1. Introduction
Unmanned Aerial Vehicles (UAVs) are connected through ad hoc networks and controlled via smart devices, serving applications from military operations to aerial mapping [
1,
2]. The network security in these systems is based on security protocols and Intrusion Detection Systems (IDSs) [
3,
4]. However, every component of a UAV network, including the UAV itself, the Ground Control Station (GCS), and access points, is exposed to cyberattacks such as Denial of Service (DoS), replay, and Man-in-the-Middle (MITM) attacks [
1], as illustrated in
Figure 1. The growing deployment of UAVs in critical operations has made them targets for sophisticated attacks that exploit weaknesses in communication protocols [
5], particularly adversarial attacks that preserve semantic functionality while evading detection [
6,
7].
A critical challenge in UAV network security is that attackers can manipulate the features of network attacks to evade detection while preserving the operational validity of malicious cyberattacks [
7]. For example, an adversary conducting an Evil Twin attack might modify 802.11 frame control flags to avoid triggering anomaly detectors while still successfully impersonating a legitimate access point. Traditional feature selection methods fail to account for this dual objective, leading to IDS models that are either too permissive or prone to false positives under adversarial conditions.
Existing feature selection techniques for IDS, such as Principal Component Analysis (PCA) [
8], Random Forest importance ranking [
9], etc., focus solely on selecting features that maximize detection performance [
10]. They ignore whether features can be perturbed in ways that preserve cyberattack operational validity. For example, selecting the
ip.ttl feature for Distributed Denial of Service (DDoS) detection might improve accuracy, but adversaries can easily manipulate this feature while maintaining valid packet flows [
11]. Similarly, methods such as LIME [
12] identify which features are important for classification, but do not consider whether those features are essential for executing cyberattacks.
Moreover, current adversarial training approaches often generate unrealistic samples by perturbing all features indiscriminately. This results in packets that violate protocol specifications (e.g., invalid
wlan.fcs.checksum values) and would be dropped by real network stacks. Such samples provide limited value for hardening IDS against actual and zero-day threats [
13,
14].
To summarize, UAV networks are critically vulnerable to sophisticated adversarial attacks, particularly those that craft deceptive yet fully functional (semantic-preserving) network traffic to mimic benign behavior. Current security solutions [
13,
14,
15,
16,
17,
18] focus mainly on external threats and conventional malware, failing to address the unique challenge of these semantically preserved adversarial attacks that can bypass internal defenses. This drawback, compounded by suboptimal feature selection and high false positive rates in real-time operations, exposes UAV networks to potent threats. Motivated by these critical gaps, this research aims to develop a robust deep learning (DL)-IDS designed to detect semantically preserved adversarial attacks in UAV networks, enhancing their security posture and operational efficacy.
Current approaches to adversarial robustness in UAV-IDS exhibit three critical flaws:
- 1.
Performance-only feature selection: Traditional feature selection techniques such as PCA [
8], SHapley Additive exPlanations (SHAP) [
19], and LIME [
12] focus solely on model performance metrics and ignore functional feature constraints inherent to cyberattack execution.
- 2.
Unconstrained adversarial training: Generated samples often violate network protocol semantics (e.g., impossible packet sizes in DDoS attacks), producing unrealistic examples with limited defensive value.
- 3.
Lack of functionality-constrained adversarial training: Existing methods do not restrict perturbations to features that preserve attack operational validity, producing adversarial samples that would fail in real network environments and thus provide poor coverage of realistic threats.
Research Gap and Proposed Solution: These three limitations reveal a fundamental gap in current UAV-IDS research: existing approaches fail to recognize that adversarially robust intrusion detection requires features that are simultaneously critical for model decisions and essential for cyberattack execution. Moreover, adversarial training must generate samples that preserve network protocol semantics to provide meaningful robustness improvements. To address these gaps, we introduce the Dual-Impact Feature Selection (DIFS) framework, which (1) identifies features with high impact on both model performance (via IG and LIME) and attack functionality (via clustering-based FPC); (2) constrains adversarial perturbations to maintain operational validity within protocol-feasible bounds; (3) enables realistic adversarial training that hardens models against executable threats rather than protocol-violating noise. This approach bridges the disconnect between model-centric robustness and domain-specific attack realism, ensuring that defensive improvements translate to protection against real-world adversarial threats in UAV networks.
To address these gaps, this work makes the following key contributions to the field of adversarial robustness in UAV Intrusion Detection Systems (UAV-IDS):
- 1.
Designing a robust and efficient CNN-1D model (UAV-IDS-CNN-1D) to achieve a strong intrusion detection performance for UAVs in benchmark datasets.
- 2.
A feature-centric adversarial robustness framework that focuses defenses on the subset of features most critical to both the model’s decisions and the cyberattack’s functionality.
- 3.
Automated FPC Check: Introduced an unsupervised clustering-based method to constrain adversarial perturbations within the functional boundaries of each cyberattack class, ensuring the realism of adversarial examples without requiring domain experts.
- 4.
Explainable AI (XAI)-Driven Robustness: Bridged model performance and adversarial robustness by formally integrating LIME and IG with the FPC for feature selection, representing a dual-impact evaluation approach.
- 5.
Protocol-Aware Adversarial Attacks: Implemented constrained versions of FGSM and PGD attacks that are tailored to the UAV-IDS domain, perturbing only selected features within a semantically feasible space to generate realistic adversarial examples.
- 6.
Comprehensive Robustness Evaluation: Rigorously demonstrated that our approach facilitates significant performance recovery after adversarial retraining, quantitatively hardening the model against realistic, semantically constrained attacks. Performance is evaluated using six complementary metrics: Precision, Recall, F1-Score, and Accuracy quantify detection capability on clean data, while Attack Success Rate (ASR) and Robust Accuracy measure resilience against adversarial perturbations (detailed in
Section 5).
The proposed framework reduces the ASR while maintaining high robustness in network traffic. This work establishes a foundation for the development of more resilient cybersecurity systems capable of operating effectively in adversarial environments.
