Diffusion-based Adversarial Purification for Intrusion Detection
Mohamed Amine Merzouk, Erwan Beurier, Reda Yaich, Nora Boulahia-Cuppens, Frédéric Cuppens
TL;DR
This work addresses adversarial vulnerability in ML-based intrusion detection by applying diffusion-based adversarial purification upstream of the IDS. The authors analyze how the diffusion parameters, especially the optimal diffusion step $t^*$, the variance schedule $\beta$, and the number of diffusion steps $T$, interact with adversarial perturbations of magnitude $\epsilon$ across five attack methods on two datasets, UNSW-NB15 and NSL-KDD. They demonstrate that diffusion purification can restore high adversarial accuracy (up to ~80%) while preserving most of the clean-data performance. Two findings stand out: the optimal noise level aligns with the perturbation magnitude, and a larger $T$ improves robustness at the cost of latency. The paper provides practical guidance on parameter choices and highlights the need to combine diffusion-based purification with other defenses for robust, real-world IDS deployment. $t^*$, $\beta$, and $\sigma^2$ emerge as the key quantities governing purification effectiveness, offering a pathway to principled defense design against evolving adversarial threats in network security.
Abstract
The escalating sophistication of cyberattacks has encouraged the integration of machine learning techniques in intrusion detection systems, but the rise of adversarial examples presents a significant challenge. These crafted perturbations mislead ML models, enabling attackers to evade detection or trigger false alerts. As a reaction, adversarial purification has emerged as a compelling solution, particularly with diffusion models showing promising results. However, their purification potential remains unexplored in the context of intrusion detection. This paper demonstrates the effectiveness of diffusion models in purifying adversarial examples in network intrusion detection. Through a comprehensive analysis of the diffusion parameters, we identify optimal configurations maximizing adversarial robustness with minimal impact on normal performance. Importantly, this study reveals insights into the relationship between diffusion noise and diffusion steps, representing a novel contribution to the field. Our experiments are carried out on two datasets and against 5 adversarial attacks. The implementation code is publicly available.
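The relationship between diffusion noise and diffusion steps described above can be made concrete with the standard DDPM forward process. This is an added example, not the authors' code: it assumes a linear $\beta$ schedule with endpoints 1e-4 and 0.02, features min-max scaled to [0, 1], and a hypothetical `pick_t_star` heuristic that takes the first step whose noise standard deviation reaches $\epsilon$, whereas the paper identifies its optimal configurations through its parameter analysis.

```python
import math
import random

def linear_betas(T, beta_start=1e-4, beta_end=0.02):
    """Linear variance schedule beta_1..beta_T (endpoints are assumed defaults)."""
    if T < 2:
        raise ValueError("T must be at least 2")
    step = (beta_end - beta_start) / (T - 1)
    return [beta_start + i * step for i in range(T)]

def forward_coeffs(betas):
    """For each step t = 1..T: (signal scale sqrt(abar_t), noise std sqrt(1 - abar_t))."""
    coeffs, abar = [], 1.0
    for beta in betas:
        abar *= 1.0 - beta          # abar_t = prod_{s<=t} (1 - beta_s)
        coeffs.append((math.sqrt(abar), math.sqrt(1.0 - abar)))
    return coeffs

def pick_t_star(betas, epsilon):
    """Hypothetical heuristic: first step whose noise std reaches epsilon.
    Returns None when the schedule never injects that much noise."""
    for t, (_, noise_std) in enumerate(forward_coeffs(betas), start=1):
        if noise_std >= epsilon:
            return t
    return None

def diffuse(x0, betas, t, rng):
    """Forward half of purification: x_t = sqrt(abar_t) * x0 + sqrt(1 - abar_t) * z.
    The reverse half needs a trained denoiser run for t steps (not shown)."""
    signal, noise_std = forward_coeffs(betas)[t - 1]
    return [signal * v + noise_std * rng.gauss(0.0, 1.0) for v in x0]

if __name__ == "__main__":
    flow = [0.12, 0.80, 0.05, 0.33]  # constructed, min-max scaled flow features
    for T in (100, 1000):
        betas = linear_betas(T)
        for eps in (0.05, 0.2, 0.9):
            t = pick_t_star(betas, eps)
            if t is None:
                print(f"T={T} eps={eps}: schedule never reaches this noise level")
                continue
            signal, noise_std = forward_coeffs(betas)[t - 1]
            x_t = diffuse(flow, betas, t, random.Random(0))
            print(f"T={T} eps={eps}: t*={t} noise_std={noise_std:.3f} "
                  f"clean signal kept={signal:.3f} x_t={[round(v, 2) for v in x_t]}")
```

Under these assumptions the reverse pass costs one denoiser call per step up to the chosen $t^*$ for every purified flow, which is where a finer schedule turns into latency.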
