Breaking Transferability by Design: Gradient-Misaligned Ensembles for IDS

Add a transferability penalty to ensemble training that explicitly minimizes cosine similarity between input gradients (or loss Hessian eigenvectors) of ensemble members, subject to maintaining high clean and adversarial accuracy. At inference, use diversified votes or a learned gate. Optionally, adversarially co-train the ensemble against a learned surrogate to harden against Guo et al.’s (Secur. Commun. Netw. 2021) black-box substitution attacks. Tafreshian & Zhang (TrustCom 2024) use ensembles among other techniques but don’t optimize them to be non-transferable. This proposes a differentiable objective that shapes the decision boundary geometry to disrupt transfer (i.e., reduce gradient alignment), bridging theory and practice on why transfer works. Targets the specific attack vector demonstrated by Guo et al. (2021)—transfer from a substitute trained on query feedback. Surveys highlight transfer attacks and the need for real-time, scalable defenses; ensemble gradient diversification is training-time overhead with minimal inference cost. Transferability is a major enabler for practical black-box attacks. Breaking alignment directly attacks the mechanism attackers exploit while retaining standard IDS performance. Impact: A general recipe to degrade black-box success across modalities (network flows, spectrogram-based RFF, logs), complementing adversarial training without requiring attacker knowledge.

References:

1. A Black-Box Attack Method against Machine-Learning-Based Anomaly Network Flow Detection Models. Sensen Guo, Jinxiong Zhao, Xiaoyu Li, Junhong Duan, Dejun Mu, Xiao Jing (2021). Secur. Commun. Networks.
2. A Defensive Framework Against Adversarial Attacks on Machine Learning-Based Network Intrusion Detection Systems. Benyamin Tafreshian, Shengzhi Zhang (2024). International Conference on Trust, Security and Privacy in Computing and Communications.