Software-Defined Networking (SDN) improves network management and flexibility by separating control and data plane functions. However, the centralized architecture of SDN can increase cybersecurity risks, such as an increased vulnerability to Denial of Service (DoS) attacks. While integrating machine learning (ML) models into Intrusion Detection Systems (IDSs) achieves high detection performance, these ML models must demonstrate strong generalization capabilities across new, previously unseen network traffic patterns, which is crucial for networks with dynamic traffic behavior. In our previously published work, Collaborative ML-based IDS (CML-IDS), different ML models are deployed in both the control and data plane to enhance detection performance while reducing network load and detection time. However, CML-IDS operates as an offline model, where ML models are trained once on a specific network traffic pattern, potentially limiting CML-IDS ability to generalize across diverse and new network traffic patterns effectively. To address this issue, we introduce COML-IDS, an online learning framework that automatically updates the ML model in the data plane when the detection performance degrades. Our results demonstrate that COML-IDS achieves an average increase of at least 25% in detection performance when encountering new network traffic patterns while reducing the need to forward the necessary flow feature data to the control plane compared to the CML-IDS.