Figure 1 illustrates the three-tier architecture of a typical UAV network and corresponding attack surfaces. The system comprises: (1) the UAV swarm communicating via an ad hoc wireless network, (2) the GCS managing flight operations, (3) three attack vectors. The
Cyberattack-Side (right) represents network-level threats, including DDoS, Brute-Force, Reconnaissance, and UAV-specific attacks like Fake Landing commands. The
Adversarial-Attack-Side (left) represents attacks targeting the IDS itself, with evasion attacks manipulating features at inference time, and poisoning attacks corrupting training data. This dual-threat model—conventional cyberattacks against UAV infrastructure and adversarial attacks against the detection system—directly motivates our DIFS framework. The IDS must not only detect diverse cyberattacks but also remain robust against the adversarial manipulation of the features it relies upon.
The remainder of this paper is organized as follows.
Section 2 provides the foundational background on adversarial attacks and their taxonomy.
Section 3 presents an overview of related work on UAV-IDS, feature selection, and adversarial defense approaches.
Section 4 details the components of our proposed DIFS methodology. The experimental setup and datasets are described in
Section 5.
Section 6 presents the evaluation results, followed by a discussion of the findings in
Section 7. Finally,
Section 8 concludes the paper and outlines future research directions.
2. Preliminaries
Combining DL models, primarily CNNs, in UAV applications has achieved notable improvements in IDSs and real-time object detection [
20,
21]. These models learn hierarchical feature representations from UAV IDS datasets, achieving state-of-the-art performances in classification tasks. Nevertheless, this high performance critically relies on the assumption that the training and test data come from the same distribution. This assumption is often violated in adversarial settings, where models are exposed to gradually manipulated data, revealing a deep exposure to malicious cyberattacks [
22]. Security threats to DL models can be taxonomized by the phase of the DL model learning pipeline that is compromised.
Figure 2 in the red region shows two primary attack vectors that can affect any DL model: (1) data poisoning, which targets the training process, (2) evasion attacks, which target the model during inference [
7,
22,
23].
Adversarial attacks represent a critical challenge for machine learning-based security systems. These attacks involve deliberately manipulating input data to cause misclassification, exploiting the mathematical properties of DL models [
22,
24]. In UAV networks, adversarial attacks pose unique challenges: perturbations must remain within operational protocol constraints to preserve attack operational validity, distinguishing this domain from conventional adversarial machine learning (ML), where semantic preservation is primarily perceptual [
7]. The following subsections examine the technical mechanisms of these attacks and their implications for UAV-IDS security.
2.1. Adversarial Attacks
The main adversarial attacks affecting DL models include data poisoning (or training time attacks), which compromise the integrity of the model’s learning procedure. An attacker injects a set of adversarial samples
into the training dataset
[
24,
25]. The model parameters
are then optimized on the corrupted dataset
, leading to a compromised prediction model. As poisoning occurs before deployment, it is difficult to detect; the model appears to perform well until a trigger is activated or its general performance degrades. Formally, the standard training objective is subverted in Equation (
1):
This standard training objective optimizes the model parameters
to minimize the expected loss over the training distribution [
23].
The impact of poisoning can be classified into two types. The first is performance degradation, where the model’s overall performance on a clean test set
is reduced. The second is backdoor injection (an integrity attack), where the model performs well on
but exhibits malicious behavior when a trigger
is present. The learning objective is covertly altered so that for inputs
x from the clean test distribution, we use Equation (
2):
where
is the attacker’s target label and
is the backdoor trigger pattern [
23].
Second, evasion attacks [
23], often used interchangeably with adversarial attacks, occur after the DL model is trained and deployed. An attacker crafts a perturbation
to a data input
x to generate an adversarial example
that causes the model to misclassify, i.e.,
. The perturbation is constrained by
to remain small enough to be imperceptible to a human observer. This constraint, typically enforced under a
norm, ensures that the semantic content of
x is preserved. The general formulation of an evasion attack can be written as the following constrained optimization problem in Equation (
3):
where
is the maximum perturbation allowed and the input is scaled to
. This formulation establishes the core evasion attack framework [
22,
24].
Several algorithms have been proposed to solve this problem. The Fast Gradient Sign Method (FGSM) [
24] is a single-step attack. While computationally efficient, FGSM often leads to suboptimal attacks due to its linear approximation in a highly nonlinear loss landscape. To overcome the limitations of FGSM [
26], the Basic Iterative Method (BIM) was introduced, as described in
Section 2.3.
2.2. FGSM Adversarial Attack
The FGSM is a simple and efficient one-step attack to generate adversarial examples, illustrating the core vulnerability of models to gradient-based perturbations [
24].
Core Idea: Perturb the input data in the direction of the sign of the loss function’s gradient with respect to the input. This single step maximizes the loss and leads to misclassification.
where
: The generated adversarial example.
x: The original clean input.
: The perturbation budget, controlling the maximum deviation under the norm.
: The gradient of the model’s loss function with respect to the input.
2.3. BIM and Projected Gradient Descent (PGD)
BIM extends FGSM to a more powerful multi-step attack [
26]. This approach is formally equivalent to PGD in the negative loss function, and is considered a standard benchmark for evaluating adversarial robustness [
27].
Core Idea: Apply FGSM multiple times with a small step size
. After each step, the adversarial example is projected back onto the
-ball around the original input
x to ensure that the perturbation constraint is satisfied.
where
: The adversarial example at iteration t.
: The step size, typically set as for T iterations.
: The projection operator that confines the adversarial example to the feasible set , e.g., .
As a white-box attack, BIM/PGD is highly potent. The iterative process allows it to navigate the model’s nonlinear loss landscape more effectively than FGSM, often finding stronger adversarial examples.
2.4. Comparison and Scope: Poisoning vs. Evasion Attacks
Although both threaten IDSs based on ML, data poisoning and evasion attacks differ fundamentally.
Table 1 provides a concise comparison.
