"What is the Problem Space?" Defining Host-space Adversarial Perturbations against Network Intrusion Detection Systems

Date: 2026-05-25
Citations: 0
Influential: 0
AI Summary
This study addresses a critical gap in the adversarial evaluation of machine learning–based network intrusion detection systems (ML-NIDS), which typically applies perturbations in feature space or at the packet-capture level, disregarding the practical constraint that attackers can only manipulate host-level behaviors. The work introduces, for the first time, the concept of “host-space perturbations,” defining them as modifications achievable through attacker-controllable host operations, and develops an analytical framework linking problem-space actions to their effects in feature space. Through a synthesis of 316 literature sources, real-world network experiments, and simulated SSH brute-force attacks, the research demonstrates that altering just a single character in an attack command can effectively evade state-of-the-art ML-NIDS. This finding reveals that minimal host-level changes can induce substantial feature-space shifts, thereby exposing the unrealistic assumptions and overestimated robustness inherent in current evaluation methodologies.
๐Ÿ“ Abstract
Network Intrusion Detection Systems (NIDS) are now increasingly leveraging Machine Learning (ML) techniques to detect malicious network activities. Numerous papers have scrutinized the security of ML-based NIDS (ML-NIDS) by testing them against various attacks involving adversarial perturbations. The findings were oftentimes worrying: by making imperceptible changes to a given input, powerful ML models would be bypassed. In this context, we took a step back and wondered: where (i.e., in what "space") have these perturbations been applied? We argue that real-world adversaries can apply adversarial perturbations only by operating on the hosts they can control -- a concept which we define as _host-space perturbations_. To some, such an observation may seem trivial. And yet, through a systematic literature review (n=316), we found that prior work applied perturbations by manipulating pre-collected datapoints (e.g., a packet _captured by the router_, or a network flow _analysed by the ML-NIDS_). Such operations, while not impossible, may be outside the reach of an attacker who can only control some (unprivileged) hosts in a network. Hence, to demonstrate how to craft host-space perturbations and study some of their effects, we experimented on well-known benchmarks and a real-world network. We show that ML-NIDS that can detect the SSH-bruteforcing attempts launched via a given command string cannot detect any attempt launched by changing _a single character_ of such a string. We then examined how such a minuscule change in the "problem space" (i.e., the attacker's host) can lead to devastating effects on the "feature space". We derive lessons learned on how to practically assess host-space perturbations. Our stance is that the security of ML-NIDS should be re-assessed.
Problem

Research questions and friction points this paper is trying to address.

adversarial perturbations
host-space
network intrusion detection systems
machine learning security
problem space
Innovation

Methods, ideas, or system contributions that make the work stand out.

host-space perturbations
adversarial attacks
network intrusion detection
problem space
machine learning security