Adversarial robustness evaluation of hybrid CNN-LSTM-transformer NIDS on evolving threats

[EN]Current Network Intrusion Detection Systems (NIDS) often fail to detect adversarial evasion attacks, creating critical security blind spots. To address this, we propose a standardized adversarial evaluation protocol that quantifies performance degradation against Fast Gradient Sign Method (FGSM)...

Descripción completa

Detalles Bibliográficos
Autores: González Ramos, Juan Antonio, Abril Domingo, Evaristo José, Fernández Reguero, Patricia, Prieto Tejedor, Javier, Chamoso Santos, Pablo
Tipo de recurso: artículo
Estado:Versión publicada
Fecha de publicación:2026
País:España
Institución:Universidad de Salamanca (USAL)
Repositorio:GREDOS. Repositorio Institucional de la Universidad de Salamanca
OAI Identifier:oai:dnet:gredos______::b3339865c1cf5fb1b6e8955a173b52d4
Acceso en línea:http://hdl.handle.net/10366/171053
Access Level:acceso abierto
Palabra clave:Network intrusion detection
Adversarial robustness
Deep learning
Hybrid architecture
CICIoT2023
1203.04 Inteligencia Artificial
Descripción
Sumario:[EN]Current Network Intrusion Detection Systems (NIDS) often fail to detect adversarial evasion attacks, creating critical security blind spots. To address this, we propose a standardized adversarial evaluation protocol that quantifies performance degradation against Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and AutoAttack ensemble attacks, establishing empirically observed performance bounds. We implemented a high-throughput hybrid architecture combining 1D-CNN, Bidirectional LSTM, and Transformer mechanisms, designed specifically to balance varying traffic dynamics and robustness. Unlike prior studies that report only clean-data accuracy, our evaluation of UNSW-NB15, CICIDS2017, and CICIoT2023 demonstrates competitive performance (e.g., strong multi-class F1 scores) while revealing robustness profiles up to an operational limit of e=0.05. Crucially, we validated our results under a temporal split using the official UNSW-NB15 train/test partition, confirming that binary detection (94.20% accuracy, 95.69% F1) generalizes under distribution shift. We further compared the proposed method with PGD-based adversarial training (PGD-AT) to quantify the robustness–accuracy trade-off. Our results advocate the use of security curves as a standard metric for NIDS validation in hostile environments.