Replay or regret: evaluating continual learning methods for robust intrusion detection: a thesis in Computer Science
Thesis   Open access

Nicholas U. Costagliola
Master of Science (MS), University of Massachusetts Dartmouth
2026
DOI:
https://doi.org/10.62791/20550

Abstract

Network Intrusion Detection Systems (NIDS) are essential for protecting digital infrastructure but are hampered by the evolving nature of cyber threats and the limitations of traditional machine learning models, which are typically trained on static datasets. Continual Learning (CL) offers a unique opportunity to allow NIDS to improve dynamically over time, but suffers from a variety of practical challenges, most notably catastrophic forgetting, the dramatic loss of previously learned knowledge when adapting to new data. This thesis presents an empirical evaluation of continual learning methods for mitigating catastrophic forgetting in the NIDS domain. It systematically compares regularization-based, replay-based, and model-agnostic meta-learning (MAML) approaches within both domain-incremental and class-incremental learning scenarios, using real-world datasets (ACI-IoT and CIC-IDS2017). A novel utility function is also introduced to assess model repair impact and determine optimal retraining points. While the CL techniques themselves are not novel, their testing and application in the NIDS context represent a significant contribution. Key findings indicate that replay-based methods are the most effective at mitigating catastrophic forgetting and maintaining detection performance. Additionally, the traditional downsides of replay-based methods prove negligible in the network security domain thanks to the small data footprint of network packets. Regularization-based methods like EWC often overfit to recent data and exhibit poor retention, while MAML shows promise in binary but not multiclass settings. This research delivers actionable insights for designing future adaptive NIDS architectures and direction for further research within the field. The utility function provides a foundation for efficient retraining policies. Together, these contributions advance the application of continual learning within cybersecurity and machine learning.
CC BY-NC-ND V4.0 Open Access
