A Novel and Practical Universal Adversarial Perturbations against Deep Reinforcement Learning based Intrusion Detection Systems

H. Zhang, L. Zhang, G. Epiphaniou, C. Maple

TL;DR

The paper tackles the vulnerability of DRL-based intrusion detection systems to adversarial manipulation by introducing a practical universal adversarial perturbation (UAP) generated under domain-specific constraints. It further proposes a Customized UAP that uses a Pearson Correlation Coefficient (PCC) based loss to amplify the perturbation's impact on predictions. The approach is evaluated on CICIDS2018 with a DRL agent trained via deep Q-learning, and it is compared against four UAP baselines as well as FGSM and BIM, demonstrating competitive or superior evasion performance, especially when domain relationships among features are respected. The work advances the security of DRL-based IDS in real-world settings by highlighting a realistic threat and proposing a stronger, PCC-guided attack, with implications for developing robust defenses.

Abstract

Intrusion Detection Systems (IDS) play a vital role in defending modern cyber-physical systems against increasingly sophisticated cyber threats. Deep Reinforcement Learning-based IDS have shown promise due to their adaptive and generalization capabilities. However, recent studies reveal their vulnerability to adversarial attacks, including Universal Adversarial Perturbations (UAPs), which can deceive models with a single, input-agnostic perturbation. In this work, we propose a novel UAP attack against Deep Reinforcement Learning (DRL)-based IDS under the domain-specific constraints derived from network data rules and feature relationships. To the best of our knowledge, there is no existing study that has explored UAP generation for the DRL-based IDS. In addition, this is the first work that focuses on developing a UAP against a DRL-based IDS under realistic domain constraints based on not only the basic domain rules but also mathematical relations between the features. Furthermore, we enhance the evasion performance of the proposed UAP by introducing a customized loss function based on the Pearson Correlation Coefficient, and we denote it as Customized UAP. To the best of our knowledge, this is also the first work using the PCC value in the UAP generation, even in the broader context. Four additional established UAP baselines are implemented for a comprehensive comparison. Experimental results demonstrate that our proposed Customized UAP outperforms two input-dependent attacks including Fast Gradient Sign Method (FGSM), Basic Iterative Method (BIM), and four UAP baselines, highlighting its effectiveness for real-world adversarial scenarios.

Paper Structure

This paper contains 15 sections, 10 equations, 7 figures, 3 tables, 1 algorithm.

Figures (7)

  • Figure 1: DRL training and predicting stage.
  • Figure 2: Network architecture of DRL agent.
  • Figure 3: PCC Values and Fooling Rate of Proposed UAP Attack
  • Figure 4: Mean training and testing accuracy across 10 DRL agent training runs
  • Figure 5: Attack performance of FGSM/BIM and proposed UAP
  • ...and 2 more figures