Focus of This Work: Evasion Attacks. This paper addresses evasion attacks, the primary realistic threat to deployed UAV-IDS systems. Our rationale is as follows: (1) operational UAV networks secure training environments, making poisoning difficult; (2) evasion attacks require lower adversary capabilities; (3) deployed systems face continuous evasion attempts [
29]. The DIFS framework specifically targets evasion robustness through functionality-preserving adversarial training (
Section 4.3 and
Section 4.4).
3. Related Works
The development of robust IDSs for UAVs sits at the intersection of several critical research areas [
1,
30]. This section examines the existing literature, starting with intrusion detection in UAV networks, then exploring the feature selection methods that underpin effective IDSs, and finally analyzing the threat of adversarial attacks that can compromise DL-based protection models. This structured review establishes the foundation of this research and identifies the gaps that this research aims to address.
The unique constraints of UAVs, such as limited computational resources and the critical need for real-time operation, have driven research into efficient and accurate IDSs. Previous studies have utilized diverse strategies, often DL models, on benchmark network datasets. For example, Ferrag et al. [
30] used multiple DL methods to identify novel attacks and employed 10-fold cross-validation for evaluation. Similarly, Basnet et al. [
31] combined the CIC-IDS2017 and CIC-IDS2018 datasets to evaluate the generalizability of an IDS across 12 learning algorithms. Nevertheless, their approach is limited by the assumption that categorical features have the same number of distinct values across both datasets, which may not hold and could compromise the model’s integrity.
To address specific attack vectors, such as GPS spoofing, novelty-based detection systems have been proposed. The work in [
16] presents a one-class classifier approach trained solely on normal flight logs. By using PCA for dimensionality reduction, their model achieved high F1-scores against GPS spoofing, demonstrating strong cross-platform detection capabilities. Other approaches, such as Binary Decision Trees, have also been reported to achieve near-perfect performances on standard metrics, highlighting the potential of ML for securing UAV networks.
The performance of any ML-based IDS is heavily dependent on the quality and relevance of the input features. Consequently, feature selection (FS) is a critical preprocessing step to reduce computational overhead and improve detection accuracy. Traditional FS methods have focused on statistical properties, using techniques such as Correlation-based Feature Selection (CFS) and information gain [
10,
32,
33].
More recently, advanced optimization and rough set models have been applied to this problem. For example, Han et al. [
34] presented a binary Particle Swarm Optimization (PSO) method with a wrapper-based approach to improve the interaction between feature selection and model training. To further enhance performance, Almomani [
33] introduced an ensemble FS model that combines the gray wolf optimizer, genetic algorithms, the firefly algorithm and PSO. In the context of UAVs, a lightweight IDS was proposed in [
35], leveraging an improved fuzzy rough set model with adaptive neighborhoods for efficient feature selection that handles partially missing data.
XAI has also emerged as a powerful tool for feature selection. As demonstrated in [
36], SHAP can identify the most significant features in datasets such as CICIDS2017. By creating optimal feature subsets, they showed that a reduced feature set can maintain a high accuracy for models such as CNNs and Random Forest (RF). This aligns with frameworks like Enhanced Dynamic Filter-Based Feature Selection (E-DFBFS), which uses NSGA-II to achieve a superior accuracy and F-measure.
While DL models have proven highly effective, they are notoriously vulnerable to adversarial attacks—carefully crafted inputs designed to cause misclassification. Although early investigations focused on the image domain [
20,
21,
37], this threat has since been extended to network security, including IDSs.
Research by Yang et al. [
38] confirmed this threat to DL-based network IDSs, using model substitution to execute successful black-box attacks. Subsequent studies have further explored these vulnerabilities. For instance, Wang et al. [
39] analyzed the divergence between the manifold of adversarial instances and the model’s decision boundaries, while Peng et al. [
40] systematically benchmarked the performance of various ML models under adversarial settings. In response, defense mechanisms are being developed. Debicha et al. [
41] analyzed the impact of attacks and presented adversarial training as a defensive countermeasure. Sauka et al. [
28] merged adversarial training with an XAI framework based on SHAP to address both vulnerability and model interpretability. The threat to Internet of Things (IoT) ecosystems is also being investigated, with Papadopoulos et al. [
42] studying the impact of adversarial attacks on ML-based IDS in IoT.
Despite these advances, a notable study gap continues in the design of adversarially robust IDSs for UAV networks. First, many investigations focus on assessing model performance against known attacks but fail to proactively build robust DL models that can resist adversarial perturbations. Second, while feature selection methods prioritize metrics that improve detection accuracy, they often neglect to constrain the feature set to those that preserve the operational semantics of cyberattacks. This direction means that adversarial instances, though effective in misleading the model, may render non-functional or malformed network traffic that would not be viable in a real-world cyberattack scenario. Finally, the prevailing adversarial training methods do not focus on training models, especially on a refined subset of high-impact, functionality-preserving features, thereby restricting their efficacy in the resource-constrained UAV environment.
Table 2 summarizes the key differences between existing UAV-IDS and adversarial robustness approaches and our proposed DIFS framework, highlighting the novel contributions of this work.
4. Methodology
This section describes the pipeline of the proposed approach, which focuses on improving the adversarial robustness of DL models within a UAV-IDS. The method is structured into four sequential phases, each building on the previous to achieve robustness improvements.
The process starts with the structure and initial evaluation of three CNN-1D-based UAV-IDS models, as described in
Section 4.2. Following this foundational step, we use our feature-scoring method (DIFS) in
Section 4.3. The output of this feature selection phase is necessary for the following evaluation, facilitating a focused examination of CNN models against C-FGSM and C-BIM constrained adversarial attacks in
Section 4.4. In
Section 4.5, the insights achieved from this adversarial evaluation directly inform the final phase: the implementation of an adversarial retraining strategy to construct a robust and interpretable final detection model.
Figure 3 gives an overview of the overall proposed methodology.
4.1. Terminology
Throughout this paper, we use the following terminology consistently:
Robustness refers to the model’s ability to maintain a high detection accuracy under adversarial perturbations. We quantify robustness using Robust Accuracy and ASR. A robust model exhibits high Robust Accuracy and low ASR.
