{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,9]],"date-time":"2026-07-09T00:20:53Z","timestamp":1783556453681,"version":"3.55.0"},"reference-count":46,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T00:00:00Z","timestamp":1761696000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T00:00:00Z","timestamp":1761696000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001809","name":"Natural Science Foundation of China","doi-asserted-by":"crossref","award":["61902082"],"award-info":[{"award-number":["61902082"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Major Key Project of PCL","award":["PCL2024AS102"],"award-info":[{"award-number":["PCL2024AS102"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>In cyberspace, intrusion and detection constitute dynamic and continuous game processes, where data streams are generated incrementally during intrusion. To mitigate intrusions and safeguard assets effectively, it is imperative to take prompt actions based on real-time detection and analysis of the currently available data streams. However, existing approaches that rely on complete and clean data struggle to keep pace with the continuous real-time flow of new network data. To address this issue, we introduce IL-IDS (Incremental Learning for Intrusion Detection Systems), a novel intrusion detection approach that utilizes incremental learning to enable accurate and timely detection of intrusions in real-world scenarios, where the need for real-time processing and learning from newly generated traffic data is paramount. IL-IDS performs in scenarios with limited data availability, where it initially transforms textual data streams into vectorized representations and leverages a variation autoencoder (VAE) to compress these vectors, efficiently extracting their latent features. Then a classifier is trained to distinguish attack and normal behaviors, and a three-way decision method is employed to establish a boundary for ambiguous data that pose challenges in direct classification. Concurrently, threat intelligence is integrated into this process to enhance the accuracy of decision-making. We validate the effectiveness and efficiency of IL-IDS with experiments on real-world deployments during an international activity, highlighting its robustness and reliability in intrusion detection applications, especially under conditions of confined data streams. Notably, IL-IDS has exhibited comparable accuracy and recall results, and attains exceptional 99.93% precision and 96.83% F1-score, which demonstrates a notable improvement of 5.27% and 2.59% respectively in comparison to intrusion detection models trained on complete and readily available data.<\/jats:p>","DOI":"10.1186\/s42400-025-00359-4","type":"journal-article","created":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T03:02:26Z","timestamp":1761706946000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["IL-IDS: an incremental learning approach with confined data streams for intrusion detection"],"prefix":"10.1186","volume":"8","author":[{"given":"Jianming","family":"Li","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ye","family":"Wang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yan","family":"Jia","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Liyi","family":"Zeng","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wenying","family":"Feng","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xiao","family":"Jing","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Cui","family":"Luo","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhaoquan","family":"Gu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Binxing","family":"Fang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2025,10,29]]},"reference":[{"key":"359_CR1","doi-asserted-by":"crossref","unstructured":"Bansal A, Mahapatra S (2017) A comparative analysis of machine learning techniques for botnet detection. In: Proceedings of the 10th international conference on security of information and networks, pp 91\u201398","DOI":"10.1145\/3136825.3136874"},{"issue":"4","key":"359_CR2","doi-asserted-by":"publisher","first-page":"2648","DOI":"10.1109\/TIT.2018.2805844","volume":"64","author":"Y Bu","year":"2018","unstructured":"Bu Y, Zou S, Liang Y et al (2018) Estimation of kl divergence: optimal minimax rate. IEEE Trans Inf Theory 64(4):2648\u20132674","journal-title":"IEEE Trans Inf Theory"},{"key":"359_CR3","doi-asserted-by":"crossref","unstructured":"Clegg BA, DiGirolamo GJ, Keele SW (1998) Sequence learning. Trend Cognit Sci 2(8):275\u2013281","DOI":"10.1016\/S1364-6613(98)01202-9"},{"key":"359_CR4","unstructured":"Devecsery D, Chow M, Dou X, et\u00a0al (2014) Eidetic systems. