International Journal of Information Security (2024) 23:2353–2376

https://doi.org/10.1007/s10207-024-00844-w

REGULAR CONTRIBUTION

Adversarial attack detection framework based on optimized weighted

conditional stepwise adversarial network
Kousik Barik1 · Sanjay Misra2,3 · Luis Fernandez-Sanz1

Accepted: 20 March 2024 / Published online: 12 April 2024

© The Author(s) 2024

Abstract
Artificial Intelligence (AI)-based IDS systems are susceptible to adversarial attacks and face challenges such as complex
evaluation methods, elevated false positive rates, absence of effective validation, and time-intensive processes. This study
proposes a WCSAN-PSO framework to detect adversarial attacks in IDS based on a weighted conditional stepwise adversarial
network (WCSAN) with a particle swarm optimization (PSO) algorithm and SVC (support vector classifier) for classification.
The Principal component analysis (PCA) and the least absolute shrinkage and selection operator (LASSO) are used for feature
selection and extraction. The PSO algorithm optimizes the parameters of the generator and discriminator in WCSAN to
improve the adversarial training of IDS. The study presented three distinct scenarios with quantitative evaluation, and the
proposed framework is evaluated with adversarial training in balanced and imbalanced data. Compared with existing studies,
the proposed framework accomplished an accuracy of 99.36% in normal and 98.55% in malicious traffic in adversarial
attacks. This study presents a comprehensive overview for researchers interested in adversarial attacks and their significance
in computer security.

Keywords Intrusion detection systems · Adversarial attack · Security · Weighted conditional stepwise adversarial network
(WCSAN) · Particle swarm optimization (PSO)

1 Introduction destructive operations, costing businesses and customers

financially. The primary objective of intrusion detection is
With the continuous evolution of the internet and widespread to differentiate between normal and abnormal information
usage, the number of network users has increased exponen- breaches [1]. Network security aims to protect systems, net-
tially. The quantity of internet-connected devices in finance works, programs, data, and user accounts from unauthorized
and e-commerce is growing, and they are evolving targets of access, modification, or disruption [2]. A single intrusion can
attacks, posing significant risk and driving significant dam- instantly render the system unavailable and impact the orga-
age. Hackers are individuals who pose a threat to information nization. IDS can be categorized into host-based (HIDS) and
systems. Hackers use network and device flaws to conduct network-based (NIDS) approaches. HIDS can observe and
evaluate the network traffic passing through its interfaces [3].
B Sanjay Misra NIDS analyzes the network traffic across the total network
[email protected] to detect known attacks [4]. DDoS attacks on a large scale,
Kousik Barik spoofing, Man-in-the-middle attacks, etc., can be used to
[email protected] conduct these malicious actions [5]. Practical procedures for
Luis Fernandez-Sanz detecting and defending against attacks and continuous mon-
[email protected] itoring are needed. Detecting different types of new attacks
is challenging [6].
1 Department of Computer Science, University of Alcala,
Detecting intrusions is a critical task in cyber security.
Madrid, Spain
Machine learning and deep learning techniques detect abnor-
2 Department of Applied Data Science, Institute for Energy
mal behavior in IDS [7]. Both linear and nonlinear ML/DL
Technology, Halden, Norway
classifiers are exposed to adversarial attacks designed to
3 Department of Computer Science and Communication,
mislead the classification model. IDSs are vulnerable to
Østfold University College, Halden, Norway

123
2354 K. Barik et al.

attacks, though they have been widely used commercially 2. To analyze the framework by incorporating feature
[8]. Conventional machine learning methods and strategies extraction (principal component analysis) and feature
are commonly employed for their high precision in detect- extraction (least absolute shrinkage and selection opera-
ing attacks and low rate of false alarms. However, they have tor)
been criticized for their failure to identify emerging threats. 3. To employ labeling attacks to identify known attacks
Conventional machine learning methods need to improve using a signature. The prediction can be made at the ini-
in detecting complex and novel attacks. Typical machine tial level, reducing bandwidth, computing resources, and
learning models cannot detect slight modifications because attack detection efficiency in IDS.
they cannot generalize information and identify new attacks 4. To generate adversarial samples based on the IDS traf-
[9]. Adversarial attacks are a significant threat to modern fic characteristics. The IDS are trained with training
AI applications, especially with the increasing use of data- datasets, including real and attack network traffic sam-
oriented techniques and internet-based applications in critical ples obtained from WCSAN.
areas such as biometric authentication and cybersecurity 5. To develop and evaluate the framework using an opti-
[10]. Adversarial attacks pose a risk when utilized to alter the mized PSO algorithm and SVC classifier with the
categorization [11]. A minor disturbance can enable malware CIC-IDS2017 dataset, which contains different types of
to bypass detection. An effective adversarial attack on an contemporary attacks in IDS.
IDS can bypass detection, posing a direct threat to machine-
learning-based intrusion detection systems [12]. The remaining paper is formulated as follows. The theo-
An adversarial example is input to IDS that an attacker retical background, related works, and problem statements
has deliberately designed to cause the model to make mis- are discussed in Sect. 2. Section 3 illustrates the proposed
classifications. Different adversarial attacks on IDS, such as framework. Section 4 describes the performance analysis and
poisoning, model extraction, evasion, and inference attacks, comparative study. The discussion is presented in Sect. 5. The
have been observed [13]. During poisoning strikes, the study limitations and future work are demonstrated in Sect. 6.
attacker introduces false data points entering the practice Finally, the paper is concluded in Sect. 7.
facility to manipulate the trained classifier into making pre-
dictions favoring the adversary. In adversarial attacks, the
attacker injects specially prepared data points into the testing
set. In model extraction attacks, the attacker pilfers trained 2 Literature review
IDS; in inference attacks, the attacker infers sensitive data
from the training set [14]. Figure 1 illustrates the different This section outlines the background of the study, includ-
adversarial attacks on IDS. The attacker injects malicious ing the theoretical concepts of IDS and adversarial attacks.
code into the training data and attempts to gain sensitive The existing studies on IDS and adversarial attack detection
information from the training data. The attacker attempts to are highlighted with challenges. The problem statement is
steal the information from the trained IDS. The IDS predicts presented.
inaccurate classification.
From the attacker’s perspective, adversarial attacks can 2.1 Theoretical background
possess changes to input data to enhance misclassification,
thereby bypassing the IDS [15]. Consequently, malicious net- Researchers have aimed to design more sophisticated algo-
work packets are frequently incorrectly labeled benign due rithms since introducing artificial intelligence. Artificial
to the intrusion classifier’s decision limits requiring clarifica- intelligence has extended, and deep learning has emerged as
tion. Therefore, these disruptions restrict the performance of a high-performing new approach [20]. This development was
detectors based on ML and DL [16]. Defending IDS against significant in machine learning due to the significantly supe-
adversarial attacks should be further assessed. Many inves- rior performance results compared to those achieved using
tigations have been carried out to detect adversarial attacks, conventional methods [21]. DL has profited from utilizing
but the detection of adversarial attacks against IDS has yet to large datasets during training in recent years and has seen
be explored more [17–19]. The motivation of this study is to hardware enhancements, particularly in GPUs [22]. Deep
design an adversarial attack mitigation strategy and analysis learning has simplified problem-solving by automating the
of IDS. The major contributions of the proposed work are as fundamental stage of machine learning known as feature
follows. extraction. Convolution is the process of integrating two sig-
nals to create a new signal. The first signal is the data, while
the subsequent is the filter [23]. DL’s flexibility is another
1. To propose a WCSAN-PSO framework for intrusion notable aspect. Deep learning requires extensive training
detection in adversarial attacks. with a larger number of samples. Due to advancements in

123
Adversarial attack detection framework based on optimized … 2355

Fig. 1 Adversarial attacks in IDS

multicore PCs and GPUs, deep learning has accelerated sig- a natural sample and the victim instance. Generative adver-
nificantly by dramatically reducing training time with large sarial networks (GANs) are a potent category of generative
datasets [24]. models that employ two networks trained concurrently in a
Security measures like authentication and access con- zero-sum game, with one network dedicated to data genera-
trol have been created to accomplish the goal of computer tion and the other to discrimination [32]. A GAN consists of
security, which is to prevent unauthorized individuals from two elements: a generator and a discriminator. The generator
accessing and altering information. These prevention mech- simulates the data distribution to create adversarial examples
anisms function as the primary line of defense [25]. The and deceive the discriminator, which attempts to differenti-
Internet’s benefits, such as easy access to vast information, ate between fake and real examples [33]. Adversarial attacks
also present the greatest risk to information security. An intru- pose evolving difficulties, requiring ML models to enhance
sion detection system (IDS) is a secondary defense measure their protection and resilience. Many studies in cybersecurity
[26]. An IDS is a combination of two phrases: intrusion and and IDS have explored the risk of adversarial examples and
detection systems. Intrusion is the unauthorized access to proposed potential strategies to counter them [34].
computer or network information intending to compromise
its CIA triad, i.e., integrity, confidentiality, or availability. A
detection system is a security measure designed to identify 2.2 Related works
illegal action. IDS is a security tool that monitors the CIA
triad [27]. Machine learning is a subset of artificial intelligence focusing
From the perspective of deployment-based IDS, it can be on algorithms and scientific models computer systems uti-
further categorized as Host-based IDS (HIDS) or Network- lize. ML involves constructing a mathematical model using
based IDS (NIDS) [28]. HIDS is installed on a single training data to make predictions or decisions [35]. ML tech-
information host. The task is to monitor all activities on a niques are commonly utilized in IDS research because they
single host, scanning for security policy violations and suspi- classify new data based on patterns from historical data. With
cious activities [29]. The primary disadvantage is the need to the advancement of deep learning methods, they began to be
deploy it on all hosts that need intrusion protection, leading extensively utilized in intrusion detection system research
to additional processing overhead for each node and ulti- [36]. Ferdowsi et al. [37] proposed a study on distributed
mately reducing the performance of the IDS. On the contrary, adversarial networks on IDS systems, and 2365 samples were
NIDS is installed on the network to safeguard all devices and considered. The authors reached both higher 20% accuracy
the entire network from intrusions. The NIDS continually and 25% precision than standalone IDS. Caminero et al.
observes network traffic to detect security breaches and viola- [38] conducted a study introducing adversarial reinforcement
tions [30]. IDS can be grouped into two categories depending learning for IDS and developed a new technique that inte-
on the model used: signature-based IDS and anomaly-based grates the environment’s behavior into the learning process.
IDS. Signature-based IDS stores pre-defined attack signa- The Random Forest, Random Tree, MLP, J48, and Naive
tures in a database and monitors the network for any matches Bayes classifiers are evaluated for performance analysis. The
against these signatures. Anomaly-based IDS monitors net- Radom Tree classifier achieved an accuracy of 96.23%, pre-
work traffic and compares it to the standard usage patterns of cision of 95.90%, f1-score of 94.80%, and recall of 95.80%.
the network [31]. Adversarial attacks create samples using Qiu et al. [39] presented a study using adversarial attacks on
network intrusion detection systems. The authors employed
two methods, i.e., reproduction of the black box model with

