{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T20:56:21Z","timestamp":1780520181045,"version":"3.54.1"},"reference-count":50,"publisher":"Oxford University Press (OUP)","issue":"2","license":[{"start":{"date-parts":[[2023,3,10]],"date-time":"2023-03-10T00:00:00Z","timestamp":1678406400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/journals\/pages\/open_access\/funder_policies\/chorus\/standard_publication_model"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024,2,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>This paper studies adversarial attacks on network intrusion detection systems (IDSs) based on deep or machine learning algorithms. Adversarial attacks on network IDSs must maintain the functional logic of the attack flow. To prevent the produced adversarial examples from violating the attack behavior, most solutions define some limited modification actions. The result limits the production of adversarial examples, and the produced adversarial examples are not guaranteed to find the attack packets. This paper proposes the concept of flow containers to model packets in a flow. Then, we propose a generative adversarial network framework with dual adversarial training to train the generator to produce adversarial flow containers. Flow containers can correlate attack packets and feature vectors of attack flows. We test the evasion rate of the produced adversarial examples using 12 deep and machine learning algorithms. For experiments on the CTU42 data set, the proposed adversarial examples have the highest evasion rates among all 12 classifiers, with the highest evasion rate as high as 1.00. For experiments on the CIC-IDS2017 data set, the proposed adversarial examples have the highest evasion rate among the five classifiers, and the highest evasion rate is also up to 1.00.<\/jats:p>","DOI":"10.1093\/comjnl\/bxad014","type":"journal-article","created":{"date-parts":[[2023,3,13]],"date-time":"2023-03-13T15:47:56Z","timestamp":1678722476000},"page":"728-745","source":"Crossref","is-referenced-by-count":3,"title":["Adversarial Attacks on Network Intrusion Detection Systems Using Flow Containers"],"prefix":"10.1093","volume":"67","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6787-4330","authenticated-orcid":false,"given":"Tzong-Jye","family":"Liu","sequence":"first","affiliation":[{"name":"Department of Information Engineering and Computer Science, Feng Chia University , Taichung 407102, Taiwan, R.O.C"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"286","published-online":{"date-parts":[[2023,3,10]]},"reference":[{"issue":"5","key":"2024021913320569200_ref1","doi-asserted-by":"crossref","first-page":"9042","DOI":"10.1109\/JIOT.2019.2926365","article-title":"A supervised intrusion detection system for smart home IoT devices","volume":"6","author":"Anthi","year":"2019","journal-title":"IEEE Internet Things J."},{"issue":"6","key":"2024021913320569200_ref2","doi-asserted-by":"crossref","first-page":"4944","DOI":"10.1109\/JIOT.2020.3034156","article-title":"Hybrid deep learning for botnet attack detection in the internet-of-things networks","volume":"8","author":"Popoola","year":"2020","journal-title":"IEEE Internet Things J."},{"key":"2024021913320569200_ref3","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1109\/SPW.2018.00013","volume-title":"2018 IEEE Security and Privacy Workshops (SPW)","author":"Doshi","year":"2018"},{"issue":"3","key":"2024021913320569200_ref4","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MPRV.2018.03367731","article-title":"N-BaIoT\u2014network-based detection of IoT botnet attacks using deep autoencoders","volume":"17","author":"Meidan","year":"2018","journal-title":"IEEE Pervasive Comput."},{"key":"2024021913320569200_ref5","doi-asserted-by":"crossref","first-page":"107450","DOI":"10.1016\/j.measurement.2019.107450","article-title":"Robust detection for network intrusion of industrial IoT based on multi-CNN fusion","volume":"154","author":"Li","year":"2020","journal-title":"Measurement"},{"key":"2024021913320569200_ref6","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2014"},{"key":"2024021913320569200_ref7","first-page":"837","volume-title":"Proceedings of the 12th Asian Conference on Machine Learning","author":"Wu","year":"2020"},{"key":"2024021913320569200_ref8","volume-title":"Adversarial deep learning against intrusion detection classifiers","author":"Rigaki","year":"2017"},{"key":"2024021913320569200_ref9","doi-asserted-by":"crossref","first-page":"38367","DOI":"10.1109\/ACCESS.2018.2854599","article-title":"Deep learning-based intrusion detection with adversaries","volume":"6","author":"Wang","year":"2018","journal-title":"IEEE