Resilience describes the model’s capacity to recover and maintain performance after adversarial retraining. Resilience is demonstrated through improvements in ASR reduction when comparing initial to retrained model performance. A resilient model shows significant performance recovery after exposure to adversarial examples.
Functionality-preserving pertains to adversarial samples that maintain the operational semantics of the original cyberattack. We ensure this property through the FPC, which identifies features whose alteration would render the cyberattack non-functional.
4.2. Baseline Deep UAV-CNN-1D Training
This section presents, step by step, the design and training of the best CNN-1D model architecture. The model was trained using the three UAV-IDS datasets to create three UAV-IDS-CNN-1D models. The objective of this step is to establish a high-performance benchmark model on unperturbed data, which will serve as the foundation for robustness analysis and the feature selection approach in subsequent models.
4.2.1. Dataset Preprocessing
This paper utilizes three UAV-IDS datasets, which are described in detail in
Section 5.1, containing labeled instances of normal traffic and a diverse set of 10 attack categories: Scanning, Reconnaissance, DoS, DDoS, GPS Jamming, MITM, Replay, Evil Twin, Brute-Force, and Fake Landing. We use an advanced preprocessing pipeline that includes the following standard formal steps.
- 1.
Data Cleaning: Handle missing values using robust imputation (median for numerical features, mode for categorical features).
- 2.
Categorical Encoding: Convert all categorical features (e.g., protocol type) into numerical representations using label encoding.
- 3.
Feature Scaling: Standardize all numerical features using to ensure stable and efficient convergence of the model.
After preparing the UAV-IDS datasets for the evaluation of the main model, we use stratified data splitting, where data are partitioned into training sets (70%), validation sets (15%), and test sets (15%) using stratified sampling. This guarantees that the distribution of all attack classes is preserved across splits, ensuring a fair and representative evaluation.
Figure 4 illustrates the training and evaluation pipeline of the UAV-IDS-CNN-1D model.
4.2.2. UAV-IDS-CNN-1D Model Architecture
Rationale for 1D-CNN Architecture: We select CNN-1D based on domain-specific considerations for UAV network intrusion detection. CNN-1D architectures extract local patterns from sequential packet-level features through 1D convolution kernels [
43], enabling parallel processing for faster inference compared to recurrent architectures (LSTM, GRU), which is critical for resource-constrained UAV platforms [
44]. Prior work has demonstrated CNN-1D’s strong performance on network intrusion detection tasks [
45], making it a proven baseline for adversarial robustness evaluation. The core of our IDS is a CNN-1D designed to hierarchically extract features from sequential network traffic data. The primary objective of this phase is to construct and evaluate the CNN UAV-IDS model before generating adversarial attacks. During this phase, we train three CNN models using different UAV-IDS datasets, as each dataset is constructed under different scenarios. The architecture, summarized in
Figure 5, is as follows:
- 1.
Input and Convolutional Blocks: The network accepts a 1D vector of preprocessed features. This is processed by three convolutional blocks. Each block contains a 1D convolutional layer with ReLU activation, batch normalization, and a max-pooling layer (pool size = 2) for progressive feature extraction and dimensionality reduction. The number of filters increases block by block (64, 128, and 256) to capture more complex patterns.
- 2.
Classification Head: The output of the final convolutional block is flattened and fed into two dense layers (512 and 256 units, each with ReLU activation). A dropout rate of 0.3 is applied after each dense layer to mitigate overfitting. The final output layer is a dense layer with a softmax activation function, corresponding to the number of classes (10 attacks + normal).
- 3.
Training Configuration: To handle the inherent class imbalance in the dataset, we used a weighted cross-entropy loss function, where class weights were calculated inversely proportional to their frequencies. The model was trained with the Adam optimizer using an initial learning rate of 0.001. We further incorporated two regularization techniques: a ReduceLROnPlateau scheduler to adapt the learning rate upon validation loss stagnation and early stopping with a patience of 10 epochs to restore the best model weights and prevent overfitting.
4.3. DIFS Framework
This phase focuses on selecting the most critical DIFs to build a robust UAV-IDS-CNN-1D model. In contrast to existing methods that prioritize only a model’s predictive performance, our approach identifies the top ten features that are both significant for the model’s predictions and semantically essential to the operational validity of cyberattacks. This dual focus on performance and functional semantics is fundamental for improving the model’s resilience against realistic adversarial attacks. We employ two complementary feature importance techniques to quantitatively assess feature contributions. The overall DIFS process is illustrated in
Figure 6, while Algorithm 1 provides a detailed, step-by-step explanation with illustrative examples.
MPI Calculation: We first use IG to compute the integral of gradients along the path from a baseline input to the actual input, providing a principled and efficient mechanism for global feature attribution. Subsequently, we employ LIME on specific, difficult-to-classify samples to validate that the features identified as significant in a global context remain relevant locally. IG primary attribution scores are normalized and aggregated into a global MPI score, allowing the identification of the top features consistently leveraged by the model. The MPI score for feature
i is mathematically represented in Equation (
6):
where
FPC Calculation: To automatically identify the most critical features for a cyberattack’s functionality, we introduce the FPC score. This approach begins by modeling the natural variations within a cyberattack class using an unsupervised cluster-based functional representation. For each cyberattack class, we apply K-means clustering to its training samples, with the optimal number of clusters determined using the silhouette score. The core hypothesis is that each cluster represents a distinct semantically valid cyberattack.
This clustering enables a cluster-constrained perturbation strategy. Instead of random permutation, we perturb a feature by shifting its value toward the centroid of its own cluster or a nearby cluster of the same attack class. This ensures that the perturbed sample remains a realistic and functionally consistent sample of the original cyberattack.
