AI Summary
To address model performance degradation caused by concept drift in network intrusion detection, this paper proposes a dynamic continual learning framework. The method introduces two key innovations: (1) a drift-aware strategic sample selection mechanism that dynamically identifies critical samples based on representativeness and recency; and (2) a trigger-based forgetting mechanism that adaptively prunes the memory buffer in response to concept drift detection signals. By jointly optimizing memory efficiency and model adaptability, the approach significantly enhances the detector's responsiveness to evolving threat patterns. Extensive experiments on NSL-KDD and UNSW-NB15 demonstrate state-of-the-art performance, achieving an average 4.2% improvement in F1-score over existing methods and markedly accelerating drift response time.
Abstract
Intrusion Detection Systems (IDS) are crucial for safeguarding digital infrastructure. In dynamic network environments, both threat landscapes and normal operational behaviors are constantly changing, resulting in concept drift. While continuous learning mitigates the adverse effects of concept drift, insufficient attention to drift patterns and excessive preservation of outdated knowledge can still hinder the IDS's adaptability. In this paper, we propose SSF (Strategic Selection and Forgetting), a novel continual learning method for IDS, providing continuous model updates with a constantly refreshed memory buffer. Our approach features a strategic sample selection algorithm to select representative new samples and a strategic forgetting mechanism to drop outdated samples. The proposed strategic sample selection algorithm prioritizes new samples that cause the 'drifted' pattern, enabling the model to better understand the evolving landscape. Additionally, we introduce strategic forgetting upon detecting significant drift by discarding outdated samples to free up memory, allowing the incorporation of more recent data. SSF captures evolving patterns effectively and ensures the model is aligned with the change of data patterns, significantly enhancing the IDS's adaptability to concept drift. The state-of-the-art performance of SSF on NSL-KDD and UNSW-NB15 datasets demonstrates its superior adaptability to concept drift for network intrusion detection.
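A minimal sketch of the memory-buffer behaviour the abstract describes, added here as an illustration and not the paper's SSF algorithm. It assumes drift is flagged by a centroid-shift threshold, approximates "samples that cause the drifted pattern" as the new samples farthest from the old buffer centroid, and forgets by dropping the oldest entries; all names, thresholds and sample records are constructed.

```python
import math
from collections import deque

def centroid(rows):
    return [sum(col) / len(rows) for col in zip(*rows)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class DriftAwareBuffer:
    """Replay memory for continual IDS retraining (hypothetical names throughout)."""
    def __init__(self, capacity, drift_threshold, forget_fraction=0.5):
        self.capacity = capacity
        self.drift_threshold = drift_threshold  # assumed: centroid shift treated as significant drift
        self.forget_fraction = forget_fraction  # assumed: share of oldest samples dropped on drift
        self.items = deque()                    # oldest first; each item is (features, label)

    def update(self, batch, budget):
        """Fold a new batch into memory; return True if significant drift was flagged."""
        if not self.items:
            self.items.extend(batch[:self.capacity])
            return False
        old_c = centroid([f for f, _ in self.items])
        drifted = dist(old_c, centroid([f for f, _ in batch])) > self.drift_threshold
        if drifted:
            # Forgetting: discard the oldest samples to free room for recent data.
            for _ in range(int(len(self.items) * self.forget_fraction)):
                self.items.popleft()
        # Selection: keep the new samples that deviate most from the old pattern.
        ranked = sorted(batch, key=lambda s: dist(s[0], old_c), reverse=True)
        for sample in ranked[:budget]:
            if len(self.items) >= self.capacity:
                self.items.popleft()            # buffer full: evict the oldest entry
            self.items.append(sample)
        return drifted

def demo():
    # Constructed two-feature flow records, not taken from NSL-KDD or UNSW-NB15.
    baseline = [([0.1 * i, 0.2], "normal") for i in range(6)]
    similar = [([0.25, 0.2], "normal"), ([0.3, 0.25], "normal")]
    shifted = [([5.0, 4.0], "attack"), ([5.2, 4.1], "attack"), ([0.2, 0.2], "normal")]
    buf = DriftAwareBuffer(capacity=6, drift_threshold=1.0)
    buf.update(baseline, budget=6)
    stable = buf.update(similar, budget=1)    # small shift: no forgetting
    drift = buf.update(shifted, budget=2)     # large shift: oldest half dropped
    return stable, drift, [label for _, label in buf.items]

if __name__ == "__main__":
    print(demo())
```

In the constructed run, the near-identical batch leaves the buffer almost untouched, while the shifted batch triggers forgetting and the two far-from-baseline records displace the benign one that matches the old pattern.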