{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T19:02:44Z","timestamp":1773342164583,"version":"3.50.1"},"reference-count":35,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T00:00:00Z","timestamp":1773273600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Denial-of-Service (DoS) attacks remain one of the most dangerous threats in modern Internet environments. They aim to overwhelm networks, servers, or online services with massive volumes of traffic, and maintaining service availability is a core pillar of cybersecurity. More importantly, DoS attack techniques continue to evolve. However, traditional intrusion detection systems (IDS) trained on fixed attack categories struggle to identify previously unknown DoS attack types and cannot dynamically incorporate newly emerging classes. To address this challenge, this study proposes a stage-wise network intrusion detection framework that integrates unknown attack detection, attack discovery, and class-incremental learning into a unified pipeline. The framework consists of three stages. First, an autoencoder-based anomaly detection approach is used to separate potential unknown DoS attack samples from known classes. Second, a clustering-and-merging strategy is applied to the detected unknown DoS samples to discover emerging attack clusters with similar structural characteristics. Third, the classifier architecture is expanded for each newly discovered cluster through a class-incremental learning mechanism, enabling the continual incorporation of new attack classes while maintaining stable detection performance on previously learned classes. Experimental results on the DoS category of the NSL-KDD dataset demonstrate that the proposed stage-wise framework can effectively isolate samples of unknown DoS attacks, accurately aggregate emerging attack clusters, and incrementally integrate newly discovered attack classes without significantly degrading recognition performance on previously learned classes. These results confirm the capability of the proposed framework to handle progressively emerging unknown DoS attacks.<\/jats:p>","DOI":"10.3390\/fi18030145","type":"journal-article","created":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T09:23:03Z","timestamp":1773307383000},"page":"145","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A Stage-Wise Framework Using Class-Incremental Learning for Unknown DoS Attack Detection"],"prefix":"10.3390","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-4331-5726","authenticated-orcid":false,"given":"Juncheng","family":"Ge","sequence":"first","affiliation":[{"name":"Graduate School of Information Science and Electrical Engineering, Kyushu University, Fukuoka 819-0395, Japan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6074-2514","authenticated-orcid":false,"given":"Yaokai","family":"Feng","sequence":"additional","affiliation":[{"name":"Faculty of Information Science and Electrical Engineering, Kyushu University, Fukuoka 819-0395, Japan"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4621-1674","authenticated-orcid":false,"given":"Kouichi","family":"Sakurai","sequence":"additional","affiliation":[{"name":"Faculty of Information Science and Electrical Engineering, Kyushu University, Fukuoka 819-0395, Japan"}]}],"member":"1968","published-online":{"date-parts":[[2026,3,12]]},"reference":[{"key":"ref_1","first-page":"655","article-title":"DoS and DDoS attack detection using deep learning and IDS","volume":"17","author":"Shurman","year":"2020","journal-title":"Int. Arab J. Inf. Technol."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1186\/s42400-019-0038-7","article-title":"Survey of intrusion detection systems: Techniques, datasets and challenges","volume":"2","author":"Khraisat","year":"2019","journal-title":"Cybersecurity"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"205","DOI":"10.1016\/j.procs.2022.03.029","article-title":"Intrusion detection systems using supervised machine learning techniques: A survey","volume":"201","author":"Abdallah","year":"2022","journal-title":"Procedia Comput. Sci."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"314","DOI":"10.1007\/s44163-025-00578-1","article-title":"A comprehensive survey on intrusion detection systems with advances in machine learning, deep learning and emerging cybersecurity challenges","volume":"5","author":"Hozouri","year":"2025","journal-title":"Discov. Artif. Intell."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Jangra, R., and Kajal, A. (2023). A Review of Deep Learning based Intrusion Detection Systems. 2023 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS), IEEE.","DOI":"10.1109\/ICCCIS60361.2023.10425595"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1109\/COMST.2015.2494502","article-title":"A survey of data mining and machine learning methods for cyber security intrusion detection","volume":"18","author":"Buczak","year":"2015","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Cruz, S., Coleman, C., Rudd, E.M., and Boult, T.E. (2017). Open set intrusion recognition for fine-grained attack categorization. 2017 IEEE International Symposium on Technologies for Homeland Security (HST), IEEE.","DOI":"10.1109\/THS.2017.7943467"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Laskov, P., Christin, S., and Kotenko, I. (2004). Intrusion detection in unlabeled data with quarter-sphere support vector machines. Detection of Intrusions and Malware & Vulnerability Assessment, GI SIG SIDAR Workshop, DIMVA 2004, Gesellschaft f\u00fcr Informatik eV.","DOI":"10.1515\/PIKO.2004.228"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Mirsky, Y., Doitshman, T., Elovici, Y., and Shabtai, A. (2018). Kitsune: An ensemble of autoencoders for online network intrusion detection. arXiv.","DOI":"10.14722\/ndss.2018.23204"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"137042","DOI":"10.1109\/ACCESS.2021.3115946","article-title":"Learning without forgetting: A new framework for network cyber security threat detection","volume":"9","author":"Karn","year":"2021","journal-title":"IEEE Access"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Oikonomou, C., Iliopoulos, I., Ioannidis, D., and Tzovaras, D. (2023). A multi-class intrusion detection system based on continual learning. 