Vulnerability Disclosure through Adaptive Black-Box Adversarial Attacks on NIDS

📅 2025-06-25
📈 Citations: 0
Influential: 0

🤖 AI Summary
This work addresses the challenge of generating adversarial examples against network intrusion detection systems (NIDS) under strict black-box constraints, where structured network traffic exhibits complex inter-feature dependencies. We propose a low-query, adaptive attack method that jointly leverages change-point detection and causal analysis to construct a lightweight, dynamic feature selection mechanism—identifying sensitive features without access to model internals or gradients. Integrated with a minimal-perturbation strategy, our approach significantly reduces both query overhead and perturbation magnitude. Experiments on mainstream NIDS demonstrate high evasion rates (>92%), 67% fewer queries, and 41% lower average perturbation magnitude compared to baselines, while maintaining cross-dataset generalizability. The method provides a reproducible, practical paradigm for systematic NIDS robustness evaluation and vulnerability analysis.

📝 Abstract
Adversarial attacks, wherein slight inputs are carefully crafted to mislead intelligent models, have attracted increasing attention. However, a critical gap persists between theoretical advancements and practical application, particularly in structured data like network traffic, where interdependent features complicate effective adversarial manipulations. Moreover, ambiguity in current approaches restricts reproducibility and limits progress in this field. Hence, existing defenses often fail to handle evolving adversarial attacks. This paper proposes a novel approach for black-box adversarial attacks that addresses these limitations. Unlike prior work, which often assumes system access or relies on repeated probing, our method strictly respects black-box constraints, reducing interaction to avoid detection and better reflect real-world scenarios. We present an adaptive feature selection strategy using change-point detection and causality analysis to identify and target features sensitive to perturbations. This lightweight design ensures low computational cost and high deployability. Our comprehensive experiments show the attack's effectiveness in evading detection with minimal interaction, enhancing its adaptability and applicability in real-world scenarios. By advancing the understanding of adversarial attacks in network traffic, this work lays a foundation for developing robust defenses.

Problem

Research questions and friction points this paper is trying to address.

Addressing gap between theoretical and practical adversarial attacks on NIDS
Improving reproducibility and adaptability of black-box adversarial attacks
Enhancing robustness of defenses against evolving network traffic attacks

Innovation

Methods, ideas, or system contributions that make the work stand out.

Adaptive feature selection via change-point detection
Black-box attack respecting real-world constraints
Lightweight design for low computational cost