GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems

Jianjin Zhao; Dongqi Han; Chao Ma; Qi Li; Zhiwei Cui; Hongliang Zhu; Hua Zhang; Mingshu He; Yijun Lu; Jiong Dong; Yuyin Ma; Meng Shen

doi:10.1145/3774904.3792601

GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems

Jianjin Zhao
, Dongqi Han
, Chao Ma
, Qi Li^*
, Zhiwei Cui
, Hongliang Zhu
, Hua Zhang
, Mingshu He
, Yijun Lu
, Jiong Dong
, Yuyin Ma
, Meng Shen

^*Corresponding author for this work

School of Cyberspace Science and Technology

Beijing University of Posts and Telecommunications
Waseda University
Xuchang University
Xinjiang University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Graph-based Network Intrusion Detection Systems (GNIDS) have emerged as a promising solution by capturing sophisticated interaction patterns through inter-flow analysis. However, their robustness remains a critical yet unexplored issue. Despite efforts devoted to GNIDS robustness evaluation, most of them exclusively focus on feature attacks while neglecting topological vulnerabilities. Moreover, many studies either oversimplify the adversary by adopting random topology perturbations, or conversely assume unrealistic adversary's knowledge and capabilities, such as privileged network access or complete graph awareness. The lack of practical robustness evaluation severely hinders the deployment of GNIDS in real-world security applications. To fill this gap, we propose GIANT, a structure-agnostic practical adversarial attack framework for comprehensive robustness evaluation of GNIDS. Different from prior methods that perturb flow features or presuppose a fixed graph construction mode, GIANT injects extra adversarial network flows without altering existing traffic data to jointly manipulate graph topology and flow features, ensuring transferability across diverse GNIDS. Specifically, GIANT first transforms network flows into a hypothetical line graph and then performs a two-phase attack to determine adversarial flow endpoints and optimize adversarial flow features, balancing maximum adversarial impact and stealthiness. The iterative injection of adversarial flows induces erroneous decisions in the target GNIDS. Extensive experiments on two public datasets covering IoT and cloud environments validate GIANT's effectiveness, transferability, and efficiency against existing attack methods, providing a practical robustness evaluation solution for GNIDS, and offering critical insights into their fundamental vulnerabilities.

Original language	English
Title of host publication	WWW 2026 - Proceedings of the ACM Web Conference 2026
Publisher	Association for Computing Machinery, Inc
Pages	3347-3357
Number of pages	11
ISBN (Electronic)	9798400723070
DOIs	https://doi.org/10.1145/3774904.3792601
Publication status	Published - 12 Apr 2026
Event	35th ACM Web Conference, WWW 2026 - Dubai, United Arab Emirates Duration: 29 Jun 2026 → 3 Jul 2026

Publication series

Name	WWW 2026 - Proceedings of the ACM Web Conference 2026

Conference

Conference	35th ACM Web Conference, WWW 2026
Country/Territory	United Arab Emirates
City	Dubai
Period	29/06/26 → 3/07/26

Keywords

adversarial attacks
graph neural networks
network intrusion detection systems

Access to Document

10.1145/3774904.3792601

Cite this

Zhao, J., Han, D., Ma, C., Li, Q., Cui, Z., Zhu, H., Zhang, H., He, M., Lu, Y., Dong, J., Ma, Y., & Shen, M. (2026). GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems. In WWW 2026 - Proceedings of the ACM Web Conference 2026 (pp. 3347-3357). (WWW 2026 - Proceedings of the ACM Web Conference 2026). Association for Computing Machinery, Inc. https://doi.org/10.1145/3774904.3792601

@inproceedings{70806da2d7bc4f459eda0a8ccbf952c3,

title = "GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems",

abstract = "Graph-based Network Intrusion Detection Systems (GNIDS) have emerged as a promising solution by capturing sophisticated interaction patterns through inter-flow analysis. However, their robustness remains a critical yet unexplored issue. Despite efforts devoted to GNIDS robustness evaluation, most of them exclusively focus on feature attacks while neglecting topological vulnerabilities. Moreover, many studies either oversimplify the adversary by adopting random topology perturbations, or conversely assume unrealistic adversary's knowledge and capabilities, such as privileged network access or complete graph awareness. The lack of practical robustness evaluation severely hinders the deployment of GNIDS in real-world security applications. To fill this gap, we propose GIANT, a structure-agnostic practical adversarial attack framework for comprehensive robustness evaluation of GNIDS. Different from prior methods that perturb flow features or presuppose a fixed graph construction mode, GIANT injects extra adversarial network flows without altering existing traffic data to jointly manipulate graph topology and flow features, ensuring transferability across diverse GNIDS. Specifically, GIANT first transforms network flows into a hypothetical line graph and then performs a two-phase attack to determine adversarial flow endpoints and optimize adversarial flow features, balancing maximum adversarial impact and stealthiness. The iterative injection of adversarial flows induces erroneous decisions in the target GNIDS. Extensive experiments on two public datasets covering IoT and cloud environments validate GIANT's effectiveness, transferability, and efficiency against existing attack methods, providing a practical robustness evaluation solution for GNIDS, and offering critical insights into their fundamental vulnerabilities.",

keywords = "adversarial attacks, graph neural networks, network intrusion detection systems",

author = "Jianjin Zhao and Dongqi Han and Chao Ma and Qi Li and Zhiwei Cui and Hongliang Zhu and Hua Zhang and Mingshu He and Yijun Lu and Jiong Dong and Yuyin Ma and Meng Shen",

