arxiv: 2605.25822 · v1 · pith:QHS325IMnew · submitted 2026-05-25 · 💻 cs.CR

"What is the Problem Space?" Defining Host-space Adversarial Perturbations against Network Intrusion Detection Systems

Pith reviewed 2026-06-29 21:40 UTC · model grok-4.3

classification 💻 cs.CR
keywords host-space perturbations · adversarial machine learning · network intrusion detection · ML-NIDS · SSH brute-force · problem space · feature space · adversarial robustness

The pith

Real attackers limited to host control can evade ML-NIDS by changing one character in an SSH brute-force command string.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper claims that most prior adversarial attacks on machine-learning network intrusion detection systems manipulated data points after capture by routers or analysis points, operations that may not be available to attackers who control only unprivileged hosts. Instead, the authors define host-space perturbations as changes an attacker can actually make at the source, such as altering a single character in a command used for SSH brute-forcing. Experiments show that detectors trained on the original command string miss every variant produced by this tiny host-level edit. The work therefore calls for re-assessing ML-NIDS robustness under constraints that match realistic attacker reach. A systematic review of 316 papers supports the observation that feature-space manipulations have dominated the literature.

Core claim

Prior work on adversarial perturbations against ML-NIDS has applied changes to pre-collected datapoints such as captured packets or analyzed flows. Real-world adversaries, however, can apply perturbations only by operating on the hosts they control. This host-space definition leads to the concrete result that an ML-NIDS able to detect SSH-bruteforcing attempts launched via a given command string cannot detect any attempt launched by changing a single character of that string. The minuscule problem-space change produces large effects in the feature space.

What carries the argument

Host-space perturbations: adversarial modifications performed by operating directly on controlled hosts rather than on pre-collected datapoints.

If this is right

  • Detectors that rely on exact or near-exact matches to known malicious command strings will miss variants created by single-character host edits.
  • Security evaluations of ML-NIDS must restrict perturbations to actions feasible from unprivileged host access.
  • Feature-space distance metrics do not automatically translate into feasible problem-space actions.
  • Practical assessment of host-space perturbations requires new experimental setups that start from host-level actions rather than post-capture edits.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Detection systems may need to model families of related commands rather than individual strings to cover host-space variants.
  • The same host-space constraint could apply to other ML security settings where the attacker cannot edit network traffic mid-path.
  • Datasets for training ML-NIDS could be augmented with explicit host-action traces to better reflect realistic attack surfaces.

Load-bearing premise

That an attacker who controls only unprivileged hosts cannot reach or alter network data after it leaves those hosts.

What would settle it

A controlled test in which an attacker on a compromised host issues an SSH brute-force command differing by one character and the ML-NIDS still raises an alert on the resulting traffic.

Figures

Figures reproduced from arXiv: 2605.25822 by Bruno Volckaert, Filip De Turck, Giovanni Apruzzese, Laurens D'hooge, Miel Verkerken.

Figure 1: Typical NIDS scenario. N.b.: the attacker cannot control the router or the NIDS (otherwise, it wouldn’t be surprising if the NIDS is bypassed).
… previously collected datasets. By “network-related data”, we intend data pertaining to the communications occurring within a given network—such as, e.g., network traffic included in a packet-capture (PCAP) trace [55], or network flows (NetFlows) providing high-level…

Figure 2: From attackers’ actions to ML inputs. [Left] The attacker launches nmap on their controlled host. [Middle] This leads to the creation of multiple network packets that are captured by some dedicated network appliance (e.g., a router). [Right] Then, NetFlows are extracted from the PCAP trace, which are sent to (and analysed by) the ML-NIDS. A realistic attacker has no access to the “traffic space” (i.e., mid…

Figure 3: Low-level effects of a host-space perturbation.

