# **Scenario Definitions (UNSW-NB15)**
In this project, we adopt a Class Incremental Learning (CIL) setting to model the continuous evolution of cyber threats. Instead of training the Intrusion Detection System (IDS) on all attack types at once, the model is exposed to the data in a sequence of tasks, where each task corresponds to the set of attack classes that are visible at a given time.

A task is therefore defined as the subset of attack classes available during a specific training phase. In all tasks, benign traffic (Normal) is always present, as it represents background network activity that exists continuously in real-world environments.

The UNSW-NB15 dataset contains 9 attack categories in addition to normal traffic. These attack classes are introduced progressively across tasks according to different task scenarios, which simulate different rates and patterns of threat evolution. The purpose of defining multiple scenarios is to analyze how the size and frequency of incremental updates affect the model’s performance and its susceptibility to catastrophic forgetting.

## **Attack Classes**

The following attack categories from the UNSW-NB15 dataset are considered:

- Generic
- Exploits
- Fuzzers
- DoS
- Reconnaissance
- Analysis
- Backdoor
- Shellcode
- Worms

Benign traffic is represented by the Normal class and is included in every task.

## **Scenario 1: Many Small Updates (1 + 1 + 1 + …)**

In this scenario, new attack classes are introduced one at a time. This setting simulates a slow and gradual evolution of threats, where the IDS is frequently updated with a small number of new classes. While each update is relatively simple, the large number of tasks increases the risk of long-term catastrophic forgetting.

At each task, the model is trained on the Normal class together with all previously seen attack classes and one newly introduced attack class.

## **Scenario 2: Few Large Updates (5 + 4)**

In this scenario, multiple new attack classes are introduced simultaneously. This setting represents a sudden shift in the threat landscape, where several new attack types emerge at once. The model must rapidly adapt to a large number of new classes, which can significantly impact its ability to retain previously learned knowledge.

The first task introduces Normal traffic together with a group of five attack classes. The second task introduces the remaining four attack classes, while Normal traffic remains present.

## **Scenario 3: Mixed Updates (2 + 3 + 4)**

This scenario represents a compromise between gradual and abrupt evolution. Attack classes are introduced in groups of increasing size across tasks. This setting aims to capture a more realistic evolution of cyber threats, where periods of stability are interspersed with bursts of new attack types.

As in the previous scenarios, Normal traffic is included in every task, and the model must incrementally learn new attack classes while preserving knowledge of previously learned ones.
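
The three task schedules above can be generated from their group sizes. The following is an added example, not code from this project: the introduction order of the attack classes (taken here from the list order on this page), the `attack_cat` label key, and the function names are assumptions, and the sample records are constructed.

```python
from itertools import accumulate

NORMAL = "Normal"
# Attack categories in the order this page lists them; using this as the
# introduction order is an assumption, the page does not fix one.
ATTACKS = ["Generic", "Exploits", "Fuzzers", "DoS", "Reconnaissance",
           "Analysis", "Backdoor", "Shellcode", "Worms"]

# Group sizes per scenario, taken from the scenario titles.
SCENARIOS = {
    "many_small": [1] * 9,   # Scenario 1: 1 + 1 + 1 + ...
    "few_large": [5, 4],     # Scenario 2: 5 + 4
    "mixed": [2, 3, 4],      # Scenario 3: 2 + 3 + 4
}

def build_tasks(group_sizes, attacks=ATTACKS):
    """Return one dict per task: newly introduced classes and all classes seen so far."""
    if any(s <= 0 for s in group_sizes) or sum(group_sizes) != len(attacks):
        raise ValueError("group sizes must be positive and cover every attack class once")
    bounds = [0, *accumulate(group_sizes)]
    tasks = []
    for t, (lo, hi) in enumerate(zip(bounds, bounds[1:]), start=1):
        tasks.append({
            "task": t,
            "new": attacks[lo:hi],
            "seen": [NORMAL, *attacks[:hi]],  # Normal is present in every task
        })
    return tasks

def select_rows(rows, task, cumulative=True, label_key="attack_cat"):
    """Keep only records whose class is visible in the given task.
    cumulative=True keeps previously seen attacks; False keeps Normal + new only."""
    visible = set(task["seen"]) if cumulative else {NORMAL, *task["new"]}
    return [r for r in rows if r[label_key] in visible]

# Constructed sample records (not real UNSW-NB15 rows).
SAMPLE = [{"id": i, "attack_cat": c} for i, c in enumerate(
    ["Normal", "Generic", "DoS", "Worms", "Normal", "Exploits", "Backdoor"])]

if __name__ == "__main__":
    for name, sizes in SCENARIOS.items():
        print(name)
        for task in build_tasks(sizes):
            n = len(select_rows(SAMPLE, task))
            print(f"  task {task['task']}: +{task['new']} -> {n} sample rows")
```
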

## **Purpose of Scenario Comparison**

By evaluating the IDS under these three scenarios, we can systematically study how the size of incremental tasks influences:

- overall classification accuracy,
- average incremental accuracy across tasks,
- and the degree of catastrophic forgetting on previously learned attack classes.

This comparison allows us to assess the robustness of different continual learning strategies, such as Experience Replay (ER), under varying threat evolution dynamics.