Intrusion Detection Systems (IDS) must maintain reliable detection performance under rapidly evolving benign traffic patterns and the continual emergence of cyberattacks, including zero-day threats with no labeled data available. However, most machine learning-based IDS approaches either assume static data distributions or rely on labeled attack samples, substantially limiting their applicability in real-world deployments. This setting naturally motivates continual novelty detection, which enables IDS models to incrementally adapt to non-stationary data streams without labeled attack data. In this work, we introduce ACORN-IDS, an adaptive continual novelty detection framework that learns exclusively from normal data while exploiting the inherent structure of an evolving unlabeled data stream. ACORN-IDS integrates a continual feature extractor, trained using reconstruction and metric learning objectives with clustering-based pseudo-labels, alongside a PCA-based reconstruction module for anomaly scoring. This design allows ACORN-IDS to continuously adapt to distributional shifts in both benign and malicious traffic. We conduct an extensive evaluation of ACORN-IDS on five realistic intrusion datasets under two continual learning scenarios: (i) Evolving Attacks and (ii) Evolving Normal and Attack Distributions. ACORN-IDS achieves, on average, a 62% improvement in F1-score and a 58% improvement in zero-day attack detection over the state-of-the-art unsupervised continual learning baseline. It also outperforms existing state-of-the-art novelty detection approaches while exhibiting near-zero forgetting and imposing minimal inference overhead. These results demonstrate that ACORN-IDS offers a practical, label-efficient solution for building adaptive and robust IDS in dynamic, real-world environments. We plan to release the code upon acceptance.

翻译：入侵检测系统（IDS）必须在快速演变的良性流量模式以及持续出现的网络攻击（包括无标签数据可用的零日威胁）下保持可靠的检测性能。然而，大多数基于机器学习的IDS方法要么假设静态数据分布，要么依赖于已标记的攻击样本，这极大地限制了它们在实际部署中的适用性。这一场景自然催生了持续新颖性检测，它使得IDS模型能够在没有标记攻击数据的情况下，逐步适应非平稳的数据流。本文中，我们提出了ACORN-IDS，一种自适应持续新颖性检测框架，该框架仅从正常数据中学习，同时利用不断演化的无标签数据流的固有结构。ACORN-IDS集成了一个持续特征提取器（通过基于聚类的伪标签，使用重构和度量学习目标进行训练）以及一个基于PCA的重构模块用于异常评分。这种设计使得ACORN-IDS能够持续适应良性和恶意流量中的分布偏移。我们在两种持续学习场景下，对五个真实的入侵数据集进行了ACORN-IDS的广泛评估：（i）攻击演化；（ii）正常与攻击分布演化。与最先进的无监督持续学习基线相比，ACORN-IDS在F1分数上平均提升了62%，在零日攻击检测上平均提升了58%。它还优于现有的最先进的新颖性检测方法，同时表现出接近零的遗忘性，并施加了最小的推理开销。这些结果表明，ACORN-IDS为在动态的现实环境中构建自适应且鲁棒的IDS提供了一个实用、标签高效的解决方案。我们计划在论文被接受后发布代码。