Intrusion detection is a long-standing practice of security experts; however, several issues still need to be tackled. Therefore, in this paper, after highlighting these issues, we present an architecture for a hybrid Intrusion Detection System (IDS) for the adaptive and incremental detection of both known and unknown attacks. The IDS is composed of a supervised module and an unsupervised module, namely a Deep Neural Network (DNN) and the K-Nearest Neighbors (KNN) algorithm, respectively. The proposed system is near-autonomous, since the intervention of the expert is minimized through an active learning (AL) approach. A query strategy for the labeling process is presented; it aims to teach the supervised module to detect unknown attacks and to improve the detection of already-known attacks. This teaching is achieved through sliding windows (SW) in an incremental fashion: the DNN is retrained as data becomes available over time, thus making the IDS adaptive enough to cope with the evolving nature of network traffic. A set of experiments was conducted on the CICIDS2017 dataset in order to evaluate the performance of the IDS, and promising results were obtained.
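The sliding-window active-learning loop sketched in the abstract, as an added illustration that is not the paper's code: a KNN outlier score stands in for the unsupervised module, a nearest-centroid classifier stands in for the DNN (an assumption, since the paper's model and its exact query strategy are not given here), and each window's flagged flows are sent to a labeling oracle before the supervised module is retrained.

```python
import math

def euclid(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def knn_outlier_score(x, reference, k=3):
    """Unsupervised module (KNN): mean distance from x to its k nearest labeled flows."""
    dists = sorted(euclid(x, r) for r in reference)
    return sum(dists[:k]) / min(k, len(dists))

class CentroidClassifier:
    """Stand-in for the supervised module (assumption: nearest centroid replaces the DNN).
    Confidence is a distance margin: 1.0 when x sits on a centroid, 0.5 when ambiguous."""
    def fit(self, X, y):
        self.centroids = {}
        for label in set(y):
            pts = [x for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [sum(col) / len(pts) for col in zip(*pts)]
        return self

    def predict(self, x):
        ranked = sorted((euclid(x, c), lab) for lab, c in self.centroids.items())
        best = ranked[0][0]
        second = ranked[1][0] if len(ranked) > 1 else best + 1.0
        return ranked[0][1], 1.0 - best / (best + second + 1e-9)

def query_strategy(clf, reference, batch, budget, conf_thr, out_thr):
    """Pick at most `budget` flows for the expert: KNN outliers (candidate unknown
    attacks) first, then flows the supervised module classifies with low confidence."""
    scored = []
    for x in batch:
        _, conf = clf.predict(x)
        out = knn_outlier_score(x, reference)
        if out > out_thr or conf < conf_thr:
            scored.append((out > out_thr, out, 1.0 - conf, x))
    scored.sort(key=lambda t: t[:3], reverse=True)
    return [t[3] for t in scored[:budget]]

def run_sliding_windows(stream, oracle, seed_X, seed_y, window=4, budget=2,
                        conf_thr=0.7, out_thr=3.0):
    """Incremental loop: per window, query the expert for a few flows, then retrain."""
    X, y = list(seed_X), list(seed_y)
    clf = CentroidClassifier().fit(X, y)
    queried = []
    for start in range(0, len(stream), window):
        batch = stream[start:start + window]
        for x in query_strategy(clf, X, batch, budget, conf_thr, out_thr):
            X.append(x); y.append(oracle(x)); queried.append(x)
        clf = CentroidClassifier().fit(X, y)  # retrain once the window's labels are in
    return clf, queried
```

With a constructed stream in which a new attack cluster appears only in the second window, the loop queries the oracle only for that cluster and the retrained classifier then recognizes it.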