{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,11]],"date-time":"2026-07-11T16:30:28Z","timestamp":1783787428355,"version":"3.55.0"},"reference-count":51,"publisher":"SAGE Publications","issue":"5","license":[{"start":{"date-parts":[[2022,1,31]],"date-time":"2022-01-31T00:00:00Z","timestamp":1643587200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2022,10,5]]},"abstract":"<jats:p>Machine learning-based network intrusion detection systems have demonstrated state-of-the-art accuracy in flagging malicious traffic. However, machine learning has been shown to be vulnerable to adversarial examples, particularly in domains such as image recognition. In many threat models, the adversary exploits the unconstrained nature of images\u2013the adversary is free to select some arbitrary amount of pixels to perturb. However, it is not clear how these attacks translate to domains such as network intrusion detection as they contain domain constraints, which limit which and how features can be modified by the adversary. In this paper, we explore whether the constrained nature of networks offers additional robustness against adversarial examples versus the unconstrained nature of images. We do this by creating two algorithms: (1)\u00a0the Adapative-JSMA, an augmented version of the popular JSMA which obeys domain constraints, and (2)\u00a0the Histogram Sketch Generation which generates adversarial sketches: targeted universal perturbation vectors that encode feature saliency within the envelope of domain constraints. To assess how these algorithms perform, we evaluate them in a constrained network intrusion detection setting and an unconstrained image recognition setting. The results show that our approaches generate misclassification rates in network intrusion detection applications that were comparable to those of image recognition applications (greater than 95%). Our investigation shows that the constrained attack surface exposed by network intrusion detection systems is still sufficiently large to craft successful adversarial examples \u2013 and thus, network constraints do not appear to add robustness against adversarial examples. Indeed, even if a defender constrains an adversary to as little as five random features, generating adversarial examples is still possible.<\/jats:p>","DOI":"10.3233\/jcs-210094","type":"journal-article","created":{"date-parts":[[2022,2,1]],"date-time":"2022-02-01T13:53:45Z","timestamp":1643723625000},"page":"727-752","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":39,"title":["Adversarial examples for network intrusion detection systems"],"prefix":"10.1177","volume":"30","author":[{"given":"Ryan","family":"Sheatsley","sequence":"first","affiliation":[{"name":"Department of Computer Science and Engineering, The Pennsylvania State University, PA, United\u00a0States. E-mails:\u00a0,\u00a0"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Nicolas","family":"Papernot","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Toronto, Ontario, Canada. E-mail:\u00a0"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Michael J.","family":"Weisman","sequence":"additional","affiliation":[{"name":"United States Army Research Laboratory, MD, United States. E-mails:\u00a0,\u00a0"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Gunjan","family":"Verma","sequence":"additional","affiliation":[{"name":"United States Army Research Laboratory, MD, United States. E-mails:\u00a0,\u00a0"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Patrick","family":"McDaniel","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, The Pennsylvania State University, PA, United\u00a0States. E-mails:\u00a0,\u00a0"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"179","published-online":{"date-parts":[[2022,1,31]]},"reference":[{"key":"ref001","doi-asserted-by":"publisher","DOI":"10.3390\/fi13050111"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"J.\u00a0Beale, Snort 2.1 Intrusion Detection, 2nd edn. Syngress Publishing, 2004.","DOI":"10.1016\/B978-193183604-3\/50006-0"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"B.\u00a0Biggio, I.\u00a0Corona, D.\u00a0Maiorca, B.\u00a0Nelson, N.\u00a0\u0160rndi\u0107, P.\u00a0Laskov, G.\u00a0Giacinto and F.\u00a0Roli, Evasion attacks against machine learning at test time, in: Joint European Conference on Machine Learning and Knowledge Discovery in Databases, Springer, 2013, pp.\u00a0387\u2013402.","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref004","unstructured":"T.B.\u00a0Brown, D.\u00a0Man\u00e9, A.\u00a0Roy, M.\u00a0Abadi and J.\u00a0Gilmer, Adversarial patch.