Drift-Adaptive BERT

A real-time BERT-based network intrusion detection system with adaptive feedback loops, achieving 99.97% accuracy and 5.54 ms average inference latency on evolving threat data.

Python · PyTorch · Transformers · Docker · FastAPI

The Problem

Static machine learning models for network intrusion detection degrade over time as attack patterns evolve: the relationship between traffic features and labels shifts, a phenomenon called concept drift. A model trained on last year's threats misses this year's novel attack vectors. Retraining from scratch is expensive, and until the retrained model is deployed the stale model keeps missing the drifted attacks, which creates a window of vulnerability.

The Solution

I engineered a BERT-based IDS with adaptive feedback loops that continuously adjusts to evolving threats without full retraining.

  • BERT encoder fine-tuned on network traffic features for binary classification (benign vs. malicious).
  • Adaptive feedback loop — Misclassified samples flagged by analysts are fed back into a lightweight fine-tuning cycle that updates only the classification head, preserving the encoder's learned representations.
  • Real-time inference — FastAPI serving layer with batched inference for throughput, achieving 5.54ms average latency per classification.
  • Containerized microservices — Docker-based deployment with separate containers for inference, feedback collection, and model update orchestration.

What Went Wrong

The initial feedback loop retrained too aggressively. A small batch of misclassified samples would shift the decision boundary and cause regressions on previously correct classifications — the model would "forget" older attack patterns while learning new ones.

The fix: I implemented an experience replay buffer that mixes new feedback samples with a random subset of historical training data during each fine-tuning cycle. This preserves the model's knowledge of older threats while incorporating new patterns. I also added a validation gate — the updated model must pass a held-out test set before being promoted to production.
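The following is an added example, not the project's code, showing the three mechanisms described above in one runnable loop: a head-only update that leaves the encoder untouched, an experience replay buffer that mixes analyst feedback with historical samples, and a validation gate that promotes the candidate only if it holds up on a held-out set. It assumes a hypothetical `encode()` function standing in for the frozen BERT encoder (two hand-picked flow features instead of a `[CLS]` embedding) and a logistic-regression head trained by plain SGD in place of the PyTorch classification head, so it runs without PyTorch or Transformers; all flow records are constructed, not captured traffic.

```python
import copy
import math
import random


def encode(flow):
    """Stand-in for the frozen encoder: raw flow record -> feature vector.
    The feedback loop never modifies this, like the frozen BERT encoder."""
    return [flow["pkt_rate"], flow["payload_ratio"]]


class Head:
    """Logistic-regression classification head: 0 = benign, 1 = malicious."""

    def __init__(self, dim=2):
        self.w = [0.0] * dim
        self.b = 0.0

    def proba(self, x):
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def predict(self, x):
        return int(self.proba(x) >= 0.5)

    def fit(self, samples, epochs=100, lr=0.5):
        """Plain SGD over (features, label) pairs; only w and b change."""
        for _ in range(epochs):
            for x, y in samples:
                err = self.proba(x) - y
                self.w = [wi - lr * err * xi for wi, xi in zip(self.w, x)]
                self.b -= lr * err

    def accuracy(self, samples):
        return sum(self.predict(x) == y for x, y in samples) / len(samples)


class ReplayBuffer:
    """Historical training samples; sample() draws a random subset to mix in."""

    def __init__(self, history, seed=0):
        self.history = list(history)
        self.rng = random.Random(seed)

    def sample(self, k):
        return self.rng.sample(self.history, min(k, len(self.history)))


def feedback_update(head, feedback, buffer, holdout, replay_per_sample=3):
    """One fine-tuning cycle: train a copy of the serving head on the flagged
    samples plus replay_per_sample historical samples per flagged sample
    (0 disables replay, i.e. the aggressive first version). The validation
    gate promotes the candidate only if it is at least as accurate as the
    current head on the held-out set. Returns (candidate, promoted)."""
    candidate = copy.deepcopy(head)
    batch = list(feedback) + buffer.sample(replay_per_sample * len(feedback))
    candidate.fit(batch)
    promoted = candidate.accuracy(holdout) >= head.accuracy(holdout)
    return candidate, promoted


def labelled(flows, label):
    return [(encode(f), label) for f in flows]


# Constructed flows (not captured traffic). Historical threat: packet floods
# (high packet rate, small payloads). The drifted threat appears later:
# low-rate flows carrying oversized payloads, which a head trained on
# BENIGN + FLOOD misses, so analysts flag them as feedback.
BENIGN = labelled([{"pkt_rate": r, "payload_ratio": p}
                   for r in (0.1, 0.2) for p in (0.1, 0.2)], 0)
FLOOD = labelled([{"pkt_rate": r, "payload_ratio": p}
                  for r in (0.8, 0.9) for p in (0.1, 0.2)], 1)
PAYLOAD_ATTACK = labelled([{"pkt_rate": r, "payload_ratio": p}
                           for r in (0.1, 0.2) for p in (0.8, 0.9)], 1)
# Held-out set covering the older classes; the gate measures regressions on it.
HOLDOUT = (labelled([{"pkt_rate": 0.15, "payload_ratio": 0.15},
                     {"pkt_rate": 0.12, "payload_ratio": 0.18}], 0)
           + labelled([{"pkt_rate": 0.85, "payload_ratio": 0.15},
                       {"pkt_rate": 0.82, "payload_ratio": 0.12}], 1))


def run_cycle(replay_per_sample):
    """Train the baseline head, run one feedback cycle with the given replay
    mix, and report what the validation gate saw."""
    head = Head()
    head.fit(BENIGN + FLOOD)
    candidate, promoted = feedback_update(
        head, PAYLOAD_ATTACK, ReplayBuffer(BENIGN + FLOOD), HOLDOUT,
        replay_per_sample)
    return {
        "baseline_train_acc": head.accuracy(BENIGN + FLOOD),
        "baseline_drift_acc": head.accuracy(PAYLOAD_ATTACK),
        "candidate_drift_acc": candidate.accuracy(PAYLOAD_ATTACK),
        "candidate_holdout_acc": candidate.accuracy(HOLDOUT),
        "promoted": promoted,
    }
```

`run_cycle(0)` reproduces the failure mode: the candidate learns the flagged payload attacks but starts flagging held-out benign flows, so the gate refuses to promote it and the serving head is unchanged. `run_cycle(3)` mixes the same feedback with replayed history, and the candidate classifies both the old and the new patterns correctly and is promoted. Two points carry over to the real system: the held-out set must actually contain the older attack families, since the gate can only catch regressions on classes it sees, and the gate is also what limits the damage of a bad or mislabelled feedback batch, because such a batch can only ever fail the gate, never reach production.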

Results

  • 99.97% accuracy, 99.90% recall on evolving threat datasets
  • 5.54ms average latency — viable for real-time traffic inspection
  • Outperforms static models on novel attack detection after drift
