
GIANT: Structure-Agnostic Practical Adversarial Attacks for Graph-based Network Intrusion Detection Systems

  • Jianjin Zhao
  • Dongqi Han
  • Chao Ma
  • Qi Li*
  • Zhiwei Cui
  • Hongliang Zhu
  • Hua Zhang
  • Mingshu He
  • Yijun Lu
  • Jiong Dong
  • Yuyin Ma
  • Meng Shen
  • *Corresponding author for this work
  • Beijing University of Posts and Telecommunications
  • Waseda University
  • Xuchang University
  • Xinjiang University

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Peer-reviewed

Abstract

Graph-based Network Intrusion Detection Systems (GNIDS) have emerged as a promising solution by capturing sophisticated interaction patterns through inter-flow analysis. However, their robustness remains a critical yet unexplored issue. Despite efforts devoted to GNIDS robustness evaluation, most of them exclusively focus on feature attacks while neglecting topological vulnerabilities. Moreover, many studies either oversimplify the adversary by adopting random topology perturbations, or conversely assume unrealistic adversary's knowledge and capabilities, such as privileged network access or complete graph awareness. The lack of practical robustness evaluation severely hinders the deployment of GNIDS in real-world security applications. To fill this gap, we propose GIANT, a structure-agnostic practical adversarial attack framework for comprehensive robustness evaluation of GNIDS. Different from prior methods that perturb flow features or presuppose a fixed graph construction mode, GIANT injects extra adversarial network flows without altering existing traffic data to jointly manipulate graph topology and flow features, ensuring transferability across diverse GNIDS. Specifically, GIANT first transforms network flows into a hypothetical line graph and then performs a two-phase attack to determine adversarial flow endpoints and optimize adversarial flow features, balancing maximum adversarial impact and stealthiness. The iterative injection of adversarial flows induces erroneous decisions in the target GNIDS. Extensive experiments on two public datasets covering IoT and cloud environments validate GIANT's effectiveness, transferability, and efficiency against existing attack methods, providing a practical robustness evaluation solution for GNIDS, and offering critical insights into their fundamental vulnerabilities.

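Original language: English
Title of host publication: WWW 2026 - Proceedings of the ACM Web Conference 2026
Publisher: Association for Computing Machinery, Inc
Pages: 3347-3357
Number of pages: 11
ISBN (Electronic): 9798400723070
DOI
Publication status: Published - 12 Apr 2026
Event: 35th ACM Web Conference, WWW 2026 - Dubai, United Arab Emirates
Duration: 29 Jun 2026 to 3 Jul 2026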

Publication series

Name: WWW 2026 - Proceedings of the ACM Web Conference 2026

Conference

Conference: 35th ACM Web Conference, WWW 2026
Country/Territory: United Arab Emirates
City: Dubai
Period: 29/06/26 to 3/07/26