123
2356 K. Barik et al.

training data and feature extraction of packets. The FGSM true correspondence between MAC and IP addresses during
technique was used for iteration and achieved a 94.31% attack an attack.
success rate. Alhajjar et al. [40] presented a study using par- Pawlicki et al. [50] proposed an artificial neural network
ticle swarm optimization, genetic algorithm, and generative using an IDS to identify adversarial attacks. The false positive
adversarial networks to detect attacks in NIDS. The pro- rate of adversarial evasion attack prediction based on ANN is
posed method is applied to two datasets, i.e., NSL-KDD and higher. Taheri et al. [51] presented a study on malware detec-
UNSW-NB15, and achieves an accuracy of 98.06% using tion on adversarial mobile networks. They used a two-stage,
the PSO algorithm. The study [41] explored targeting super- real-time adversarial deep learning approach. The authors
vised techniques by creating adversarial instances utilizing presented an accuracy of 96.03% using the C4N technique in
the Jacobian-based Saliency Map attack and analyzing clas- normal conditions, but with adversarial attacks, the accuracy
sification behaviors in IDS. The authors used two methods, was reduced to 40%. Yang et al. [52] presented network-
i.e., RF and J48, and achieved a precision of 94%, recall of based intrusion detection with adversarial autoencoders with
94%, and f1-score of 94% using RF. DNN (SAVAER-DNN). The NSL-KDD and UNSW-NB15
Chatzoglou et al. [42] presented a study on attack detec- are used to evaluate the model. The proposed model yielded
tion in the IEEE 802.11 network using the AWID3 dataset. It an accuracy of 93.01% and an f-score of 93.54%. Quresh
significantly enhances and expands examining evidence of an et al. [53] proposed a study on adversarial attack detection
extensive array of attacks launched within the IEEE 802.1 X on IDS using the Jacobian Saliency Map Attacks technique.
extensible authentication protocol frameworks. Smiliotopou- They proposed an RNN-ADV model based on a radon neu-
los et al. [43] presented a comprehensive approach to iden- ral network and used the NSL-KDD dataset for training. The
tifying lateral movement, which is the tactic of an advanced proposed model achieved an accuracy of 95.6% in a normal
persistent threat group using supervised machine learning scenario, but in the adversarial scenario, the accuracy falls
methods. The authors achieved an f-score of 99.41% and by 47.58%.
an AUC of 0.998 while considering an unbalanced dataset. Debicha et al. [54] presented a study using multi-
Yu et al. [44] proposed an intrusion detection system based adversarial networks against NIDS. The authors developed
on multi-scale convolutional neural networks for network and executed transfer learning-based adversarial detectors,
security communication. The proposed deep learning based individually obtaining a subset of the data handed via the IDS.
on the MSCNN model is tested on five different types of The proposed model is evaluated using the CIS-IDS2017
attacks and achieves an enhanced accuracy of 4.27% reached and NSL-KDD datasets. The proposed DNN-IDS model
to others. Chatzoglou et al. [45] studied machine learning- yielded an attack detection rate of 71.69% and 74.05% using
driven IDS to identify Wi-Fi threats behind schedule. The the NSL-KDD and CIS-IDS2017 datasets in the adversarial
authors used the 802.11 security-based AWID dataset. The scenarios. Roshan et al. [55] presented a study generating
study achieved an f1-score of 99.55% and 97.55% using adversarial methods using the Fast Gradient Sign Method,
shallow and deep learning techniques repetitively without Jacobian Saliency Map Attack, Carlini & Wagner, and Pro-
optimization. Khan et al. [46] explored an in-depth study jected Gradient Descent in NIDS. The CIS-IDS2017 dataset
of IDS based on deep learning methods with various IDS. was used. The authors demonstrated an accuracy of 98.7%
The public IDS datasets are comprehensively analyzed and using the FSGM method in adversarial conditions. Alotaibi
discussed in the research. The study demonstrated various et al. [56] presented a study on the sustainability of deep
performance criteria used objectively to assess deep learning learning-based techniques on IDS using adversarial attacks.
approaches for IDS. The authors further highlighted the chal- The study proposed a CNN-based IDS model, and the CIS-
lenges and solutions while implementing IDS. Chatzoglou IDS2017 dataset has been used. Different techniques are used
et al. [47] studied detecting application layer attacks on Wi-Fi to generate adversarial attacks. The proposed model yielded
networks and used the AWID3 dataset. The study considered an accuracy of 89.40% in adversarial attack detection. Paya
802.11 and non-802.11 network protocol features. The dif- et al. [57] proposed a method of detecting adversarial attacks
ferent classifiers are DT, LightGBM, and Bagging. MLP and against machine learning in IDS. The proposed model uses
AE were used to evaluate the performance and presented an various classifiers to determine intrusions and utilizes Multi-
attack detection performance of 96.7%. Usmani et al. [48] Armed Bandits with Thompson sampling to choose the
examined distributed DOS and detected DOS. It’s difficult optimal classifier for each input dynamically. The authors
to stop these attacks early. The authors used deep learning demonstrated an accuracy of 93.04%. The existing IDS attack
based on the long short-term memory technique and deci- detection studies are summarized in Table 1.
sion tree to classify ARP Spoofing attacks. They presented an Based on the review of existing studies, some research
accuracy of 99% and 100% utilizing LSTM and DT, respec- specifically concentrates on identifying DDoS attacks. Other
tively. Ramachandran et al. [49] designed an active method
for detecting ARP spoofing. It can accurately identify the

123
Adversarial attack detection framework based on optimized … 2357

Table 1 Summary of existing IDS attack detection studies

References no Method Dataset Outcome Gaps

Ferdowsi et al. [37] GAN-based IDS, ANN IoTD Accuracy 89%, Focused ANN to identify
attacks and
time-consuming
process
Caminero et al. [38] RF, RT, MLP, J48, and NB NSL-KDD Accuracy 80%, F1 score Focused on detecting
79% IDS attacks but not
considered
optimization
techniques
Qiu et al. [39] DNN, FGSM Mirai Attack success rate Focused attack detection
94.31% is DL-based NIDS but
has not been
considered an
optimization method
Alhajjar et al. [40] DT, PSO, GA, LDA, KNN NSL-KDD, Accuracy 98.06% Parameter optimization
UNSW-NB15 is not considered
Anthi et al. [41] J48, RF, JSMA Power plant F-score 80% in Feature selection and
adversarial conditions optimization are not
considered
Pawlicki et al. [50] ANN, RF, AdaBoost, SVM CIS-IDS2017, Precision 11%, recall Not focused on feature
99%, f1-score 20% extraction and
optimization
Taheri et al. [51] Robust-NN, C4N Drebin, Contagio, F1-score 69.29%, Recall Not focused on data
Genome 69.73%, Precision preprocessing and
68.86% feature selection
Yang et al. [52] SAVAER-DNN NSL-KDD, Accuracy 93.01%, Two datasets are
UNSW-NB15 F-score 93.54% combined, but
preprocessing, feature
extraction and
optimization are not
considered
Qureshi et al. [53] RNN-ADV, JSMA,MLP NSL-KDD Accuracy in normal Not focused on the
conditions of 63.41%. implementation model
Accuracy 71.38%,
Precision 47.23% in
adversarial attack using
RNN-ADV IDS model
Debicha et al. [54] DNN-IDS, NSL-KDD, Accuracy 74.05% using The study did not focus
FSGM,PGD,CQ,DF, CIC-IDS2017 the DNN-IDS model in on preprocessing,
adversarial conditions feature extraction, and
optimization
techniques
Roshan et al. [55] FGSM, JSMA, PGD, CIC-IDS2017 Accuracy 98.7% in The study did not focus
C&W, adversarial attack on feature extraction or
scenario using FGSM explore the impact of
method balanced and
unbalanced data in
adversarial scenarios
Alotaibi et al. [56] CNN, FGSM,BIM,PGD, CIC-IDS2017 Accuracy 89.40% using Not focused on
Auto-PGD the CNN-IDS model in processing, bias in the
adversarial conditions dataset
Paya et al. [57] Apollon-IDS, MLP, CIC-IDS2017, Accuracy 93.04%, The model takes more
RF,LR,NB CSE-CIC-IDS-2018, F1-score 88.35%, using training time and
CIC-DDoS-2019 Apollon-IDS computation resources

123
2358 K. Barik et al.

