| Graduate student: | 謝忠佑 Hsieh, Chung-Yu |
|---|---|
| Thesis title: | 以機器終生學習法訓練網路入侵偵測系統 Using lifelong learning to train network intrusion detection system |
| Advisor: | 侯廷偉 Hou, Ting-Wei |
| Degree: | Master |
| Department: | College of Engineering - Department of Engineering Science (on the job class) |
| Year of publication: | 2021 |
| Academic year of graduation: | 109 |
| Language: | Chinese |
| Number of pages: | 84 |
| Keywords (Chinese): | deep learning, network intrusion detection, machine lifelong learning, continual learning, incremental learning |
| Keywords (English): | network intrusion detection, LSTM, seq2seq, lifelong learning, continual learning, incremental learning, elastic weight consolidation, CIC-IDS2017, deep learning |
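This study analyzes four common intrusion detection datasets, KDD Cup 99, NSL-KDD, UNSW-NB15 and CIC-IDS2017, and selects the CIC-IDS2017 dataset. It then evaluates three families of lifelong learning methods, based on memory replay, parameter isolation and regularization, and selects the regularization-based elastic weight consolidation (EWC) method for training the models in this study.
The CIC-IDS2017 dataset is split into eight subsets, each treated as one task: 7 tasks containing attack traffic plus 1 task of entirely normal traffic. Models are then trained on the 7 tasks in sequence using the EWC lifelong learning method, the ordinary supervised training method (called standard learning, STD, in this study), and the multi-task training method (MTT) on the merged dataset. By validating LSTM and seq2seq models with 32 and 128 timesteps after training with each method, and comparing their Backward Transfer, average accuracy and misclassification rates over the whole dataset, the study examines whether EWC solves the catastrophic forgetting problem of deep learning intrusion detection systems and how the timestep affects EWC. Finally, the model with the lowest FNR is selected and retrained on the tasks where it performs poorly.
The experimental results show that models trained with EWC not only learn the traffic features of the task being trained but also retain a considerable memory of past tasks. Taking the 32-timestep LSTM model retrained with EWC as an example, Backward Transfer is -5.976%, average accuracy is 92.884%, FPR is 6.156% and FNR is 40.168%. Except for FPR, these metrics are better than those of the model trained with multi-task training (MTT): Backward Transfer improves by -4.360%, average accuracy improves by 0.845% and FNR improves by 12.491%. In addition, the training time cost of EWC is 378.8 seconds less than that of MTT. An intrusion detection system must be updated regularly so that its model does not become outdated and lose defensive capability; this experiment proves that lifelong learning lets a model learn new traffic features in a short time while remembering the traffic it learned in the past, effectively countering catastrophic forgetting.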
In this study, we analyze four network intrusion detection datasets, namely KDD Cup 99, NSL-KDD, UNSW-NB15, and CIC-IDS2017, and finally choose to use the CIC-IDS2017 dataset. We cut the CIC-IDS2017 dataset into 8 subsets, each of which is also called a task. We also analyze and discuss incremental learning methods and three families of lifelong learning methods, based on memory replay, parameter isolation, and regularization. Finally, we choose the regularization-based elastic weight consolidation (EWC) as the method for training models in the experiment.
This study shows that the model trained by EWC can avoid catastrophic forgetting. For the 32-timestep LSTM model retrained by EWC, Backward Transfer and average accuracy are -5.976% and 92.884%, and FPR and FNR are 6.156% and 40.168%. The results and training time show that this model is better than the other EWC-trained models in this study and better than the multi-task training model, and that it saves training time.
The network intrusion detection system (NIDS) needs to be updated regularly to prevent the model from becoming outdated and reducing its defense capabilities. This study proves that lifelong learning allows an NIDS to learn new traffic characteristics in a short time while remembering the network traffic learned in the past, effectively avoiding catastrophic forgetting.
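Added example, not code from the thesis: the STD-versus-EWC comparison the abstract describes, reduced to two sequential tasks and a two-weight logistic regression in place of the LSTM/seq2seq models. The two-point tasks are constructed, and `lam`, `lr`, the step counts and the two-task Backward Transfer formula used here are assumptions.

```python
import math

# Constructed toy data: ((feature0, feature1), label); label 1 = attack, 0 = benign.
# Two-point tasks stand in for the thesis's CIC-IDS2017 subsets.
# Assumed, not from the thesis: lam, lr, steps; BWT = acc on A after B - acc on A after A.
TASK_A = [((1.0, 0.0), 1), ((-1.0, 0.0), 0)]    # old attack: feature0 > 0
TASK_B = [((-1.0, 1.0), 1), ((1.0, -1.0), 0)]   # new attack: pulls feature0's weight down

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))
def predict(w, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
def accuracy(w, data):
    return sum((predict(w, x) >= 0.5) == bool(y) for x, y in data) / len(data)

def fisher_diag(w, data):
    """Diagonal Fisher information of logistic regression: mean of p(1-p) * x_j^2."""
    f = [0.0] * len(w)
    for x, _ in data:
        p = predict(w, x)
        for j, xj in enumerate(x):
            f[j] += p * (1.0 - p) * xj * xj / len(data)
    return f

def train(w, data, steps, lr=0.1, anchor=None, fisher=None, lam=0.0):
    """Gradient descent on log-loss + (lam/2) * sum_j F_j * (w_j - anchor_j)^2."""
    w = list(w)
    for _ in range(steps):
        grad = [0.0] * len(w)
        for x, y in data:
            err = predict(w, x) - y
            for j, xj in enumerate(x):
                grad[j] += err * xj / len(data)
        if anchor is not None:  # EWC penalty: stiff where task A's Fisher is large
            for j in range(len(w)):
                grad[j] += lam * fisher[j] * (w[j] - anchor[j])
        w = [wj - lr * gj for wj, gj in zip(w, grad)]
    return w

def run(use_ewc, lam=50.0):
    w_a = train([0.0, 0.0], TASK_A, steps=100)
    ewc = dict(anchor=w_a, fisher=fisher_diag(w_a, TASK_A), lam=lam) if use_ewc else {}
    w_b = train(w_a, TASK_B, steps=500, **ewc)
    acc_a = accuracy(w_b, TASK_A)
    return {"acc_A": acc_a, "acc_B": accuracy(w_b, TASK_B),
            "bwt": acc_a - accuracy(w_a, TASK_A)}

if __name__ == "__main__":
    print("STD:", run(False))   # sequential training without protection
    print("EWC:", run(True))
```

Task A never exercises the second weight, so its Fisher value is zero and EWC leaves that weight free to learn task B while holding the first weight near its task-A value.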