A No-Defense Defense Against Gradient-Based Adversarial Attacks on ML-NIDS: Is Less More?
For ML-based NIDS practitioners, this work provides a simple, no-defense recipe for adversarial robustness, though the findings are incremental as they confirm known principles in a specific domain.
This paper shows that careful architectural choices (shallower networks, reduced features, ReLU activation) can make DNN-based NIDS inherently robust to gradient-based adversarial attacks, outperforming deeper adversarially trained models while maintaining near-perfect clean detection and lower training times.
Gradient-based adversarial attacks subtly manipulate inputs of Machine Learning (ML) models to induce incorrect predictions. This paper investigates whether careful architectural choices alone can yield an inherently robust Deep Neural Network (DNN)-based Network Intrusion Detection Systems (NIDS), without any additional explicit defenses. Through thousands of experiments, around 2200, varying network depth, feature dimensionality, activation functions, and dropout across FGSM, PGD, and BIM attacks, we show that shallower networks, reduced feature sets, and ReLU activation consistently and jointly reduce adversarial vulnerability. Moreover, a simple model following this recipe outperforms deeper, fully-featured adversarially trained models, while maintaining near-perfect clean-traffic detection and lower training times. Nevertheless, while less is more, the selection of the right less is what truly matters.