Figure 4: OOD verification. We use a tSNE plot to visualize the distribution of NetFlows generated by patator (as well as benign ones).
B.1 Real-world Smart-home network capture. The network environment contains 40–50 physical devices. These include smartphones, laptops/desktops, gaming consoles, and various IoT devices (e.g., smart speakers and lightbulbs). All devices connect to a router via a WiFi 5 or 2.4 interf…
Original abstract

Network Intrusion Detection Systems (NIDS) are now increasingly leveraging Machine Learning (ML) techniques to detect malicious network activities. Numerous papers have scrutinized the security of ML-based NIDS (ML-NIDS) by testing them against various attacks involving adversarial perturbations. The findings were oftentimes worrying: by making imperceptible changes to a given input, powerful ML models would be bypassed. In this context, we took a step back and wondered: where (i.e., in what "space") have these perturbations been applied? We argue that real-world adversaries can apply adversarial perturbations only by operating on the hosts they can control -- a concept which we define as _host-space perturbations_. To some, such an observation may seem trivial. And yet, through a systematic literature review (n=316), we found that prior work applied perturbations by manipulating pre-collected datapoints (e.g., a packet _captured by the router_, or a network flow _analysed by the ML-NIDS_). Such operations, while not impossible, may be outside the reach of an attacker who can only control some (unprivileged) hosts in a network. Hence, to demonstrate how to craft host-space perturbations and study some of their effects, we experimented on well-known benchmarks and a real-world network. We show that ML-NIDS that can detect the SSH-bruteforcing attempts launched via a given command string cannot detect any attempt launched by changing _a single character_ of such a string. We then examined how such a minuscule change in the "problem space" (i.e., the attacker's host) can lead to devastating effects on the "feature space". We derive lessons learned on how to practically assess host-space perturbations. Our stance is that the security of ML-NIDS should be re-assessed.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper claims that real-world adversaries against ML-based Network Intrusion Detection Systems (ML-NIDS) can only apply adversarial perturbations in 'host-space' (by operating on hosts they control), as opposed to manipulating pre-collected datapoints such as captured packets or analyzed flows. A systematic literature review of 316 papers finds that prior adversarial work predominantly uses the latter, unrealistic approach. The authors demonstrate host-space perturbations via an experiment on SSH brute-forcing, where ML-NIDS that detect attempts using a given command string fail to detect variants differing by a single character, and discuss how such changes affect the feature space, deriving lessons for practical assessment.

Significance. The conceptual framing of host-space perturbations highlights a gap between typical adversarial ML evaluations and realistic attacker capabilities in network security, supported by a large-scale literature review. If the experimental observations hold under detailed scrutiny, the work could encourage more constrained threat models in ML-NIDS robustness studies. Strengths include the systematic review providing quantitative backing; however, the impact is limited by insufficient methodological transparency in the empirical component.

major comments (2)
  1. [experimental evaluation section] Experimental evaluation (as summarized in the abstract and described in the full experimental section): the manuscript provides no details on the ML-NIDS model architecture, the specific features extracted (e.g., payload contents, flow statistics, or command-string representations), the packet parser, or the training procedure for the SSH brute-force detector. Without these, it is impossible to determine whether the reported evasion from a single-character command change arises from the host-space restriction or from the model relying on brittle, literal-matching features that an attacker could alter regardless of host control.
  2. [introduction and conceptual sections] Definition of host-space perturbations (introduction and conceptual sections): while the distinction from manipulations of pre-collected datapoints is argued via the literature review, the paper does not provide a formal characterization (e.g., a precise attacker capability model or mapping to standard adversarial ML threat models) that would allow readers to classify new attacks unambiguously as host-space or not.
minor comments (1)
  1. [abstract] The abstract and title use 'problem space' without an explicit early definition or reference to its usage in prior adversarial ML literature on constrained input domains.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed review. The comments identify clear opportunities to strengthen the manuscript's transparency and conceptual precision. We address each major comment below and will revise the manuscript accordingly.

