PROOF OF CONCEPTADVERSARIAL ML · IDS EVASION

Adversarial ML Attack Suite

Name: Moddux Platform
Author: Moddux

Constrained adversarial example generation against ML-based Network Intrusion Detection Systems — demonstrating that 99%+ accuracy classifiers can be evaded at 87% success rate, and what it takes to defend them.

87.3%

PGD evasion vs. DNN

73.2%

Transfer attack (DNN→RF)

91.8%

C&W evasion rate

89.2%

Post-defence accuracy

Attack Implementations

All attacks operate under network semantic constraints — generated adversarial flows must remain functional as attacks.

PGD (Projected Gradient Descent)

White-box

Iterative gradient ascent on the loss surface, projected back onto the semantic constraint set after each step. Strongest practical white-box attack.

87.3%

evasion rate

Carlini–Wagner L2

White-box

Constrained optimisation minimising perturbation magnitude while achieving misclassification. Highest success rate; slower than PGD.

91.8%

evasion rate

JSMA (Jacobian Saliency Map)

White-box

Targets a small subset of high-influence features using the forward derivative. Minimal perturbation; good for sparse feature manipulation.

72.1%

evasion rate

Substitute Model Transfer

Black-box

Train a substitute DNN via Jacobian-guided query augmentation. Generate adversarial examples against the substitute — they transfer to the target RF model at 73.2% success rate.

73.2%

evasion rate

Robustness Under PGD Attack

Adversarial accuracy (% of attack traffic correctly detected) under constrained PGD-40 (ε=0.05).

DNN (baseline)

clean: 99.2%adv: 12.7%

DNN (adv. trained 50%)

clean: 97.4%adv: 74.8%

Random Forest

clean: 99.7%adv: 31.4%

LSTM

clean: 98.8%adv: 44.1%

Ensemble

clean: 99.1%adv: 78.6%

Defence Countermeasures

Four evaluated defences with clean accuracy preservation and adversarial robustness trade-offs.

Defence	Clean Acc.	Adv. Acc.	Cost	Recommendation
Adversarial Training (25% ratio)	98.1%	56.3%	Low	Recommended baseline defence
Adversarial Training (50% ratio)	97.4%	74.8%	Medium	For high-security deployments
Timing Feature Removal	97.8%	48.3% (limited attack surface)	None	Remove 12 timing features; halves attack surface
Ensemble (RF + DNN + LSTM)	99.1%	78.6% (transfer: 21.4% evasion)	3× inference cost	Highest robustness against transfer attacks

Feature Constraint Taxonomy

Not all network flow features can be manipulated. The constraint taxonomy defines what's mutable without breaking the attack.

A — Freely Mutable

→ Flow Duration (+200%)
→ Fwd IAT Mean (±300%)
→ Bwd Pkt Length Mean (+50%)

No semantic coupling — changes don't affect attack functionality

B — Constrained Mutable

→ Fwd Pkts/s (±50%)
→ Pkt Size Avg (MTU bounded)
→ Flow Bytes/s (rate bounded)

Adjustable within functional bounds; too extreme breaks the connection

C — Immutable

→ Destination Port
→ Protocol (TCP/UDP)
→ TCP Flags (SYN/FIN/RST)

Changing these changes the attack itself — not mutable

D — Attack-Type Dependent

→ Packet Count (fixed for scans)
→ Payload Bytes (fixed for exploits)
→ Active Mean (flexible for beacons)

Mutability depends on the specific attack class being disguised

Research Output

This project accompanies a research paper documenting the full experimental methodology, dataset construction, and countermeasure analysis. The paper is available in the Moddux Research Papers section.

Read Research Paper →Research Overview

Loading

Initializing quantum state...

Attack Implementations

All attacks operate under network semantic constraints — generated adversarial flows must remain functional as attacks.

PGD (Projected Gradient Descent)

White-box

Iterative gradient ascent on the loss surface, projected back onto the semantic constraint set after each step. Strongest practical white-box attack.

87.3%

evasion rate

Carlini–Wagner L2

White-box

Constrained optimisation minimising perturbation magnitude while achieving misclassification. Highest success rate; slower than PGD.

91.8%

evasion rate

JSMA (Jacobian Saliency Map)

White-box

Targets a small subset of high-influence features using the forward derivative. Minimal perturbation; good for sparse feature manipulation.

72.1%

evasion rate

Substitute Model Transfer

Black-box

Train a substitute DNN via Jacobian-guided query augmentation. Generate adversarial examples against the substitute — they transfer to the target RF model at 73.2% success rate.

73.2%

evasion rate

Defence Countermeasures

Four evaluated defences with clean accuracy preservation and adversarial robustness trade-offs.

Defence	Clean Acc.	Adv. Acc.	Cost	Recommendation
Adversarial Training (25% ratio)	98.1%	56.3%	Low	Recommended baseline defence
Adversarial Training (50% ratio)	97.4%	74.8%	Medium	For high-security deployments
Timing Feature Removal	97.8%	48.3% (limited attack surface)	None	Remove 12 timing features; halves attack surface
Ensemble (RF + DNN + LSTM)	99.1%	78.6% (transfer: 21.4% evasion)	3× inference cost	Highest robustness against transfer attacks

Feature Constraint Taxonomy

Not all network flow features can be manipulated. The constraint taxonomy defines what's mutable without breaking the attack.

A — Freely Mutable

→ Flow Duration (+200%)
→ Fwd IAT Mean (±300%)
→ Bwd Pkt Length Mean (+50%)

No semantic coupling — changes don't affect attack functionality

B — Constrained Mutable

→ Fwd Pkts/s (±50%)
→ Pkt Size Avg (MTU bounded)
→ Flow Bytes/s (rate bounded)

Adjustable within functional bounds; too extreme breaks the connection

C — Immutable

→ Destination Port
→ Protocol (TCP/UDP)
→ TCP Flags (SYN/FIN/RST)

Changing these changes the attack itself — not mutable

D — Attack-Type Dependent

→ Packet Count (fixed for scans)
→ Payload Bytes (fixed for exploits)
→ Active Mean (flexible for beacons)

Mutability depends on the specific attack class being disguised