A Few-Shot Class-Incremental Learning Method for Network Intrusion Detection

With the rapid development of information technologies, the security of cyberspace has become increasingly serious. Network intrusion detection is a practical scheme to protect network systems from cyber attacks. However, as new vulnerabilities and unknown attack types are constantly emerging, only a few samples of such attacks can be captured for analysis, which cannot be handled by the existing detection methods deployed in real systems. To handle this problem, we propose a few-shot class-incremental learning method called Branch Fusion Strategy based Network Intrusion Detection (BFS-NID for short), which can continuously learn new attack classes with only a few samples. BFS-NID includes a feature extractor module and a branch classifier learning module. The feature extractor module uses a vision transformer to learn better feature representations in a self-supervised manner, and the parameters of the feature extractor are fixed to avoid catastrophic forgetting when the model learns incrementally. The branch classifier learning module sets re-projection for different branch sessions to enhance the feature representation ability between classes and employs a branch fusion strategy to associate the context of learned attack classes with new classes in different sessions. We conducted extensive experiments on two popular network intrusion detection benchmark datasets (CIC-IDS2017 and CSE-CIC-IDS2018) and the results demonstrate that BFS-NID surpasses the baselines and achieves the best performance.