\n                      CoRR\n                      abs\/1712.09665, 2017. arXiv:1712.09665."},{"key":"ref005","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"N.\u00a0Carlini and D.A.\u00a0Wagner, Audio adversarial examples: Targeted attacks on speech-to-text.\n                      CoRR\n                      abs\/1801.01944, 2018. arXiv:1801.01944.","DOI":"10.1109\/SPW.2018.00009"},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"G.\u00a0Cormode, Sketch techniques for approximate query processing, in: Synposes for Approximate Query Processing: Samples, Histograms, Wavelets and Sketches, Foundations and Trends in Databases, NOW Publishers, 2011.","DOI":"10.1561\/1900000004"},{"issue":"6","key":"ref008","first-page":"446","volume":"4","author":"Dhanabal L.","year":"2015","journal-title":"International Journal of Advanced Research and Communication Engineering (IJARCCE)"},{"key":"ref009","doi-asserted-by":"crossref","unstructured":"J.\u00a0Ebrahimi, A.\u00a0Rao, D.\u00a0Lowd and D.\u00a0Dou, HotFlip: White-box adversarial examples for text classification, in: Proceedings of the 56th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers) (Melbourne, Australia), Association for Computational Linguistics, 2018, pp.\u00a031\u201336. http:\/\/aclweb.org\/anthology\/P18-2006.","DOI":"10.18653\/v1\/P18-2006"},{"key":"ref010","doi-asserted-by":"publisher","DOI":"10.1016\/0022-0000(85)90041-8"},{"key":"ref011","unstructured":"I.\u00a0Goodfellow, N.\u00a0Papernot, S.\u00a0Huang, P.\u00a0Duan, P.\u00a0Abbeel and J.\u00a0Clark, Attacking machine learning with adversarial examples, 2017, https:\/\/blog.openai.com\/adversarial-example-research\/."},{"key":"ref012","unstructured":"I.J.\u00a0Goodfellow, J.\u00a0Shlens and C.\u00a0Szegedy, Explaining and harnessing adversarial examples,\n                      stat\n                      1050\n                      (2015), 20."},{"key":"ref013","doi-asserted-by":"crossref","unstructured":"K.\u00a0Grosse, N.\u00a0Papernot, P.\u00a0Manoharan, M.\u00a0Backes and P.\u00a0McDaniel, Adversarial examples for malware detection, in: European Symposium on Research in Computer Security, Springer, 2017, pp.\u00a062\u201379.","DOI":"10.1007\/978-3-319-66399-9_4"},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2017.03.018"},{"key":"ref015","doi-asserted-by":"publisher","DOI":"10.1145\/1656274.1656278"},{"key":"ref016","unstructured":"J.\u00a0Hayes and G.\u00a0Danezis, Machine learning as an adversarial service: Learning black-box adversarial examples.\n                      CoRR\n                      abs\/1708.05207, 2017. arXiv:1708.05207."},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1109\/72.655045"},{"issue":"1","key":"ref018","first-page":"107","volume":"8","author":"Ibrahim L.M.","year":"2013","journal-title":"Journal of Engineering Science and Technology"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.1109\/SPACES.2015.7058223"},{"key":"ref020","doi-asserted-by":"crossref","unstructured":"R.\u00a0Jia and P.\u00a0Liang, Adversarial examples for evaluating reading comprehension systems, in: Proceedings of the 2017 Conference on Empirical Methods in Natural Language Processing (Copenhagen, Denmark), Association for Computational Linguistics, 2017, pp.\u00a02021\u20132031. http:\/\/aclweb.org\/anthology\/D17-1215.","DOI":"10.18653\/v1\/D17-1215"},{"key":"ref021","unstructured":"D.P.\u00a0Kingma and J.\u00a0Ba, Adam: A method for stochastic optimization.\n                      CoRR\n                      abs\/1412.6980, 2014. http:\/\/dblp.uni-trier.de\/db\/journals\/corr\/corr1412.html#KingmaB14."},{"key":"ref022","doi-asserted-by":"publisher","DOI":"10.23919\/EUSIPCO.2018.8553214"},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"A.\u00a0Kurakin, I.J.\u00a0Goodfellow and S.\u00a0Bengio, Adversarial examples in the physical world, in: International Conference on Learning Representations Workshop, 2017. https:\/\/openreview.net\/pdf?id=S1OufnIlx.","DOI":"10.1201\/9781351251389-8"},{"key":"ref024","doi-asserted-by":"publisher","DOI":"10.1109\/5.726791"},{"key":"ref025","doi-asserted-by":"publisher","DOI":"10.1088\/1757-899X\/688\/4\/044034"},{"key":"ref026","doi-asserted-by":"crossref","unstructured":"Z.\u00a0Lin, Y.\u00a0Shi and Z.\u00a0Xue, IDSGAN: Generative adversarial networks for attack generation against intrusion detection, 2021. arXiv:1809.02077 [cs.CR].","DOI":"10.1007\/978-3-031-05981-0_7"},{"key":"ref027","unstructured":"A.\u00a0Madry, A.\u00a0Makelov, L.\u00a0Schmidt, D.\u00a0Tsipras and A.