Table 1 (continued)

References no Method Dataset Outcome Gaps

Proposed WCSAN-PSO PCA, LASCO,WCSAN, CIC-IDS2017 Improved accuracy, The study uses the PCA,
framework PSO, SVC precision, and AUC LASCO, WCSAN,
value in adversarial PSO, and SVC
attack detection techniques to design
the WCSAN-PSO
framework

significant attacks are not considered. Likewise, a straight- by IDS. The processing of the IDS model is defined by 0
forward ANN was deployed in one case, processing with- g : i → o. These algorithms are vulnerable to malicious
out feature selection, and no optimization techniques were attacks, in which a malicious attacker known as an adver-
applied. Similarly, a fundamental artificial neural network sary deliberately alters the input data to mislead the learning
was used in one case, operating without feature selection algorithm into misclassification. The adversarial sample is
and without applying any optimization techniques. Also, in defined using Eq. 1.
a few studies, the proposed IDS model with machine and
deep learning performed well in normal scenarios. However, i∗  i + δ (1)
the accuracy and other evaluation parameters are decreased
in an adversarial attack scenario. Most existing approaches where i ∗ means the adversarial example generated from i
demonstrated in this study for detecting machine and deep and δ means the magnitude of the adversarial perturbation.
learning are the main targets of adversarial attacks. Still, they Adversarial sample generation and training of IDS for classi-
are complex evaluation processes with high false positive fying training samples into true and adversarial instances are
rates, no effective validations, time-consuming processes, required. The loss associated with adversarial sample gener-
require higher bandwidth and high computing resources for ation can be minimized using Eq. 2.
processing, challenge in maintenance, and larger memory
consumption. Further, ML and DL-based IDS are vulnerable argminδ, i ∗  i (2)
to adversarial attacks. Unknown adversarial attacks can still
bypass machine and deep learning-based IDS because they The probability (Padv ) of training data belonging to a spe-
are trained on known adversarial attacks, which is a shortfall cific class m (m  true or adversarial) misclassified by the
in the adversarial training process. discriminator module is determined using Eq. 3.
To overcome the existing research gap, the proposed
framework is designed with a unique attack leveling pat- Nmisclassi f ied
Padv  (3)
tern while maintaining and updating the signature database Ttrain
so that in case any known attack is detected. The prediction
can be made at the initial level, reducing bandwidth, com- Nmisclassi f ied indicates the number of training instances
puting resources, and attack detection efficiency in IDS. The misclassified by the discriminator. Ttrain indicates the total
proposed framework utilizes a WCSAN to construct a cor- training instances.
rected training data set with correct labels. PCA has adopted The objective function for optimizing the adversarial train-
feature extraction and LASSO for feature selection. The PSO ing dataset for IDS is defined by Eq. 4.
algorithm optimizes the parameters of the generator and dis-
criminator in WCSAN to enhance the adversarial training of G adv  w1 .δ + w2 .Padv (4)
IDS.
Objective function minimization is the optimization prob-
lem for developing a corrected adversarial training dataset for
2.3 Problem statement IDS. Table 2 depicts the notations of the problem definition.

IDS is used to automate a variety of cybersecurity responsi-

bilities. Most of these techniques employ supervised learning 3 Methodology
algorithms, which rely on data from the specific field to train
the method to classify arriving information into clusters. Let This section describes the proposed WCSAN-PSO-based
i denote the clean malicious traffic data from a given dataset, framework. The proposed framework is illustrated in Fig. 2.
and o denote the predicted class of network traffic sample First, the publicly available CIC-IDS2017 dataset [58]

123
Adversarial attack detection framework based on optimized … 2359

Table 2 Notations of problem definition or patterns connected to particular sorts of attacks. The sys-
tem can effectively identify well-known attack patterns by
Symbols Description Problem definition
employing and updating signatures based on the known
i* Adversarial sample for Injection of i* into input attacks. High bandwidth utilization and computing pro-
data ‘i’ data forces IDS to cesses for device connection could be drawbacks of existing
larger approaches. This system alleviates the problem by effectively
misclassifications managing signatures and minimizes the data that must be
δ The magnitude of the The magnitude of sent over the network. The IDS is trained on a corrected
adversarial adversarial
perturbation perturbation influences
adversarial training dataset to classify true and adversar-
adversarial training ial samples. Finally, IDS is trained on true network traffic
against unknown data to classify the true samples into benign and malicious
adversarial attacks instances. The efficiency of the IDS is validated with the pro-
Padv Probability of Padv affects the posed WCSAN-PSO-based adversary training by comparing
misclassifications by adversarial training of
without adversary training and classification with the SVC
the discriminator IDS
classifier.
Gadv The objective function Gadv must be minimized
for optimizing the for efficient
adversarial training adversarial training of
dataset for IDS IDS

(https://www.unb.ca/cic/datasets/ids-2017.html) is collected
and normalized using preprocessing. Network traffic PCA 3.1 Data collection
extracts features and selects the feature using LASSO. These
methods are further complemented by the subsequent steps This study uses the publicly available Canadian Institute for
involving labeling attacks and managing signature lists, Cybersecurity CIS-IDS2017 dataset ( https://www.unb.ca/
resulting in reduced system bandwidth usage and stream- cic/datasets/ids-2017.html). The dataset is available in both
lined computing processes. Then, WCSAN is employed to CSV and PCAPs format. It includes most updated attacks like
create a corrected training dataset with correct labels of Bot, PortScan, Infiltration, Web Attack Brute Force, Web
true and adversarial network traffic instances for IDS adver- Attack Sql Injection, Heartbleed, SSH-Patator, DoS Hulk,
sarial training. PSO optimizes the parameters of WCSAN FTP-Patator, DoSGoldenEye, Web Attack XSS and DoSs-
to enhance the adversarial training process. The primary lowloris, and normal records. The CIC Flow Meter analyzes
focus of the proposed framework is leveraging signatures the network traffic features of this dataset. Table 3 shows the
to identify destructive patterns. Signatures are distinct traits description of the dataset.

Fig. 2 The proposed framework

123
2360 K. Barik et al.

Table 3 Description of the dataset where j shows the decision made in the example n  1, and…,
j
Dataset Normal Attack Total
Step 2: Employing the sample mean, the covariance matrix
Training 49105 – 49,104 for the test set is computed using Eq. 7.
Testing 59,415 1966 12,277
1
j
Total 108,520 1966 61,381 P (h a − ∝)(h a − ∝)o (7)
j
a1

3.2 Data preprocessing using normalization where P is the sample set’s correlation matrix.
Step 3: The feature values and vectors of the samples’
Each network traffic feature sample is preprocessed to covariance matrix may be identified using Eqs. 8, 9, and 10.
remove the irrelevant network traffic features. Noisy data can
insignificantly influence the forecast of any influential data. P  K ..K T (8)
The missing values and noises are moved from the dataset in  
data cleaning [59]. The labels in the dataset have string values   diag λ1 , λ2, ..., λs λ1 ≥ λ2 ≥ . . . ≥ λs ≥ 0 (9)
encoded into numerical values corresponding to each label.
Before feeding the dataset to IDS, the features are correctly  
K  k1 , k2, ..., ks (10)
scaled to 0 and 1 to avoid some features overlooking others
[60]. The maximum normalization approach is employed. P is the quality values of m covariance matrices that have
Assume the variables as a x  a yx , . . . . . . .., amx , where x ∈ been organized diagonally and are down-ordered; attribute
n, y ∈ m. The number of variables is defined by ‘n,’ and the values of covariance matrices λj are shown below, together
number of data corresponding to each variable is defined by with the property vector. kj Of feature value λj is used to
’m’. The normalization for each network traffic variable is create a quality matrix. K, i  1…, s.
performed using Eq. 5. Step 4: For the first l-row main items, use Eq. 11 to cal-
culate the cumulative deviations pension contribution using
a yx − min(a x ) feature vectors and feature ratings produced from the first
G xy  (5) l-row primary components.
max(a x ) − min(a x )
l 
θ j1 λ j
n
where G xy
defines the standardized value of a specific vari- i1 λ j
(11)
able, and a yx denotes the actual value of a specific variable.
Min (a x ) and max (a x ) refer to the minimum and maximum where θ shows the cumulative variations contribution level
value of a variable a x correspondingly. of the past l-row fundamental modules and is typically equal
to or more than 0.9, the component should, in theory, be
3.3 Principle component analysis using feature as high. The component θ of has to be properly chosen for a
extraction problem to be resolved from a realistic viewpoint. Particulars
of an originally restated selection: If the value is properly
Using PCA, essential features that contribute to the PCA selected, the main components for k-row collection may be
intrusion detection process are extracted from the prepro- determined.
cessed feature set. PCA has been widely used because of its Step 5: Utilize and reduce the collected vector size with
simplicity, ease of understanding, and lack of constraining q-row features using Eqs. 12 and 13.
parameters. Employing PCA, m-dimensional network traffic
variables can be l-dimensional reduction network traffic fea- A  Kl (12)
tures [61]. To fulfill its dimension reduction objectives, the
PCA eliminates data duplication, compromising the smallest X  A.Y (13)
quantity of information. These steps of PCA are as follows.
Step 1: The stages are grouped into PCA using Eq. 6 The relevance of quality for the first k-row (l ≤ n), P is
among the following groups: h  h 1 , h 2 , . . . .., h J . a matching quality vector, was used to create the character-
istic matrix. A feature’s first k rows matrix Q l , should be
filled. Unbent information may then be converted from m-
1
j
∝ ha (6) dimensional (Y) into linear (X), the dimensions needed for
j linearization.
n1