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14), pp 525\u2013540"},{"key":"359_CR5","unstructured":"Doersch C (2016) Tutorial on variational autoencoders. arXiv preprint arXiv:1606.05908"},{"key":"359_CR6","doi-asserted-by":"crossref","unstructured":"Du M, Li F, Zheng G, et\u00a0al (2017) Deeplog: Anomaly detection and diagnosis from system logs through deep learning. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 1285\u20131298","DOI":"10.1145\/3133956.3134015"},{"key":"359_CR7","unstructured":"Duchi J, Mackey L, Wauthier F (2024) Anomaly detection for asynchronous and incomplete data"},{"key":"359_CR8","doi-asserted-by":"crossref","unstructured":"Farrukh YA, Khan I, Wali S et al (2022) Payload-byte: A tool for extracting and labeling packet capture files of modern network intrusion detection datasets. 2022 IEEE\/ACM International Conference on Big Data Computing. IEEE, Applications and Technologies (BDCAT), pp 58\u201367","DOI":"10.1109\/BDCAT56447.2022.00015"},{"key":"359_CR9","doi-asserted-by":"crossref","unstructured":"Geng Y, Li Y, Zhang S (2021) Research on multi-granularity intrusion detection algorithm based onsequential three-way decision. In: Proceedings of the 2021 5th International Conference on Electronic Information Technology and Computer Engineering, pp 1154\u20131160","DOI":"10.1145\/3501409.3501613"},{"key":"359_CR10","doi-asserted-by":"crossref","unstructured":"Han D, Wang Z, Chen W, et\u00a0al (2021) Deepaid: Interpreting and improving deep learning-based anomaly detection in security applications. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp 3197\u20133217","DOI":"10.1145\/3460120.3484589"},{"key":"359_CR11","doi-asserted-by":"crossref","unstructured":"Han D, Wang Z, Chen W, et\u00a0al (2023) Anomaly detection in the open world: Normality shift detection, explanation, and adaptation. In: NDSS","DOI":"10.14722\/ndss.2023.24830"},{"key":"359_CR12","doi-asserted-by":"publisher","first-page":"4015","DOI":"10.1109\/ACCESS.2021.3139835","volume":"10","author":"M Hassan","year":"2021","unstructured":"Hassan M, Haque ME, Tozal ME et al (2021) Intrusion detection using payload embeddings. IEEE Access 10:4015\u20134030","journal-title":"IEEE Access"},{"issue":"3","key":"359_CR13","first-page":"12","volume":"23","author":"JL Hieronymus","year":"1993","unstructured":"Hieronymus JL (1993) Ascii phonetic symbols for the world\u2019s languages: Worldbet. J Int Phonet Assoc 23(3):12\u201354","journal-title":"J Int Phonet Assoc"},{"key":"359_CR14","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102992","volume":"124","author":"Y Huang","year":"2023","unstructured":"Huang Y, Ma M (2023) Ill-ids: an incremental lifetime learning ids for vanets. Comput Secur 124:102992","journal-title":"Comput Secur"},{"key":"359_CR15","unstructured":"Ji Y, Lee S, Fazzini M, et\u00a0al (2018) Enabling refinable $$\\{$$Cross-Host$$\\}$$ attack investigation with efficient data flow tagging and tracking. In: 27th USENIX Security Symposium (USENIX Security 18), pp 1705\u20131722"},{"key":"359_CR16","unstructured":"Ke Z, Liu B (2022) Continual learning of natural language processing tasks: A survey. arXiv preprint arXiv:2211.12701"},{"key":"359_CR17","unstructured":"Khoury J, Upthegrove T, Caro A, et\u00a0al (2020) An event-based data model for granular information flow tracking. In: 12th International Workshop on Theory and Practice of Provenance (TaPP 2020)"},{"key":"359_CR18","doi-asserted-by":"crossref","unstructured":"Kim S, Jung C, Jang R, et\u00a0al (2023) A robust counting sketch for data plane intrusion detection. In: 30th Annual Network and Distributed System Security Symposium, NDSS 2023, The Internet Society","DOI":"10.14722\/ndss.2023.23102"},{"key":"359_CR19","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2023.103784","volume":"221","author":"S Latif","year":"2024","unstructured":"Latif S, Boulila W, Koubaa A et al (2024) Dtl-ids: an optimized intrusion detection framework using deep transfer learning and genetic algorithm. J Network Compute Appl 221:103784","journal-title":"J Network Compute Appl"},{"issue":"4","key":"359_CR20","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1016\/S1389-1286(00)00139-0","volume":"34","author":"R Lippmann","year":"2000","unstructured":"Lippmann R, Haines JW, Fried DJ et al (2000) The 1999 darpa off-line intrusion detection evaluation. Comput Network 34(4):579\u2013595","journal-title":"Comput Network"},{"key":"359_CR21","doi-asserted-by":"crossref","unstructured":"Lippmann RP, Fried DJ, Graf I, et\u00a0al (2000b) Evaluating intrusion detection systems: The 1998 darpa off-line intrusion detection evaluation. In: Proceedings DARPA Information survivability conference and exposition. DISCEX\u201900, IEEE, pp 12\u201326","DOI":"10.1109\/DISCEX.2000.821506"},{"key":"359_CR22","doi-asserted-by":"crossref","unstructured":"Moustafa N, Slay J (2015) Unsw-nb15: a comprehensive data set for network intrusion detection systems (unsw-nb15 network data set). In: 2015 military communications and information systems conference (MilCIS), IEEE, pp 1\u20136","DOI":"10.1109\/MilCIS.2015.7348942"},{"issue":"1","key":"359_CR23","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1186\/s42400-020-00056-4","volume":"3","author":"S Moustakidis","year":"2020","unstructured":"Moustakidis S, Karlsson P (2020) A novel feature extraction methodology using siamese convolutional neural networks for intrusion detection. Cybersecurity 3(1):16","journal-title":"Cybersecurity"},{"key":"359_CR24","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1016\/j.ins.2016.09.037","volume":"374","author":"M Nauman","year":"2016","unstructured":"Nauman M, Azam N, Yao J (2016) A three-way decision making approach to malware analysis using probabilistic rough sets. Inf Sci 374:193\u2013209","journal-title":"Inf Sci"},{"issue":"13","key":"359_CR25","doi-asserted-by":"publisher","first-page":"3935","DOI":"10.1016\/j.comnet.2007.04.017","volume":"51","author":"A Patcha","year":"2007","unstructured":"Patcha A, Park JM (2007) Network anomaly detection with incomplete audit data. Comput Network 51(13):3935\u20133955","journal-title":"Comput Network"},{"key":"359_CR26","doi-asserted-by":"crossref","unstructured":"Ramezany S, Setthawong R, Tanprasert T (2022) A machine learning-based malicious payload detection and classification framework for new web attacks. 2022 19th International Conference on Electrical Engineering\/Electronics. Computer, Telecommunications and Information Technology (ECTI-CON), IEEE, pp 1\u20134","DOI":"10.1109\/ECTI-CON54298.2022.9795455"},{"key":"359_CR27","doi-asserted-by":"crossref","unstructured":"Rebuffi SA, Kolesnikov A, Sperl G, et\u00a0al (2017) icarl: Incremental classifier and representation learning. In: Proceedings of the IEEE conference on Computer Vision and Pattern Recognition, pp 2001\u20132010","DOI":"10.1109\/CVPR.2017.587"},{"key":"359_CR28","doi-asserted-by":"crossref","unstructured":"Rizvi S, Scanlon M, McGibney J, et\u00a0al (2022) Deep learning based network intrusion detection system for resource-constrained environments. In: International Conference on Digital Forensics and Cyber Crime, Springer, pp 355\u2013367","DOI":"10.1007\/978-3-031-36574-4_21"},{"key":"359_CR29","first-page":"108","volume":"1","author":"I Sharafaldin","year":"2018","unstructured":"Sharafaldin I, Lashkari AH, Ghorbani AA et al (2018) Toward generating a new intrusion detection dataset and intrusion traffic characterization. ICISSp 1:108\u2013116","journal-title":"ICISSp"},{"key":"359_CR30","unstructured":"Sharma N, Arora B (2021) Review of incremental and online learning methods for network anomaly detection. Turkish Online Journal of Qualitative Inquiry 12(7)"},{"key":"359_CR31","first-page":"27075","volume":"35","author":"Q Sun","year":"2022","unstructured":"Sun Q, Lyu F, Shang F et al (2022) Exploring example influence in continual learning. Adv Neural Inf Process Syst 35:27075\u201327086","journal-title":"Adv Neural Inf Process Syst"},{"key":"359_CR32","doi-asserted-by":"crossref","unstructured":"Tavallaee M, Bagheri E, Lu W, et\u00a0al (2009) A detailed analysis of the kdd cup 99 data set. In: 2009 IEEE symposium on computational intelligence for security and defense applications, Ieee, pp 1\u20136","DOI":"10.1109\/CISDA.2009.5356528"},{"issue":"12","key":"359_CR33","doi-asserted-by":"publisher","first-page":"1185","DOI":"10.1038\/s42256-022-00568-3","volume":"4","author":"GM Van de Ven","year":"2022","unstructured":"Van de Ven GM, Tuytelaars T, Tolias AS (2022) Three types of incremental learning. Nature Mach Intell 4(12):1185\u20131197","journal-title":"Nature Mach Intell"},{"key":"359_CR34","unstructured":"Wang L, Zhang X, Su H, et\u00a0al (2023) A comprehensive survey of continual learning: Theory. Method and Application 