The FPC score for a given feature is then calculated as the performance drop (e.g., a decrease in F1-Score) when the model is evaluated on a test set in which that feature has been perturbed using this method. A large performance drop indicates that the feature is as functionally critical as its perturbation, even within semantically valid bounds. We then select the top 10 features with the highest FPC scores as those most essential for preserving the semantic meaning of the cyberattack after any permutations. FPC measures the performance impact of the feature perturbation calculated in Equation (
7):
In this work, the FPC metric is introduced as a novel approach to quantifying feature criticality from a perspective of cyberattack functionality, complementing existing model-centric feature importance methods [
12,
19].
The final feature ranking, which combines MPI and FPC, is calculated using Equation (
8). The resulting features are classified into four quadrants based on their scores, as defined in
Table 3.
The methodology of the DIFS framework ensures that selected features cannot be manipulated by adversaries without fundamentally altering the nature of cyberattacks, providing inherent robustness against evasion attempts while maintaining a high detection accuracy.
4.3.1. Rationale for Dual-Criteria Feature Selection
The DIFS framework deliberately combines two complementary criteria, model MPI and FPC, because neither criterion alone is sufficient for generating realistic, adversarially robust samples.
Why MPI alone is insufficient: MPI (via IG and LIME) identifies features the model relies upon most heavily for classification. However, a high-MPI feature may be trivially manipulable by an adversary without affecting the attack’s real-world behavior. For example, the ip.ttl field is highly informative for DDoS detection (high MPI), yet an attacker can freely modify TTL values while maintaining a valid packet flow. Perturbing such features generates adversarial samples that evade detection but no longer represent functional cyberattacks.
Why FPC alone is insufficient: FPC identifies features whose modification fundamentally breaks attack functionality. However, a high-FPC feature may contribute little to the model’s classification decision. Focusing only on FPC could select features that are operationally critical but provide no adversarial leverage—yielding weak adversarial examples that fail to challenge the model.
Are MPI and FPC independent? The two criteria are partially correlated but measure distinct properties. MPI reflects the model’s internal decision landscape, while FPC reflects the operational structure of network cyberattacks. A feature can have high MPI and low FPC (e.g.,
ip.ttl—important to the model, easy to perturb without breaking the attack), low MPI and high FPC (e.g.,
wlan.fc.subtype—critical to attack execution but underweighted by the model), or high MPI and high FPC (e.g.,
radiotap.channel.flags.cck—both model-critical and operationally essential).
Table 3 captures this four-quadrant structure. Only features in the top-left quadrant (Core Features) are selected as DIFs, indicating that both criteria are jointly necessary.
Real-network example: Consider the wlan.fc.subtype feature in a de-authentication attack. This field carries the management frame subtype, where subtype = 12 indicates a de-authentication frame. From an FPC perspective, any perturbation away from 12 fundamentally transforms the packet from a de-authentication attack into normal data traffic, thereby breaking the attack’s functionality entirely. From an MPI perspective, IG assigns a high attribution score to this feature because the model has learned its discriminative value. This dual criticality makes wlan.fc.subtype an ideal DIF: perturbing it within functional bounds forces the model to learn robust representations, while ensuring the generated adversarial example remains a valid cyberattack.
4.3.2. DIFS: Illustrative Examples with Algorithm 1
To solidify the conceptual understanding of DIFS from the previous diagrams and equations, we now present a detailed numerical example. We will walk through each key step of Algorithm 1 with a sample feature of cyberattacks, demonstrating how the rankings are computed in practice. The results of this walkthrough are consolidated in
Table 4.
Lines 3–6: MPI Analysis Example: The algorithm computes MPI scores by evaluating each feature’s importance through IG and LIME validation. For instance, when analyzing network traffic features,
udp.length might receive a high MPI score of 0.156. This occurs because the model identifies that larger packet sizes (e.g., >1450 bytes) are strong indicators of flooding attacks, whereas normal traffic typically exhibits smaller packets (58–1518 bytes). The LIME validation step confirms that this feature’s importance remains consistent even in borderline cases, ensuring that global importance translates to local relevance.
| Algorithm 1 DIFS |
Require: Feature set F, trained model M, dataset D, clusters k, weight Ensure: Selected feature subset S |
- 1:
Initialize , - 2:
- 3:
for each feature do ▹ Lines 3–6: MPI Analysis - 4:
- 5:
- 6:
- 7:
end for - 8:
▹ Lines 8–17: FPC Analysis - 9:
for each feature do - 10:
- 11:
for each sample do - 12:
- 13:
- 14:
end for - 15:
- 16:
- 17:
end for - 18:
▹ Lines 19–22: Score Combination - 19:
- 20:
- 21:
- 22:
return S
|
Lines 8–17: FPC Analysis Example: The algorithm performs feature perturbation clustering by first grouping the dataset into k clusters (e.g., ) representing different traffic patterns. The clustering reveals distinct behavioral patterns:
Cluster 1 (Normal traffic): Characterized by small packet sizes: frame.len: 84B, udp.length: 58B.
Cluster 2 (Flooding attacks): Exhibits large packet sizes: frame.len: 1512B, udp.length: 1450B.
Cluster 3 (Wireless attacks): Shows specific wireless signatures: wlan.fc.subtype: 8, radiotap.dbm_antsignal: −52 dBm.
For each feature, values are systematically replaced with their corresponding cluster centroid values. For example, when perturbing udp.length, a sample originally containing udp.length: 1450B from Cluster 2 maintains this value after perturbation since it matches the centroid. This approach preserves data distribution while testing feature importance.
The FPC score is calculated as performance degradation after perturbation. Example results demonstrate varying impact levels:
udp.length: FPC = 0.892 − 0.469 = 0.423 (critical impact).
wlan.fc.subtype: FPC = 0.892 − 0.494 = 0.398 (critical impact).
frame.len: FPC = 0.892 − 0.521 = 0.371 (high impact).
Semantic Impact Analysis: The perturbation reveals critical semantic changes. For de-authentication attacks, the original feature wlan.fc.subtype equals 12 (indicating de-auth frame), leading to correct attack detection. However, when perturbed to different values such as 0 (data frame), the attack becomes undetectable, demonstrating how fundamental frame-type alterations can transform malicious traffic into normal behavior.
