pith. sign in

arxiv: 2606.28439 · v1 · pith:FC7L2W4Knew · submitted 2026-06-26 · 💻 cs.CR · cs.AI

PLAA: Packet-level Adversarial Attacks in Network Traffic Detection

Jinhao You , Zan Zhou , Shujie Yang , Yi Sun , Lei Zhang , Changqiao Xu This is my paper

Pith reviewed 2026-06-30 01:36 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords adversarial attacksnetwork intrusion detectionpacket-level featuresevasion success ratesemantic consistencyNIDSDNN vulnerabilityintrusion detection systems
0
0 comments X

The pith

A packet-by-packet method generates adversarial network traffic that evades detection systems at 92.78 percent while keeping attack semantics.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Existing adversarial attacks on network intrusion detection systems often produce traffic that is either invalid or no longer carries the original attack intent because they adapt techniques from image classification. The paper proposes generating the adversarial traffic incrementally at the packet level and checking semantic integrity after each step. This yields an average evasion success rate of 92.78 percent across three standard datasets while the traffic remains consistent with the original malicious behavior. Readers would care because it provides a more practical way to expose weaknesses in systems that classify real network flows.

Core claim

Instead of generating flow-level features directly, the approach incrementally generates packet-level features to construct adversarial traffic. The semantic integrity of the traffic is monitored at each stage, which avoids invalid traffic and semantic loss. Evaluation on the CIC-UNSW-NB15, CIC-DDoS2019, and CIC-IDS-2017 datasets shows an average evasion success rate of 92.78 percent with maintained semantic consistency.

What carries the argument

Incremental packet-level feature generation combined with stage-wise semantic integrity monitoring that builds valid adversarial examples without losing attack semantics.

If this is right

  • The attack succeeds against current DNN-based NIDS models on multiple datasets.
  • Generated traffic stays semantically consistent with the original malicious traffic.
  • Flow-level adaptation from computer vision leads to invalid or semantically altered traffic.
  • Packet-level construction with monitoring addresses both invalidity and semantic loss.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defenses might incorporate packet-level semantic checks to detect such incremental attacks.
  • Testing NIDS robustness should include packet-sequence constraints in addition to flow statistics.
  • Similar incremental methods could apply to other sequential data domains like audio or time-series security signals.

Load-bearing premise

That monitoring semantic integrity at each packet generation stage will consistently prevent the creation of invalid traffic or the loss of original attack semantics.

What would settle it

Run the generated adversarial traffic through an independent validator that confirms whether the traffic still executes the intended attack action, such as a DDoS flood or port scan, while the NIDS fails to flag it.

Figures

Figures reproduced from arXiv: 2606.28439 by Changqiao Xu, Jinhao You, Lei Zhang, Shujie Yang, Yi Sun, Zan Zhou.

Figure 1
Figure 1. Figure 1: Differences in adversarial attacks between CV and NIDS. [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Differences in adversarial attacks between CV and NIDS. [PITH_FULL_IMAGE:figures/full_fig_p002_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Adversarial attacks at the packet-level based on the actor-critic framework. [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Comparison of convergence of different attacks under different NIDS. [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
read the original abstract

Deep neural networks (DNNs) are widely applied in Network-based Intrusion Detection System (NIDS) due to their high accuracy. However, DNNs are highly susceptible to adversarial attacks, which generate malicious traffic to evade NIDS detection. Existing approaches often adapt adversarial attacks from computer vision (CV) tasks to the NIDS domain, overlooking the fundamental differences between CV and NIDS. This results in two major issues: 1) The generated network traffic may become invalid, 2) The generated traffic may lose its original attack semantics. To address these issues, this paper proposes an adversarial attack specifically designed for NIDS. Instead of directly generating flow-level features, our approach incrementally generates packet-level features to construct adversarial traffic. During the generation process, the semantic integrity of the traffic is monitored at each stage, effectively avoiding the issues of invalid traffic and semantic loss observed in existing methods. We evaluate our attack algorithm against current NIDS models using the CIC-UNSW-NB15, CIC-DDoS2019, and CIC-IDS-2017 datasets. The proposed method achieves an average evasion success rate of 92.78%, while ensuring that the generated adversarial traffic remains semantically consistent with the original malicious traffic.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes PLAA, a packet-level adversarial attack for DNN-based NIDS. Instead of adapting CV-style flow-level perturbations, it incrementally constructs adversarial traffic by generating packet-level features while monitoring semantic integrity at each stage to avoid invalid packets or loss of attack semantics. Evaluation on CIC-UNSW-NB15, CIC-DDoS2019, and CIC-IDS-2017 reports an average evasion success rate of 92.78% with claimed semantic consistency.

