Detection of Adversarial Examples by Adversarial Training: A Study on the Suitability of FGSM for Hardening NIDS Against Problem-Space Attacks

Network intrusion detection systems (NIDS) can leverage machine and deep learning techniques to monitor network traffic and recognize potential intrusions. Although valuable, deep learning-based NIDS are vulnerable to adversarial attacks. Adversarial training, which consists in integrating adversarial examples into the training process, is a means to improve the robustness of NIDS. The literature has largely demonstrated that adversarial examples can be successfully crafted in the feature space through the perturbation of the network traffic features used by NIDS. This paper puts forward the intuition that the use of feature-space perturbations for improving the robustness of NIDS by adversarial training is questionable. This aspect is exacerbated when the network traffic is perturbed prior to the feature extraction step, in the problem space. The experiment reported in the paper is based on the application of both a feature-space and a problem-space adversarial attack to normal and Denial of Service network traffic collected in a controlled testbed. The results obtained aim to promote a critical reflection on the use of feature-space perturbations in the context of network intrusions and suggest the need for more foundational research on protecting NIDS from problem-space adversarial attacks.