Lines 19–22: Score Integration Example: The algorithm normalizes both MPI and FPC scores and combines them using the weight parameter . The resulting rankings reveal complementary strengths.
4.4. Performing Adversarial Attacks Using DIFS
This subsection details the application of adversarial attacks, specifically FGSM and BIM, constrained to use only the features identified by DIFS lists for each UAV-IDS dataset. This methodology ensures the generation of functional adversarial samples that preserve the semantic integrity of the original cyberattacks.
These crafted samples serve a two-fold evaluation: first, to assess the adversarial ASR against the initially deployed UAV-IDS-CNN-1D model; and second, to augment the training data for retraining and re-evaluating the robustness of the three original UAV-IDS-CNN-1D models.
Figure 6 illustrates the overall adversarial evaluation pipeline. The process begins with selecting the top 10 DIFs. These 10 DIFs are then used to generate adversarial perturbations via FGSM or BIM. Finally, the resulting adversarial samples are used to rigorously evaluate the robustness of the initial UAV-IDS-CNN-1D models.
Figure 6.
The DIFS framework and evaluation pipeline. Phase 1 (green): DIFS process for selecting robust features. Phase 2 (white): UAV-IDS-CNN-1D model evaluation under functional adversarial attacks.
Figure 6.
The DIFS framework and evaluation pipeline. Phase 1 (green): DIFS process for selecting robust features. Phase 2 (white): UAV-IDS-CNN-1D model evaluation under functional adversarial attacks.
4.5. UAV-IDS-CNN-1D Adversarial Retraining Phase
This subsection presents the final phase of our approach: a hardening framework for the initially proposed UAV-IDS-CNN-1D model. The process begins by combining the functionally crafted adversarial samples with the original clean training data. This step is crucial for two reasons: it serves as data augmentation and, more importantly, enhances the model’s generalization against realistic adversarial examples.
Subsequently, the combined dataset is split into training (70%), validation (15%), and test (15%) sets, consistent with the original partitioning described in
Section 4.2.1. The model then undergoes 10 epochs of retraining to refine its defenses. Finally, the robustness of the hardened UAV-IDS-CNN-1D model is rigorously re-evaluated against both adversarial and clean test samples. The objective of this phase is to strengthen existing models, adopt a zero-trust posture, and significantly reduce the effectiveness of potential adversarial attacks.
Figure 7 depicts the complete adversarial training pipeline.
6. Results and Analysis
This section presents a comprehensive performance evaluation of the proposed UAV-IDS-CNN-1D models. The analysis is structured in four progressive stages to thoroughly assess the system’s capabilities. First, baseline performance is established by evaluating the models on clean, unaltered test data without adversarial attacks. Subsequently, the models’ inherent vulnerability is assessed by subjecting them to adversarial evasion attacks using the full feature set. Following this, a DIF analysis is performed to identify a robust subset of features that are critical to both high classification accuracy and the preservation of the semantic integrity of cyberattacks. Finally, the robustness of the UAV-IDS-CNN-1D models is re-evaluated under the same evasion attacks using the selected features from the DIFS analysis to demonstrate the effectiveness of the proposed feature selection method.
6.1. Phase 1: Baseline UAV-IDS-CNN-1D Performance Results
To establish a baseline for evaluating robustness, this section first presents the performance of the proposed CNN-1D architecture on clean test data. These initial results are a prerequisite for the subsequent adversarial robustness analysis.
The classification reports for the three models are detailed in
Table 9,
Table 10 and
Table 11.
Table 9 presents the initial performance of the UAV1-IDS-CNN-1D model, demonstrating strong detection capabilities for most attack categories, with a high performance for classes such as Brute-Force, DDoS, and Normal. Nevertheless, it shows challenges in detecting Reconnaissance attacks and a lower performance on De-authentication and Fake Landing.
For comparative analysis,
Table 10 shows the results for the UAV2-IDS-CNN-1D model, which achieves a high performance in nearly all classes, with a slight decrease in performance for DDoS attacks.
Table 11 reveals a more varied performance profile for the UAV3-IDS-CNN-1D model, with excellent results for Brute-Force and DDoS, but significant difficulties in correctly classifying Benign traffic, De-authentication, Evil Twin, and Fake Landing attacks.
Moreover, the training progression of the three models is illustrated in
Figure 8. The sub-figures plot Precision, Recall, and F1-score over 25 training epochs, highlighting the epoch at which early stopping was triggered to prevent overfitting.
6.2. Phase 2: Evaluating UAV-IDS-CNN-1D Under Adversarial Attacks Using All Features
This study hypothesizes that while adversarial evasion attacks can successfully craft samples misclassified as normal class, thus degrading the performance of the UAV-IDS model, they often fail to preserve the underlying semantics of the original cyberattack. Consequently, these samples may have no practical impact in a real network environment.
To validate the necessity of DIFS, FGSM and BIM attacks were applied to the three UAV-IDS CNN-1D models using all features without using DIFS. The results demonstrate that, while the attacks achieve substantial ASR, the adversarial samples generated by perturbing all features lack functional or semantic equivalence to realistic cyberattacks.
Table 12,
Table 13 and
Table 14 summarize adversarial robustness metrics for both initial and retrained models under FGSM and BIM attacks.
The experimental results reveal three key observations. First, the initial models exhibit moderate vulnerability, with ASR values ranging from 4.36% to 13.68% across datasets and attack types. Second, retrained models demonstrate significantly enhanced robustness, reducing ASR to nearly negligible levels (0.03–0.37%) while maintaining a high clean accuracy (91.78–95.82%). In particular, the UAV3-IDS dataset shows the largest improvement, with the BIM Attack Success Rate decreasing from 13.68% to 0.03% after retraining.
6.3. Phase 3: DIFS Feature Selection Analysis
To optimize adversarial robustness testing, we applied the DIFS method to the three UAV-IDS datasets. DIFS integrates MPI and FPC to identify a refined set of critical features.
