MULTI-LF: A Continuous Learning Framework for Real-Time Malicious Traffic Detection in Multi-Environment Networks

Furqan Rustam, Islam Obaidat, Anca Delia Jurcut

TL;DR

The paper tackles real-time malicious traffic detection in heterogeneous multi-environment networks by building a realistic M-En dataset from a Docker-NS3 testbed and public PCAPs, and by introducing Multi-LF, a continuous-learning framework that couples a lightweight M1 with a deeper M2 and occasional expert input. Features are extracted at 1-second intervals, capturing fine-grained temporal patterns, while a confidence-based coordination scheme keeps the cascade efficient and weight interpolation mitigates forgetting during online updates. Real-time deployment in DDoShield-IoT achieves 0.999 accuracy with only 0.0026% human intervention and maintains high throughput on the lightweight model, demonstrating practicality for live, diverse network environments. The work provides reproducible resources (code and data on GitHub) and shows strong environmental efficiency metrics, suggesting significant practical impact for adaptive, low-overhead cyber defense in multi-domain networks.

Abstract

Multi-environment (M-En) networks integrate diverse traffic sources, including Internet of Things (IoT) and traditional computing systems, creating complex and evolving conditions for malicious traffic detection. Existing machine learning (ML)-based approaches, typically trained on static single-domain datasets, often fail to generalize across heterogeneous network environments. To address this gap, we develop a realistic Docker-NS3-based testbed that emulates both IoT and traditional traffic conditions, enabling the generation and capture of live, labeled network flows. The resulting M-En Dataset combines this traffic with curated public PCAP traces to provide comprehensive coverage of benign and malicious behaviors. Building on this foundation, we propose Multi-LF, a real-time continuous learning framework that combines a lightweight model (M1) for rapid detection with a deeper model (M2) for high-confidence refinement and adaptation. A confidence-based coordination mechanism enhances efficiency without compromising accuracy, while weight interpolation mitigates catastrophic forgetting during continuous updates. Features extracted at 1-second intervals capture fine-grained temporal patterns, enabling early recognition of evolving attack behaviors. Implemented and evaluated within the Docker-NS3 testbed on live traffic, Multi-LF achieves an accuracy of 0.999 while requiring human intervention for only 0.0026 percent of packets, demonstrating its effectiveness and practicality for real-time malicious traffic detection in heterogeneous network environments.
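
The cascade the abstract describes (M1 decides when confident, M2 takes low-confidence windows, an expert labels what M2 cannot settle, and updated weights are interpolated with the previous ones), as an added Python illustration that is not the paper's code. The two models are toy logistic scorers standing in for M1 and M2; the thresholds, learning rate, interpolation factor and the per-second traffic windows are assumed, constructed values.

```python
# Added illustration (not the paper's code): confidence-gated M1/M2 cascade with
# weight-interpolated online updates. Models, thresholds, lr and alpha are assumed.
import math
# Constructed 1-second windows: [packets/s, bytes/s, distinct dst ports] in [0, 1]; label 1 = malicious
STREAM = [
    ([0.05, 0.05, 0.00], 0),  # idle host
    ([0.98, 0.95, 0.20], 1),  # volumetric flood
    ([0.50, 0.40, 0.05], 0),  # bursty but legitimate backup transfer
    ([0.30, 0.20, 0.90], 1),  # low-rate scan: high port fan-out
    ([0.02, 0.10, 0.00], 0),  # idle host
    ([0.60, 0.60, 0.50], 1),  # flood combined with fan-out
]
M1 = ([4.0, 3.0, 5.0], -5.0)  # lightweight model: (weights, bias), assumed
M2 = ([6.0, 5.0, 8.0], -8.0)  # stand-in for the deeper model: (weights, bias), assumed

def score(model, x):
    """Probability that window x is malicious under a logistic scorer."""
    w, b = model
    return 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))

def process_stream(stream, m1, m2, thr1=0.9, thr2=0.9):
    """Run the cascade; return stage counts, accuracy and expert-labelled windows."""
    counts, correct, buffer = {"m1": 0, "m2": 0, "human": 0}, 0, []
    for x, y in stream:
        stage, label = "human", y  # fall-through: ask the expert, keep for updates
        for name, model, thr in (("m1", m1, thr1), ("m2", m2, thr2)):
            p = score(model, x)
            if max(p, 1 - p) >= thr:  # confidence-based coordination
                stage, label = name, int(p >= 0.5)
                break
        counts[stage] += 1
        correct += label == y
        if stage == "human":
            buffer.append((x, y))
    return counts, correct / len(stream), buffer

def sgd_update(model, samples, lr=0.5, epochs=20):
    """Plain logistic-regression SGD on the expert-labelled buffer."""
    w, b = list(model[0]), model[1]
    for _ in range(epochs):
        for x, y in samples:
            err = score((w, b), x) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
            b -= lr * err
    return w, b

def interpolate(old, new, alpha=0.5):
    """Blend pre- and post-update weights so adaptation cannot erase prior knowledge."""
    w = [(1 - alpha) * o + alpha * n for o, n in zip(old[0], new[0])]
    return w, (1 - alpha) * old[1] + alpha * new[1]
```

On the constructed stream, three windows are settled by M1, two by M2 and one (the low-rate scan) goes to the expert, whose label then drives an M2 update that is blended back with the previous weights.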

Paper Structure

This paper contains 25 sections, 5 equations, 10 figures, 20 tables, 1 algorithm.

Figures (10)

  • Figure 1: Proposed Framework For M-En Malicious Traffic Detection
  • Figure 2: M1 & M2 Models Training Approaches
  • Figure 3: Proposed DL-based T2 Model Architecture
  • Figure 4: Overview of Multi-LF Flow Diagram
  • Figure 5: Baseline M1 Models F1 Score using K-Fold Cross Validation