123
Adversarial attack detection framework based on optimized … 2361

3.4 LASSO-based feature selection and labeling Table 4 Log entry of labeled data
attack detection
Classification Log Label Predicted
label
A safe and effective method for selecting a small number
of significant network traffic characteristics from the above- 0 BENIGN Non-attack Non-attack
obtained feature set is feature selection. These methods 1 Bot Attack Attack
usually remove superfluous or inconsequential functionali- PortScan Attack Attack
ties or characteristics deeply correlated in the information Infiltration Attack Attack
without causing significant data loss [62]. It is a popular
Web Attack Attack Attack
model for simplifying translation and ramping up supposi- Brute Force
tion by lowering variance. The estimated LASSO function Web Attack Sql Attack Attack
can be calculated using Eqs. 14, 15, and 16. Injection
⎧ ⎫ Heartbleed Attack Attack
⎛ ⎞2
⎪
⎨1  ⎪
M t t  ⎬ SSH-Patator Attack Attack
β lasso  arg β min ⎝ j y − β0 − ix y βy ⎠ + λ β y 
⎪
⎩ 2 x1 y1 ⎪
⎭
DDoS Attack Attack
y1
DoS Hulk Attack Attack
(14)
FTP-Patator Attack Attack
⎛ ⎞2

M 
t DoSGoldenEye Attack Attack
β lasso  arg β min ⎝ j y − β0 − ix y βy ⎠ (15) Web Attack XSS Attack Attack
x1 y1 DoSslowloris Attack Attack

t
 
β y  ≤ p (16)
y1 posed framework quickly recognizes the attack and does not
need further processing if the acquired data sample matches
LASSO replaces each correlation value with a continu- known attack signatures. The IDS decides whether to gener-
ous component that shortens at zero. Anticipating the feature ate alerts, take appropriate action in response, or do additional
selection technique is advantageous. It reduces the unutilized analysis based on the labeled data. This approach reduces the
sum of squares forced to submit to a total of the entire corre- total amount of data sent over the network, which assists in
lation coefficient estimation to less than full conformity. The preserving bandwidth resources while maintaining the accu-
LASSO improves the direct learning model, precision, and racy of threat detection through signatures.
accuracy by combining the benefits of perimeter depressive
episodes and subset shortlisting. 3.5 Handling the class imbalance problem
A data instance’s label indicates whether the instance is
normal or suspicious. The labeled data set for training is The class imbalance is a common problem in IDS. The sub-
obtained. Anomaly behaviors are often dynamic; for exam- stantial difference between the number of typical scenarios
ple, new anomalies can develop without labeled training and the low frequency of attack cases is the root cause of
information. This work used four classification levels, pre- this problem. The synthetic minority oversampling technique
sented in Table 4: 0 for begin network traffic as non-attack, (SMOTE) is used in this study to address the issue. The
1 for attacks. If any attack is an attack, the types of attacks SMOTE technique interpolates between the given data points
are maintained and updated in the dataset so that similar to generate fictional cases for the underrepresented class.
attacks can be predicted earlier while consuming bandwidth The preprocessed data are correctly handled, which includes
and computing resources. The flow diagram for maintain- encoding class variables, deleting unnecessary features, and
ing the attack dataset and attack labeling is demonstrated handling missing values [7]. The datasets are then split into
in Fig. 3. Initially, information about network traffic behav- training and testing datasets associated with characteristics
ior is gathered for system analysis. After data gathering, the (a) and labels (b). The instances are built using the SMOTE
information is labeled to differentiate between known and training set of data using Eq. 17.
unknown behavior. The system uses the suggested frame-
work to identify and categorize unknown or novel assaults asynthetic  aminorit y + randomnumber
when it detects one different from known signatures. The pro-
∗ (n − aminorit y) (17)

123
2362 K. Barik et al.

Fig. 3 Flow diagram of labeling

Fig. 4 Architecture of the WCSAN-based IDS

123
Adversarial attack detection framework based on optimized … 2363

Let’s assume there is a dataset with labels b and work traffic samples. Game training is used to modify model
features a. The K-nearest neighbors of each minority feature weights between the network entities to update the
instance,a_minorit y, from the minority class must be model’s generalization capacity. The output of the discrimi-
located. In (a_minorit y), a synthetic instance a_synthetic nator can be defined using 19.
is created for every neighbor n. The random number that 
controls the interpolation between a_minorit y and n is a 1, I j isadver sarial
random number between 0 and 1. OD  (19)
0, I j istr ue

3.6 Weighted conditional stepwise adversarial where I j means the j th sample of the adversarial train-
network particle swarm optimization ing dataset (I’ ), and O D means the adversarial classification
(WCSAN-PSO) result of the discriminator (D). The adversarial classifica-
tion result of the discriminator is that one of the samples
3.6.1 Weighted conditional stepwise adversarial network is predicted as adversarial and zero if the sample is true.
(WCSAN) The corrected training dataset containing correct labels of
true and fake network traffic records obtained from the dis-
The generator (G) generates adversarial network traffic fea- criminator is provided to the IDS. The proposed architecture
ture values from the network traffic records. The generator is shown in Fig. 4. The discriminator module’s corrected
is based on a convolutional neural network. It includes the training dataset is useful to identify and resist adversarial
input, convolutional, pooling, and output layers [63]. Net- attempts to IDS. First, the IDS is trained to discriminate
work traffic data, which usually includes features, is received between samples that are categorized as adversarial sam-
by the input layer of WCSAN-based IDS. This data forms the ples and samples that are true instances. The IDS acquires
basis for further analysis. G takes true network traffic features the capacity to distinguish between efforts at subversion by
and Gaussian noises δ as input and generates an adversarial adversaries and normal network traffic during the training
network traffic feature vector using Eq. 18. This generated phase. Then, the IDS continues a further training program to
feature vector is labeled as an adversarial traffic sample. distinguish between two types of network data: malicious and
 ∗  ∗ ∗  benign. The IDS can distinguish between malicious activity
I  i 1 , i 2 , . . . . . . , i h∗ , i ∗  i (18) that could be an attack and regular network traffic, which
  does not affect the system’s performance due to its dual clas-
where I ∗ means the adversarial network traffic feature vec-
sification capacity.
tor, i indicates the clean network traffic features, and i ∗ means
The corrected training dataset obtained from the discrim-
the adversarial network traffic features. The adversarial train-
inator module is used to train the IDS on adversarial attacks.
ing dataset combines true (clean) and adversarial network
The IDS is initially trained to classify samples into true and
traffic features. This adversarial training dataset is sent as
adversarial instances. Then, the IDS are trained to categorize
input to the discriminator module of WCSAN. The discrim-
the true network activity samples into benign and malicious
inator module of WCSAN is designed based on a neural
network data. The proposed algorithm for WCSAN-based
network. Discriminators are trained on an adversarial training
adversarial classification is presented in Algorithm 1.
dataset (I’) to distinguish between true and adversarial net-

123
2364 K. Barik et al.

Algorithm 1 WCSAN-based adversarial classification

The flow diagram of the WCSAN-based adversarial clas- swarm, and each material can represent an effective solution
sification is presented in Fig. 5. to the issue.

 e∗ Bx + f 1 ∗ Rand() ∗ (tx − I x )
p+1 p p p
Bx
3.6.2 Particle swarm optimization (PSO)
+ f 2∗ Rand() ∗ (tk − I x )
p p
(20)
PSO optimizes the parameters of the generator and discrimi- p+1
Ix
p
 Bx + Bx
p+1
(21)
nator modules of WCSAN to enhance the performance of the
adversarial training of IDS. The PSO algorithm is associated I x  (I x1 , I x2 , .., I x M ) (22)
with the social behavior of birds flocking and fish school-
ing [64]. When an independent fish or bird (quantum-state) Bx  (Bx1 , Bx2 , .., Bx M ) (23)
decides on where to keep moving, three components are rec-
ognized at the same time: (a) its prevailing movable strategy where x represents the number of active nodes, p is the num-
(rate of change) based upon that inertia of the movement, (b) ber of points, and B and I are the granules’ kinetic energy and
it is ideal position so far with, and (c) the most robust option placement matrices. Equations 22 and 23 show that M par-
that its neighbor particles have accomplished thus far using ticle dimensions can represent B and I in an N-dimensional
Eqs. 20 and 21. In the automated system, the particles form a problem (22).

123
Adversarial attack detection framework based on optimized … 2365

Algorithm 2 PSO algorithm

The inertia weight e adjusts the predisposition to enhance

global adventure (smaller e). The natural inclination to 4 Result and analysis
accommodate local adventure (larger e) to fine-tune this same
current search agent (larger e), Rand (), comes back with a This section presents the analysis of IDS with the WCSAN-
spontaneous ranging between [0, 1], and f 1 and f 2 are con- PSO framework in classifying network traffic into benign
stant operating numbers used to control the influence of tx and malicious samples. The evaluations are employed in the
and tk . After each particle’s velocity has been updated, the Python environment. The experimental setup was carried out
locations of the particles are updated using Eq. 23. Equa- on a single PC with 64-bit Windows 11 and an Intel Pentium
tions 24 and 25 construct the particles’ initial position and CPU with 32 GB RAM and 500 GB SSD. The study uses
velocity vectors. an SVC classifier for classification [65]. The performance
indicators for the analysis of the proposed framework are
I x, g  Imin + (Imax − Imin ) × q1 (24) precision, accuracy, F1-score, recall, ROC, and AUC value,
which are explained below.
Accuracy is the proportion of correct classifications of
Bx, g  Bmin + (Bmax − Bmin ) × q2 (25)
network traffic instances out of total samples made by the
The PSO algorithm is presented in Algorithm 2. IDS, using Eq. 26.

l +m
Accuracy  (26)
l +m+n+0

123
2366 K. Barik et al.

The weighted ratio is the F1-score of recall and precision,

using Eq. 29.

2 ∗ pr ecision ∗ r ecall
F1 − scor e  (29)
pr ecision + r ecall

The Detection Rate (DR) can be defined using Eq. 30.

TP
DR  (30)
TP + FN

where TP stands for True Positive and FN for False Negative.

