This work addresses the challenge of detecting novel (including zero-day) attacks in intrusion detection scenarios where attack labels are unavailable and network traffic distributions continuously evolve. The authors propose an adaptive, unsupervised novelty detection framework that relies solely on normal traffic. It uniquely integrates continual learning with unsupervised novelty detection by leveraging clustering-derived pseudo-labels to guide both reconstruction and metric-learning-based feature extraction, complemented by a PCA module for anomaly scoring. This design enables incremental adaptation without requiring any attack-labeled data. Evaluated on five real-world datasets, the method achieves an average F1-score improvement of 62% and a 58% gain in zero-day attack detection performance, while exhibiting near-zero catastrophic forgetting and minimal inference overhead.

Intrusion Detection Systems (IDS) must maintain reliable detection performance under rapidly evolving benign traffic patterns and the continual emergence of cyberattacks, including zero-day threats with no labeled data available. However, most machine learning-based IDS approaches either assume static data distributions or rely on labeled attack samples, substantially limiting their applicability in real-world deployments. This setting naturally motivates continual novelty detection, which enables IDS models to incrementally adapt to non-stationary data streams without labeled attack data. In this work, we introduce ACORN-IDS, an adaptive continual novelty detection framework that learns exclusively from normal data while exploiting the inherent structure of an evolving unlabeled data stream. ACORN-IDS integrates a continual feature extractor, trained using reconstruction and metric learning objectives with clustering-based pseudo-labels, alongside a PCA-based reconstruction module for anomaly scoring. This design allows ACORN-IDS to continuously adapt to distributional shifts in both benign and malicious traffic. We conduct an extensive evaluation of ACORN-IDS on five realistic intrusion datasets under two continual learning scenarios: (i) Evolving Attacks and (ii) Evolving Normal and Attack Distributions. ACORN-IDS achieves, on average, a 62% improvement in F1-score and a 58% improvement in zero-day attack detection over the state-of-the-art unsupervised continual learning baseline. It also outperforms existing state-of-the-art novelty detection approaches while exhibiting near-zero forgetting and imposing minimal inference overhead. These results demonstrate that ACORN-IDS offers a practical, label-efficient solution for building adaptive and robust IDS in dynamic, real-world environments. We plan to release the code upon acceptance.