Significance. If the incremental generation plus per-stage semantic monitoring can be shown to preserve functional attack semantics (e.g., via replay validation or feature-preservation metrics), the work would provide a domain-appropriate adversarial framework that directly addresses the invalid-traffic and semantic-drift problems of CV-adapted attacks. This could strengthen robustness testing of NIDS and inform future defense design.

major comments (2)
  1. [Abstract, §3] Abstract and §3 (method description): the central claim of 92.78% evasion while 'ensuring semantic consistency' rests on the per-stage semantic-integrity monitor, yet no quantitative validation procedure, preservation metrics (payload signatures, timing, port sequences), or replay experiments are reported to confirm that adversarial flows remain malicious when replayed. Evasion rate alone does not establish this.
  2. [§4] §4 (evaluation): the reported average evasion success rate lacks error bars, per-dataset breakdowns with statistical tests, or explicit exclusion criteria for flows that the monitor rejected; without these, it is impossible to assess whether the 92.78% figure reflects reliable semantic preservation or selective reporting.
minor comments (2)
  1. [§3] Notation for packet-level feature vectors and the exact formulation of the semantic-integrity check should be made explicit (currently described only at a high level).
  2. [§4] The manuscript should include a clear comparison table against prior NIDS-specific attacks (e.g., flow-level methods) on the same datasets and models.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments, which highlight important aspects of validation and reporting. We address each major comment below and indicate planned revisions to the manuscript.

read point-by-point responses

  1. Referee: [Abstract, §3] Abstract and §3 (method description): the central claim of 92.78% evasion while 'ensuring semantic consistency' rests on the per-stage semantic-integrity monitor, yet no quantitative validation procedure, preservation metrics (payload signatures, timing, port sequences), or replay experiments are reported to confirm that adversarial flows remain malicious when replayed. Evasion rate alone does not establish this.

    Authors: The semantic-integrity monitor in §3 performs incremental checks on packet-level features to enforce validity and consistency with the original attack semantics at each generation step. This design directly targets the semantic-drift issue noted in the introduction. We agree, however, that the current manuscript does not report additional quantitative preservation metrics or replay-based validation experiments. In the revision we will add a dedicated subsection presenting feature-preservation statistics (e.g., timing, port-sequence, and payload-signature fidelity) together with a small-scale replay study on a subset of flows. revision: yes

  2. Referee: [§4] §4 (evaluation): the reported average evasion success rate lacks error bars, per-dataset breakdowns with statistical tests, or explicit exclusion criteria for flows that the monitor rejected; without these, it is impossible to assess whether the 92.78% figure reflects reliable semantic preservation or selective reporting.

    Authors: The reported 92.78% is the mean evasion rate computed across the three datasets. The revised §4 will include (i) per-dataset success rates with standard deviations, (ii) the number and criteria for any flows rejected by the monitor, and (iii) appropriate statistical comparisons. These additions will allow readers to evaluate both the reliability of the aggregate figure and the effectiveness of the semantic monitor. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical evaluation of proposed algorithm with no self-referential derivations

full rationale

The paper proposes an incremental packet-level adversarial attack method with per-stage semantic integrity monitoring, evaluated empirically on CIC-UNSW-NB15, CIC-DDoS2019, and CIC-IDS-2017 datasets to report a 92.78% average evasion rate. No equations, fitted parameters, or first-principles derivations are described that reduce to self-defined inputs by construction. The central performance claim is an observed experimental outcome rather than a prediction forced by the method's own definitions or prior self-citations. The approach addresses limitations of prior work through design choices, but these do not create a circular reduction in the provided text.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available; no free parameters, axioms, or invented entities can be extracted or audited.

pith-pipeline@v0.9.1-grok · 5756 in / 1029 out tokens · 31740 ms · 2026-06-30T01:36:48.481420+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

31 extracted references · 4 canonical work pages · 2 internal anchors

  1. [1]

    Towards ddos attack detection using deep learning approach,

    S. Aktar and A. Y . Nur, “Towards ddos attack detection using deep learning approach,”Computers & Security, vol. 129, p. 103251, 2023

    2023

  2. [2]

    Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues,

    I. Corona, G. Giacinto, and F. Roli, “Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues,”Information sciences, vol. 239, pp. 201–225, 2013

    2013

  3. [3]

    Endogenous security defense against deductive attack: When artificial intelligence meets active defense for online service,

    Z. Zhou, X. Kuang, L. Sun, L. Zhong, and C. Xu, “Endogenous security defense against deductive attack: When artificial intelligence meets active defense for online service,”IEEE Communications Magazine, vol. 58, no. 6, pp. 58–64, 2020