Point-by-point responses
  1. Referee: [experimental evaluation section] Experimental evaluation (as summarized in the abstract and described in the full experimental section): the manuscript provides no details on the ML-NIDS model architecture, the specific features extracted (e.g., payload contents, flow statistics, or command-string representations), the packet parser, or the training procedure for the SSH brute-force detector. Without these, it is impossible to determine whether the reported evasion from a single-character command change arises from the host-space restriction or from the model relying on brittle, literal-matching features that an attacker could alter regardless of host control.

    Authors: We agree that the experimental section lacks the necessary methodological details. The current manuscript does not describe the ML-NIDS architecture, feature extraction process, packet parser, or training procedure. This limits readers' ability to evaluate whether the observed evasion is attributable to the host-space constraint. In the revised version we will expand the experimental evaluation section with a full description of the model architecture, the command-string features used, the parsing logic, and the training dataset and procedure. These additions will allow assessment of whether the single-character host-space change produces evasion beyond what brittle literal features alone would permit. revision: yes

  2. Referee: [introduction and conceptual sections] Definition of host-space perturbations (introduction and conceptual sections): while the distinction from manipulations of pre-collected datapoints is argued via the literature review, the paper does not provide a formal characterization (e.g., a precise attacker capability model or mapping to standard adversarial ML threat models) that would allow readers to classify new attacks unambiguously as host-space or not.

    Authors: The referee correctly observes that the manuscript relies on the literature review (n=316) to establish the distinction but does not supply an explicit attacker capability model or mapping to standard adversarial ML threat models. While the review provides quantitative evidence that prior perturbations operate on pre-collected datapoints outside realistic host control, a formal characterization would improve precision. We will revise the introduction and conceptual sections to include a concise attacker capability model that specifies the adversary's ability to modify inputs at controlled hosts while being unable to alter captured network data, together with a mapping to existing threat models. This will support unambiguous classification of future attacks. revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims grounded in external review and experiments

full rationale

The paper's central distinction between host-space and feature-space perturbations is introduced via definition and supported by a systematic review of 316 external papers plus new experiments on SSH brute-force detection in benchmarks and a real-world network. No equations, parameter fits, or self-citations are used to derive the key results; the argument does not reduce to tautology or prior author work by construction and remains self-contained against the reviewed literature and empirical observations.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on a domain assumption about attacker capabilities and introduces one new conceptual entity; no free parameters or machine-checked results are involved.

axioms (1)
  • domain assumption: Real adversaries controlling only unprivileged hosts cannot manipulate pre-collected network datapoints at routers or NIDS analyzers.
    This premise directly separates host-space from the perturbations used in the 316 reviewed papers.
invented entities (1)
  • host-space perturbations · no independent evidence
    purpose: To categorize adversarial changes feasible for host-controlling attackers.
    New term coined to distinguish realistic attacker actions from post-capture manipulations described in prior work.

pith-pipeline@v0.9.1-grok · 5882 in / 1231 out tokens · 35918 ms · 2026-06-29T21:40:52.850944+00:00 · methodology