Access"},{"key":"2024021913320569200_ref10","doi-asserted-by":"crossref","first-page":"256","DOI":"10.1007\/978-3-030-30244-3_22","volume-title":"Progress in Artificial Intelligence: 19th EPIA Conference on Artificial Intelligence, EPIA 2019, Vila Real, Portugal","author":"Martins","year":"2019"},{"key":"2024021913320569200_ref11","first-page":"1","volume-title":"2020 54th Annual Conference on Information Sciences and Systems (CISS)","author":"Ayub","year":"2020"},{"key":"2024021913320569200_ref12","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/BigDataSecurity-HPSC-IDS49724.2020.00020","volume-title":"2020 IEEE 6th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS)","author":"Piplai","year":"2020"},{"key":"2024021913320569200_ref13","doi-asserted-by":"crossref","first-page":"109073","DOI":"10.1016\/j.comnet.2022.109073","article-title":"Adversarial machine learning for network intrusion detection: a comparative study","volume":"214","author":"Jmila","year":"2022","journal-title":"Comput. Netw."},{"key":"2024021913320569200_ref14","first-page":"1","volume-title":"2019 11th International Conference on Cyber Conflict (CyCon)","author":"Apruzzese","year":"2019"},{"key":"2024021913320569200_ref15","first-page":"1","volume-title":"2019 IEEE 18th International Symposium on Network Computing and Applications (NCA)","author":"Apruzzese","year":"2019"},{"key":"2024021913320569200_ref16","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1109\/IWCMC.2019.8766353","volume-title":"2019 15th International Wireless Communications & Mobile Computing Conference (IWCMC)","author":"Usama","year":"2019"},{"issue":"12","key":"2024021913320569200_ref17","doi-asserted-by":"crossref","first-page":"3387","DOI":"10.1007\/s13042-019-00925-6","article-title":"Automatically synthesizing DoS attack traces using generative adversarial networks","volume":"10","author":"Yan","year":"2019","journal-title":"Int. J. Mach. Learn. Cybern."},{"issue":"4","key":"2024021913320569200_ref18","doi-asserted-by":"crossref","first-page":"427","DOI":"10.1109\/TETCI.2019.2961157","article-title":"Hardening random forest cyber detectors against adversarial attacks","volume":"4","author":"Apruzzese","year":"2020","journal-title":"IEEE Trans. Emerg. Top. Comput. Intell."},{"issue":"4","key":"2024021913320569200_ref19","doi-asserted-by":"crossref","first-page":"653","DOI":"10.3390\/sym12040653","article-title":"AppCon: mitigating evasion attacks to ML cyber detectors","volume":"12","author":"Apruzzese","year":"2020","journal-title":"Symmetry"},{"key":"2024021913320569200_ref20","doi-asserted-by":"crossref","first-page":"102352","DOI":"10.1016\/j.cose.2021.102352","article-title":"Hardening machine learning denial of service (DoS) defences against adversarial attacks in IoT smart home networks","volume":"108","author":"Anthi","year":"2021","journal-title":"Comput. Secur."},{"key":"2024021913320569200_ref21","doi-asserted-by":"crossref","first-page":"128","DOI":"10.1016\/j.procs.2021.04.118","article-title":"attackGAN: adversarial attack against black-box IDS using generative adversarial networks","volume":"187","author":"Zhao","year":"2021","journal-title":"Procedia Comput. Sci."},{"key":"2024021913320569200_ref22","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1007\/978-3-031-05981-0_7","volume-title":"Advances in Knowledge Discovery and Data Mining: 26th Pacific-Asia Conference, PAKDD 2022, Chengdu, China, 2022","author":"Lin","year":"2022"},{"key":"2024021913320569200_ref23","article-title":"Data","author":"KDD Cup","year":"1999"},{"key":"2024021913320569200_ref24","author":"NSL-KDD dataset"},{"key":"2024021913320569200_ref25","article-title":"The CTU-13 dataset. A labeled dataset with botnet, normal and background traffic","author":"Garc\u00eda"},{"key":"2024021913320569200_ref26","author":"Intrusion detection evaluation dataset (CIC-IDS2017)"},{"key":"2024021913320569200_ref27","first-page":"1","volume-title":"ICC 2019\u20132019 IEEE International Conference on Communications (ICC)","author":"Wu","year":"2019"},{"issue":"4","key":"2024021913320569200_ref28","doi-asserted-by":"crossref","first-page":"1975","DOI":"10.1109\/TNSM.2020.3031843","article-title":"Deep reinforcement adversarial learning against botnet evasion attacks","volume":"17","author":"Apruzzese","year":"2020","journal-title":"IEEE Trans. Netw. Service Manag."},{"issue":"8","key":"2024021913320569200_ref29","doi-asserted-by":"crossref","first-page":"2632","DOI":"10.1109\/JSAC.2021.3087242","article-title":"Evaluating and improving adversarial robustness of machine learning-based network intrusion detectors","volume":"39","author":"Han","year":"2021","journal-title":"IEEE J. Sel. Areas Commun."