The Area Under the ROC Curve (AUC) is a commonly
utilized performance measure in classification assignments.
The metric quantifies the ability of a classification model
to differentiate between positive and negative instances by
calculating the probability that a randomly selected positive
instance will be ranked higher than a randomly selected neg-
ative instance. The ROC curve illustrates the relationship
between the true positive rate (DR) and the false positive
rate (1-specificity) across different classification points, with
specificity calculated using Eq. 31.

TN
specificity  (31)
TN + FP

Fig. 5 Flow diagram of WCSAN where TN stands for True Negative and FP for False Positive.
The AUC is the area under the curve, ranging from 0 to
1. A value of 1 signifies an ideal classifier, while a 0.5 value
where l (known as true positive) denotes the quantity of true indicates an ineffective classifier. Greater AUC values sig-
malicious network traffic instances correctly classified as nify superior model performance in differentiating between
malicious network traffic instances, m (known as true neg- positive and negative samples.
ative) indicates the amount of true benign network traffic To evaluate the effectiveness of the proposed IDS with
instances accurately categorized as benign network traffic the WCSAN-PSO defense framework in adversarial attacks,
instances, n (false positive) represents the number of true we have chosen the attack leveling, as illustrated in Fig. 3.
benign network traffic instances misclassified as malicious Three scenarios are presented in this section, demonstrated
network traffic instances, and o (false negative) denotes the in Fig. 6. In the first scenario, the IDS is trained with the
number of true malicious network traffic instances misclas- original network traffic dataset and generates network traffic
sified as benign network traffic. samples with no defence mechanism and without an adver-
Precision is determined as the proportion of network traf- sarial attack dataset. In the second scenario, the IDS is trained
fic samples correctly identified as malicious out of samples with the original network traffic dataset and adversarial sam-
identified as malicious instances, using Eq. 27. ples generated from WSCAN with no defence mechanism.
The classification is based on an imbalanced dataset for the
first and second scenarios. In the third scenario, IDS is trained
l with the original network traffic dataset, adversarial samples
Pr ecision  (27)
l +n generated from WSCAN, and a corrected training dataset
with a defence mechanism. The proposed framework is eval-
uated in both balanced and imbalanced datasets.
The recall is defined as the proportion of network traffic
samples correctly identified as malicious out of total mali-
4.1 Scenario 1
cious network traffic samples, using Eq. 28.
The original network traffic dataset is pre-processed and nor-
l malized, features are extracted using PCA, and features are
Recall  (28) selected using LASCO. The attacks are leveled. Network
l +o

123
Adversarial attack detection framework based on optimized … 2367

Fig. 6 Three evaluation scenarios for the analysis of IDS in adversarial attacks

Table 5 Transformed extracted features with generated network samples and original network dataset

PC1 PC2 PC3 PC4 PC5 PC6 PC7 PC8 PC9 PC10

− 2.3874579 − 0.0520089 0.4039036 − 0.4212386 − 0.4444382 − 1.0774039 0.2511127 0.183508 − 0.2085869 − 0.0637675
− 2.800229 − 0.298451 0.5778567 1.9874548 − 0.1287246 − 0.8104782 − 1.700661 1.3027706 0.1607661 − 0.1771233
0.7000989 1.4046537 − 4.1112846 − 0.889538 − 0.4381019 0.0350623 1.0478822 − 1.0805345 0.0869719 0.0903951
0.685761 1.2945483 − 3.7652078 − 0.9346478 − 0.1077882 − 0.0921702 1.039185 − 0.8611829 0.0214558 0.0956127
0.3151581 2.0196977 − 1.5316126 − 1.2665882 0.5241469 − 0.7385545 0.8348879 − 0.3901929 − 0.3537512 0.0472945

samples are generated and combined with the original traf- Table 6 The IDS before adversarial attacks on the dataset
fic to the dataset to train the IDS with no adversarial attack
Performance indicators Category Outcome (%)
samples and without a defense mechanism. The imbalanced
dataset is used, and the transformed extracted features with Accuracy Benign 93.58
the combination of generated network samples and the orig- Malicious 90.74
inal network dataset are illustrated in Table 5. The outcomes
Precision Benign 70.67
are tested with the testing dataset.
Malicious 68.35
The four performance evaluation parameters considered
Recall Benign 78.58
are accuracy, recall, F1-score, and precision. The outcomes
are presented in Table 6, and it achieved an accuracy of Malicious 77.67
93.58% in detecting normal traffic and 90.74% in detect- F1-score Benign 75.12
ing malicious traffic without an adversarial scenario and no Malicious 74.89
defense mechanism.
Figure 7 demonstrates the Receiver Operating Character-
istic (ROC) curve with the Area under the ROC Curve (AUC) 4.2 Scenario 2
value and shows an AUC value of 0.92 in the imbalanced
dataset in scenario 1. In scenario 2, the adversarial samples are generated with
WCSAN. The IDS is trained with the original network

123
2368 K. Barik et al.

Fig. 7 ROC Curve with the AUC

value

dataset, and the adversarial samples are generated using the Table 8 IDS performance after adversarial attacks with no defense
WCSAN with no defence mechanism and without adversar-
Performance indicators Category Outcome (%)
ial training. The imbalanced dataset is used in scenario 2, and
the transformed extracted features with the combined adver- Accuracy Benign 92.78
sarial sample and the original training dataset are illustrated Malicious 85.72
in Table 7. The outcomes are tested with the testing dataset.
Precision Benign 74.67
The four performance evaluation parameters considered
Malicious 69.35
are accuracy, recall, F1-score, and precision. The outcomes
Recall Benign 77.58
are presented in Table 8. The IDS yielded in the detection of
normal packets an accuracy of 92.78%, precision of 74.67%, Malicious 73.67
recall of 77.58%, and f1-score of 75.12% in an adversarial F1-score Benign 75.12
attack scenario. In detecting attacks, IDS achieved an accu- Malicious 75.89
racy of 85.72%, precision of 69.35%, recall of 73.67%, and
f1-score of 75.89% in adversarial attack scenarios. How-
ever, the accuracy, precision, recall, and F1-score of the for 1000 iterations to check the performance in determin-
IDS with no defense mechanism, tested on a network traf- ing adversarial samples from each 200 iterations. The scatter
fic dataset with adversarial samples, was lower than the one plot of true versus adversarial samples for the WCSAN
without adversarial examples. This signifies that the adver- method is illustrated in Fig. 8. The orange distinguishes
sarial attacks generated by the WCSAN compromise the true network traffic samples, and the blue indicates adver-
performance of the IDS compared to scenario 1. Adversarial sarial samples. Table 9 depicts the classification accuracy of
samples increase the number of false positives and force the the discriminator of WCSAN for real and adversarial sam-
IDS to learn erroneous decision limits, as seen by the decrease ple discrimination. PSO significantly enhances the WCSAN
in IDS performance in an adversarial environment. This sig- method’s accurate and adversarial sample discrimination per-
nifies that the outcome is impacted by detecting adversarial formance.
attacks in scenario 2. Figure 9 demonstrates the ROC curve with the AUC value
The performance of the IDS with WCSAN-PSO-based and shows an AUC value of 0.84 in the imbalanced dataset
adversarial training is further tested. The WCSAN is trained in scenario 2.

Table 7 Transformed extracted features with the combined adversarial sample and the original training dataset

PC1 PC2 PC3 PC4 PC5 PC6 PC7 PC8 PC9 PC10

0.8488575 0.7560821 0.8146192 0.6425675 0.3576311 0.4183124 0.8347974 0.8718762 0.8269289 0.8409152
0.9046618 0.8666568 0.7539278 0.8956943 0.7569068 0.7451112 0.9503375 0.642829 0.9042664 0.9279852
0.4679091 0.3894138 0.7861135 0.6702121 0.6995128 0.7555856 0.9398418 0.8276241 0.6017654 0.936344
0.7794187 0.8210003 0.8543053 0.7655664 0.8767144 0.5711125 0.5910316 0.6405485 0.6951845 − 0.1163267
0.9054413 0.8010286 0.8662278 0.7714617 0.7346173 0.9112899 0.9548118 0.9651832 0.8967986 0.3505101

123
Adversarial attack detection framework based on optimized … 2369

Fig. 8 Scatter plot of true versus adversarial samples in WCSAN a after 200 iterations. b After 400 iterations. c After 600 iterations. d After 800
iterations. e After 1000 iterations

Table 9 Classification accuracy of discriminator of WCSAN using a balanced and imbalanced dataset. The value counts
for each data class in imbalanced and balanced datasets are
Iteration Real sample Adversarial sample
shown in Fig. 10 (a) and (b), respectively.
199 0.98317855 1 It demonstrates that the value counts are not equal in an
399 0.98317855 1
imbalanced dataset, and the value counts for all classes are
equal when the data are balanced. The extracted transformed
599 0.98319892 1
combined features for the corrected training and adversarial
799 0.98319892 1
samples dataset generated by WCSAN-PSO for the imbal-
999 0.98315819 1
anced dataset are demonstrated in Table 10 and 11.
Figure 11 illustrates the confusion matrix for classifying
network traffic samples into benign and attack samples by
4.3 Scenario 3 IDS with WCSAN-PSO-based adversarial training in the bal-
anced dataset.
In scenario 3, The IDS is further trained on the combined Table 12 exhibits the proposed framework’s accuracy, pre-
dataset, i.e., the normal original traffic and adversarial sam- cision, recall, and f1-score in detecting adversarial attacks
ples generated from scenario 2. The IDS is trained with a with defense mechanisms in normal and malicious scenar-
corrected adversarial training dataset generated using the ios with adversarial training in the balanced dataset. Further,
proposed WCSAN-PSO defense. The common problem in using a signature database is maintained for the known attack;
machine learning is addressing class imbalance, especially it predicts initially without using bandwidth and computing
in IDS. The SMOTE is used in this study to address the resources. Once an unknown attack is detected, the proposed
data transformation issue from unbalanced to balanced. The framework updates the signature database so that a similar
proposed framework is evaluated on both balanced and attack can be predicted at the initial stage next time. This sig-
imbalanced datasets. The third evaluation scenario with the nificantly enhanced the robustness and performance of the
WCSAN-PSO defense mechanism with adversarial training framework. The proposed framework achieved an accuracy
in the adversarial scenario is depicted in Fig. 6 and evaluated of 99.36%, a precision of 98.96%, a recall of 97.56%, and

123
2370 K. Barik et al.

