ADAPTIVE CONTINUAL LEARNING FOR INTRUSION DETECTION SYSTEMS: ENTROPY-BASED MEMORY MANAGEMENT AND DYNAMIC THRESHOLD CALIBRATION

Authors

  • Volodymyr STATSENKO Kyiv National University of Technologies and Design, Ukraine
  • Anton BONDARENKO Kyiv National University of Technologies and Design, Ukraine

DOI:

https://doi.org/10.30857/2786-5371.2025.5.7

Keywords:

continual learning, intrusion detection systems, variational autoencoders, dynamic threshold calibration, entropy-based memory management

Abstract

Objective. To develop an extended continual learning framework for intrusion detection systems (IDS) that provides adaptive detection threshold setting under concept drift, theoretically grounded memory buffer management based on entropy criteria, and cross-domain knowledge transfer between different network environments.

Methodology. A dynamic threshold calibration mechanism based on online statistical tracking via an exponential moving average (EMA) is proposed to adapt decision boundaries in real time, with theoretical guarantees that bound the false positive rate (FPR). To counter catastrophic forgetting, an entropy-based memory management strategy is developed that uses a k-nearest-neighbor differential entropy estimator to approximate the entropy of the latent space. A cross-domain adaptation module based on maximum mean discrepancy (MMD) is integrated to ensure knowledge transfer without additional training. Empirical validation was performed on the NSL-KDD, CICIDS2017, and UNSW-NB15 benchmarks.

Results. On the complex CICIDS2017 dataset, the proposed method achieves an accuracy of 95.1% with a controlled false positive rate, outperforming state-of-the-art baseline methods. Improved robustness to sudden concept drift up to 23% with fast recovery within 3–5 batches is demonstrated. Entropy-based memory management provides significant improvements in detecting minority attack classes (R2L and U2R).

Scientific novelty. For the first time, a synergistic combination of dynamic threshold calibration with information-theoretic memory management for intrusion detection systems is proposed, which makes it possible to address drift adaptation and catastrophic forgetting simultaneously, with formal statistical guarantees.

Practical significance. The results confirm that integrating dynamic calibration with entropy-based memory management provides scalable and robust protection for next-generation networks.
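The EMA-based threshold calibration named in the Methodology paragraph, as an added Python example that is not the authors' code. The mean + k·std decision rule, the Cantelli-derived k, the clamping of flagged scores, and all class and parameter names are assumptions; the anomaly scores are constructed.

```python
import math

class EmaThreshold:
    """Online anomaly-score threshold: EMA mean + k * EMA std (assumed rule)."""

    def __init__(self, target_fpr=0.05, alpha=0.1, alpha_alert=0.02, warmup=20):
        # Cantelli: P(X - mu >= k*sigma) <= 1/(1 + k^2), so k = sqrt(1/fpr - 1).
        # The bound holds for the true mu/sigma; EMA estimates only approximate it.
        self.k = math.sqrt(1.0 / target_fpr - 1.0)
        self.alpha, self.alpha_alert, self.warmup = alpha, alpha_alert, warmup
        self.mean, self.var, self.seen = None, 0.0, 0

    @property
    def threshold(self):
        return self.mean + self.k * math.sqrt(self.var)

    def observe(self, score):
        """Return True if the score is flagged, then update the statistics."""
        self.seen += 1
        if self.mean is None:  # first sample seeds the mean
            self.mean = score
            return False
        alert = self.seen > self.warmup and score > self.threshold
        # Flagged scores are clamped to the current threshold and folded in at a
        # slower rate: one spike nudges the boundary, sustained drift still moves it.
        x, a = (self.threshold, self.alpha_alert) if alert else (score, self.alpha)
        delta = x - self.mean
        self.mean += a * delta
        self.var = (1.0 - a) * (self.var + a * delta * delta)  # EW variance update
        return alert

def run(detector, scores):
    """Feed scores in order and return the per-sample alert flags."""
    return [detector.observe(s) for s in scores]

# Constructed reconstruction-error scores (not taken from the paper's datasets).
BENIGN = [0.9, 1.0, 1.1, 1.0] * 50    # stable benign traffic
DRIFTED = [1.5, 1.6, 1.5, 1.4] * 50   # the same traffic after a sudden drift

if __name__ == "__main__":
    det = EmaThreshold()
    print("benign alerts:", sum(run(det, BENIGN)), "threshold:", round(det.threshold, 3))
    drift_alerts = run(det, DRIFTED)
    print("alerts during drift:", sum(drift_alerts), "threshold:", round(det.threshold, 3))
    print("spike after recovery flagged:", det.observe(5.0))
```

`alpha_alert` is the security-relevant knob: a larger value shortens recovery after drift but also lets a patient attacker pull the threshold upward with a run of just-above-threshold traffic.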

Author Biographies

Volodymyr STATSENKO, Kyiv National University of Technologies and Design, Ukraine

Doctor of Technical Sciences, Professor, Department of Computer Engineering and Electromechanics

https://orcid.org/0000-0002-3932-792X

Scopus Author ID: 57210344190

Researcher ID: C-3646-2017

Anton BONDARENKO, Kyiv National University of Technologies and Design, Ukraine

PhD student, Department of Computer Engineering and Electromechanics

https://orcid.org/0009-0007-5087-6173

Published

2025-10-22

How to Cite

STATSENKO, V., & BONDARENKO, A. (2025). ADAPTIVE CONTINUAL LEARNING FOR INTRUSION DETECTION SYSTEMS: ENTROPY-BASED MEMORY MANAGEMENT AND DYNAMIC THRESHOLD CALIBRATION. Technologies and Engineering, 26(5), 91–99. https://doi.org/10.30857/2786-5371.2025.5.7

Section

INFORMATION TECHNOLOGIES, ELECTRONICS, MECHANICAL AND ELECTRICAL ENGINEERING