ML IDS Detection of Signatureless Attacks: Blind Spots of the Behavioral Detector

Depov

Six months ago, during an internal Red Team exercise, an Isolation Forest trained on a monthly baseline from Zeek conn.log missed a DNS tunnel that exfiltrated 800 KB. The feature vector (average packet size, number of sessions per interval, ratio of forward to backward bytes) stayed within two standard deviations of the norm. A model with an F1 of 0.97 on the CICIDS 2017 dataset was blind in production. Since that case, every ML detector I deploy goes through an adversarial test before it is put into the production infrastructure. Below we go through the weaknesses that turn up over and over again.


Isolation Forest is an unsupervised anomaly-detection algorithm. Instead of profiling what normal points look like, as most methods do, it isolates points with random splits: an anomaly is separated from the rest in few splits and therefore receives a high anomaly score.

Adversarial testing is the systematic evaluation of a machine learning model to study how it behaves on malicious or unintentionally harmful inputs.

What an ML-based NIDS sees in network traffic

A signatureless NIDS does not parse packet payloads the way Snort or Suricata do; it works on a feature vector built from session metadata. Understanding that vector is the starting point for both the detection engineer and the attacker planning evasion.


A detection engineer is a security specialist who designs, builds and maintains the rules and logic used to detect malicious activity in an organization.

Evasion is the circumvention of security controls in order to deliver an exploit, attack or other malware to the target network or system without being detected.

Feature engineering: the detector's real feature set


A standard flow-based detector takes as input network sessions identified by the 5-tuple (source IP, source port, destination IP, destination port, protocol). A feature vector is computed for each session. Zeek writes conn.log records whose fields form the basis of the feature set for ML anomaly detection on network traffic:

Key fields of Zeek conn.log for the ML detector (table supplied as an image in the original post; the standard conn.log columns are ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes)

From these raw fields, derived features are built: average number of packets per session, standard deviation of payload size, ratio of incoming to outgoing bytes, session duration, number of concurrent connections from one IP, interval between sessions. The session_analyzer tool described by researchers from ISP RAS computes a similar set for each TCP/UDP/ICMP flow.
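
To make the feature set concrete, here is an added example (mine, not from the original post and not Zeek's or ISP RAS's tooling): a small parser for Zeek's tab-separated ASCII conn.log and the per-flow and per-source features described above, run over constructed log lines. The column names are Zeek's real conn.log fields; the log rows, the hosts and the 60-second window are constructed assumptions. The fifth row is a half-open UDP flow (conn_state S0) with unset "-" fields, which Zeek really does emit and which naive float() calls choke on.

```python
from collections import defaultdict

# Constructed Zeek conn.log excerpt in Zeek's default tab-separated ASCII format.
# Not real traffic: five flows from three hosts, one of them a half-open UDP flow (S0)
# with unset ("-") byte and duration fields, exactly as Zeek writes them.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\t"
    "duration\torig_bytes\tresp_bytes\tconn_state\tmissed_bytes\thistory\t"
    "orig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\n"
    "1700000000.100000\tCAb1x1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t"
    "12.5\t1800\t42000\tSF\t0\tShADadFf\t18\t2760\t40\t44120\n"
    "1700000001.200000\tCAb1x2\t10.0.0.5\t51235\t10.0.0.53\t53\tudp\tdns\t"
    "0.02\t45\t120\tSF\t0\tDd\t1\t73\t1\t148\n"
    "1700000002.300000\tCAb1x3\t10.0.0.7\t40000\t10.0.0.53\t53\tudp\tdns\t"
    "0.03\t210\t60\tSF\t0\tDd\t1\t238\t1\t88\n"
    "1700000003.400000\tCAb1x4\t10.0.0.5\t51236\t10.0.0.53\t53\tudp\tdns\t"
    "0.02\t48\t130\tSF\t0\tDd\t1\t76\t1\t158\n"
    "1700000004.500000\tCAb1x5\t10.0.0.9\t40001\t10.0.0.53\t53\tudp\t-\t"
    "-\t-\t-\tS0\t0\tD\t1\t61\t0\t0\n"
)


def parse_conn_log(text):
    """Parse Zeek ASCII conn.log text into a list of row dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines (#separator, #types, #close, ...)
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _num(value, cast=float):
    """Zeek writes '-' for unset fields; treat them as zero for numeric features."""
    return cast(value) if value != "-" else cast(0)


def flow_features(row):
    """Per-flow features of the kind a flow-based anomaly detector is trained on."""
    orig_bytes, resp_bytes = _num(row["orig_bytes"]), _num(row["resp_bytes"])
    orig_pkts, resp_pkts = _num(row["orig_pkts"], int), _num(row["resp_pkts"], int)
    total_pkts = orig_pkts + resp_pkts
    return {
        "duration": _num(row["duration"]),
        "orig_bytes": orig_bytes,
        "resp_bytes": resp_bytes,
        # forward/backward byte ratio; the +1 keeps one-directional flows finite
        "bytes_ratio": orig_bytes / (resp_bytes + 1),
        "total_pkts": total_pkts,
        "avg_payload_per_pkt": (orig_bytes + resp_bytes) / total_pkts if total_pkts else 0.0,
    }


def per_source_features(rows, window_s=60.0):
    """Per-source-IP features: session count, sessions per window, mean gap between sessions."""
    by_src = defaultdict(list)
    for row in rows:
        by_src[row["id.orig_h"]].append(float(row["ts"]))
    out = {}
    for src, ts in by_src.items():
        ts.sort()
        span = ts[-1] - ts[0]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        out[src] = {
            "sessions": len(ts),
            # normalise to the window length; a span shorter than one window counts as one window
            "sessions_per_window": len(ts) / max(span / window_s, 1.0),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else 0.0,
        }
    return out


if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    for row in rows:
        print(row["uid"], flow_features(row))
    print(per_source_features(rows))
```

Note what is not in the output: nothing about the DNS query names, nothing about the TLS handshake. Whatever the model learns, it learns from these numbers, so a tunnel whose per-flow bytes and packet counts look like ordinary DNS is invisible at this layer.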






And here the interesting part begins. According to Hetman et al. (ISP RAS, 2022), these features depend directly on the physical structure of the network, hardware settings and the specific service implementations. Move the model to another network without retraining and accuracy degrades. Public datasets such as NSL-KDD or CICIDS 2017 do not show this effect because they were collected under sterile laboratory conditions.

In practice, the feature set determines what the model is able to see. No JA3/JA3S hash of the TLS handshake, and the model is blind to anomalies in encrypted traffic. No DNS-specific features (query length, domain name entropy), and a DNS tunnel goes unnoticed. No analysis of certificate chains, and C2 through a legitimate CDN is indistinguishable from a user's HTTPS. This is exactly what happened in the case at the start of the article.
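
As an added example (not from the original post), here are the DNS-specific features the paragraph says are missing, computed over constructed query names: label length, label count, entropy and digit share of the subdomain part. The tunnel-like query is generated deterministically by striding through the base32 alphabet so the numbers are reproducible; the thresholds in looks_like_tunnel are illustrative assumptions, not tuned values.

```python
import math
from collections import Counter

BASE32 = "abcdefghijklmnopqrstuvwxyz234567"

# Constructed query names (not real traffic). The tunnel-like label is built by striding
# through the base32 alphabet: 52 characters, 32 distinct symbols, which is what an
# encoded chunk of exfiltrated data looks like in a DNS label.
TUNNEL_LABEL = "".join(BASE32[(i * 7) % 32] for i in range(52))
TUNNEL_QNAME = TUNNEL_LABEL + ".tunnel.example"
QUERIES = ["www.example.com", "mail.google.com", "cdn.jsdelivr.net", TUNNEL_QNAME]


def shannon_entropy(s):
    """Entropy of the character distribution of s, in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dns_features(qname):
    """DNS-specific features that a conn.log-only detector never sees."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    # crude registrable-domain split: everything left of the last two labels is the subdomain;
    # the dots are dropped so they do not dilute the entropy estimate
    subdomain = "".join(labels[:-2])
    return {
        "qname_len": len(qname),
        "label_count": len(labels),
        "max_label_len": max((len(l) for l in labels), default=0),
        "subdomain_entropy": shannon_entropy(subdomain),
        # encoded payload carries digits; human-chosen hostnames rarely do
        "digit_ratio": sum(ch.isdigit() for ch in subdomain) / len(subdomain) if subdomain else 0.0,
    }


def looks_like_tunnel(features, max_label_len=40, min_entropy=3.5):
    """Illustrative rule on the DNS features; both thresholds are assumptions, not tuned values."""
    return features["max_label_len"] > max_label_len or features["subdomain_entropy"] > min_entropy


if __name__ == "__main__":
    for q in QUERIES:
        f = dns_features(q)
        print(f"{q[:40]:40s} max_label={f['max_label_len']:3d} "
              f"entropy={f['subdomain_entropy']:.2f} tunnel={looks_like_tunnel(f)}")
```

The point is not the rule itself but the axis: "www" and "mail" have entropy 0 and 2 bits, the encoded label sits near 5 bits, and no combination of bytes, packets and duration from conn.log exposes that difference. Zeek's dns.log (the query field) is where these features come from in a real deployment.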


Which models are used and where they fail

Attack detection with neural networks and classic ML models has been developed for more than two decades. According to an arXiv review (2025), NN-based detection still stumbles in practical deployment, despite all the fine numbers in publications. The main architectures, from the point of view of real operation:

Architecture comparison (table supplied as an image in the original post)

A separate pain is data imbalance. Researchers (PMC, 2025) record that in a real network normal traffic is the overwhelming majority and attacks are a fraction of a percent. A model optimized for accuracy can show 99.9% simply because almost everything in the test sample is legitimate, while precision and recall on the "attack" class are catastrophically low. I saw a model with 99.9% accuracy that did not catch a single real incident in a month, yet fired on legitimate traffic, producing about twenty alerts a day.


Where the behavioral detector sits in the attack chain

Behavioral intrusion detection works unevenly at different stages of the kill chain. Understanding this determines the evasion strategy.






Recon (external perimeter): the model catches a surge of connections from one source to many ports or hosts. nmap -T4 -A is almost guaranteed to trigger Isolation Forest. But distributed recon from many IPs, each staying within the baseline, is often missed, because no individual source stands out from the norm.

Initial access: if the exploit is delivered in a single HTTPS request to a legitimate web server, a flow-based ML NIDS sees nothing abnormal. The payload is encrypted, and the session metadata (one request, standard size) does not differ from an ordinary user's.

Lateral movement (internal pentest, modern infrastructure): this is where ML IDS is most useful. Abnormal SMB connections between workstations, RDP to servers the host has never contacted before: all of this deviates from the baseline. But an operator who has studied the regular routes (via the jump hosts, along the existing AD paths) stays within the normal range.

Exfiltration: bulk data transfer triggers an alert if the model is trained on a baseline of outgoing traffic. Splitting the data into small portions over DNS or HTTPS to a CDN is the classic way to stay below the threshold. Data Obfuscation (T1001, Command and Control) and Protocol Tunneling (T1572, Command and Control) work best here.

The link to NIST CSF 2.0 DE.AE-01: behavioral threat detection only works if a baseline of network operations and expected data flows has been established and is maintained. Without an actual baseline, an ML detector is blind by definition.


Adversarial evasion: bypassing behavioral analysis in practice

Adversarial machine learning against IDS is not a theory from academic articles. The Springer review (2025) lists evasion attacks and poisoning attacks as recognized categories of adversarial attacks on IDS. Let's go through specific techniques with reference to MITRE ATT&CK.


Low-and-slow: staying below the anomaly threshold

Isolation Forest and autoencoder models look for outliers far from the center of the distribution. If the attacker keeps every parameter within 1-2 standard deviations of the mean, the anomaly score will not cross the threshold.






Applicability: internal pentest, any infrastructure with behavioral intrusion detection. Particularly effective against Isolation Forest with default thresholds.

Practical techniques for bypassing an ML-based IDS:

• Exfiltration by drip: instead of 10 MB in one session, 50 KB every 10 minutes via DNS A/TXT records. With sufficiently small portions, packet size and the request/response ratio stay normal. Applicable via Application Layer Protocol (T1071, Command and Control).

• Lateral movement at minimum speed: 1-2 SMB connections per hour instead of a mass spray. At the feature-vector level it looks like standard AD activity.

• Randomized intervals (jitter): LSTM models catch the periodicity of a beacon. Jitter of 30-50% of the base interval breaks the time pattern. Most C2 frameworks (Cobalt Strike, Sliver, Havoc) support this parameter out of the box.

• Legitimate channels: Protocol Tunneling (T1572, Command and Control) via DNS-over-HTTPS or WebSocket through a CDN makes C2 traffic visually indistinguishable from user traffic.

An LSTM is a recurrent neural network architecture designed to process sequential data and to solve the vanishing gradient problem.

Limitation: low-and-slow increases operation time by tens of times. On a short external pentest (1-2 weeks) this may be unacceptable; on a long Red Team exercise it is the main mode of operation.
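
The drip-exfiltration and jitter items above, as an added example that is not part of the original post. A mean + 2 sigma threshold on a constructed baseline of per-session outgoing bytes stands in for the anomaly detector's threshold (an Isolation Forest scores differently, but the "stay inside the bulk of the distribution" logic is what the section describes); the beacon check uses the coefficient of variation of inter-arrival times, which is the simplest possible periodicity detector. The baseline, the 60-second beacon and the thresholds are constructed assumptions.

```python
import random
import statistics

# Constructed baseline: outgoing bytes per HTTPS session for one workstation over a month,
# drawn uniformly between 20 KB and 200 KB with a fixed seed. Not real data.
_rng = random.Random(7)
BASELINE_BYTES = [_rng.randint(20_000, 200_000) for _ in range(2000)]


def fit_threshold(samples, k=2.0):
    """mean + k*std of the baseline, standing in for the detector's anomaly threshold.
    An Isolation Forest scores differently, but 'inside k sigma passes' is the same logic."""
    return statistics.fmean(samples) + k * statistics.pstdev(samples)


def flagged(session_bytes, threshold):
    """One session is anomalous if its volume exceeds the threshold."""
    return session_bytes > threshold


def plan_drip_exfil(total_bytes, chunk_bytes):
    """Attacker side: split an exfiltration job into per-session chunks ('exfiltration by drip')."""
    chunks = [chunk_bytes] * (total_bytes // chunk_bytes)
    if total_bytes % chunk_bytes:
        chunks.append(total_bytes % chunk_bytes)
    return chunks


def beacon_intervals(n, base_s, jitter_frac, seed=1):
    """Inter-arrival times of a C2 beacon sleeping base_s +/- jitter_frac*base_s (uniform jitter)."""
    r = random.Random(seed)
    return [base_s * (1 + r.uniform(-jitter_frac, jitter_frac)) for _ in range(n)]


def periodicity_score(intervals):
    """Coefficient of variation of the intervals: ~0 for a metronome beacon."""
    mu = statistics.fmean(intervals)
    return statistics.pstdev(intervals) / mu if mu else 0.0


def looks_periodic(intervals, max_cv=0.05):
    """Simplest temporal detector: flag traffic whose inter-arrival jitter is tiny."""
    return periodicity_score(intervals) < max_cv


if __name__ == "__main__":
    thr = fit_threshold(BASELINE_BYTES)
    print(f"threshold {thr:,.0f} bytes")
    print("one 10 MB session flagged:", flagged(10_000_000, thr))
    chunks = plan_drip_exfil(10_000_000, 50_000)
    print(f"{len(chunks)} x 50 KB sessions flagged:", any(flagged(c, thr) for c in chunks))
    print("fixed 60 s beacon periodic:", looks_periodic(beacon_intervals(500, 60, 0.0)))
    print("60 s beacon with 40% jitter periodic:", looks_periodic(beacon_intervals(500, 60, 0.4)))
```

Two things to take from running it. The 200 chunks each sit far below the threshold while the single 10 MB session is dozens of sigma out, which is the whole low-and-slow argument; the price is 200 sessions spread over roughly 33 hours at one per 10 minutes. And 40% uniform jitter pushes the coefficient of variation from 0 to about 0.23, enough to pass this check, but the interval histogram is still a flat block around 60 s rather than the long-tailed gaps a human produces, which is the kind of shape a sequence model trained on real interval series can still pick up.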


Poisoning: corrupting the training data

If the attacker is present on the network before or during the model's training phase, they can influence the baseline. Generating small amounts of abnormal traffic during the training period "stretches" the boundary of the norm.

Applicability: APT scenario, long-term presence, legacy infrastructure without a protected training pipeline. Not applicable on a short-term pentest.

According to the Springer (2025) review, poisoning attacks are a recognized category of adversarial machine learning against IDS. For the first two weeks after compromise the operator generates background traffic similar in nature to the future C2 channel, but without real commands. When the model is retrained (and this happens periodically to combat concept drift), this traffic ends up in the baseline. After retraining, the real C2 is the norm as far as the model is concerned.

Concept drift occurs when the underlying relationship between a machine learning model's inputs and its target variable changes over time.

This overlaps with Impair Defenses: Disable or Modify Tools (T1562.001, Defense Evasion): targeted weakening of a detection mechanism.

Limitation: poisoning requires understanding when and how the model is retrained. In infrastructure with a protected ML pipeline (isolated training data, distribution monitoring) it is much harder.
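
An added example (mine, not the post's) of the poisoning scenario and of the distribution check that the limitation above refers to. A clean month of per-session outgoing bytes is constructed with a fixed seed; the attacker injects sessions shaped like the future C2 channel into the next training window, and the retrained mean + 2 sigma threshold moves past the C2 volume. The same block implements the two-sample Kolmogorov-Smirnov statistic in plain Python (no scipy needed) with the large-sample critical value for alpha = 0.01, and uses it to reject the poisoned window against the previous baseline. Sample sizes, byte counts, the 2 sigma rule and the poison fraction are assumptions.

```python
import math
import random
import statistics

# Constructed per-session outgoing byte counts for one host: a clean month used as the
# current baseline, and the next month's clean traffic into which the attacker injects.
# Gaussian around 60 KB with 10 KB spread, fixed seeds. Not real data.
_rng = random.Random(42)
CLEAN_MONTH = [_rng.gauss(60_000, 10_000) for _ in range(3000)]
NEXT_MONTH_CLEAN = [_rng.gauss(60_000, 10_000) for _ in range(3000)]
C2_SESSION_BYTES = 110_000  # what the real C2 channel will move per session later


def threshold(samples, k=2.0):
    """mean + k*std, standing in for the retrained detector's anomaly threshold."""
    return statistics.fmean(samples) + k * statistics.pstdev(samples)


def poison_training_window(clean_window, n_poison, seed=7):
    """Attacker's view: add n_poison sessions shaped like the future C2 (same volume,
    no commands) to the traffic the next retraining run will learn from."""
    r = random.Random(seed)
    poison = [r.gauss(C2_SESSION_BYTES, 10_000) for _ in range(n_poison)]
    return clean_window + poison


def ks_statistic(a, b):
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between the two empirical CDFs."""
    a, b = sorted(a), sorted(b)
    i = j = 0
    d = 0.0
    while i < len(a) and j < len(b):
        x = min(a[i], b[j])
        while i < len(a) and a[i] <= x:
            i += 1
        while j < len(b) and b[j] <= x:
            j += 1
        d = max(d, abs(i / len(a) - j / len(b)))
    return d


def drifted(baseline, window, c_alpha=1.628):
    """Defender's check before accepting a retraining window: reject if D exceeds the
    large-sample critical value c(alpha) * sqrt((n+m)/(n*m)); 1.628 corresponds to alpha = 0.01."""
    n, m = len(baseline), len(window)
    return ks_statistic(baseline, window) > c_alpha * math.sqrt((n + m) / (n * m))


if __name__ == "__main__":
    clean_thr = threshold(CLEAN_MONTH)
    poisoned = poison_training_window(NEXT_MONTH_CLEAN, n_poison=1000)
    print(f"clean threshold    {clean_thr:,.0f}  C2 flagged: {C2_SESSION_BYTES > clean_thr}")
    print(f"poisoned threshold {threshold(poisoned):,.0f}  "
          f"C2 flagged: {C2_SESSION_BYTES > threshold(poisoned)}")
    print("next clean month drifted vs baseline:", drifted(CLEAN_MONTH, NEXT_MONTH_CLEAN))
    print("poisoned window drifted vs baseline:  ", drifted(CLEAN_MONTH, poisoned))
```

Two caveats the numbers make visible. First, moving a 5 sigma target inside the threshold in one retraining cycle took 1000 poison sessions against 3000 clean ones, and each poison session is itself far above the clean threshold; a real operator stages this (first just under the current threshold, then further out after each retrain), which is why the post says poisoning depends on knowing the retraining schedule. Second, the KS check fires at D of roughly 0.24 against a critical value near 0.04, so even a modest fraction of poison is statistically obvious if the training window is compared with the previous baseline before it is accepted; at alpha = 0.01 the same check will also reject about one clean window in a hundred, so a hit is a reason to look, not proof of poisoning.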


When the ML IDS catches and when it lets through

Instead of abstract reasoning, a decision table for the operator:

Decision table (supplied as an image in the original post)

Key pattern: ML IDS catches well what stands out from the baseline in volume, rate or unusual direction. Everything that fits into the normal distribution of the feature space passes.


How the detection engineer closes these holes

If you are building the defence, this is what actually works against the described techniques for bypassing behavioral analysis.

Ensemble approach: one model is easier to fool than a combination. Isolation Forest at the flow level + LSTM on time series + a DNS query entropy analyzer give overlapping coverage. Mimicry that fools the flow-based model may not pass temporal analysis. On one project it was the LSTM that caught a beacon the Isolation Forest missed: the periodicity gave it away, although everything was normal in volume.

Adversarial validation: once you have trained the model, attack it yourself. Generate mimicry traffic, a slow scan, a beacon with jitter, and check what gets through. Every failed adversarial test is a reason to add a feature or revise the anomaly score threshold.

Feature diversification: JA3/JA3S for TLS fingerprinting, DNS entropy, HTTP User-Agent clustering, Certificate Transparency logs. Each additional feature widens the space in which the attacker has to imitate normality. The more axes, the harder the mimicry.

Distribution shift monitoring: if the baseline suddenly "drifts" without visible infrastructure changes, poisoning is possible. A simple statistical test detects the shift at an early stage:


Python:

# Detecting a shift in the distribution: compare the 30-day baseline with the last 24 hours
from scipy.stats import ks_2samp

# load_baseline(), get_current() and alert() are the post's placeholders for the
# feature store and the alerting hook; they are not library functions
baseline_durations = load_baseline("conn_duration_30d")
current_durations = get_current("conn_duration_24h")

# two-sample Kolmogorov-Smirnov test: a small p-value means the two samples
# are unlikely to come from the same distribution
stat, p_value = ks_2samp(baseline_durations, current_durations)
if p_value < 0.01:
    alert("Distribution shift in conn_duration - possible attack or infrastructure change")






NIST CSF DE.AE-01 requires that the network operations baseline not only exist but be managed: regularly validated, protected from modification, updated under change control.






Most ML IDS products work on the same feature sets described in the 2017-2018 publications. Isolation Forest on conn.log with the default five features is the ceiling for 80% of the installations I saw during audits. Vendors wrap this model in marketing ("behavioral analytics", "AI-driven detection"), but under the hood it is the same features, the same anomaly score threshold, the same missing adversarial validation.

Adversarial validation is a machine learning technique used to detect differences between the training and test data sets and the resulting changes in performance.

The arXiv review (2025) states directly that despite two decades of research, NN-based detection is still stalled in practical deployment. Hybrid systems (signatures + ML + manual analysis) are the only thing that produces results in real environments.
 