Figure 9 presents the top 10 features selected by DIFS for the UAV1-IDS dataset, where MPI scores (from IG or LIME) are shown in green, FPC scores in orange, and the final combined DIFS score (with
) in gray. The results for the UAV2-IDS and UAV3-IDS datasets are provided in
Figure 10 and
Figure 11, respectively.
This refined feature set was subsequently used to evaluate the robustness of the UAV-IDS CNN-1D model. Adversarial attacks (FGSM and BIM) were configured to perturb only these top 10 selected features.
6.4. Phase 4: Evaluating UAV-IDS-CNN-1D Under Adversarial Attacks Using DIFs
This section evaluates the robustness of the proposed UAV-IDS-CNN-1D model against realistic adversarial attacks crafted using the DIFS method. The adversarial strategy perturbs only the top 10 features identified by IG and LIME methods while adhering to FPC, ensuring that generated samples maintain realistic cyberattack patterns that could evade detection in real-world UAV environments.
The experimental methodology comprises two phases. First, initially trained models are evaluated on both clean test samples and adversarial samples crafted using the top 10 DIFS features. This assessment reveals substantial inherent resilience against functionally constrained cyberattacks. Second, models undergo adversarial retraining using augmented datasets that incorporate both clean and adversarial samples to improve generalizability.
The results in
Table 15,
Table 16 and
Table 17 demonstrate the effectiveness of this approach. Adversarial retraining produces significant improvements in model robustness in all configurations. UAV1-IDS-CNN-1D achieves 99.91% Robust Accuracy against BIM attacks using LIME + FPC features, while UAV2-IDS-CNN-1D achieves 99.93% Robust Accuracy against BIM attacks with IG + FPC features. UAV3-IDS-CNN-1D achieves 99.97% Robust Accuracy against BIM attacks using both feature selection methods.
ASR drops to minimal levels across all models, with several configurations achieving ASR values below 0.1%. These results validate the robustness of the proposed approach, successfully hardening UAV-IDS-CNN-1D against sophisticated evasion techniques while maintaining a reliable performance on legitimate network traffic. However, some configurations exhibit notable trade-offs that warrant discussion. The UAV2-IDS model with IG + FPC under FGSM shows a clean accuracy reduction from 95.27% to 70.69% after retraining, indicating that IG-based feature selection may produce overly conservative decision boundaries for certain dataset–attack combinations. Similarly, the UAV3-IDS models retain a lower clean accuracy (73.54–82.29%) compared to UAV1-IDS and UAV2-IDS, reflecting the inherent difficulty of the GCS-based attack scenario with its larger feature space (85 features). These results indicate that robustness improvements are not uniformly cost-free, and practitioners should evaluate the trade-off between clean accuracy and robustness for their specific deployment context.
7. Discussion
7.1. Interpretation of Key Findings
The experimental results demonstrate several significant aspects of adversarial robustness in UAV-IDS CNN-1D models. The remarkable reduction in ASR from initial levels of 4.36–13.68% to nearly negligible values (0.02–0.37%) after adversarial retraining underscores the effectiveness of the proposed DIFS methodology. This substantial improvement can be attributed to three primary factors.
Firstly, strategic feature selection through DIFS enabled focusing perturbation on the most critical features, creating more meaningful adversarial examples during retraining. The consistent performance across the three UAV datasets (UAV1-IDS, UAV2-IDS, and UAV3-IDS) validates the generalizability of this approach.
Secondly, the maintained clean accuracy (91.78–95.82%) alongside improved Robust Accuracy (99.63–99.97%) indicates that adversarial retraining does not compromise the model’s performance on legitimate traffic while significantly enhancing its defensive capabilities.
Table 18 illustrates the final checklist for all UAV-IDS-CNN-1D models.
7.2. Expected Trade-Offs in the DIFS Framework
The DIFS framework involves deliberate trade-offs designed to optimize adversarial robustness and operational feasibility. Feature Space Reduction vs. Attack Coverage: By selecting only the top-10 DIFs (22% of features in UAV1-IDS to 12% in UAV3-IDS), we intentionally reduce the attack surface for adversarial perturbation. This trade-off is strategically desirable for three reasons: Firstly, it forces adversarial training to focus on realistic, functionality-preserving attacks rather than protocol-violating perturbations. Secondly, focusing on 10 features reduces computational complexity, making attacks tractable for both red teams and defenders [
24]. Thirdly, security practitioners can more easily monitor the top-10 critical features in deployed systems.
Clean Accuracy vs. Robust Accuracy: Adversarial retraining on DIFS-constrained samples may cause slight reductions in clean accuracy as the model learns more conservative decision boundaries [
27]. This is most evident in the UAV3-IDS dataset, where clean accuracy decreased from 78.93% to 77.52% in some configurations. However, this trade-off is not only acceptable but desirable in high-security UAV deployments. The corresponding improvement in Robust Accuracy (86.32% → 99.97%) and ASR reduction (13.68% → 0.03%) far outweighs the minor clean accuracy loss. In adversarial environments, clean accuracy alone is misleading—an IDS with 95% clean accuracy but 50% ASR provides little practical security.
Computational Efficiency vs. Comprehensiveness: Focusing adversarial training on 10 DIFs rather than all features (45–85) yields substantial computational benefits: the training time is approximately 4–8× faster, the inference overhead is significantly reduced and the memory footprint is 78–88% smaller [
5]. This trade-off accepts that adversaries might find evasion opportunities in non-DIF features, but such evasions would necessarily be functionality-violating.
Table 19 summarizes the expected and observed performance changes.
The DIFS framework optimizes the balance between adversarial robustness and operational feasibility—a trade-off that strongly favors deployment in real-world UAV security scenarios.
7.3. Implications of Testbed-Generated Data for Model Generalizability
The use of physically generated UAV-NIDD datasets [
29] has significant implications for model generalizability. Unlike simulated datasets, testbed data captures authentic protocol behaviors, physical layer properties, and genuine attack execution patterns [
5]. This realism provides three key advantages:
- 1.