Reference graph

Works this paper leans on

136 extracted references · 1 canonical work page

  1. [1] 2014. Wfuzz. https://github.com/xmendez/wfuzz
  2. [2] 2015. DDoS Slowloris. https://github.com/gkbrk/slowloris
  3. [3] 2015. Medusa. https://github.com/jmk-foofus/medusa
  4. [4] 2016. Hydra. https://github.com/vanhauser-thc/thc-hydra
  5. [5] 2016. patator. https://github.com/lanjelot/patator
  6. [6] 2026. Our Repo. https://github.com/idlab-discover/HsP
  7. [7] Maged Abdelaty, Sandra Scott-Hayward, Roberto Doriguzzi-Corin, and Domenico Siracusa. 2021. Gadot: Gan-based adversarial training for robust ddos attack detection. In IEEE CNS
  8. [8] James Aiken and Sandra Scott-Hayward. 2019. Investigating adversarial attacks against network intrusion detection systems in sdns. In IEEE NFV-SDN
  9. [9] Sharmin Aktar and Abdullah Yasin Nur. 2023. Towards DDoS attack detection using deep learning approach. Computers & Security 129 (2023), 103251
  10. [10] Hisham Alasmary, Aminollah Khormali, Afsah Anwar, Jeman Park, Jinchun Choi, Ahmed Abusnaina, Amro Awad, Daehun Nyang, and Aziz Mohaisen. 2019. Analyzing and detecting emerging Internet of Things malware: A graph-based approach. IEEE Internet of Things Journal 6, 5 (2019), 8977–8988
  11. [11] AM Aleesa, BB Zaidan, AA Zaidan, and Nan M Sahar. 2020. Review of intrusion detection systems based on deep learning techniques: coherent taxonomy, challenges, motivations, recommendations, substantial analysis and future directions. Neural Computing and Applications 32, 14 (2020), 9827–9858
  12. [12] Ahod Alghuried, Ali Alkinoon, Abdulaziz Alghamdi, Soohyeon Choi, Manar Mohaisen, and David Mohaisen. 2025. Evaluating the Vulnerability of ML-Based Ethereum Phishing Detectors to Single-Feature Adversarial Perturbations. ACM Distributed Ledger Technologies: Research and Practice (2025)
  13. [13] Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, Gregory Walkup, Z Berkay Celik, Xiangyu Zhang, and Dongyan Xu. 2021. ATLAS A sequence-based learning approach for attack investigation. In USENIX SEC
  14. [14] Giovanni Apruzzese, Hyrum S Anderson, Savino Dambra, David Freeman, Fabio Pierazzi, and Kevin Roundy. 2023. “Real Attackers Don’t Compute Gradients”: Bridging the Gap Between Adversarial ML Research and Practice. In SaTML
  15. [15] Giovanni Apruzzese, Mauro Andreolini, Luca Ferretti, Mirco Marchetti, and Michele Colajanni. 2021. Modeling realistic adversarial attacks against network intrusion detection systems. ACM Digital Threats: Research and Practice (2021)
  16. [16] Giovanni Apruzzese and Michele Colajanni. 2018. Evading botnet detectors based on flows and random forest with adversarial samples. In IEEE NCA
  17. [17] Giovanni Apruzzese, Mauro Conti, and Ying Yuan. 2022. SpacePhish: The Evasion-Space of Adversarial Attacks against Phishing Website Detectors Using Machine Learning. In Proc. ACSAC
  18. [18] Giovanni Apruzzese, Aurore Fass, and Fabio Pierazzi. 2024. When adversarial perturbations meet concept drift: an exploratory analysis on ml-nids. In Proceedings of the 2024 Workshop on Artificial Intelligence and Security. 149–160
  19. [19] Giovanni Apruzzese, Pavel Laskov, and Johannes Schneider. 2023. SoK: Pragmatic assessment of machine learning for network intrusion detection. In IEEE European Symposium on Security and Privacy (EuroS&P)
  20. [20] Giovanni Apruzzese, Pavel Laskov, and Aliya Tastemirova. 2022. SoK: The impact of unlabelled data in cyberthreat detection. In EuroS&P
