Hey @catanit, welcome!
Yes that could be a problem on any model that is continuously learning. All unfamiliar sequences are first seen as anomalous, and then become known patterns once they repeat enough times given their length & complexity. So there will be some spikes in raw anomaly score as this anomaly is ingrained into a pattern. Depending on the noise level in the data these spike may or may not be enough to spike the anomaly likelihood value.
One potential way around this is to turn learning off during deployment. So have a learning/training period before deployment, which should contain all kinds of normal (non-hacking) behavior. The idea is that any behavior anomalous to this well trained model is worth suspicion. This of course relies on the idea that new normal patterns wouldn’t emerge during deployment, which would create false alarms.