2302"},{"key":"359_CR35","unstructured":"Wang Z, Li Y, Shen L, et\u00a0al (2024) A unified and general framework for continual learning. arXiv preprint arXiv:2403.13249"},{"issue":"1","key":"359_CR36","doi-asserted-by":"publisher","first-page":"671","DOI":"10.1109\/TNSM.2021.3102388","volume":"19","author":"Z Wu","year":"2021","unstructured":"Wu Z, Gao P, Cui L et al (2021) An incremental learning method based on dynamic ensemble rvm for intrusion detection. IEEE Trans Network Service Managem 19(1):671\u2013685","journal-title":"IEEE Trans Network Service Managem"},{"key":"359_CR37","doi-asserted-by":"publisher","first-page":"3538","DOI":"10.1109\/TIFS.2021.3083422","volume":"16","author":"J Yang","year":"2021","unstructured":"Yang J, Chen X, Chen S et al (2021) Conditional variational auto-encoder and extreme value theory aided two-stage learning approach for intelligent fine-grained known\/unknown intrusion detection. IEEE Trans Inf Foren Secur 16:3538\u20133553","journal-title":"IEEE Trans Inf Foren Secur"},{"issue":"2","key":"359_CR38","doi-asserted-by":"publisher","first-page":"255","DOI":"10.1016\/j.ijar.2007.05.019","volume":"49","author":"Y Yao","year":"2008","unstructured":"Yao Y (2008) Probabilistic rough set approximations. Int J Approx Reason 49(2):255\u2013271","journal-title":"Int J Approx Reason"},{"key":"359_CR39","doi-asserted-by":"crossref","unstructured":"Yao Y (2009) Three-way decision: an interpretation of rules in rough set theory. In: Rough Sets and Knowledge Technology: 4th International Conference, RSKT 2009, Gold Coast, Australia, July 14-16, 2009. Proceedings 4, Springer, pp 642\u2013649","DOI":"10.1007\/978-3-642-02962-2_81"},{"issue":"3","key":"359_CR40","doi-asserted-by":"publisher","first-page":"341","DOI":"10.1016\/j.ins.2009.09.021","volume":"180","author":"Y Yao","year":"2010","unstructured":"Yao Y (2010) Three-way decisions with probabilistic rough sets. Inf Sci 180(3):341\u2013353","journal-title":"Inf Sci"},{"issue":"6","key":"359_CR41","doi-asserted-by":"publisher","first-page":"1080","DOI":"10.1016\/j.ins.2010.11.019","volume":"181","author":"Y Yao","year":"2011","unstructured":"Yao Y (2011) The superiority of three-way decisions in probabilistic rough set models. Inf Sci 181(6):1080\u20131096","journal-title":"Inf Sci"},{"issue":"17","key":"359_CR42","doi-asserted-by":"publisher","first-page":"3356","DOI":"10.1016\/j.ins.2008.05.010","volume":"178","author":"Y Yao","year":"2008","unstructured":"Yao Y, Zhao Y (2008) Attribute reduction in decision-theoretic rough set models. Inf Sci 178(17):3356\u20133373","journal-title":"Inf Sci"},{"key":"359_CR43","unstructured":"Ye M, Barg A (2017) Asymptotically optimal private estimation under mean square loss. arXiv preprint arXiv:1708.00059"},{"key":"359_CR44","doi-asserted-by":"crossref","unstructured":"Ye Q, Wu X, Yan B (2010) An intrusion detection approach based on system call sequences and rules extraction. In: 2010 2nd International Conference on E-business and Information System Security, IEEE, pp 1\u20134","DOI":"10.1109\/EBISS.2010.5473675"},{"key":"359_CR45","doi-asserted-by":"crossref","unstructured":"Zhang S, Li Y, Du X (2020) An intrusion detection approach based on autoencoder and three-way decisions. In: Proceedings of the 2020 4th International Conference on Electronic Information Technology and Computer Engineering, pp 495\u2013500","DOI":"10.1145\/3443467.3443804"},{"issue":"46","key":"359_CR46","first-page":"1577","volume":"8","author":"D Zhou","year":"2023","unstructured":"Zhou D, Wang F, Ye H et al (2023) A review of class incremental learning algorithms based on deep learning. (in chines). J Comput 8(46):1577\u20131605","journal-title":"J Comput"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00359-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-025-00359-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00359-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T03:02:34Z","timestamp":1761706954000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-025-00359-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,29]]},"references-count":46,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,12]]}},"alternative-id":["359"],"URL":"https:\/\/doi.org\/10.1186\/s42400-025-00359-4","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,29]]},"assertion":[{"value":"9 August 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 January 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 October 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"80"}}