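The two retraining triggers described above (a fixed period, or decay in detection accuracy), as an added example that is not code from the paper. The window size, accuracy floor, period, the constructed traffic stream and the threshold `refit` that stands in for the training module are all assumptions.

```python
from collections import deque

class RetrainTrigger:
    """Fires on a fixed period or when windowed detection accuracy decays."""
    def __init__(self, window=100, min_accuracy=0.90, period=250):
        self.outcomes = deque(maxlen=window)   # 1 = verdict matched the label
        self.min_accuracy, self.period = min_accuracy, period
        self.since_training = 0

    def observe(self, predicted, actual):
        """Record one labelled flow; return the trigger reason or None."""
        self.outcomes.append(int(predicted == actual))
        self.since_training += 1
        reason = None
        if self.since_training >= self.period:
            reason = "periodic"
        elif (len(self.outcomes) == self.outcomes.maxlen and
              sum(self.outcomes) / len(self.outcomes) < self.min_accuracy):
            reason = "accuracy_decay"
        if reason:                             # start a fresh measurement window
            self.outcomes.clear()
            self.since_training = 0
        return reason

def constructed_stream(n=500, shift_at=300):
    """Constructed flows (rate, is_attack); attacks go low-rate after shift_at."""
    for i in range(n):
        attack = i % 2 == 1
        yield (900 if i < shift_at else 200) if attack else 100, attack

def refit(recent):
    """Stand-in for the training module: midpoint threshold on recent flows."""
    benign = max(r for r, a in recent if not a)
    attack = min(r for r, a in recent if a)
    return (benign + attack) / 2

def simulate():
    trigger, recent = RetrainTrigger(), deque(maxlen=100)
    threshold, events, post_errors = 500.0, [], 0
    for i, (rate, attack) in enumerate(constructed_stream()):
        verdict = rate > threshold             # detection engine on live model
        recent.append((rate, attack))
        if events and events[-1][1] == "accuracy_decay":
            post_errors += verdict != attack   # errors after the decay retrain
        reason = trigger.observe(verdict, attack)
        if reason:
            threshold = refit(recent)          # new model swapped in
            events.append((i, reason, threshold))
    return events, post_errors

if __name__ == "__main__":
    print(simulate())
```

The naive refit on recent flows only is where a replay memory would come in: a model refit this way keeps no samples of the earlier high-rate attack class.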
Further, the proposed model does not require colossal system infrastructure (with a lot of memory and processing resources) as it uses a simple multi-layer perceptron (with about 5 to 6 hidden layers). This MLP architecture has low complexity (capacity) compared to larger models like ResNet with stacked convolution operations. Therefore, our model can also be deployed on edge devices with limited resources. Furthermore, our solution is based on neural network models, and we recommend using MLOps for low-latency inference in real-world deployments.

A.2 Continual learning with shallow methods

In our work, shallow methods are the non-neural network-based approaches. These include methods like random forest, support vector machine, logistic regression, etc.
Mar-20-2025, 17:24:08 GMT