2023 IEEE International Conference on Cyber Security and Resilience (CSR), IEEE.","DOI":"10.1109\/CSR57506.2023.10224974"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"17156","DOI":"10.52202\/075280-0750","article-title":"Augmented memory replay-based continual learning approaches for network intrusion detection","volume":"36","author":"Amalapuram","year":"2023","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Chalapathy, R., and Chawla, S. (2019). Deep learning for anomaly detection: A survey. arXiv.","DOI":"10.1145\/3394486.3406704"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Tavallaee, M., Bagheri, E., Lu, W., and Ghorbani, A.A. (2009). A Detailed Analysis of the KDD CUP 99 Data Set. 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA), IEEE.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Sakurada, M., and Yairi, T. (2014). Anomaly Detection Using Autoencoders with Nonlinear Dimensionality Reduction. Proceedings of the 2nd Workshop on Machine Learning for Sensory Data Analysis (MLSDA), Association for Computing Machinery.","DOI":"10.1145\/2689746.2689747"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Ping, G., and Ye, X. (2022). Open-set intrusion detection with MinMax autoencoder and pseudo extreme value machine. 2022 International Joint Conference on Neural Networks (IJCNN), IEEE.","DOI":"10.1109\/IJCNN55064.2022.9892858"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"3614","DOI":"10.1109\/TPAMI.2020.2981604","article-title":"Recent advances in open set recognition: A survey","volume":"43","author":"Geng","year":"2020","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"17001","DOI":"10.1038\/s41598-025-01084-1","article-title":"Unknown intrusion traffic detection method based on unsupervised learning and open-set recognition","volume":"15","author":"Fang","year":"2025","journal-title":"Sci. Rep."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Qiu, Z., Zhou, D., Zhai, Y., Liu, B., He, L., and Cao, J. (2024). VAEMax: Open-set intrusion detection based on OpenMax and variational autoencoder. 2024 5th Information Communication Technologies Conference (ICTC), IEEE.","DOI":"10.1109\/ICTC61510.2024.10601788"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"2150060","DOI":"10.1142\/S012906572150060X","article-title":"A Continuous Learning Approach for Real-Time Network Intrusion Detection","volume":"31","author":"Martina","year":"2021","journal-title":"Int. J. Neural Syst."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Rebuffi, S.A., Kolesnikov, A., Sperl, G., and Lampert, C.H. (2017). iCaRL: Incremental classifier and representation learning. 2017 IEEE Conference on Computer Vision and Pattern Recognition, IEEE.","DOI":"10.1109\/CVPR.2017.587"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"3521","DOI":"10.1073\/pnas.1611835114","article-title":"Overcoming catastrophic forgetting in neural networks","volume":"114","author":"Kirkpatrick","year":"2017","journal-title":"Proc. Natl. Acad. Sci. USA"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"2935","DOI":"10.1109\/TPAMI.2017.2773081","article-title":"Learning without forgetting","volume":"40","author":"Li","year":"2017","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_24","first-page":"3366","article-title":"A Continual Learning Survey: Defying Forgetting in Classification Tasks","volume":"44","author":"Aljundi","year":"2021","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Xu, H., and Wang, Y. (2022). A Continual Few-Shot Learning Method via Meta-Learning for Intrusion Detection. 2022 IEEE 4th International Conference on Civil Aviation Safety and Information Technology (ICCASIT), IEEE.","DOI":"10.1109\/ICCASIT55263.2022.9986665"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"2389","DOI":"10.1109\/TNSM.2023.3332284","article-title":"A Few-Shot Class-Incremental Learning Method for Network Intrusion Detection","volume":"21","author":"Du","year":"2024","journal-title":"IEEE Trans. Netw. Serv. Manag."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Cerasuolo, F., Bovenzi, G., Marescalco, C., Cirillo, F., Ciuonzo, D., and Pescap\u00e9, A. (2023). Adaptive Intrusion Detection Systems: Class Incremental Learning for IoT Emerging Threats. 2023 IEEE International Conference on Big Data (BigData), IEEE.","DOI":"10.1109\/BigData59044.2023.10386129"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"103982","DOI":"10.1016\/j.cose.2024.103982","article-title":"AIS-NIDS: An intelligent and self-sustaining network intrusion detection system","volume":"144","author":"Farrukh","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_29","first-page":"629","article-title":"Hierarchical density estimates for data clustering, visualization, and outlier detection","volume":"27","author":"Campello","year":"2015","journal-title":"IEEE Trans. Knowl. Data Eng."},{"key":"ref_30","first-page":"281","article-title":"Some methods for classification and analysis of multivariate observations","volume":"Volume 1","author":"MacQueen","year":"1967","journal-title":"Proceedings of the Fifth Berkeley Symposium on Mathematical Statistics and Probability"},{"key":"ref_31","first-page":"160","article-title":"Density-Based Clustering Based on Hierarchical Density Estimates","volume":"Volume 7819","author":"Campello","year":"2013","journal-title":"Proceedings of the Pacific-Asia Conference on Knowledge Discovery and Data Mining (PAKDD)"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"205","DOI":"10.21105\/joss.00205","article-title":"hdbscan: Hierarchical Density Based Clustering","volume":"2","author":"McInnes","year":"2017","journal-title":"J. Open Source Softw."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Fern\u00e1ndez, A., Garc\u00eda, S., and Herrera, F. (2023). Density-Based Clustering to Deal with Highly Imbalanced Data in Multi-Class Problems. Mathematics, 11.","DOI":"10.3390\/math11184008"},{"key":"ref_34","unstructured":"Hinton, G., Vinyals, O., and Dean, J. (2015). Distilling the knowledge in a neural network. arXiv."},{"key":"ref_35","unstructured":"Stolfo, S.J., Fan, W., Lee, W., Prodromidis, A., and Chan, P.K. (2026, January 23). KDD Cup 1999 Data. Available online: http:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/18\/3\/145\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T09:50:02Z","timestamp":1773309002000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/18\/3\/145"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,12]]},"references-count":35,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2026,3]]}},"alternative-id":["fi18030145"],"URL":"https:\/\/doi.org\/10.3390\/fi18030145","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,12]]}}}