Behavior-Aware and Generalizable Defense Against Black-Box Adversarial Attacks for ML-Based IDS

TL;DR

This paper introduces Adaptive Feature Poisoning, a proactive defense mechanism that dynamically perturbs traffic features to defend ML-based intrusion detection systems against various black-box adversarial attacks without degrading detection performance.

Contribution

It proposes a novel, generalizable defense method that adaptively corrupts attacker feedback in real-time, overcoming limitations of existing static and attack-specific defenses.

Findings

Confuses attackers effectively across multiple attack strategies.

Degrades attack success rates while maintaining detection accuracy.

Operates without requiring internal model access or static defenses.

Abstract

Machine learning based intrusion detection systems are increasingly targeted by black box adversarial attacks, where attackers craft evasive inputs using indirect feedback such as binary outputs or behavioral signals like response time and resource usage. While several defenses have been proposed, including input transformation, adversarial training, and surrogate detection, they often fall short in practice. Most are tailored to specific attack types, require internal model access, or rely on static mechanisms that fail to generalize across evolving attack strategies. Furthermore, defenses such as input transformation can degrade intrusion detection system performance, making them unsuitable for real time deployment. To address these limitations, we propose Adaptive Feature Poisoning, a lightweight and proactive defense mechanism designed specifically for realistic black box scenarios. Adaptive Feature Poisoning assumes that probing can occur silently and continuously, and introduces dynamic and context aware perturbations to selected traffic features, corrupting the attacker feedback loop without impacting detection capabilities. The method leverages traffic profiling, change point detection, and adaptive scaling to selectively perturb features that an attacker is likely exploiting, based on observed deviations. We evaluate Adaptive Feature Poisoning against multiple realistic adversarial attack strategies, including silent probing, transferability based attacks, and decision boundary based attacks. The results demonstrate its ability to confuse attackers, degrade attack effectiveness, and preserve detection performance. By offering a generalizable, attack agnostic, and undetectable defense, Adaptive Feature Poisoning represents a significant step toward practical and robust adversarial resilience in machine learning based intrusion detection systems.