Network Intrusion Detection Systems (NIDS) face increasing challenges from sophisticated cyber threats, particularly zero-day attacks that evade signature-based methods. While supervised learning is effective for known attack classification, it struggles with novel threats, whereas anomaly-based approaches suffer from high false positive rates and unstable thresholds. To address these limitations, this paper proposes a decision-level adaptive intrusion-detection framework combining hierarchical CNN-based closed-set classification with autoencoder-based zero-day detection in a cascade architecture. The framework enables deployment-time adaptation by dynamically adjusting class-specific confidence thresholds and fusion parameters without model retraining. Experiments on the CSE-CIC-IDS2018 dataset demonstrate strong closed-set performance, achieving 98.98% accuracy and a macro-F1-score of 0.9342, with improved recall for minority attack classes under adaptive thresholding. Under a zero-day evaluation protocol in which WebAttacks and Infiltration are excluded from training and validation, the proposed approach achieves an F1-score of 0.9319 while maintaining a low false positive rate of 0.0019. The framework is further evaluated on the Simulated University Network Environment (SUNE) dataset representing campus network traffic, achieving 96.18% closed-set accuracy and 97.54% accuracy in the integrated cascade setting. These results demonstrate that the proposed framework effectively balances minority attack detection, zero-day identification, and false-alarm control in dynamic and resource-constrained network environments.
Mchina et al. (Thu,) studied this question.
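The abstract's decision-level cascade with class-specific confidence thresholds, as an added sketch that is not code from the paper. The label set, the quantile rules used to fit the thresholds, the routing of benign and low-confidence predictions to the autoencoder stage, and every sample value are assumptions made for illustration.

```python
import math

# Constructed illustration: label set, thresholds and all numbers are assumptions.
CLASSES = ["benign", "dos", "bruteforce"]
BENIGN = 0

def argmax(p):
    return max(range(len(p)), key=p.__getitem__)

def fit_class_thresholds(val_probs, val_labels, target_recall=0.95, default=0.5):
    """Per-class confidence cut-off: the largest value that still accepts
    target_recall of that class's correctly classified validation flows."""
    thr = {}
    for c in range(len(CLASSES)):
        conf = sorted(p[c] for p, y in zip(val_probs, val_labels)
                      if y == c and argmax(p) == c)
        k = len(conf) - math.ceil(target_recall * len(conf))  # flows we may reject
        thr[c] = conf[k] if conf else default
    return thr

def fit_ae_threshold(benign_errors, q=0.99):
    """q-quantile of autoencoder reconstruction error on benign validation flows."""
    e = sorted(benign_errors)
    return e[min(len(e) - 1, math.ceil(q * len(e)) - 1)]

def cascade(probs, recon_error, class_thr, ae_thr):
    """Stage 1: accept a known attack only above its class threshold.
    Stage 2: everything else (benign or low confidence) goes to the autoencoder."""
    pred = argmax(probs)
    if pred != BENIGN and probs[pred] >= class_thr[pred]:
        return CLASSES[pred]
    return "unknown" if recon_error > ae_thr else "benign"

# Constructed validation window: (classifier softmax output, true label index).
VAL = [([0.99, 0.01, 0.00], 0), ([0.97, 0.02, 0.01], 0), ([0.90, 0.06, 0.04], 0),
       ([0.80, 0.15, 0.05], 0), ([0.03, 0.95, 0.02], 1), ([0.05, 0.90, 0.05], 1),
       ([0.10, 0.85, 0.05], 1), ([0.30, 0.60, 0.10], 1), ([0.30, 0.15, 0.55], 2),
       ([0.20, 0.10, 0.70], 2)]
BENIGN_ERR = [0.010, 0.012, 0.011, 0.015, 0.020, 0.013, 0.009, 0.014, 0.016, 0.018]

def demo():
    thr = fit_class_thresholds([p for p, _ in VAL], [y for _, y in VAL], 0.75)
    ae = fit_ae_threshold(BENIGN_ERR)
    flows = [([0.05, 0.90, 0.05], 0.50), ([0.30, 0.10, 0.60], 0.30),
             ([0.40, 0.45, 0.15], 0.25), ([0.97, 0.02, 0.01], 0.30),
             ([0.97, 0.02, 0.01], 0.012)]
    return thr, ae, [cascade(p, e, thr, ae) for p, e in flows]

if __name__ == "__main__":
    print(demo())
```

Re-running the two fit functions on a fresh validation window changes the decisions without touching either model. The minority class here ends up with a lower cut-off (0.55) than the majority attack class (0.85), so its 0.60-confidence flow is still accepted.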