
Ярослав Кульматов


ADVERSARIAL ATTACKS ON DEEP LEARNING-BASED INTRUSION DETECTION SYSTEMS

Y.A. Kulmatov, Y.S. Zholobenko, M.E. Kozharov
Department of Information Security,
Daukeyev Almaty University of Power Engineering and Telecommunications

Abstract
The integration of deep learning (DL) models into intrusion detection systems (IDS) has enabled high detection accuracy for sophisticated and previously unseen network traffic anomalies. However, such models exhibit an inherent vulnerability to adversarial attacks—intentionally crafted input perturbations that cause incorrect predictions while remaining imperceptible to traditional validation mechanisms. This paper presents a comprehensive experimental analysis of adversarial machine learning threats targeting deep learning-based IDS. We formalize a threat model covering white-box and gray-box scenarios and evaluate FGSM and PGD attacks against 1D-CNN and CatBoost models. A hybrid robustification method integrating controlled input sanitization, Jacobian Feature-based Regularization (JFR), and cyclic adversarial fine-tuning is proposed. Experiments on CIC-IDS-2017 and ToN_IoT datasets demonstrate that the proposed approach significantly improves robustness under strong iterative attacks while preserving high accuracy on clean traffic.
Keywords
information security; intrusion detection systems; deep learning; adversarial attacks; machine learning robustness; adversarial training; Jacobian regularization; hybrid defense; IDS

1. Introduction
Recent advances in deep learning have transformed cybersecurity practice. Intrusion detection systems built on convolutional and recurrent neural networks achieve state-of-the-art results in identifying complex and previously unknown attacks. Nevertheless, because these models learn statistical decision boundaries rather than protocol semantics, they are vulnerable to adversarial manipulation: an attacker who applies small, carefully engineered perturbations to the input features can have malicious traffic classified as benign. This limitation undermines the reliability of autonomous next-generation IDS and motivates systematic robustness evaluation.

2. Threat Model and Adversarial Attacks
We consider an intrusion detection system implementing a classifier f_θ: X → Y, where X is the network-flow feature space and Y is a binary label (benign or malicious). The adversary seeks a perturbation δ, bounded in the L∞ norm by a budget ε (the norm under which FGSM and PGD are defined), such that f_θ(x + δ) ≠ f_θ(x) while x + δ remains a semantically valid flow: feature values stay within their physical ranges, and features the attacker does not control, such as those fixed by the protocol or the target service, are left unchanged. Two gradient-based attacks are applied: the Fast Gradient Sign Method (FGSM), a single step of size ε along the sign of the loss gradient, and Projected Gradient Descent (PGD), which iterates smaller signed steps and projects each iterate back into the ε-ball and the valid feature ranges. Both are evaluated under white-box assumptions (full access to the model and its gradients) and gray-box assumptions (partial knowledge of the target). Gradient-based attacks apply directly only to differentiable models such as the 1D-CNN; a tree-ensemble model such as CatBoost exposes no input gradient, so attacking it with FGSM or PGD means crafting the perturbation on a differentiable surrogate and relying on transfer.

3. Hybrid Robustification Method
The proposed Hybrid Robustification Method (HRM) combines three complementary components: (1) controlled input sanitization, which injects Gaussian noise and applies adaptive feature squeezing (reducing the precision of each feature) so that perturbations smaller than the squeezing step are erased before classification; (2) Jacobian Feature-based Regularization (JFR), a penalty on the norm of the model's input Jacobian added to the training loss, so that small changes in the input produce correspondingly small changes in the output and gradient-based attacks have less to exploit; and (3) cyclic adversarial fine-tuning, in which adversarial examples are regenerated against the current model in each cycle and the model is retrained on them together with clean data, so that the defense tracks an adapting attacker rather than a fixed set of examples.
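The attacks of Section 2 and the three HRM components of Section 3, as an added worked example that is not the paper's code. It assumes, for illustration only, a two-layer tanh MLP standing in for the paper's 1D-CNN, a constructed set of min-max-scaled flows with four features (duration, forward packets, bytes per packet, destination-port bucket), an L∞ budget ε = 0.1 in scaled units, and that the destination-port feature is immutable; the `MLP`, `pgd`, `perturbation_ok`, `sanitize`, `adversarial_fine_tune` and `evasion_rate` names are this example's own. Jacobian regularization is written out as a hand-derived double-backprop term because the example avoids a deep-learning framework; in practice that term comes from autograd.

```python
"""Added example (not the paper's code): FGSM/PGD under a bounded, semantics-
preserving threat model and the three HRM components, in plain numpy."""
import numpy as np

rng = np.random.default_rng(0)
# Scaled features: duration, fwd_packets, bytes_per_packet, dst_port_bucket (assumed fixed).
MUTABLE = np.array([1.0, 1.0, 1.0, 0.0])

def make_data(n=400):
    """Constructed min-max-scaled flows: label 1 = flood-like malicious, 0 = benign."""
    benign = np.column_stack([rng.uniform(0.2, 0.9, n), rng.uniform(0.0, 0.3, n),
                              rng.uniform(0.4, 0.9, n), rng.uniform(0.0, 1.0, n)])
    malicious = np.column_stack([rng.uniform(0.0, 0.3, n), rng.uniform(0.6, 1.0, n),
                                 rng.uniform(0.0, 0.3, n), rng.uniform(0.0, 1.0, n)])
    return np.vstack([benign, malicious]), np.r_[np.zeros(n), np.ones(n)]

class MLP:
    """x -> tanh(x W1 + b1) -> sigmoid(h.w2 + b2); all gradients written out by hand."""
    def __init__(self, d, h=8):
        self.W1, self.b1 = rng.normal(0, 0.5, (d, h)), np.zeros(h)
        self.w2, self.b2 = rng.normal(0, 0.5, h), 0.0
    def forward(self, X):
        H = np.tanh(X @ self.W1 + self.b1)
        return H, 1.0 / (1.0 + np.exp(-(H @ self.w2 + self.b2)))
    def predict(self, X):
        return (self.forward(X)[1] >= 0.5).astype(int)
    def bce(self, X, y):                      # per-sample binary cross-entropy
        p = np.clip(self.forward(X)[1], 1e-9, 1 - 1e-9)
        return -(y * np.log(p) + (1 - y) * np.log1p(-p))
    def input_grad(self, X, y):
        """d BCE / d x for each sample: the direction FGSM and PGD follow."""
        H, p = self.forward(X)
        return (((p - y)[:, None] * self.w2) * (1 - H ** 2)) @ self.W1.T
    def fit(self, X, y, epochs=500, lr=0.5, jac_lambda=0.0):
        """Full-batch GD on BCE + jac_lambda * mean ||d logit / d x||^2 (HRM part 2)."""
        N = len(X)
        for _ in range(epochs):
            H, p = self.forward(X)
            dz = (p - y)[:, None] / N
            dpre = dz * self.w2 * (1 - H ** 2)
            gW1, gb1, gw2, gb2 = X.T @ dpre, dpre.sum(0), H.T @ dz[:, 0], dz.sum()
            if jac_lambda:                    # hand-derived double backprop of the penalty
                V = self.w2 * (1 - H ** 2)    # d logit / d pre-activation
                J = V @ self.W1.T             # one input-Jacobian row per sample
                dV = (2.0 / N) * J @ self.W1  # d penalty / d V
                dpreR = dV * self.w2 * (-2.0 * H) * (1 - H ** 2)
                gW1 += jac_lambda * ((2.0 / N) * J.T @ V + X.T @ dpreR)
                gb1 += jac_lambda * dpreR.sum(0)
                gw2 += jac_lambda * (dV * (1 - H ** 2)).sum(0)
            self.W1 -= lr * gW1; self.b1 -= lr * gb1
            self.w2 -= lr * gw2; self.b2 -= lr * gb2
        return self

def fgsm(model, X, y, eps):
    """Single signed-gradient step on the mutable features, clipped to the [0,1] box."""
    return np.clip(X + eps * np.sign(model.input_grad(X, y)) * MUTABLE, 0.0, 1.0)

def pgd(model, X, y, eps, steps=20):
    """Signed steps projected onto the eps-ball and the box; keeps the highest-loss iterate."""
    Xadv, best, best_loss = X.copy(), X.copy(), model.bce(X, y)
    for _ in range(steps):
        Xadv = Xadv + (eps / 4) * np.sign(model.input_grad(Xadv, y)) * MUTABLE
        Xadv = np.clip(np.clip(Xadv, X - eps, X + eps), 0.0, 1.0)
        loss = model.bce(Xadv, y)
        better = loss > best_loss
        best[better], best_loss[better] = Xadv[better], loss[better]
    return best

def perturbation_ok(X, Xadv, eps):
    """Attack validity: inside the eps-ball, inside the feature box, immutables untouched."""
    return bool(np.all(np.abs(Xadv - X) <= eps + 1e-12) and Xadv.min() >= 0.0
                and Xadv.max() <= 1.0 and np.all((Xadv - X)[:, MUTABLE == 0] == 0))

def sanitize(X, bits=4, sigma=0.0):
    """HRM part 1: optional Gaussian noise, then feature squeezing to 2**bits levels."""
    if sigma:
        X = X + rng.normal(0.0, sigma, X.shape)
    return np.clip(np.round(X * (2 ** bits - 1)) / (2 ** bits - 1), 0.0, 1.0)

def adversarial_fine_tune(model, X, y, eps, cycles=5, epochs=50, jac_lambda=0.05):
    """HRM part 3: regenerate PGD examples against the current model each cycle, retrain."""
    for _ in range(cycles):
        Xadv = pgd(model, X, y, eps)
        model.fit(np.vstack([X, Xadv]), np.r_[y, y], epochs=epochs, jac_lambda=jac_lambda)
    return model

def evasion_rate(model, X, y, eps, sanitizer=None):
    """Share of malicious flows PGD flips to benign; a sanitizer the attacker cannot see = gray-box."""
    Xm, ym = X[y == 1], y[y == 1]
    Xadv = pgd(model, Xm, ym, eps)
    return float(np.mean(model.predict(sanitizer(Xadv) if sanitizer else Xadv) == 0))

def run(eps=0.1):
    X, y = make_data()
    base = MLP(X.shape[1]).fit(X, y)
    hrm = adversarial_fine_tune(MLP(X.shape[1]).fit(X, y, jac_lambda=0.05), X, y, eps)
    acc = lambda m: float(np.mean(m.predict(X) == y))
    return {"clean_acc_base": acc(base), "clean_acc_hrm": acc(hrm),
            "pgd_evasion_base": evasion_rate(base, X, y, eps),
            "pgd_evasion_hrm": evasion_rate(hrm, X, y, eps, sanitizer=sanitize)}

if __name__ == "__main__":
    for k, v in run().items(): print(f"{k:>18}: {v:.3f}")
```

Running the module prints clean accuracy and PGD evasion rate for the plain model and the HRM model on the same constructed flows. Two points carry over to real evaluations: `perturbation_ok` is the check to keep, because an "attack" that moves an immutable feature or leaves the feature box is not a valid flow and inflates the reported evasion rate; and `evasion_rate` encodes the white-box/gray-box split, since the attacker differentiates through the model but does not see the sanitization step, which is exactly the assumption a deployed input filter relies on and the one an adaptive attacker will try to break.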
4. Experimental Evaluation
Experiments were conducted on the CIC-IDS-2017 and ToN_IoT datasets, comprising approximately 2.5 million samples after preprocessing. Models are scored by accuracy, precision, recall, and F1-score on clean traffic and on adversarially perturbed traffic. PGD significantly degrades the baseline CNN, whereas the proposed HRM maintains high robustness, outperforming classical adversarial training while incurring minimal loss on clean data.

5. Conclusion
This study confirms the critical vulnerability of deep learning-based intrusion detection systems to adversarial attacks, even under realistic gray-box assumptions. The proposed hybrid defense balances robustness against clean-data performance, making it suitable for deployment in practical IDS environments. Future work will address resistance to black-box attacks, federated adversarial training, and the extension of the approach to sequential and graph-based intrusion detection models.