  21. [21] Daniel Arp, Erwin Quiring, Feargus Pendlebury, Alexander Warnecke, Fabio Pierazzi, Christian Wressnegger, Lorenzo Cavallaro, and Konrad Rieck. 2022. Dos and don’ts of machine learning in computer security. In USENIX Security
  22. [22] Daniel Arp, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, Konrad Rieck, and CERT Siemens. 2014. Drebin: Effective and explainable detection of android malware in your pocket. In NDSS
  23. [23] Tim Bai, Haibo Bian, Abbas Abou Daya, Mohammad A Salahuddin, Noura Limam, and Raouf Boutaba. 2019. A machine learning approach for RDP-based lateral movement detection. In IEEE LCN
  24. [24] Osama Bajaber, Bo Ji, and Peng Gao. 2024. P4control: Line-rate cross-host attack prevention via in-network information flow control enabled by programmable switches and ebpf. In IEEE S&P
  25. [25] Diogo Barradas, Nuno Santos, Luís Rodrigues, Salvatore Signorello, Fernando MV Ramos, and André Madeira. 2021. FlowLens: Enabling Efficient Flow Classification for ML-based Network Security Applications. In NDSS
  26. [26] Dipkamal Bhusal, Md Tanvirul Alam, Monish K Veerabhadran, Michael Clifford, Sara Rampazzi, and Nidhi Rastogi. 2024. PASA: Attack Agnostic Unsupervised Adversarial Detection using Prediction & Attribution Sensitivity Analysis. In IEEE European Symposium on Security and Privacy
  27. [27] Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim Šrndić, Pavel Laskov, Giorgio Giacinto, and Fabio Roli. 2013. Evasion attacks against machine learning at test time. In ECML PKDD
  28. [28] Battista Biggio and Fabio Roli. 2018. Wild patterns: Ten years after the rise of adversarial machine learning. Pattern Recognition (2018)
  29. [29] Philippe Biondi. 2025. Scapy. https://scapy.readthedocs.io/en/latest/
  30. [30] Dominik Brockmann, Eric Lanfer, Nikolas Wintering, and Nils Aschenbruck
  31. [31] Now You See Me/Now You Don’t: Constrained Adversarial Attacks in Network Intrusion Detection Across Datasets and Machine Learning Models. In 2025 IEEE 50th Conference on Local Computer Networks (LCN). IEEE, 1–9
  32. [32] Thomas E Carroll, David Manz, Thomas Edgar, and Frank L Greitzer. 2012. Realizing scientific methods for cyber security. In LASER Workshop
  33. [33] Marta Catillo, Antonio Pecchia, Antonio Repola, and Umberto Villano. 2024. Towards realistic problem-space adversarial attacks against machine learning in network intrusion detection. In ARES
  34. [34] Paolo Cerracchio, Stefano Longari, Michele Carminati, Stefano Zanero, et al
  35. [35] Investigating the impact of evasion attacks against automotive intrusion detection systems. In Symposium on Vehicles Security and Privacy (VehicleSec)
  36. [36] Zijun Cheng, Qiujian Lv, Jinyuan Liang, Yan Wang, Degang Sun, Thomas Pasquier, and Xueyuan Han. 2024. Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance. In IEEE S&P
  37. [37] Antonio Emanuele Cinà, Kathrin Grosse, Ambra Demontis, Battista Biggio, Fabio Roli, and Marcello Pelillo. 2024. Machine learning security against data poisoning: Are we there yet? Computer (2024)
  38. [38] CloudFlare. 2020. One more (Zero Trust) thing: Cloudflare Intrusion Detection System. https://blog.cloudflare.com/one-more-zero-trust-thing-cloudflare-intrusion-detection/
  39. [39] CloudFlare. 2024. DDoS threat report for 2023 Q4. Technical Report. CloudFlare. https://blog.cloudflare.com/ddos-threat-report-2023-q4/