    2020

  4. [4]

    Drl-based adaptive sharding for blockchain-based federated learning,

    Y . Lin, Z. Gao, H. Du, J. Kang, D. Niyato, Q. Wang, J. Ruan, and S. Wan, “Drl-based adaptive sharding for blockchain-based federated learning,”IEEE Transactions on Communications, vol. 71, no. 10, pp. 5992–6004, 2023

    2023

  5. [5]

    Intriguing properties of neural networks

    C. Szegedy, “Intriguing properties of neural networks,”arXiv preprint arXiv:1312.6199, 2013

    work page internal anchor Pith review Pith/arXiv arXiv 2013

  6. [6]

    A multi- shuffler framework to establish mutual confidence for secure federated learning,

    Z. Zhou, C. Xu, M. Wang, X. Kuang, Y . Zhuang, and S. Yu, “A multi- shuffler framework to establish mutual confidence for secure federated learning,”IEEE Transactions on Dependable and Secure Computing, vol. 20, no. 5, pp. 4230–4244, 2022

    2022

  7. [7]

    Adversarial machine learning for network intrusion detection systems: A comprehensive survey,

    K. He, D. D. Kim, and M. R. Asghar, “Adversarial machine learning for network intrusion detection systems: A comprehensive survey,”IEEE Communications Surveys & Tutorials, vol. 25, no. 1, pp. 538–566, 2023

    2023

  8. [8]

    Idsgan: Generative adversarial networks for attack generation against intrusion detection,

    Z. Lin, Y . Shi, and Z. Xue, “Idsgan: Generative adversarial networks for attack generation against intrusion detection,” inPacific-asia conference on knowledge discovery and data mining. Springer, 2022, pp. 79–91

    2022

  9. [9]

    Tantra: Timing-based adversarial network traffic reshaping attack,

    Y . Sharon, D. Berend, Y . Liu, A. Shabtai, and Y . Elovici, “Tantra: Timing-based adversarial network traffic reshaping attack,”IEEE Trans- actions on Information Forensics and Security, vol. 17, pp. 3225–3237, 2022

    2022

  10. [10]

    Adv-bot: Realistic adversarial botnet attacks against network intrusion detection systems,

    I. Debicha, B. Cochez, T. Kenaza, T. Debatty, J.-M. Dricot, and W. Mees, “Adv-bot: Realistic adversarial botnet attacks against network intrusion detection systems,”Computers & Security, vol. 129, p. 103176, 2023

    2023

  11. [11]

    Generating practical adversarial network traffic flows using nidsgan,

    B.-E. Zolbayar, R. Sheatsley, P. McDaniel, M. J. Weisman, S. Zhu, S. Zhu, and S. Krishnamurthy, “Generating practical adversarial network traffic flows using nidsgan,”arXiv preprint arXiv:2203.06694, 2022

    work page arXiv 2022

  12. [12]

    Automatic evasion of machine learning-based network intrusion detection systems,

    H. Yan, X. Li, W. Zhang, R. Wang, H. Li, X. Zhao, F. Li, and X. Lin, “Automatic evasion of machine learning-based network intrusion detection systems,”IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 1, pp. 153–167, 2023

    2023

  13. [13]

    Network intrusion detection algorithm based on deep neural network,

    Y . Jia, M. Wang, and Y . Wang, “Network intrusion detection algorithm based on deep neural network,”IET Information Security, vol. 13, no. 1, pp. 48–53, 2019

    2019

  14. [14]

    Dl-ids: a deep learning–based intru- sion detection framework for securing iot,

    Y . Otoum, D. Liu, and A. Nayak, “Dl-ids: a deep learning–based intru- sion detection framework for securing iot,”Transactions on Emerging Telecommunications Technologies, vol. 33, no. 3, p. e3803, 2022

    2022

  15. [15]

    Secfft: Safeguarding federated fine-tuning for large vision language models against covert backdoor attacks in iort networks,

    Z. Zhou, C. Xu, B. Wang, T. Li, S. Huang, S. Yang, and S. Yao, “Secfft: Safeguarding federated fine-tuning for large vision language models against covert backdoor attacks in iort networks,”IEEE Internet of Things Journal, 2024

    2024

  16. [16]

    Incentive and dynamic client selection for federated unlearning,

    Y . Lin, Z. Gao, H. Du, D. Niyato, J. Kang, and X. Liu, “Incentive and dynamic client selection for federated unlearning,” inProceedings of the ACM Web Conference 2024, 2024, pp. 2936–2944

    2024

  17. [17]

    Deep learning models for cyber security in iot networks,

    M. Roopak, G. Y . Tian, and J. Chambers, “Deep learning models for cyber security in iot networks,” in2019 IEEE 9th annual computing and communication workshop and conference (CCWC). IEEE, 2019, pp. 0452–0457

