Deep learning-based intrusion detection systems (IDS) can degrade sharply under adversarial manipulation. We present HAD-IDS (Hybrid Adversarial Defense for IDS), a unified defense that couples input purification, robust training, and runtime risk monitoring. HAD-IDS consists of: (i) a denoising autoencoder (AE) that purifies traffic prior to classification; (ii) an adversarially trained classifier with TRADES regularization to balance clean and robust accuracy; (iii) a latent-space detector using Mahalanobis distance; and (iv) explanation-driven metrics—ASD (Attribution Shift Distance) and VBAR (the fraction of adversarial samples with \(\textrm{ASD}\le \gamma \) )—to expose attribution drift caused by attacks. Under a white-box threat model with PGD (20 steps at evaluation), we test on three benchmarks—NSL-KDD, UNSW-NB15, and CIC-IDS2017. Relative to an undefended model, HAD-IDS improves robust accuracy by +28.86, +38.11, and +34.37 percentage points (pp), with clean-accuracy trade-offs of \(-1.75\) , \(-3.57\) , and \(-2.22\)  pp, respectively; averaged across datasets this yields +33.78 pp robust gain for \(-2.51\)  pp clean. Compared to strong baselines, HAD-IDS is on par with or slightly better than adversarial training alone on average, while outperforming TRADES-only (+9.06 pp) and purification-only (+14.49 pp) in robustness. Ablations show adversarial training is the primary source of robustness (removal: \(-7.25\)  pp on average), while the AE provides a small but consistent boost and enables the ASD/VBAR pathway; TRADES mainly improves clean accuracy with dataset-dependent effects on robustness. Across all datasets, the ASD distribution for adversarial samples shifts markedly to the right of clean, leading to low VBAR and supporting explanation drift as a complementary detection signal alongside Mahalanobis.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

HAD-IDS: A Hybrid Adversarial Defense Framework for Intrusion Detection Systems

  • Ha Thanh Dung,
  • Nguyen Hong Son

摘要

Deep learning-based intrusion detection systems (IDS) can degrade sharply under adversarial manipulation. We present HAD-IDS (Hybrid Adversarial Defense for IDS), a unified defense that couples input purification, robust training, and runtime risk monitoring. HAD-IDS consists of: (i) a denoising autoencoder (AE) that purifies traffic prior to classification; (ii) an adversarially trained classifier with TRADES regularization to balance clean and robust accuracy; (iii) a latent-space detector using Mahalanobis distance; and (iv) explanation-driven metrics—ASD (Attribution Shift Distance) and VBAR (the fraction of adversarial samples with \(\textrm{ASD}\le \gamma \) )—to expose attribution drift caused by attacks. Under a white-box threat model with PGD (20 steps at evaluation), we test on three benchmarks—NSL-KDD, UNSW-NB15, and CIC-IDS2017. Relative to an undefended model, HAD-IDS improves robust accuracy by +28.86, +38.11, and +34.37 percentage points (pp), with clean-accuracy trade-offs of \(-1.75\) , \(-3.57\) , and \(-2.22\)  pp, respectively; averaged across datasets this yields +33.78 pp robust gain for \(-2.51\)  pp clean. Compared to strong baselines, HAD-IDS is on par with or slightly better than adversarial training alone on average, while outperforming TRADES-only (+9.06 pp) and purification-only (+14.49 pp) in robustness. Ablations show adversarial training is the primary source of robustness (removal: \(-7.25\)  pp on average), while the AE provides a small but consistent boost and enables the ASD/VBAR pathway; TRADES mainly improves clean accuracy with dataset-dependent effects on robustness. Across all datasets, the ASD distribution for adversarial samples shifts markedly to the right of clean, leading to low VBAR and supporting explanation drift as a complementary detection signal alongside Mahalanobis.