CITADEL: Continual Anomaly Detection for Enhanced Learning in IoT Intrusion Detection

TL;DR

CITADEL introduces a self-supervised continual learning framework for IoT intrusion detection that adapts to new threats while retaining knowledge of past attacks, significantly improving detection performance in dynamic environments.

Contribution

The paper presents a novel self-supervised continual learning approach with memory consolidation for IoT intrusion detection, addressing adaptability and catastrophic forgetting issues.

Findings

Achieves up to 72.9% improvement over previous methods.

Effectively detects emerging and known threats in IoT datasets.

Enhances long-term knowledge retention in anomaly detection.

Abstract

The Internet of Things (IoT), with its high degree of interconnectivity and limited computational resources, is particularly vulnerable to a wide range of cyber threats. Intrusion detection systems (IDS) have been extensively studied to enhance IoT security, and machine learning-based IDS (ML-IDS) show considerable promise for detecting malicious activity. However, their effectiveness is often constrained by poor adaptability to emerging threats and the issue of catastrophic forgetting during continuous learning. To address these challenges, we propose CITADEL, a self-supervised continual learning framework designed to extract robust representations from benign data while preserving long-term knowledge through optimized memory consolidation mechanisms. CITADEL integrates a tabular-to-image transformation module, a memory-aware masked autoencoder for self-supervised representation learning, and a novelty detection component capable of identifying anomalies without dependence on labeled attack data. Our design enables the system to incrementally adapt to emerging behaviors while retaining its ability to detect previously observed threats. Experiments on multiple intrusion datasets demonstrate that CITADEL achieves up to a 72.9% improvement over the VAE-based lifelong anomaly detector (VLAD) in key detection and retention metrics, highlighting its effectiveness in dynamic IoT environments.