Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SoK: Realistic Adversarial Attacks and Defenses for Intelligent Network Intrusion Detection

João Vitorino, Isabel Praça, Eva Maia

TL;DR

This SoK addresses the realism gap in adversarial ML for network intrusion detection by systematically aggregating works since 2017 that generate realistic perturbations of real traffic. It classifies perturbations into patch-like and mask-like forms while enforcing domain constraints through two core realism properties: validity and coherence, and it reviews attack settings (black/gray/white-box) alongside defense strategies (reactive and proactive) with practical guidelines. The study highlights that many proposed perturbations are impractical for real networks and emphasizes security-by-design, combining defenses and realistic evaluations to improve robustness without compromising generalization. Overall, the work provides a realism-focused blueprint for researchers and practitioners to assess and develop resilient ML-based NID solutions for real-world deployment.

Abstract

Machine Learning (ML) can be incredibly valuable to automate anomaly detection and cyber-attack classification, improving the way that Network Intrusion Detection (NID) is performed. However, despite the benefits of ML models, they are highly susceptible to adversarial cyber-attack examples specifically crafted to exploit them. A wide range of adversarial attacks have been created and researchers have worked on various defense strategies to safeguard ML models, but most were not intended for the specific constraints of a communication network and its communication protocols, so they may lead to unrealistic examples in the NID domain. This Systematization of Knowledge (SoK) consolidates and summarizes the state-of-the-art adversarial learning approaches that can generate realistic examples and could be used in real ML development and deployment scenarios with real network traffic flows. This SoK also describes the open challenges regarding the use of adversarial ML in the NID domain, defines the fundamental properties that are required for an adversarial example to be realistic, and provides guidelines for researchers to ensure that their future experiments are adequate for a real communication network.

SoK: Realistic Adversarial Attacks and Defenses for Intelligent Network Intrusion Detection

TL;DR

This SoK addresses the realism gap in adversarial ML for network intrusion detection by systematically aggregating works since 2017 that generate realistic perturbations of real traffic. It classifies perturbations into patch-like and mask-like forms while enforcing domain constraints through two core realism properties: validity and coherence, and it reviews attack settings (black/gray/white-box) alongside defense strategies (reactive and proactive) with practical guidelines. The study highlights that many proposed perturbations are impractical for real networks and emphasizes security-by-design, combining defenses and realistic evaluations to improve robustness without compromising generalization. Overall, the work provides a realism-focused blueprint for researchers and practitioners to assess and develop resilient ML-based NID solutions for real-world deployment.

Abstract

Machine Learning (ML) can be incredibly valuable to automate anomaly detection and cyber-attack classification, improving the way that Network Intrusion Detection (NID) is performed. However, despite the benefits of ML models, they are highly susceptible to adversarial cyber-attack examples specifically crafted to exploit them. A wide range of adversarial attacks have been created and researchers have worked on various defense strategies to safeguard ML models, but most were not intended for the specific constraints of a communication network and its communication protocols, so they may lead to unrealistic examples in the NID domain. This Systematization of Knowledge (SoK) consolidates and summarizes the state-of-the-art adversarial learning approaches that can generate realistic examples and could be used in real ML development and deployment scenarios with real network traffic flows. This SoK also describes the open challenges regarding the use of adversarial ML in the NID domain, defines the fundamental properties that are required for an adversarial example to be realistic, and provides guidelines for researchers to ensure that their future experiments are adequate for a real communication network.
Paper Structure (10 sections, 6 figures, 3 tables)

This paper contains 10 sections, 6 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Research Methodology
  3. Data Perturbations
  4. Attack Methods
  5. Defense Strategies
  6. Future Directions
  7. Conclusion
  8. Author Contributions
  9. Funding
  10. Conflicts of Interest

Figures (6)

  • Figure 1: PRISMA search process.
  • Figure 2: Adversarial perturbation via a patch, based on Eykholt2018.
  • Figure 3: Adversarial perturbation via a mask, based on Edwards2020.
  • Figure 4: Adversarial perturbation on tabular data, based on Merzouk2022.
  • Figure 5: Adversarial perturbation on a network traffic flow, based on Vitorino2023.
  • ...and 1 more figures