note = "Publisher Copyright: {\textcopyright} 2026 Owner/Author.; 35th ACM Web Conference, WWW 2026 ; Conference date: 29-06-2026 Through 03-07-2026",

year = "2026",

month = apr,

day = "12",

doi = "10.1145/3774904.3792601",

language = "English",

series = "WWW 2026 - Proceedings of the ACM Web Conference 2026",

publisher = "Association for Computing Machinery, Inc",

pages = "3347--3357",

booktitle = "WWW 2026 - Proceedings of the ACM Web Conference 2026",

}

Zhao, J, Han, D, Ma, C, Li, Q, Cui, Z, Zhu, H, Zhang, H, He, M, Lu, Y, Dong, J, Ma, Y & Shen, M 2026, GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems. in WWW 2026 - Proceedings of the ACM Web Conference 2026. WWW 2026 - Proceedings of the ACM Web Conference 2026, Association for Computing Machinery, Inc, pp. 3347-3357, 35th ACM Web Conference, WWW 2026, Dubai, United Arab Emirates, 29/06/26. https://doi.org/10.1145/3774904.3792601

GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems. / Zhao, Jianjin; Han, Dongqi; Ma, Chao et al.
WWW 2026 - Proceedings of the ACM Web Conference 2026. Association for Computing Machinery, Inc, 2026. p. 3347-3357 (WWW 2026 - Proceedings of the ACM Web Conference 2026).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - GIANT

T2 - 35th ACM Web Conference, WWW 2026

AU - Zhao, Jianjin

AU - Han, Dongqi

AU - Ma, Chao

AU - Li, Qi

AU - Cui, Zhiwei

AU - Zhu, Hongliang

AU - Zhang, Hua

AU - He, Mingshu

AU - Lu, Yijun

AU - Dong, Jiong

AU - Ma, Yuyin

AU - Shen, Meng

PY - 2026/4/12

Y1 - 2026/4/12

N2 - Graph-based Network Intrusion Detection Systems (GNIDS) have emerged as a promising solution by capturing sophisticated interaction patterns through inter-flow analysis. However, their robustness remains a critical yet unexplored issue. Despite efforts devoted to GNIDS robustness evaluation, most of them exclusively focus on feature attacks while neglecting topological vulnerabilities. Moreover, many studies either oversimplify the adversary by adopting random topology perturbations, or conversely assume unrealistic adversary's knowledge and capabilities, such as privileged network access or complete graph awareness. The lack of practical robustness evaluation severely hinders the deployment of GNIDS in real-world security applications. To fill this gap, we propose GIANT, a structure-agnostic practical adversarial attack framework for comprehensive robustness evaluation of GNIDS. Different from prior methods that perturb flow features or presuppose a fixed graph construction mode, GIANT injects extra adversarial network flows without altering existing traffic data to jointly manipulate graph topology and flow features, ensuring transferability across diverse GNIDS. Specifically, GIANT first transforms network flows into a hypothetical line graph and then performs a two-phase attack to determine adversarial flow endpoints and optimize adversarial flow features, balancing maximum adversarial impact and stealthiness. The iterative injection of adversarial flows induces erroneous decisions in the target GNIDS. Extensive experiments on two public datasets covering IoT and cloud environments validate GIANT's effectiveness, transferability, and efficiency against existing attack methods, providing a practical robustness evaluation solution for GNIDS, and offering critical insights into their fundamental vulnerabilities.

AB - Graph-based Network Intrusion Detection Systems (GNIDS) have emerged as a promising solution by capturing sophisticated interaction patterns through inter-flow analysis. However, their robustness remains a critical yet unexplored issue. Despite efforts devoted to GNIDS robustness evaluation, most of them exclusively focus on feature attacks while neglecting topological vulnerabilities. Moreover, many studies either oversimplify the adversary by adopting random topology perturbations, or conversely assume unrealistic adversary's knowledge and capabilities, such as privileged network access or complete graph awareness. The lack of practical robustness evaluation severely hinders the deployment of GNIDS in real-world security applications. To fill this gap, we propose GIANT, a structure-agnostic practical adversarial attack framework for comprehensive robustness evaluation of GNIDS. Different from prior methods that perturb flow features or presuppose a fixed graph construction mode, GIANT injects extra adversarial network flows without altering existing traffic data to jointly manipulate graph topology and flow features, ensuring transferability across diverse GNIDS. Specifically, GIANT first transforms network flows into a hypothetical line graph and then performs a two-phase attack to determine adversarial flow endpoints and optimize adversarial flow features, balancing maximum adversarial impact and stealthiness. The iterative injection of adversarial flows induces erroneous decisions in the target GNIDS. Extensive experiments on two public datasets covering IoT and cloud environments validate GIANT's effectiveness, transferability, and efficiency against existing attack methods, providing a practical robustness evaluation solution for GNIDS, and offering critical insights into their fundamental vulnerabilities.

KW - adversarial attacks

KW - graph neural networks

KW - network intrusion detection systems

UR - https://www.scopus.com/pages/publications/105038566859

U2 - 10.1145/3774904.3792601

DO - 10.1145/3774904.3792601

M3 - Conference contribution

AN - SCOPUS:105038566859

T3 - WWW 2026 - Proceedings of the ACM Web Conference 2026

SP - 3347

EP - 3357

BT - WWW 2026 - Proceedings of the ACM Web Conference 2026

PB - Association for Computing Machinery, Inc

Y2 - 29 June 2026 through 3 July 2026

ER -

GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this