A Novel Perturb-ability Score to Mitigate Evasion Adversarial Attacks on Flow-Based ML-NIDS

As network security threats evolve, safeguarding flow-based Machine Learning (ML)-based Network Intrusion Detection Systems (NIDS) from evasion adversarial attacks is crucial. This paper introduces the notion of feature perturb-ability and presents a novel Perturb-ability Score (PS), which quantifies how susceptible NIDS features are to manipulation in the problem-space by an attacker. PS thereby identifies features structurally resistant to evasion attacks in flow-based ML-NIDS due to the semantics of network traffic fields, as these features are constrained by domain-specific limitations and correlations. Consequently, attempts to manipulate such features would likely either compromise the attack's malicious functionality, render the traffic invalid for processing, or potentially both outcomes simultaneously. We introduce and demonstrate the effectiveness of our PS-enabled defenses, PS-guided feature selection and PS-guided feature masking, in enhancing flow-based NIDS resilience. Experimental results across various ML-based NIDS models and public datasets show that discarding or masking highly manipulatable features (high-PS features) can maintain solid detection performance while significantly reducing vulnerability to evasion adversarial attacks. Our findings confirm that PS effectively identifies flow-based NIDS features susceptible to problem-space perturbations. This novel approach leverages problem-space NIDS domain constraints as lightweight universal defense mechanisms against evasion adversarial attacks targeting flow-based ML-NIDS.