Fig. 9 ROC curve with the AUC

value

Fig. 10 Value counts for each

class a imbalanced dataset.
b balanced dataset

Table 10 Transformed extracted features for the corrected training dataset and adversarial sample in the imbalanced dataset

PC1 PC2 PC3 PC4 PC5 PC6 PC7 PC8 PC9 PC10

0.1635971 0.2862763 − 0.3474317 − 0.9001193 0.9156828 − 0.2313149 − 0.790592 0.4767821 0.4169529 − 0.3781796
0.6447493 0.4485475 − 0.8793359 − 0.8039202 0.4526681 − 0.6978667 0.2069586 0.8472676 0.5431126 0.3478841
−0.3650534 0.6004493 − 0.3187721 − 0.6268917 0.4436878 − 0.5397366 − 0.1966288 0.3021472 0.3040808 0.206059
0.0454293 0.2957718 − 0.5242466 − 0.9403765 0.9371705 0.0972641 − 0.8363273 0.4402154 0.2895089 − 0.2385539
0.3529987 0.7379372 0.3213875 − 0.5913125 0.5550004 0.6555107 − 0.8531961 0.3473344 0.0643052 − 0.3071494

an f1-score of 95.54% in identifying normal samples. Mean- Figure 12 displays the ROC curve with the AUC value for
while, detecting attacks yielded an accuracy of 98.55%, a classifying network traffic samples into benign and attack
precision of 97.33%, a recall of 94.96%, and an f1-score samples by the proposed framework using the balanced
of 93.81%. This symbolizes that the proposed framework dataset and achieving an AUC value of 0.99.
enhances the performance of detecting malicious attacks in Table 13 displays the proposed framework’s accuracy,
adversarial scenarios after applying the defense mechanism precision, recall, f1-score, and AUC value in detecting adver-
compared to scenario 2. sarial attacks with adversarial training with the imbalanced
dataset. The proposed framework performed an accuracy of

Table 11 Transformed extracted features for the corrected training dataset and adversarial sample in the balanced dataset

PC1 PC2 PC3 PC4 PC5 Pc6 PC7 PC8 PC9 PC10

0.7412561 0.3977996 0.6727271 0.7125944 0.5600536 0.7012566 0.7008215 0.8453897 0.6375687 0.7290632
0.9150863 0.9467107 0.5309644 0.8906117 0.9469074 0.572613 0.954946 0.975059 0.6177086 0.946415
0.9024052 0.8110246 0.0832738 0.860105 0.4311961 0.9057025 0.8233756 0.9682738 0.742722 0.8514427
0.7307583 0.7950293 0.1272996 0.6692681 0.5939809 0.7015559 0.7232251 0.8969641 0.5855946 0.7693119
0.9715712 0.9447051 0.279698 0.9250448 0.6990635 0.5575316 0.9361724 0.8332815 0.8031395 0.9500042

123
Adversarial attack detection framework based on optimized … 2371

Fig. 11 Confusion matrix in the

balanced dataset

Table 12 Performance analysis of the proposed framework in the bal- Table 13 Performance analysis of the proposed framework in the imbal-
anced dataset anced dataset

Performance indicators Category Proposed Performance indicators Category Proposed

Accuracy Benign 99.36 Accuracy Benign 98.92

Malicious 98.55 Malicious 95.55
Precision Benign 98.96 Precision Benign 97.95
Malicious 97.33 Malicious 92.53
Recall Benign 97.56 Recall Benign 96.58
Malicious 94.96 Malicious 91.54
F1-score Benign 95.54 F1-score Benign 92.64
Malicious 93.81 Malicious 92.35

Figure 13 illustrates the ROC curve with the AUC value

using an imbalanced dataset, which yielded an AUC value of
98.92%, a precision of 97.95%, a recall of 96.58%, and an 0.97.
f1-score of 92.64% in identifying normal samples. However, The summary of the comparative performance analysis of
detecting attacks achieved an accuracy of 95.55%, a precision the proposed framework using a balanced and imbalanced
of 92.53%, a recall of 91.54%, and an f1-score of 92.35%. dataset is depicted in Fig. 14. The AUC value in the balanced

Fig. 12 ROC curve with AUC

score in the balanced dataset

123
2372 K. Barik et al.

Fig. 13 ROC curve with AUC

value in the imbalanced dataset

Fig. 14 Outcome comparison 100

with the imbalanced and 98
balanced dataset 96
94
Outcome (%)

92
90
88
86
84
82
80
Benign Malicious Benign Malicious Benign Malicious Benign Malicious
Accuracy Precision Recall F1-score

Proposed (Inbalanced dataset ) Proposed (Balanced dataset)

dataset is 0.99, as demonstrated in Fig. 12, whereas using is essential to safeguarding computer networks and sys-
the imbalanced dataset is 0.97, as presented in Fig. 13. It tems. Traditional IDS, however, are susceptible to adversarial
indicates that the performance of the proposed framework is attacks, in which hackers modify or obscure network traffic to
consistent but slightly better in the balanced dataset. avoid detection. Inadequate capacity for identifying known
The outcome of the proposed framework is compared network attacks at the beginning stage, high false alarm rates,
based on adversarial attack detection on IDS with the exist- and inadequate feature engineering and selection increase the
ing studies, namely IDS-ANN [50], C4N [51], RNN-ADV usage of high bandwidth and compute resources. IDS should
[53], DNN-IDS [54], JSMA [55], CNN-IDS [56] and Apol- successfully classify large-scale intrusion data in the complex
lon [57]. The comparative analysis with the existing studies is network application environment. The proposed approach
presented in Table 14 and Fig. 15. The proposed framework addresses the issues by incorporating adequate feature selec-
achieved an accuracy of 98.55%, followed by IDS-ANN with tion. extraction and maintaining updated signature-based
an accuracy of 60%, C4N of 76.93%, RNN-ADV of 71.38%, systems, identifying the known attack at the initial stage and
DNN-IDS of 74.05%, JSMA of 97.3%, CNN-IDS of 89.4% thus reducing computing resources.
and Apollon of 93.04%. The proposed framework yielded a Three scenarios are presented in this study, demonstrated
precision of 97.33%, and JSMA demonstrates a precision of in Fig. 6. In the first scenario, the IDS is trained with the
97.3%. original imbalanced dataset, and network samples are gener-
ated and tested with no defense technique. The details of
the outcome with the SVC classifier are demonstrated in
Table 6, and an accuracy of 93.58% in normal and 90.74%
5 Discussion in attack detection is achieved. In the second scenario, the
IDS model with no defense mechanism is trained using the
The identification and mitigation of malicious behavior and original network traffic dataset and generated adversarial
breaches of security is the preliminary function of IDS, which samples from the WCSAN, as demonstrated in Algorithm

123
Adversarial attack detection framework based on optimized … 2373

Table 14 Comparative analysis

with the existing studies Performance IDS- C4N RNN- DNN- JSMA CNN- Apollon Proposed
indicators ANN ADV IDS IDS

Accuracy 60 76.93 71.38 74.05 97.3 89.4 93.04 98.55

Precision 60 68.86 47.23 76.25 97.3 89.1 93.1 97.33
Recall 91 69.73 31.22 75.2 97.3 88.3 92.24 94.96
F1-score 11 69.29 37.59 74.22 97.3 89.21 88.35 93.81

Fig. 15 Performance evaluations 100

with the existing studies 90
80
Outcome (%) 70
60
50
40
30
20
10
0
Accuracy Precision Recall F1-score
IDS-ANN C4N RNN-ADV DNN-IDS JSMA CNN-IDS Apollon Proposed

1. The performance is evaluated on the test imbalanced of known and unknown types while maintaining attack
dataset, and an accuracy of 92.78% in normal packets and signature datasets. An increase in the intrusion detection
85.72% in attack detection is achieved, as demonstrated in performance of IDS with WCSAN-PSO-based adversarial
Table 8 with the SVC classifier. This symbolizes that the training in adversarial conditions demonstrates that it pushed
adversarial attacks generated by the WCSAN reduce the the IDS to learn and train efficiently between benign and
performance of the IDS. The IDS is further trained with malicious network traffic. The framework can be adapted to
a corrected adversarial training dataset generated using the emerging adversarial techniques and attack patterns. Also,
proposed WCSAN-PSO defense in scenario 3. It is tested the proposed framework can be scaled to manage large
on a dataset with an updated signature-based mechanism, datasets and high-throughput environments, making them
as demonstrated in Fig. 3. The PSO optimization is demon- suitable for real-time and high-performance applications in
strated in Algorithm 2. The proposed framework is evaluated adversarial environments.
in balanced and unbalanced datasets to validate its effective-
ness. The proposed framework in adversarial attacks with a
defense mechanism achieved an accuracy of 99.36% in nor- 6 Limitations and future work
mal and 98.55% in detecting malicious attacks, as depicted in
Table 12. The ROC curve with AUC value is demonstrated in 6.1 Limitations
Figs. 12 and 13 for balanced and imbalanced datasets, which
signifies the performance is consistent but slightly better in This analysis of the study is based on one publicly available
the balanced dataset. dataset. The study mainly concentrated on the attacks present
The comparative analysis with the existing studies in in the dataset. The adversarial environment is extensive
adversarial attack scenarios is presented in Table 14 and and constantly changing. Focusing solely on these partic-
Fig. 15. However, it should be noted that existing stud- ular attacks may cover a partial range of threats faced in
ies are performed in different environments. The proposed real-world situations. The experiment used static datasets,
framework accomplished an accuracy of 98.55%, whereas which may not fully represent network traffic’s dynamic and
IDS-ANN of 60%, C4N of 76.93%, RNN-ADV of 71.38%, evolving nature and adversarial behaviors. Real-world IDS
DNN-IDS of 74.05%, JSMA of 97.3%, CNN-IDS of 89.4% function in dynamic settings, and the research results may not
and Apollon of 93.04% in adversarial attack detection. The completely correspond with these functional complications.
process is similar to adversarial sample generation. However, The study examined different adversarial defense methods,
the proposed framework is distinct since it uses WCSAN- but it was necessary to analyze all potential defense tools
PSO to make IDS more resistant to adversarial concerns comprehensively. Various defense strategies could produce

