A No-Defense Defense Against Gradient-Based Adversarial Attacks on ML-NIDS: Is Less More?
Mohamed elShehaby, Ashraf Matrawy

TL;DR
This study demonstrates that carefully simplified neural network architectures can inherently resist gradient-based adversarial attacks on ML-based NIDS, outperforming more complex, adversarially trained models in robustness and efficiency.
Contribution
It reveals that simpler, shallower networks with specific configurations can inherently improve robustness against gradient-based adversarial attacks without explicit defenses.
Findings
Shallower networks reduce vulnerability to attacks.
Reduced feature sets and ReLU activation improve robustness.
Simpler models outperform complex adversarially trained models.
Abstract
Gradient-based adversarial attacks subtly manipulate inputs of Machine Learning (ML) models to induce incorrect predictions. This paper investigates whether careful architectural choices alone can yield an inherently robust Deep Neural Network (DNN)-based Network Intrusion Detection System (NIDS), without any additional explicit defenses. Through thousands of experiments, around 2200, varying network depth, feature dimensionality, activation functions, and dropout across FGSM, PGD, and BIM attacks, we show that shallower networks, reduced feature sets, and ReLU activation consistently and jointly reduce adversarial vulnerability. Moreover, a simple model following this recipe outperforms deeper, fully-featured adversarially trained models, while maintaining near-perfect clean-traffic detection and lower training times. Nevertheless, while less is more, the selection of the right less…
