Saved in:
Bibliographic Details
Main Authors: Ennaji, Sabrine, Benkhelifa, Elhadj, Mancini, Luigi Vincenzo
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.13501
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912765393764352
author Ennaji, Sabrine
Benkhelifa, Elhadj
Mancini, Luigi Vincenzo
author_facet Ennaji, Sabrine
Benkhelifa, Elhadj
Mancini, Luigi Vincenzo
contents Machine learning based intrusion detection systems are increasingly targeted by black box adversarial attacks, where attackers craft evasive inputs using indirect feedback such as binary outputs or behavioral signals like response time and resource usage. While several defenses have been proposed, including input transformation, adversarial training, and surrogate detection, they often fall short in practice. Most are tailored to specific attack types, require internal model access, or rely on static mechanisms that fail to generalize across evolving attack strategies. Furthermore, defenses such as input transformation can degrade intrusion detection system performance, making them unsuitable for real time deployment. To address these limitations, we propose Adaptive Feature Poisoning, a lightweight and proactive defense mechanism designed specifically for realistic black box scenarios. Adaptive Feature Poisoning assumes that probing can occur silently and continuously, and introduces dynamic and context aware perturbations to selected traffic features, corrupting the attacker feedback loop without impacting detection capabilities. The method leverages traffic profiling, change point detection, and adaptive scaling to selectively perturb features that an attacker is likely exploiting, based on observed deviations. We evaluate Adaptive Feature Poisoning against multiple realistic adversarial attack strategies, including silent probing, transferability based attacks, and decision boundary based attacks. The results demonstrate its ability to confuse attackers, degrade attack effectiveness, and preserve detection performance. By offering a generalizable, attack agnostic, and undetectable defense, Adaptive Feature Poisoning represents a significant step toward practical and robust adversarial resilience in machine learning based intrusion detection systems.
format Preprint
id arxiv_https___arxiv_org_abs_2512_13501
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Behavior-Aware and Generalizable Defense Against Black-Box Adversarial Attacks for ML-Based IDS
Ennaji, Sabrine
Benkhelifa, Elhadj
Mancini, Luigi Vincenzo
Cryptography and Security
Artificial Intelligence
Machine learning based intrusion detection systems are increasingly targeted by black box adversarial attacks, where attackers craft evasive inputs using indirect feedback such as binary outputs or behavioral signals like response time and resource usage. While several defenses have been proposed, including input transformation, adversarial training, and surrogate detection, they often fall short in practice. Most are tailored to specific attack types, require internal model access, or rely on static mechanisms that fail to generalize across evolving attack strategies. Furthermore, defenses such as input transformation can degrade intrusion detection system performance, making them unsuitable for real time deployment. To address these limitations, we propose Adaptive Feature Poisoning, a lightweight and proactive defense mechanism designed specifically for realistic black box scenarios. Adaptive Feature Poisoning assumes that probing can occur silently and continuously, and introduces dynamic and context aware perturbations to selected traffic features, corrupting the attacker feedback loop without impacting detection capabilities. The method leverages traffic profiling, change point detection, and adaptive scaling to selectively perturb features that an attacker is likely exploiting, based on observed deviations. We evaluate Adaptive Feature Poisoning against multiple realistic adversarial attack strategies, including silent probing, transferability based attacks, and decision boundary based attacks. The results demonstrate its ability to confuse attackers, degrade attack effectiveness, and preserve detection performance. By offering a generalizable, attack agnostic, and undetectable defense, Adaptive Feature Poisoning represents a significant step toward practical and robust adversarial resilience in machine learning based intrusion detection systems.
title Behavior-Aware and Generalizable Defense Against Black-Box Adversarial Attacks for ML-Based IDS
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2512.13501