  40. [40] Christopher Crowley. 2025. SANS 2025 SOC Survey. Technical Report. SANS Research Program. https://www.sans.org/white-papers/sans-2025-soc-survey
  41. [41] Cybersecurity Insiders. 2025. Pulse of the AI SOC Report 2025. https://www.cybersecurity-insiders.com/pulse-of-the-ai-soc-report-2025-from-alert-fatigue-to-actionable-intelligence-how-ai-is-reshaping-detection-response-and-analyst-confidence/
  42. [42] Darktrace. 2018. How Darktrace Finds ’Low and Slow’ Cyber Threats. https://www.darktrace.com/blog/flying-under-the-radar-how-darktrace-detects-low-and-slow-cyber-attacks
  43. [43] Hervé Debar, Marc Dacier, and Andreas Wespi. 1999. Towards a taxonomy of intrusion-detection systems. Computer networks 31, 8 (1999), 805–822
  44. [44] Hervé Debar, Marc Dacier, and Andreas Wespi. 2000. A revised taxonomy for intrusion-detection systems. In Annales des Télécommunications
  45. [45] Dorothy E Denning. 1987. An intrusion-detection model. IEEE TSE (1987)
  46. [46] Alec F Diallo and Paul Patras. 2024. Sabre: Cutting through Adversarial Noise with Adaptive Spectral Filtering and Input Reconstruction. In IEEE S&P
  47. [47] Rohan Doshi, Noah Apthorpe, and Nick Feamster. 2018. Machine learning DDoS detection for consumer internet of things devices. In IEEE S&PW
  48. [48] Laurens D’hooge, Miel Verkerken, Bruno Volckaert, Tim Wauters, and Filip De Turck. 2022. Establishing the contaminating effect of metadata feature inclusion in machine-learned network intrusion detection models. In DIMVA
  49. [49] Mohamed ElShehaby and Ashraf Matrawy. 2026. A novel perturb-ability score to mitigate evasion adversarial attacks on flow-based ML-NIDS. JISA (2026)
  50. [50] Gints Engelen, Vera Rimmer, and Wouter Joosen. 2021. Troubleshooting an intrusion detection dataset: the CICIDS2017 case study. In IEEE SPW
  51. [51] ENISA. 2023. Enisa Threat Landscape. Technical Report. ENISA. https://www.enisa.europa.eu/topics/cyber-threats/threats-and-trends
  52. [52] Alessandro Erba, Andres F Murillo, Riccardo Taormina, Stefano Galelli, and Nils Ole Tippenhauer. 2023. On Practical Realization of Evasion Attacks for Industrial Control Systems. In RICSS Workshop
  53. [53] Alessandro Erba, Riccardo Taormina, Stefano Galelli, Marcello Pogliani, Michele Carminati, Stefano Zanero, and Nils Ole Tippenhauer. 2020. Constrained concealment attacks against reconstruction-based anomaly detectors in industrial control systems. In Annual Computer Security Applications Conference (ACSAC)
  54. [54] Kevin Eykholt, Ivan Evtimov, Earlence Fernandes, Bo Li, Amir Rahmati, Chaowei Xiao, Atul Prakash, Tadayoshi Kohno, and Dawn Song. 2018. Robust physical-world attacks on deep learning visual classification. In IEEE CVPR
  55. [55] Robert Flood, Gints Engelen, David Aspinall, and Lieven Desmet. 2024. Bad Design Smells in Benchmark NIDS Datasets. In IEEE EuroS&P
  56. [56] Chuanpu Fu, Qi Li, Meng Shen, and Ke Xu. 2021. Realtime robust malicious traffic detection via frequency domain analysis. In ACM CCS
  57. [57] Francesco Fusco, Xenofontas Dimitropoulos, Michail Vlachos, and Luca Deri
  58. [58] pcapIndex: an index for network packet traces with legacy compatibility. ACM SIGCOMM Computer Communication Review 42, 1 (2012), 47–53
  59. [59] Sebastián García, Alejandro Zunino, and Marcelo Campo. 2014. Survey on network-based botnet detection methods. Secur. and Commun. Netw. (2014)
  60. [60] Mengmeng Ge, Xiping Fu, Naeem Syed, Zubair Baig, Gideon Teo, and Antonio Robles-Kelly. 2019. Deep learning-based intrusion detection for IoT networks. In IEEE PRDC
