ACORN-IDS: Adaptive Continual Novelty Detection for Intrusion Detection Systems

Intrusion Detection Systems (IDS) must maintain reliable detection performance under rapidly evolving benign traffic patterns and the continual emergence of cyberattacks, including zero-day threats with no labeled data available. However, most machine learning-based IDS approaches either assume static data distributions or rely on labeled attack samples, substantially limiting their applicability in real-world deployments. This setting naturally motivates continual novelty detection, which enables IDS models to incrementally adapt to non-stationary data streams without labeled attack data. In this work, we introduce ACORN-IDS, an adaptive continual novelty detection framework that learns exclusively from normal data while exploiting the inherent structure of an evolving unlabeled data stream. ACORN-IDS integrates a continual feature extractor, trained using reconstruction and metric learning objectives with clustering-based pseudo-labels, alongside a PCA-based reconstruction module for anomaly scoring. This design allows ACORN-IDS to continuously adapt to distributional shifts in both benign and malicious traffic. We conduct an extensive evaluation of ACORN-IDS on five realistic intrusion datasets under two continual learning scenarios: (i) Evolving Attacks and (ii) Evolving Normal and Attack Distributions. ACORN-IDS achieves, on average, a 62% improvement in F1-score and a 58% improvement in zero-day attack detection over the state-of-the-art unsupervised continual learning baseline. It also outperforms existing state-of-the-art novelty detection approaches while exhibiting near-zero forgetting and imposing minimal inference overhead. These results demonstrate that ACORN-IDS offers a practical, label-efficient solution for building adaptive and robust IDS in dynamic, real-world environments. We plan to release the code upon acceptance.

• Publication year

  2026

• Venue

  Unknown venue

• Publication date

  2026-02-07

• Fields of study

  Computer Science, Engineering

• Identifiers
  arXiv 2602.07291
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• SAFE: Self-Supervised Anomaly Detection Framework for Intrusion Detection

  2025cited by this paper
• CITADEL: Continual Anomaly Detection for Enhanced Learning in IoT Intrusion Detection

  2025cited by this paper
• CND-IDS: Continual Novelty Detection for Intrusion Detection Systems

  2025cited by this paper
• AOC-IDS: Autonomous Online Framework with Contrastive Learning for Intrusion Detection

  2024cited by this paper
• Continual Learning with Strategic Selection and Forgetting for Network Intrusion Detection

  2024cited by this paper
• ROLDEF: RObust Layered DEFense for Intrusion Detection Against Adversarial Attacks

  2024cited by this paper
• Rigorous Evaluation of Machine Learning-Based Intrusion Detection Against Adversarial Attacks

  2024cited by this paper
• A Comprehensive Survey of Continual Learning: Theory, Method and Application

  2023cited by this paper
• Lifelong Continual Learning for Anomaly Detection: New Challenges, Perspectives, and Insights

  2023influential reference
• Augmented Memory Replay-based Continual Learning Approaches for Network Intrusion Detection

  2023cited by this paper
• Continual Learning: Applications and the Road Forward

  2023cited by this paper
• A Multi-Class Intrusion Detection System Based on Continual Learning

  2023cited by this paper
• VLAD: Task-agnostic VAE-based lifelong anomaly detection

  2023influential reference
• Fascinating Supervisory Signals and Where to Find Them: Deep Anomaly Detection with Scale Learning

  2023influential reference
• Open-World Continual Learning: Unifying Novelty Detection and Continual Learning

  2023cited by this paper
• SCALE: Online Self-Supervised Lifelong Learning without Prior Knowledge

  2022cited by this paper
• X-IIoTID: A Connectivity-Agnostic and Device-Agnostic Intrusion Data Set for Industrial Internet of Things

  2022cited by this paper
• Continual Learning for Anomaly based Network Intrusion Detection

  2022cited by this paper
• A survey on deep learning for cybersecurity: Progress, challenges, and opportunities

  2022cited by this paper
• Deep Isolation Forest for Anomaly Detection

  2022cited by this paper
• Anomaly Detection for Tabular Data with Internal Contrastive Learning

  2022cited by this paper
• incDFM: Incremental Deep Feature Modeling for Continual Novelty Detection

  2022cited by this paper
• Analysis of Continual Learning Models for Intrusion Detection System

  2022cited by this paper
• Representational Continuity for Unsupervised Continual Learning

  2021cited by this paper
• Towards Model Generalization for Intrusion Detection: Unsupervised Machine Learning Techniques

  2021cited by this paper
• Learning Without Forgetting: A New Framework for Network Cyber Security Threat Detection

  2021cited by this paper
• Unsupervised Continual Learning in Streaming Environments

  2021cited by this paper
• Continual Learning with Tiny Episodic Memories

  2019cited by this paper
• Balanced Efficient Lifelong Learning (B-ELLA) for Cyber Attack Detection

  2019cited by this paper
• A Continual Learning Survey: Defying Forgetting in Classification Tasks

  2019cited by this paper
• Machine Learning and Deep Learning Methods for Intrusion Detection Systems: A Survey

  2019cited by this paper
• Don't forget, there is more than forgetting: new metrics for Continual Learning

  2018cited by this paper
• Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization

  2018cited by this paper
• Deep Autoencoding Gaussian Mixture Model for Unsupervised Anomaly Detection

  2018cited by this paper
• Learning without Forgetting

  2016cited by this paper
• FaceNet: A unified embedding for face recognition and clustering

  2015cited by this paper
• UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)

  2015cited by this paper
• A Tutorial on Principal Component Analysis

  2014cited by this paper
• ELLA: An Efficient Lifelong Learning Algorithm

  2013cited by this paper
• Intrusion detection system: A comprehensive review

  2013cited by this paper
• Scikit-learn: Machine Learning in Python

  2011influential reference
• A survey of intrusion detection and prevention systems

  2010cited by this paper
• Web-scale k-means clustering

  2010cited by this paper
• Anomaly-based network intrusion detection: Techniques, systems and challenges

  2009cited by this paper
• The relationship between Precision-Recall and ROC curves

  2006cited by this paper
• Data Mining - Concepts and Techniques

  2002cited by this paper

• No citing papers are available for this paper.