123
2374 K. Barik et al.

varying outcomes, necessitating further research. The study extended by considering different types of attacks, datasets,
predominantly utilized traditional evaluation metrics such and optimization techniques to enhance attack detection,
as accuracy, precision, recall, f1-score, and AUC. Although accuracy, and efficiency in reducing high false positive rates.
informative, these metrics must fully encompass the impact
Author contributions Kousik Barik(KB), Sanjay Misra(SM), Luis Fer-
of adversarial attacks on IDS systems. Further metrics and
nandez Sanz(LFS), KB and SM conceptualize the topic. KB, SM, and
practical testing could offer a more thorough evaluation. LFS are involved in Methodology, investigation, and validation. SM and
LFS supervised the whole work. All authors reviewed the manuscript.
6.2 Future work
Funding Open access funding provided by Institute for Energy Tech-
nology.
Future research can explore the impact of emerging adver-
sarial attack techniques on NIDS systems. It is paramount to Data availability The data is available at https://www.unb.ca/cic/data
stay updated on developing attack strategies to improve the sets/ids-2017.html.
resilience of NIDS. There is a tremendous opportunity to cre-
ate a strong new framework to resist adversarial attacks for Declarations
IDS. This framework should surpass existing known attacks
Conflict of interest Authors do not have any financial or non-financial
and adjust to new threats, enhancing NIDS systems against interests that are directly or indirectly related to the work submitted for
adversarial attacks. Incorporating comprehensibility and publication.
model interpretation into NIDS models indicates significant
potential. Explicit model predictions help analysts quickly Ethical approval No ethical approval is required based on the following
a. This article does not contain any studies with animals performed by
detect adversarial attacks and develop efficient responses. any of the authors. b. This article does not contain any studies with
Heuristic-based solutions are proficient at identifying new human participants or animals performed by any of the authors.
and unfamiliar threats, whereas verified countermeasures
efficiently combat recognized threats. Combining the two Open Access This article is licensed under a Creative Commons Attri-
bution 4.0 International License, which permits use, sharing, adaptation,
achieves a thorough threat range, minimizing the chances distribution and reproduction in any medium or format, as long as you
of missing threats and triggering false alarms. Therefore, give appropriate credit to the original author(s) and the source, pro-
it would be a useful direction for research. The proposed vide a link to the Creative Commons licence, and indicate if changes
framework can be extended by using different attacks and were made. The images or other third party material in this article are
included in the article’s Creative Commons licence, unless indicated
live datasets. otherwise in a credit line to the material. If material is not included in
the article’s Creative Commons licence and your intended use is not
permitted by statutory regulation or exceeds the permitted use, you will
7 Conclusion need to obtain permission directly from the copyright holder. To view a
copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

This study presented a proposed WCSAN-PSO-based frame-

work on a weighted conditional stepwise adversarial network
with particle swarm optimization and support vector classi-
fier for classification to effectively detect adversarial attacks References
in IDS. The framework uses updated signature-based attack
detection to predict known attacks in the first stage, which 1. Ince, K.: A novel approach for intrusion detection systems: V-IDS.
Turk. J. Electr. Eng. Comput. Sci. 29(4), 1929–1943 (2021)
reduces computing resources. The study analyzed adversarial
2. Chimuco, F.T., Sequeiros, J.B., Lopes, C.G., Simões, T.M., Freire,
attacks and defense mechanisms through three comprehen- M.M., Inácio, P.R.: Secure cloud-based mobile apps: attack taxon-
sive scenarios with practical and quantitative evaluation. The omy, requirements, mechanisms, tests and automation. Int. J. Inf.
proposed framework achieved an accuracy of 99.36% in Secur. 22(4), 833–867 (2023)
3. Amro, A., Gkioulos, V.: Cyber risk management for autonomous
determining normal traffic and 98.55% in identifying mali- passenger ships using threat-informed defense-in-depth. Int. J. Inf.
cious traffic in an adversarial attack scenario. The proposed Secur. 22(1), 249–288 (2023)
framework yielded an AUC value of 0.99 in the balanced 4. He, K., Kim, D.D., Asghar, M.R.: Adversarial machine learning
dataset and 0.97 using an imbalanced dataset, which sig- for network intrusion detection systems: a comprehensive survey.
IEEE Commun. Surv. Tutor. 25(1), 538–566 (2023)
nifies consistency. Adversaries may modify many network 5. Javaheri, D., Gorgin, S., Lee, J.A., Masdari, M.: Fuzzy logic-based
traffic features without affecting network behavior, making DDoS attacks and network traffic anomaly detection methods: clas-
it difficult to detect intrusions. The future goal is to study sification, overview, and future perspectives. Inf. Sci. 626, 315–338
the impact of the proposed framework on various ML and (2023)
6. Park, N.E., Lee, Y.R., Joo, S., Kim, S.Y., Kim, S.H., Park, J.Y., Lee,
DL techniques. This approach can be expanded to explore I.G.: Performance evaluation of a fast and efficient intrusion detec-
the transferability concept in adversarial machine learning tion framework for advanced persistent threat-based cyberattacks.
with advanced techniques. The proposed framework can be Comput. Electr. Eng. 105, 108548 (2023)

