Adversarial attacks against multi-layer perceptron on DDoS data
摘要
Multi-Layer Perceptrons are widely used for Distributed Denial-of-Service detection due to their high accuracy in distinguishing malicious from benign traffic. However, their vulnerability to adversarial perturbations, subtle input modifications that evade detection, remains largely unexplored which poses significant risks for real-world deployment. This study evaluates the susceptibility of a state-of-the-art Multi-Layer Perceptron model (Sharif et al. in IEEE Access 11:51810–51819, 2023), with a baseline accuracy of 99.1%, trained on the CICIDS2017 and CICDDoS2019 benchmarks. We demonstrate that minimal, protocol-compliant perturbations (e.g., shuffling Flow IAT Mean) reduce accuracy from 99.1 to 1.5%—exposing critical operational risks in deployed systems. Unlike prior gradient-based attacks, our method requires no internal model knowledge, enabling practical exploitation by low-resource adversaries. We explore three attack strategies: perturbing malicious samples to induce false negatives (accuracy drops to 64.5%), perturbing benign samples to amplify false positives (accuracy drops to 36.2%), and perturbing both classes simultaneously (accuracy drops to 1.5%). We further reveal that adversarial retraining only partially mitigates risks (93.4% recovery), demanding continuous defense adaptation. These findings highlight the critical need to assess adversarial risks alongside traditional performance metrics in DDoS detection systems.