  61. [61] Dongqi Han, Zhiliang Wang, Wenqi Chen, Ying Zhong, Su Wang, Han Zhang, Jiahai Yang, Xingang Shi, and Xia Yin. 2021. Deepaid: Interpreting and improving deep learning-based anomaly detection in security applications. In ACM CCS
  62. [62] Dongqi Han, Zhiliang Wang, Ying Zhong, Wenqi Chen, Jiahai Yang, Shuqiang Lu, Xingang Shi, and Xia Yin. 2021. Evaluating and improving adversarial robustness of machine learning-based network intrusion detectors. JSAC (2021)
  63. [63] Qingying Hao, Nirav Diwan, Ying Yuan, Giovanni Apruzzese, Mauro Conti, and Gang Wang. 2024. It Doesn’t Look Like Anything to Me: Using Diffusion Model to Subvert Visual Phishing Detectors. In USENIX Sec. 13 ASIA CCS ’26, June 1–5, 2026, Bangalore, India Miel Verkerken, Laurens D’hooge, Bruno Volckaert, Filip De Turck, and Giovanni Apruzzese
  64. [64] Ahmad Hariri, Murat Yuksel, and David Mohaisen. 2024. RL-Based Speculative Installation of Unseen Flows in SDNs for Low-Latency Applications. In IEEE ICMLCN
  65. [65] Ling Huang, Anthony D Joseph, Blaine Nelson, Benjamin IP Rubinstein, and J Doug Tygar. 2011. Adversarial machine learning. In AISec Workshop
  66. [66] Steve TK Jan, Qingying Hao, Tianrui Hu, Jiameng Pu, Sonal Oswal, Gang Wang, and Bimal Viswanath. 2020. Throwing darts in the dark? detecting bots with limited data using neural data augmentation. In IEEE S&P
  67. [67] Fujiao Ji, Kiho Lee, Hyungjoon Koo, Wenhao You, Euijin Choo, Hyoungshick Kim, and Doowon Kim. 2025. Evaluating the effectiveness and robustness of visual similarity-based phishing detection models. In USENIX SEC
  68. [68] Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, and Mi Wen. 2024. MAGIC: Detecting advanced persistent threats via masked graph representation learning. In USENIX SEC
  69. [69] Ansam Khraisat, Iqbal Gondal, Peter Vamplew, and Joarder Kamruzzaman. 2019. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity (2019)
  70. [70] Platon Kotzias, Kevin Roundy, Michalis Pachilakis, Iskander Sanchez-Rola, and Leyla Bilge. 2023. Scamdog Millionaire: Detecting E-commerce Scams in the Wild. In ACSAC
  71. [71] Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2017. Adversarial machine learning at scale. ICLR (2017)
  72. [72] Alexey N. Kuznetsov. 2014. tc(8) — Linux manual page. [Online]. Available: https://man7.org/linux/man-pages/man8/tc.8.html
  73. [73] Wenke Lee and Salvatore J Stolfo. 2000. A framework for constructing features and models for intrusion detection systems. ACM TiSSEC (2000)
  74. [74] Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin, and Kuang-Yuan Tung
  75. [75] Intrusion detection system: A comprehensive review. JNCA (2013)
  76. [76] Lisa Liu, Gints Engelen, Timothy Lynar, Daryl Essam, and Wouter Joosen. 2022. Error prevalence in nids datasets: A case study on cic-ids-2017 and cse-cic-ids-
  77. [77] In IEEE Conference on Communications and Network Security. IEEE
  78. [78] Ruofan Liu, Yun Lin, Xianglin Yang, Siang Hwee Ng, Dinil Mon Divakaran, and Jin Song Dong. 2022. Inferring phishing intention via webpage appearance and dynamics: A deep vision based approach. In USENIX Security Symposium
  79. [79] Majed Luay, Siamak Layeghy, Yash Pandey, Gayan Kulatilleke, and Marius Portmann. 2025. Multimodal LLMs for Zero-Shot Intrusion Detection Using NetFlow Visualisations. In IEEE LCN
  80. [80] Keane Lucas, Weiran Lin, Lujo Bauer, Michael K Reiter, and Mahmood Sharif

Showing first 80 references.