123
Adversarial attack detection framework based on optimized … 2375

7. Xu, H., Sun, Z., Cao, Y., Bilal, H.: A data-driven approach for 27. Molina-Coronado, B., Mori, U., Mendiburu, A., Miguel-Alonso,
intrusion and anomaly detection using automated machine learning J.: Survey of network intrusion detection methods from the per-
for the Internet of Things. Soft. Comput. 27(19), 14469–14481 spective of the knowledge discovery in databases process. IEEE
(2023) Trans. Netw. Serv. Manage. 17(4), 2451–2479 (2020)
8. Lampe, B., Meng, W.: Intrusion detection in the automotive 28. Ahmad, Z., Shahid Khan, A., Wai Shiang, C., Abdullah, J., Ahmad,
domain: A comprehensive review. IEEE Commun. Surv. Tutor. F.: Network intrusion detection system: a systematic study of
(2023). https://doi.org/10.1109/COMST.2023.3309864 machine learning and deep learning approaches. Trans. Emerg.
9. Saheed, Y.K., Misra, S.: A voting gray wolf optimizer-based Telecommun. Technol. 32(1), e4150 (2021)
ensemble learning models for intrusion detection in the Internet of 29. Martins, I., Resende, J.S., Sousa, P.R., Silva, S., Antunes, L., Gama,
Things. Int. J. Inf. Secur. (2024). https://doi.org/10.1007/s10207- J.: Host-based IDS: a review and open issues of an anomaly detec-
023-00803-x tion system in IoT. Futur. Gener. Comput. Syst. 133, 95–113 (2022)
10. Goyal, S., Doddapaneni, S., Khapra, M.M., Ravindran, B.: A sur- 30. Chaabouni, N., Mosbah, M., Zemmari, A., Sauvignac, C., Faruki,
vey of adversarial defenses and robustness in nlp. ACM Comput. P.: Network intrusion detection for IoT security based on learning
Surv. 55(14s), 1–39 (2023) techniques. IEEE Commun. Surv. Tutor. 21(3), 2671–2701 (2019)
11. Rosenberg, I., Shabtai, A., Elovici, Y., Rokach, L.: Adversarial 31. Dutt, I., Borah, S., Maitra, I.K.: Immune system based intrusion
machine learning attacks and defense methods in the cyber security detection system (IS-IDS): A proposed model. IEEE Access 8,
domain. ACM Comput. Surv. (CSUR) 54(5), 1–36 (2021) 34929–34941 (2020)
12. Apruzzese, G., Andreolini, M., Ferretti, L., Marchetti, M., Cola- 32. Goodfellow, I. J., Shlens, J., & Szegedy, C. (2014). Explaining and
janni, M.: Modeling realistic adversarial attacks against network harnessing adversarial examples. arXiv preprint arXiv:1412.6572.
intrusion detection systems. Digital Threats 3(3), 1–19 (2022) 33. Deldjoo, Y., Noia, T.D., Merra, F.A.: A survey on adversarial rec-
13. Catillo, M., Del Vecchio, A., Pecchia, A., & Villano, U. (2023). A ommender systems: from attack defense strategies to generative
case study with CICIDS2017 on the robustness of machine learning adversarial networks. ACM Comput. Surv. (CSUR) 54(2), 1–38
against adversarial attacks in intrusion detection. In Proceedings (2021)
of the 18th international conference on availability, reliability and 34. Alatwi, H. A., & Morisset, C. (2021). Adversarial machine learning
security (pp. 1–8). in network intrusion detection domain: A systematic review. arXiv
14. Lansky, J., Ali, S., Mohammadi, M., Majeed, M.K., Karim, S.H.T., preprint arXiv:2112.03315
Rashidi, S., Rahmani, A.M.: Deep learning-based intrusion detec- 35. Hernandez-Ramos, J. L., Karopoulos, G., Chatzoglou, E., Kou-
tion systems: a systematic review. IEEE Access 9, 101574–101599 liaridis, V., Marmol, E., Gonzalez-Vidal, A., & Kambourakis, G.
(2021) (2023). Intrusion Detection based on Federated Learning: a sys-
15. Kuzlu, M., Catak, F.O., Cali, U., Catak, E., Guler, O.: Adversarial tematic review. arXiv preprint arXiv:2308.09522.
security mitigations of mmWave beamforming prediction models 36. Papamartzivanos, D., Mármol, F.G., Kambourakis, G.: Introduc-
using defensive distillation and adversarial retraining. Int. J. Inf. ing deep learning self-adaptive misuse network intrusion detection
Secur. 22(2), 319–332 (2022) systems. IEEE Access 7, 13546–13560 (2019)
16. Vitorino, J., Praça, I., Maia, E.: SoK: Realistic adversarial attacks 37. Ferdowsi, A., & Saad, W. (2019, December). Generative adver-
and defenses for intelligent network intrusion detection. Comput. sarial networks for distributed intrusion detection in the internet of
Secur. 134, 103433 (2023) things. In 2019 IEEE global communications conference (GLOBE-
17. Alhussien, N., Aleroud, A., Melhem, A., Khamaiseh, S.Y.: Con- COM) (pp. 1–6). IEEE.
straining adversarial attacks on network intrusion detection sys- 38. Caminero, G., Lopez-Martin, M., Carro, B.: Adversarial envi-
tems: transferability and defense analysis. IEEE Trans. Netw. Serv. ronment reinforcement learning algorithm for intrusion detection.
Manag. (2024). https://doi.org/10.1109/TNSM.2024.3357316 Comput. Netw. 159, 96–109 (2019)
18. Liu, Y., Xu, L., Yang, S., Zhao, D., Li, X.: Adversarial sample 39. Qiu, H., Dong, T., Zhang, T., Lu, J., Memmi, G., Qiu, M.: Adver-
attacks and defenses based on LSTM-ED in industrial control sys- sarial attacks against network intrusion detection in IoT systems.
tems. Comput. Secur. 140, 103750 (2024) IEEE Internet Things J. 8(13), 10327–10335 (2020)
19. Sarker, I.H.: Machine learning: algorithms, real-world applications 40. Alhajjar, E., Maxwell, P., Bastian, N.: Adversarial machine learning
and research directions. SN computer science 2(3), 160 (2021) in network intrusion detection systems. Expert Syst. Appl. 186,
20. Darwish, A., Hassanien, A.E., Das, S.: A survey of swarm and 115782 (2021)
evolutionary computing approaches for deep learning. Artif. Intell. 41. Anthi, E., Williams, L., Rhode, M., Burnap, P., Wedgbury, A.:
Rev. 53, 1767–1812 (2020) Adversarial attacks on machine learning cybersecurity defences in
21. Bottou, L., Curtis, F.E., Nocedal, J.: Optimization methods for industrial control systems. J. Inf. Secur. Appl. 58, 102717 (2021)
large-scale machine learning. SIAM Rev. 60(2), 223–311 (2018) 42. Chatzoglou, E., Kambourakis, G., Kolias, C.: Empirical evaluation
22. Mayer, R., Jacobsen, H.A.: Scalable deep learning on distributed of attacks against IEEE 802.11 enterprise networks: the AWID3
infrastructures: Challenges, techniques, and tools. ACM Comput- dataset. IEEE Access 9, 34188–34205 (2021)
ing Surveys (CSUR) 53(1), 1–37 (2020) 43. Smiliotopoulos, C., Kambourakis, G., Barbatsalou, K.: On the
23. Zhao, R., Yan, R., Chen, Z., Mao, K., Wang, P., Gao, R.X.: Deep detection of lateral movement through supervised machine learn-
learning and its applications to machine health monitoring. Mech. ing and an open-source tool to create turnkey datasets from Sysmon
Syst. Signal Process. 115, 213–237 (2019) logs. Int. J. Inf. Secur. 22, 1893–1919 (2023)
24. Thompson, N. C., Greenewald, K., Lee, K., & Manso, G. F. (2020). 44. Yu, J., Ye, X., Li, H.: A high precision intrusion detection system
The computational limits of deep learning. arXiv preprint arXiv: for network security communication based on multi-scale convo-
2007.05558. lutional neural network. Futur. Gener. Comput. Syst. 129, 399–406
25. Biermann, E., Cloete, E., Venter, L.M.: A comparison of intrusion (2022)
detection systems. Comput. Secur. 20(8), 676–683 (2001) 45. Chatzoglou, E., Kambourakis, G., Kolias, C., Smiliotopoulos, C.:
26. Depren, O., Topallar, M., Anarim, E., Ciliz, M.K.: An intelligent Pick quality over quantity: expert feature selection and data pre-
intrusion detection system (IDS) for anomaly and misuse detection processing for 802.11 intrusion detection systems. IEEE Access
in computer networks. Expert Syst. Appl. 29(4), 713–722 (2005) 10, 64761–64784 (2022)
46. Khan, A.R., Kashif, M., Jhaveri, R.H., Raut, R., Saba, T., Bahaj,
S.A.: Deep learning for intrusion detection and security of Internet

123
2376 K. Barik et al.

of things (IoT): current analysis, challenges, and possible solutions. 58. Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating
Secur. Commun. Netw. (2022). https://doi.org/10.1155/2022/40 a new intrusion detection dataset and intrusion traffic characteriza-
16073 tion. ICISSp 1, 108–116 (2018)
47. Chatzoglou, E., Kambourakis, G., Smiliotopoulos, C., Kolias, C.: 59. Gudivada, V., Apon, A., Ding, J.: Data quality considerations for
Best of both worlds: Detecting application layer attacks through big data and machine learning: going beyond data cleaning and
802.11 and non-802.11 features. Sensors 22(15), 5633 (2022) transformations. Int. J. Adv. Softw. 10(1), 1–20 (2017)
48. Usmani, M., Anwar, M., Farooq, K., Ahmed, G., & Siddiqui, S. 60. Elmasry, W., Akbulut, A., Zaim, A.H.: Evolving deep learning
(2022). Predicting ARP spoofing with machine learning. In 2022 architectures for network intrusion detection using a double PSO
international conference on emerging trends in smart technologies metaheuristic. Comput. Netw. 168, 107042 (2020)
(ICETST) (pp. 1–6). IEEE. 61. Rm, S.P., Maddikunta, P.K.R., Parimala, M., Koppu, S., Gadekallu,
49. Ramachandran, V., & Nandi, S. (2005). Detecting ARP spoofing: T.R., Chowdhary, C.L., Alazab, M.: An effective feature engineer-
an active technique. In: Information systems security: first interna- ing for DNN using hybrid PCA-GWO for intrusion detection in
tional conference, ICISS 2005, Kolkata, India, December 19–21, IoMT architecture. Comput. Commun. 160, 139–149 (2020)
2005. Proceedings 1 (pp. 239-250). Springer Berlin Heidelberg 62. Li, F., Lai, L., Cui, S.: On the adversarial robustness of LASSO
50. Pawlicki, M., Choraś, M., Kozik, R.: Defending network intrusion based feature selection. IEEE Trans. Signal Process. 69, 5555–5567
detection systems against adversarial evasion attacks. Futur. Gener. (2021)
Comput. Syst. 110, 148–154 (2020) 63. Zhong, G., Liu, F., Jiang, J., Chen, C.P.: CauseFormer: interpretable
51. Taheri, R., Javidan, R., Pooranian, Z.: Adversarial android malware anomaly detection with stepwise attention for cloud service. IEEE
detection for mobile multimedia applications in IoT environments. Trans. Netw. Serv. Manag. (2023). https://doi.org/10.1109/TNSM.
Multimed. Tools Appl. 80, 16713–16729 (2021) 2023.3299846
52. Yang, Y., Zheng, K., Wu, B., Yang, Y., Wang, X.: Network intrusion 64. Donkol, A.A.E.B., Hafez, A.G., Hussein, A.I., Mabrook, M.M.:
detection based on supervised adversarial variational auto-encoder Optimization of intrusion detection using likely point PSO and
with regularization. IEEE access 8, 42169–42184 (2020) enhanced LSTM-RNN hybrid technique in communication net-
53. Qureshi, A.U.H., Larijani, H., Yousefi, M., Adeel, A., Mtetwa, works. IEEE Access 11, 9469–9482 (2023)
N.: An adversarial approach for intrusion detection systems using 65. Alsarhan, A., Alauthman, M., Alshdaifat, E.A., Al-Ghuwairi, A.R.,
jacobian saliency map attacks (jsma) algorithm. Computers 9(3), Al-Dubai, A.: Machine Learning-driven optimization for SVM-
58 (2020) based intrusion detection system in vehicular ad hoc networks. J.
54. Debicha, I., Bauwens, R., Debatty, T., Dricot, J.M., Kenaza, T., Ambient. Intell. Humaniz. Comput. 14(5), 6113–6122 (2023)
Mees, W.: TAD: Transfer learning-based multi-adversarial detec-
tion of evasion attacks against network intrusion detection systems.
Futur. Gener. Comput. Syst. 138, 185–197 (2023)
Publisher’s Note Springer Nature remains neutral with regard to juris-
55. Roshan, K., Zafar, A., Haque, S.B.U.: Untargeted white-box adver-
dictional claims in published maps and institutional affiliations.
sarial attack with heuristic defence methods in real-time deep
learning based network intrusion detection system. Comput. Com-
mun. 218, 97–113 (2023)
56. Alotaibi, A., Rassam, M.A.: Enhancing the sustainability of
deep-learning-based network intrusion detection classifiers against
adversarial attacks. Sustainability 15(12), 9801 (2023)
57. Paya, A., Arroni, S., García-Díaz, V., Gómez, A.: Apollon: a robust
defense system against adversarial machine learning attacks in
intrusion detection systems. Comput. Secur. 136, 103546 (2024)

123