},{"key":"2024021913320569200_ref30","volume-title":"Proceedings of the 27th International Conference on Neural Information Processing Systems (NIPS\u201914), Montreal, Canada, 2014","author":"Goodfellow","year":"2014"},{"key":"2024021913320569200_ref31","doi-asserted-by":"crossref","first-page":"372","DOI":"10.1109\/EuroSP.2016.36","volume-title":"2016 IEEE European Symposium on Security and Privacy (EuroS&P)","author":"Papernot","year":"2016"},{"key":"2024021913320569200_ref32","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2015"},{"key":"2024021913320569200_ref33","first-page":"2574","volume-title":"Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition","author":"Moosavi-Dezfooli","year":"2016"},{"key":"2024021913320569200_ref34","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1109\/SP.2017.49","volume-title":"2017 IEEE Symposium on Security and Privacy (SP)","author":"Carlini","year":"2017"},{"key":"2024021913320569200_ref35","doi-asserted-by":"crossref","first-page":"160","DOI":"10.1007\/978-3-642-37456-2_14","volume-title":"Advances in Knowledge Discovery and Data Mining: 17th Pacific-Asia Conference, PAKDD 2013, Gold Coast, Australia, 2013","author":"Campello","year":"2013"},{"key":"2024021913320569200_ref36","article-title":"A realistic cyber defense dataset (CSE-CIC-IDS2018)"},{"key":"2024021913320569200_ref37","doi-asserted-by":"crossref","first-page":"247","DOI":"10.1109\/CNS.2014.6997492","volume-title":"2014 IEEE Conference on Communications and Network Security","author":"Beigi","year":"2014"},{"key":"2024021913320569200_ref38","article-title":"Wasserstein GAN","author":"Arjovsky","year":"2017"},{"key":"2024021913320569200_ref39","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1016\/j.cose.2013.04.007","article-title":"Botnet detection based on traffic behavior analysis and flow intervals","volume":"39","author":"Zhao","year":"2013","journal-title":"Comput. Secur."},{"key":"2024021913320569200_ref40","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2018.23204","article-title":"Kitsune: an ensemble of autoencoders for online network intrusion detection","author":"Mirsky","year":"2018"},{"key":"2024021913320569200_ref41","article-title":"NIPS 2016 tutorial: generative adversarial networks","author":"Goodfellow","year":"2017"},{"key":"2024021913320569200_ref42","article-title":"Conditional generative adversarial nets","author":"Mirza","year":"2014"},{"key":"2024021913320569200_ref43","doi-asserted-by":"crossref","first-page":"2807","DOI":"10.1109\/ICASSP.2019.8683197","volume-title":"ICASSP 2019\u20132019 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)","author":"Zhang","year":"2019"},{"key":"2024021913320569200_ref44","article-title":"Scikit-learn: machine learning in python"},{"key":"2024021913320569200_ref45","article-title":"Keras","author":"Chollet"},{"key":"2024021913320569200_ref46","article-title":"Adversarial robustness toolbox v1.0.0, 15 Nov. 2019","author":"Nicolae","year":"2019"},{"key":"2024021913320569200_ref47","article-title":"FlowContainer","author":"Liu","year":"2023"},{"key":"2024021913320569200_ref48","doi-asserted-by":"crossref","first-page":"115782","DOI":"10.1016\/j.eswa.2021.115782","article-title":"Adversarial machine learning in network intrusion detection systems","volume":"186","author":"Alhajjar","year":"2021","journal-title":"Expert Syst. Appl."},{"key":"2024021913320569200_ref49","article-title":"GANs trained by a two time-scale update rule converge to a local Nash equilibrium","author":"Heusel","year":"2017","journal-title":"Proceedings of the 27th International Conference on Neural Information Processing Systems (NIPS\u201917)"},{"issue":"11","key":"2024021913320569200_ref50","doi-asserted-by":"crossref","first-page":"2278","DOI":"10.1109\/5.726791","article-title":"Gradient-based learning applied to document recognition","volume":"86","author":"LeCun","year":"1998","journal-title":"Proc. IEEE"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/67\/2\/728\/56701216\/bxad014.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/67\/2\/728\/56701216\/bxad014.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,2,19]],"date-time":"2024-02-19T13:37:10Z","timestamp":1708349830000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/67\/2\/728\/7075446"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,10]]},"references-count":50,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2023,3,10]]},"published-print":{"date-parts":[[2024,2,17]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxad014","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2024,2]]},"published":{"date-parts":[[2023,3,10]]}}}