A Class-incremental and Few-shot learning model for Intrusion detection under Concept drift

RESEARCH CREW
22:20 06/07/2026

Network Intrusion Detection Systems (NIDS) based on machine learning must evolve after deployment to detect emerging threats very soon with a few labeled samples, while without catastrophic forgetting or degrading due to concept drift. Existing methods address these issues in isolation, lacking a unified pipeline for tabular network traffic. This paper presents MAML-CIL-Drift, a unified framework integrating three components: (i) First-Order Model-Agnostic Meta-Learning (FOMAML) for rapid adaptation to unseen attacks using only a few samples; (ii) an outer-step Class-Incremental Learning (CIL) mechanism with a herding replay buffer, mitigating forgetting while preserving the meta-objective; and (iii) a label-free Maximum Mean Discrepancy (MMD) drift detector with in-stream percentile calibration to autonomously trigger updates. Evaluated on the CICIDS 2018 dataset under a strict temporal split, our framework achieves 0.948 accuracy on known classes and 0.696 on unseen classes from few-shot support. Following incremental updates, novel class accuracy improves to 0.846 (+0.150) and base class accuracy slightly increases to 0.908 (+0.026), demonstrating effective adaptation without forgetting. Furthermore, the self-calibrating drift detector reliably orchestrates updates with zero false alarms. These results indicate that our framework enables NIDS to autonomously adapt to drifting traffic and novel attacks without expert intervention.

TIN LIÊN QUAN
Despite the dominance of Transformer-based models in software vulnerability detection, the extent to which their learned security logic generalizes across different programming languages remains a critical open question. To address this, we propose a comprehensive evaluation framework organized into three phases spanning five distinct experimental scenarios, aiming to rigorously dissect...
Security testing of REST APIs remains difficult because real-world OpenAPI specifications are often incomplete, many security flaws are inherently stateful, and prevailing stateful fuzzers still optimize primarily for structural exploration rather than OWASP-aligned risk categories. Based on this gap, this paper presents APIGFUZZ, a graph-driven, OWASP-aware black-box REST API fuzzing...