NIDS-DA: Detecting functionally preserved adversarial examples for network intrusion detection system using deep autoencoders

作     者：Kumar, Vivek Kumar, Kamal Singh, Maheep Kumar, Neeraj 

作者机构：Natl Inst Technol Pauri Garhwal Dept Comp Sci & Engn Srinagar 246174 Uttarakhand India IGDTUW Dept Informat Technol Delhi 110006 India Doon Univ Dept Comp Sci Dehra Dun 248001 Uttarakhand India Thapar Inst Engn & Technol Patiala Punjab India 

出 版 物：《EXPERT SYSTEMS WITH APPLICATIONS》 (Expert Sys Appl)

年 卷 期：2025年第270卷

核心收录：

学科分类：1201[管理学-管理科学与工程(可授管理学、工学学位)] 0808[工学-电气工程] 08[工学] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

主　　题：Adversarial example Functional/non-functional features DL Machine learning Deep autoencoder 

摘      要：DL has revolutionized Network Intrusion Detection Systems (NIDS) in recent years. However, these models suffer from Adversarial Examples (AEs), which are maliciously crafted to cause misclassification by a target NIDS. Unlike image recognition, AEs in a network intrusion domain are crafted for evasion and to launch attacks once they have successfully evaded detection. In recent years, several adversarial attack techniques have been developed to generate adversarial examples that retain their maliciousness even after perturbations. This is achieved by only modifying the non-functional features of a malicious data sample. In this paper, we propose a deep autoencoder (DAE) mechanism that can detect adversarial examples that are crafted by only modifying non-functional attributes. The method trains a DAE to establish a latent space relationship between non-functional attributes of feature space data samples. It then uses the inconsistency in the classification result of an AE and latent space relationship between non-functional features for adversarial detection. The paper shows that a DAE trained on only non-functional features produces fewer false positives than a DAE trained on both functional and non-functional features. We evaluate our proposed method on three data sets (CICIDS2017, NSL-KDD, and UNSW-NB15) and against five state-of-the-art AE attacks. Experimentally, our method was able to detect up to 99% AEs with very few false positives.