Protocol Fidelity: Network features reflect actual physical layer characteristics, MAC-layer timing, and real hardware constraints. For example, RSSI values, packet inter-arrival times, and retransmission patterns in the UAV-NIDD datasets represent genuine wireless channel behavior rather than idealized simulations [
46].
- 2.
Attack Realism: Adversarial samples represent executable attacks that succeeded against actual UAV hardware and network stacks. This ensures our robust models defend against threats that can genuinely compromise deployed systems, not just theoretical attack vectors.
- 3.
Hardware Variability: Natural variations in testbed equipment (different radio chipsets, antenna configurations, and environmental RF conditions) introduce diversity that aids cross-platform generalization [
4].
However, generalization boundaries exist. Models trained on DJI Mavic Air 2 traffic patterns may require adaptation for significantly different UAV architectures, though commercial platforms sharing similar protocol stacks (MAVLink, DJI SDK) should exhibit strong cross-platform generalization. Attack coverage is limited to the cyberattack types present in UAV-NIDD, including DDoS, DoS, UDP Flooding, ICMP Flooding, De-authentication, Brute-Force, Evil Twin, Scanning, Reconnaissance, GPS Jamming, Fake Landing, MITM, and Replay; emerging attack classes would necessitate dataset updates and model retraining.
Environmental factors present additional challenges. The UAV-NIDD testbed [
29] operated in controlled indoor/outdoor conditions with known RF interference profiles. Deployment in different electromagnetic environments (urban canyons, military jamming scenarios, and extreme weather) may require online adaptation mechanisms or periodic retraining with location-specific data [
30].
Estimated Generalization Boundaries: Based on the UAV-NIDD dataset characteristics and our model architecture, we estimate the following generalization boundaries. These estimates are based on architectural similarity and protocol overlap, and have not been empirically validated on external datasets:
Strong generalization (>95% accuracy): Commercial UAVs using MAVLink or DJI SDK protocols with similar frequency bands (2.4 GHz, 5.8 GHz). Examples: DJI Phantom series, Parrot Anafi, and 3DR Solo.
Good generalization (85–95% accuracy): UAV swarms and multi-platform networks with transfer learning or fine-tuning on small platform-specific validation sets (100–500 samples). The DIFS feature selection approach remains valid even if specific feature distributions shift.
Moderate generalization (70–85% accuracy): Custom military or industrial UAV systems with proprietary protocols. These would require fine-tuning on domain-specific data, though the dual-criteria feature selection methodology transfers directly.
Limited generalization (<70% accuracy): Non-UAV IoT networks or ground vehicle telematics. While the DIFS methodology (combining MPI and FPC) remains applicable as a framework, the specific DIFs identified would not transfer. New feature selection would be required.
The achieved performance metrics in this work (99.8% clean accuracy, ASR reduction to 0.002) reflect both the quality of testbed-generated training data and the effectiveness of functionality-preserving adversarial training. We emphasize that these results reflect performance on UAV network traffic that adheres to the protocol and that reflects the attack characteristics present in the UAV-NIDD datasets. Practitioners deploying our approach in significantly different UAV environments should budget for validation testing and potential fine-tuning, though the core DIFS framework provides a solid foundation for adversarial robustness across diverse platforms.
7.4. Comparative Analysis with the Existing Literature
Compared to conventional adversarial training approaches that alter all features [
10,
14,
32,
47], our DIFS method demonstrates improved efficiency. The focused perturbation on the top-10 features achieved comparable or better robustness while reducing computational overhead and maintaining the semantic validity of adversarial samples.
The Robust Accuracy (99–99.97%) against BIM attacks compares favorably with reported results in similar Intrusion Detection Systems [
29], particularly noting the challenging nature of UAV network environments with their unique traffic patterns and constraints.
7.5. Methodological Contributions
This work contributes to the practical and methodological understanding of adversarial robustness in the following ways. The DIFS methodology provides a framework for balancing feature importance with functional constraints, addressing the semantic validity challenge in adversarial sample generation. The consistent performance improvement across datasets with different feature counts (45, 51, and 85) demonstrates the approach’s adaptability within the evaluated UAV-IDS domain. Furthermore, the success of targeted feature perturbation suggests that strategic, focused perturbations can yield results that are competitive or superior to those achieved with comprehensive feature coverage, at least within the scope of the datasets and attack models examined here.
8. Conclusions
This paper presented a four-phase framework for evaluating and improving the adversarial robustness of UAV-IDS-CNN-1D models. The methodology integrates DIFS with adversarial training, demonstrating a significant improvement in model resilience against evasion attacks. Three distinct UAV-IDS-CNN-1D models were constructed and evaluated across three UAV-IDS datasets that represent different cyberattack scenarios targeting the network components of a real UAV testbed. Multiple DIFS configurations (combining IG or LIME with FPC) were used to identify the most critical functional features. These features were then used to execute two constrained adversarial attacks, FGSM and BIM, generating functional cyber–semantic samples. These samples served a dual purpose: first, to evaluate the initial UAV-IDS-CNN-1D models, and second, to conduct adversarial retraining as the final robustness phase. The experimental results indicate that the initial UAV-IDS-CNN-1D models already exhibit considerable robustness, with only a slight drop in Robust Accuracy and ASR. Furthermore, adversarial retraining using only DIF-selected samples proved highly effective, driving the ASR to near-zero levels and achieving a Robust Accuracy of 99–99.98% across all models. These findings suggest that an approach focused on the top functional features can yield robust UAV-IDS-CNN-1D models, though further validation across multiple UAV platforms and attack scenarios is needed to establish broader generalizability.
Future research will explore several promising directions. Firstly, we plan to extend the proposed framework to handle streaming data and operate in online learning scenarios for real-time intrusion detection. Secondly, we will investigate more complex black-box attack strategies, leveraging generative models and metaheuristic approaches such as Genetic Algorithms (GAs) and PSO at an abstract feature level. Finally, a deeper analysis of the functionality and semantic preservation of adversarial samples for individual cyberattack classes is warranted to develop more nuanced and effective defense mechanisms.