\u00a0Vladu, Towards deep learning models resistant to adversarial attacks, in: International Conference on Learning Representations, 2018. https:\/\/openreview.net\/forum?id=rJzIBfZAb."},{"key":"ref028","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-020-00379-6"},{"key":"ref029","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"ref030","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref031","doi-asserted-by":"crossref","unstructured":"N.\u00a0Moustafa and J.\u00a0Slay, UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set), in: Military Communications and Information Systems Conference (MilCIS), IEEE, 2015, pp.\u00a01\u20136.","DOI":"10.1109\/MilCIS.2015.7348942"},{"key":"ref032","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2015.1125974"},{"key":"ref033","unstructured":"N.\u00a0Moustafa and J.\u00a0Slay, A hybrid feature selection for network intrusion detection systems: Central points, arXiv preprint, 2017. arXiv:1707.05505."},{"key":"ref034","unstructured":"N.\u00a0Papernot, N.\u00a0Carlini, I.\u00a0Goodfellow, R.\u00a0Feinman, F.\u00a0Faghri, A.\u00a0Matyasko, K.\u00a0Hambardzumyan, Y.L.\u00a0Juang, A.\u00a0Kurakin, R.\u00a0Sheatsley et al., cleverhans v2. 0.0: An adversarial machine learning library, arXiv preprint, 2016. arXiv:1610.00768."},{"key":"ref035","doi-asserted-by":"crossref","unstructured":"N.\u00a0Papernot, P.\u00a0McDaniel, I.\u00a0Goodfellow, S.\u00a0Jha, Z.\u00a0Berkay Celik and A.\u00a0Swami, Practical black-box attacks against machine learning, 2017. arXiv:1602.02697 [cs.CR].","DOI":"10.1145\/3052973.3053009"},{"key":"ref036","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"ref037","unstructured":"N.\u00a0Papernot, P.D.\u00a0McDaniel and I.J.\u00a0Goodfellow, Transferability in machine learning: From phenomena to black-box attacks using adversarial samples.\n                      CoRR\n                      abs\/1605.07277, 2016. arXiv:1605.07277."},{"key":"ref038","unstructured":"M.\u00a0Rigaki and A.\u00a0Elragal, Adversarial deep learning against intrusion detection classifiers, 2017."},{"key":"ref039","unstructured":"S.\u00a0Sabour, N.\u00a0Frosst and G.E.\u00a0Hinton, Dynamic routing between capsules, 2017. arXiv:1710.09829 [cs.CV]."},{"key":"ref040","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978392"},{"key":"ref041","unstructured":"C.\u00a0Sinclair, L.\u00a0Pierce and S.\u00a0Matzner, An application of machine learning to network intrusion detection, in: Computer Security Applications Conference (ACSAC \u201999) Proceedings. 15th Annual, IEEE, 1999, pp.\u00a0371\u2013377."},{"key":"ref042","unstructured":"R.\u00a0Sommer, Bro: An open source network intrusion detection system, in: DFN-Arbeitstagung \u00fcber Kommunikationsnetze, 2003."},{"key":"ref043","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"ref044","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2012.02.016"},{"key":"ref045","doi-asserted-by":"publisher","DOI":"10.1109\/TEVC.2019.2890858"},{"key":"ref046","unstructured":"C.\u00a0Szegedy, W.\u00a0Zaremba, I.\u00a0Sutskever, J.\u00a0Bruna, D.\u00a0Erhan, I.\u00a0Goodfellow and R.\u00a0Fergus, Intriguing properties of neural networks, arXiv preprint, 2013. arXiv:1312.6199."},{"key":"ref047","doi-asserted-by":"crossref","unstructured":"M.\u00a0Tavallaee, E.\u00a0Bagheri, W.\u00a0Lu and A.A.\u00a0Ghorbani, A detailed analysis of the KDD CUP 99 data set, in: Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE Symposium on, IEEE, 2009, pp.\u00a01\u20136.","DOI":"10.1109\/CISDA.2009.5356528"},{"key":"ref048","doi-asserted-by":"publisher","DOI":"10.1111\/j.2517-6161.1996.tb02080.x"},{"key":"ref049","unstructured":"F.\u00a0Tram\u00e8r, N.\u00a0Papernot, I.\u00a0Goodfellow, D.\u00a0Boneh and P.\u00a0McDaniel, The space of transferable adversarial examples, arXiv preprint, 2017. arXiv:1704.03453."},{"key":"ref050","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2009.05.029"},{"key":"ref051","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM.2018.8599759"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-210094","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-210094","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-210094","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:40Z","timestamp":1777495540000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-210094"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,1,31]]},"references-count":51,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2022,10,5]]}},"alternative-id":["10.3233\/JCS-210094"],"URL":"https:\/\/doi.org\/10.3233\/jcs-210094","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,1,31]]}}}