    2019

  18. [18]

    Dl-ids: extracting features using cnn-lstm hybrid network for intrusion detection system. secur. commun. netw. 2020,

    P. Sunet al., “Dl-ids: extracting features using cnn-lstm hybrid network for intrusion detection system. secur. commun. netw. 2020,”Article ID, vol. 8890306, no. 11, 2020

    2020

  19. [19]

    Community- oriented duplex privacy amplification and active poisoning resistance for heterogeneous federated learning,

    Z. Zhou, J. Zhao, S. Yang, H. Li, T. Ma, and C. Xu, “Community- oriented duplex privacy amplification and active poisoning resistance for heterogeneous federated learning,”IEEE Transactions on Dependable and Secure Computing, 2025

    2025

  20. [20]

    Scalable federated unlearning via isolated and coded sharding,

    Y . Lin, Z. Gao, H. Du, D. Niyato, G. Gui, S. Cui, and J. Ren, “Scalable federated unlearning via isolated and coded sharding,”arXiv preprint arXiv:2401.15957, 2024

    work page arXiv 2024

  21. [21]

    Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection

    Y . Mirsky, T. Doitshman, Y . Elovici, and A. Shabtai, “Kitsune: an ensemble of autoencoders for online network intrusion detection,”arXiv preprint arXiv:1802.09089, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  22. [22]

    Gee: A gradient-based explainable variational autoencoder for network anomaly detection,

    Q. P. Nguyen, K. W. Lim, D. M. Divakaran, K. H. Low, and M. C. Chan, “Gee: A gradient-based explainable variational autoencoder for network anomaly detection,” in2019 IEEE Conference on Communications and Network Security (CNS). IEEE, 2019, pp. 91–99

    2019

  23. [23]

    Progen: Projection-based adversarial attack generation against network intrusion detection,

    M. Wang, N. Yang, N. J. Forcade-Perkins, and N. Weng, “Progen: Projection-based adversarial attack generation against network intrusion detection,”IEEE Transactions on Information Forensics and Security, 2024

    2024

  24. [24]

    Analyzing adversarial attacks against deep learning for intrusion detection in iot networks,

    O. Ibitoye, O. Shafiq, and A. Matrawy, “Analyzing adversarial attacks against deep learning for intrusion detection in iot networks,” in2019 IEEE global communications conference (GLOBECOM). IEEE, 2019, pp. 1–6

    2019

  25. [25]

    Ad- versarial attacks on sdn-based deep learning ids system,

    C.-H. Huang, T.-H. Lee, L.-h. Chang, J.-R. Lin, and G. Horng, “Ad- versarial attacks on sdn-based deep learning ids system,” inMobile and Wireless Technology 2018: International Conference on Mobile and Wireless Technology (ICMWT 2018). Springer, 2019, pp. 181–191

    2018

  26. [26]

    Deep learning-based intrusion detection with adversaries,

    Z. Wang, “Deep learning-based intrusion detection with adversaries,” IEEE Access, vol. 6, pp. 38 367–38 384, 2018

    2018

  27. [27]

    A detailed analysis of the kdd cup 99 data set,

    M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the kdd cup 99 data set,” in2009 IEEE symposium on computational intelligence for security and defense applications. Ieee, 2009, pp. 1–6

    2009

  28. [28]

    Poisoning and evasion: Deep learning-based nids under adversarial attacks,

    H. Mohammadian, A. Habibi Lashkari, and A. A. Ghorbani, “Poisoning and evasion: Deep learning-based nids under adversarial attacks,” in 2024 21st Annual International Conference on Privacy, Security and Trust (PST), 2024, pp. 1–9

    2024

  29. [29]

    Toward generating a new intrusion detection dataset and intrusion traffic characterization

    I. Sharafaldin, A. H. Lashkari, A. A. Ghorbaniet al., “Toward generating a new intrusion detection dataset and intrusion traffic characterization.” ICISSp, vol. 1, pp. 108–116, 2018

    2018

  30. [30]

    De- veloping realistic distributed denial of service (ddos) attack dataset and taxonomy,

    I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, “De- veloping realistic distributed denial of service (ddos) attack dataset and taxonomy,” in2019 international carnahan conference on security technology (ICCST). IEEE, 2019, pp. 1–8

    2019

  31. [31]

    Compressive traffic analysis: A new paradigm for scalable traffic analysis,

    M. Nasr, A. Houmansadr, and A. Mazumdar, “Compressive traffic analysis: A new paradigm for scalable traffic analysis,” inProceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 2053–2069

    2017