ML Security PapersUncovering and Understanding FPR Manipulation Attack in Industrial IoT Networks
Mohammad Shamim Ahsan , Peng Liu
Published on arXiv
2601.14505
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
FPA achieves 80.19%–100% attack success rate against ML-based NIDSs using non-gradient domain-specific MQTT packet perturbations, causing up to 2-hour delays in genuine alert investigations.
FPR Manipulation Attack (FPA)
Novel technique introduced
In the network security domain, due to practical issues -- including imbalanced data and heterogeneous legitimate network traffic -- adversarial attacks in machine learning-based NIDSs have been viewed as attack packets misclassified as benign. Due to this prevailing belief, the possibility of (maliciously) perturbed benign packets being misclassified as attack has been largely ignored. In this paper, we demonstrate that this is not only theoretically possible, but also a particular threat to NIDS. In particular, we uncover a practical cyberattack, FPR manipulation attack (FPA), especially targeting industrial IoT networks, where domain-specific knowledge of the widely used MQTT protocol is exploited and a systematic simple packet-level perturbation is performed to alter the labels of benign traffic samples without employing traditional gradient-based or non-gradient-based methods. The experimental evaluations demonstrate that this novel attack results in a success rate of 80.19% to 100%. In addition, while estimating impacts in the Security Operations Center, we observe that even a small fraction of false positive alerts, irrespective of different budget constraints and alert traffic intensities, can increase the delay of genuine alerts investigations up to 2 hr in a single day under normal operating conditions. Furthermore, a series of relevant statistical and XAI analyses is conducted to understand the key factors behind this remarkable success. Finally, we explore the effectiveness of the FPA packets to enhance models' robustness through adversarial training and investigate the changes in decision boundaries accordingly.
Key Contributions
- Introduces FPR Manipulation Attack (FPA), a novel adversarial attack that makes benign MQTT traffic misclassified as malicious by ML-based NIDSs — the reverse of traditional evasion attacks
- Demonstrates 80.19%–100% attack success rate using only domain knowledge-driven packet-level perturbations without gradient-based optimization
- Quantifies SOC-level operational impact: even a small FPA-inflated false positive rate can delay genuine alert investigation by up to 2 hours per day
🛡️ Threat Analysis
The paper proposes an input manipulation attack (FPA) that crafts benign network packets to cause misclassification as attack at inference time — the inverse of traditional evasion attacks. The attack operates without gradient information, using MQTT protocol domain knowledge for systematic packet-level perturbations that manipulate ML-NIDS outputs.