# FortiNIDS: Defending Smart City IoT Infrastructures Against Transferable Adversarial Poisoning in Machine Learning-Based Intrusion Detection Systems

**Authors:** Abdulaziz Alajaji

PMC · DOI: 10.3390/s25196056 · 2025-10-02

## TL;DR

This paper introduces FortiNIDS, a framework to defend AI-based intrusion detection systems in smart cities against adversarial attacks that poison training data.

## Contribution

The FortiNIDS framework uses a surrogate neural network to generate transferable adversarial examples against tree-based NIDS classifiers (Random Forest and Gradient Boosting) and evaluates targeted defenses such as adversarial training and RONI.

## Key findings

- Adversarial training and RONI improve detection accuracy under poisoning attacks.
- Transferable adversarial examples significantly degrade model performance if left unaddressed.
- FortiNIDS enhances system resilience in smart city IoT environments.

## Abstract

In today’s digital era, cyberattacks are rapidly evolving, rendering traditional security mechanisms increasingly inadequate. The adoption of AI-based Network Intrusion Detection Systems (NIDS) has emerged as a promising solution, due to their ability to detect and respond to malicious activity using machine learning techniques. However, these systems remain vulnerable to adversarial threats, particularly data poisoning attacks, in which attackers manipulate training data to degrade model performance. In this work, we examine tree classifiers, Random Forest and Gradient Boosting, to model black box poisoning attacks. We introduce FortiNIDS, a robust framework that employs a surrogate neural network to generate adversarial perturbations that can transfer between models, leveraging the transferability of adversarial examples. In addition, we investigate defense strategies designed to improve the resilience of NIDS in smart city Internet of Things (IoT) settings. Specifically, we evaluate adversarial training and the Reject on Negative Impact (RONI) technique using the widely adopted CICDDoS2019 dataset. Our findings highlight the effectiveness of targeted defenses in improving detection accuracy and maintaining system reliability under adversarial conditions, thereby contributing to the security and privacy of smart city networks.
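The Reject on Negative Impact defense named in the abstract is easy to state but rarely shown: each candidate training record is accepted only if adding it to a trusted base does not lower accuracy on a clean validation set. The following is an added illustration, not code from the paper; it stands in a nearest-centroid classifier for the paper's tree ensembles, and all flow features and records are constructed rather than drawn from CICDDoS2019.

```python
from typing import Dict, List, Tuple

# (features such as [pkt_rate, byte_rate], label: 0 benign / 1 DDoS); values are constructed
Record = Tuple[List[float], int]

def train_centroid(data: List[Record]) -> Dict[int, List[float]]:
    """Per-class mean feature vector (nearest-centroid classifier, stand-in for a tree model)."""
    sums: Dict[int, List[float]] = {}
    counts: Dict[int, int] = {}
    for x, y in data:
        acc = sums.setdefault(y, [0.0] * len(x))
        for i, v in enumerate(x):
            acc[i] += v
        counts[y] = counts.get(y, 0) + 1
    return {y: [v / counts[y] for v in s] for y, s in sums.items()}

def predict(model: Dict[int, List[float]], x: List[float]) -> int:
    return min(model, key=lambda y: sum((a - b) ** 2 for a, b in zip(x, model[y])))

def accuracy(model: Dict[int, List[float]], data: List[Record]) -> float:
    return sum(predict(model, x) == y for x, y in data) / len(data)

def roni_filter(trusted, candidates, validation, tolerance=0.0):
    """RONI: measure each candidate's marginal impact on validation accuracy and
    reject it when the drop exceeds `tolerance`; accepted records grow the base."""
    base, accepted, rejected = list(trusted), [], []
    for cand in candidates:
        acc_without = accuracy(train_centroid(base), validation)
        acc_with = accuracy(train_centroid(base + [cand]), validation)
        if acc_without - acc_with > tolerance:
            rejected.append(cand)   # harmful (likely poisoned) record
        else:
            accepted.append(cand)
            base.append(cand)
    return accepted, rejected

# Constructed, normalised flow features: benign traffic is low-rate, DDoS is high-rate.
TRUSTED = [([0.1, 0.1], 0), ([0.2, 0.1], 0), ([0.1, 0.2], 0),
           ([0.9, 0.9], 1), ([0.8, 0.9], 1), ([0.9, 0.8], 1)]
VALIDATION = [([0.15, 0.15], 0), ([0.3, 0.25], 0), ([0.5, 0.45], 0),
              ([0.85, 0.85], 1), ([0.7, 0.75], 1), ([0.6, 0.55], 1)]
CANDIDATES = [([0.2, 0.15], 0),   # clean benign flow
              ([0.9, 0.9], 0),    # DDoS flow relabelled benign (label-flip poison)
              ([0.85, 0.95], 1),  # clean DDoS flow
              ([0.1, 0.1], 1)]    # benign flow relabelled DDoS (label-flip poison)

def run_demo():
    return roni_filter(TRUSTED, CANDIDATES, VALIDATION)

if __name__ == "__main__":
    accepted, rejected = run_demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Both label-flipped records are rejected because each one pulls its class centroid toward the other class and misclassifies a borderline validation flow; the check is only as good as the clean validation set it relies on.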

## Figures

18 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12526544/full.md

---
Source: https://tomesphere.com/paper/PMC12526544