ROBUSTNESS OF DEEP INTRUSION DETECTION MODELS UNDER MASSIVE CYBERATTACKS: STRESS-TESTING AND ARCHITECTURAL FEATURES OF HYBRID AWRED
DOI: 10.31673/2412-4338.2026.019019
Abstract
The evolutionary trajectory of modern cyber threats involves a shift from isolated intrusion attempts to sophisticated, massive cyber operations capable of fundamentally altering the statistical nature of network traffic. In the context of large-scale DDoS campaigns or synchronized global botnet activities, the proportion of malicious packets within the input stream can surge rapidly, effectively transforming the anomaly into the dominant behavioral pattern. This emerging reality creates a critical barrier for traditional Deep Learning-based Network Intrusion Detection Systems (NIDS), such as autoencoders or Deep SVDD. These architectures rely on the fundamental axiom of unsupervised learning—that legitimate traffic constitutes the statistical majority. However, in scenarios of extreme data contamination, this hypothesis collapses, leading to "Model Poisoning," where the neural network erroneously adapts to the flood of attacks, interpreting it as the new normal operational mode.
This paper proposes a comprehensive solution to adversarial instability through the Hybrid AWRED (Adaptive Weighted Reconstruction with Regularized Energy and Dynamics) method. Unlike existing approaches, the presented methodology relies on a profound architectural modification of the learning process. System resilience is ensured by the synergy of adaptive error weighting, an oscillating Center Loss function, and topological stabilization. A key innovation of this research is the rejection of learning exclusively on "raw" data. For the first time, Density-Aware Input Augmentation technology is applied to enhance deep network robustness. The standard 41-feature vector was expanded to 42 features by integrating a local density score calculated using the k-Nearest Neighbors (kNN) algorithm. This metric feature acts as a "topological anchor," providing the neural network with an orientation reference independent of the global distribution.
Empirical validation was conducted on the "Hard Mode Benchmark" synthetic dataset across three distinct scenarios simulating different phases of a cyber threat: baseline background noise (1% prevalence), moderate threat escalation (17%), and critical channel saturation (50%). Comparative analysis with current SOTA architectures (DAGMM, Deep SVDD, AE, DAE) revealed a distinct degradation trajectory for the competing models. While most showed high efficiency at the 1% level, signs of instability appeared at 17%, and at the extreme 50% contamination level their efficiency collapsed to the level of random guessing (AUC < 0.35) due to feature space collapse. In contrast, Hybrid AWRED demonstrated phenomenal resilience across the entire testing spectrum, maintaining high resolution even at 50% attack prevalence, with an AUC-ROC of 0.725 and an Average Precision of 0.619. These results conclusively suggest that integrating deterministic metric algorithms into the flexible structure of deep neural networks is the only viable path for creating reliable next-generation NIDS capable of operating in hostile environments without losing situational control.
Keywords: Intrusion Detection, NIDS, Deep Learning, Hybrid AWRED, Contamination Robustness, Feature Hybridization, Deep SVDD, Adversarial Attacks, kNN.
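The density-aware input augmentation described in the abstract (a 41-feature vector extended to 42 by a kNN local density score) can be sketched as follows. This is an added example, not the paper's code. The score definition (mean Euclidean distance to the k nearest neighbours within the batch), the function names, and the constructed data are assumptions made for illustration.

```python
import numpy as np

def knn_density_score(X, k=5):
    """Mean Euclidean distance from each row to its k nearest other rows.
    Assumed definition (the abstract gives none); lower means denser."""
    X = np.asarray(X, dtype=float)
    if not 1 <= k < len(X):
        raise ValueError("need 1 <= k < number of samples")
    sq = np.sum(X * X, axis=1)
    d2 = sq[:, None] + sq[None, :] - 2.0 * (X @ X.T)  # squared pairwise distances
    np.maximum(d2, 0.0, out=d2)      # clamp tiny negatives from rounding
    np.fill_diagonal(d2, np.inf)     # a point is not its own neighbour
    nearest = np.partition(d2, k - 1, axis=1)[:, :k]
    return np.sqrt(nearest).mean(axis=1)

def augment_with_density(X, k=5):
    """Append the score as one extra column: 41 features in, 42 out."""
    X = np.asarray(X, dtype=float)
    return np.hstack([X, knn_density_score(X, k)[:, None]])

def constructed_batch(n=200, contamination=0.5, seed=0):
    """Constructed data: broad benign traffic plus a tight flood-like cluster."""
    rng = np.random.default_rng(seed)
    n_att = int(round(n * contamination))
    benign = rng.normal(0.0, 1.0, size=(n - n_att, 41))
    attack = rng.normal(4.0, 0.1, size=(n_att, 41))
    y = np.r_[np.zeros(n - n_att, dtype=int), np.ones(n_att, dtype=int)]
    return np.vstack([benign, attack]), y

def class_means(contamination, k=5):
    """Mean density score of (benign, attack) rows at a given prevalence."""
    X, y = constructed_batch(contamination=contamination)
    score = augment_with_density(X, k)[:, -1]
    return score[y == 0].mean(), score[y == 1].mean()

if __name__ == "__main__":
    for c in (0.01, 0.17, 0.50):   # prevalence levels named in the abstract
        b, a = class_means(c)
        print(f"contamination={c:.2f} benign={b:.2f} attack={a:.2f}")
```

On this constructed data the attack rows score as sparse at 1% prevalence and as dense at 50%, so the extra column describes local geometry and is an input to the detector, not a verdict on its own.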
References
- Dovzhenko, T.P. (2026). HYBRID AWRED: Synerhiia adaptyvnoi rekonstruktsii ta topolohichnoi klasteryzatsii dlia vyiavlennia anomalii u multymodalnykh danykh. Zviazok. No. 1. pp. 81-89.
- Mirsky, Y., Doitshman, T., Elovici, Y., & Shabtai, A. (2018). Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection. Proceedings of the Network and Distributed System Security Symposium (NDSS). URL: https://arxiv.org/abs/1802.09089
- Zong, B., Song, Q., Min, M. R., Cheng, W., Lumezanu, C., Cho, D., & Chen, H. (2018). Deep Autoencoding Gaussian Mixture Model for Unsupervised Anomaly Detection. International Conference on Learning Representations (ICLR). URL: https://openreview.net/forum?id=BJJLHbb0-
- Ruff, L., Vandermeulen, R., Goernitz, N., Deecke, L., Siddiqui, S. A., Binder, A., ... & Kloft, M. (2018). Deep one-class classification. International Conference on Machine Learning (ICML), 4393-4402. URL: https://proceedings.mlr.press/v80/ruff18a.html
- Goodfellow, I., Bengio, Y., & Courville, A. (2016). Deep Learning. MIT Press. URL: https://www.deeplearningbook.org/
- Kwon, D., Kim, H., Kim, J., Suh, S. C., Kim, I., & Kim, K. J. (2019). A Survey of Deep Learning-based Network Anomaly Detection. Cluster Computing, 22(1), 949-961. URL: https://link.springer.com/article/10.1007/s10586-017-1117-8
- Ring, M., Wunderlich, S., Scheuring, D., Landes, D., & Hotho, A. (2019). A Survey of Network Intrusion Detection Data Sets. Computers & Security, 86, 147-163. URL: https://arxiv.org/abs/1903.02460
- Kingma, D. P., & Ba, J. (2014). Adam: A Method for Stochastic Optimization. arXiv preprint arXiv:1412.6980. URL: https://arxiv.org/abs/1412.6980