Machine learning–based network intrusion detection systems (ML-NIDS) are highly vulnerable to problem-space evasion attacks, which manipulate inputs while respecting protocol and traffic semantics. Method: This paper introduces the Perturbability Score (PS), a novel metric that explicitly models network protocol and traffic semantic constraints as a robustness-oriented defense mechanism. PS quantifies the vulnerability of each feature to adversarial manipulation in the problem space, guiding robustness-aware feature selection. Our approach integrates domain knowledge to define feature perturbation bounds and computes PS via combined statistical analysis and adversarial sensitivity evaluation, seamlessly embedding it into conventional feature engineering pipelines. Contribution/Results: Experiments demonstrate that retaining only low-PS features preserves over 95% of the original detection accuracy while reducing problem-space evasion attack success rates by up to 73%, significantly enhancing ML-NIDS resilience against realistic adversarial threats.

As network security threats continue to evolve, safeguarding Machine Learning (ML)-based Network Intrusion Detection Systems (NIDS) from adversarial attacks is crucial. This paper introduces the notion of feature perturb-ability and presents a novel Perturb-ability Score (PS) metric that identifies NIDS features susceptible to manipulation in the problem-space by an attacker. By quantifying a feature's susceptibility to perturbations within the problem-space, the PS facilitates the selection of features that are inherently more robust against evasion adversarial attacks on ML-NIDS during the feature selection phase. These features exhibit natural resilience to perturbations, as they are heavily constrained by the problem-space limitations and correlations of the NIDS domain. Furthermore, manipulating these features may either disrupt the malicious function of evasion adversarial attacks on NIDS or render the network traffic invalid for processing (or both). This proposed novel approach employs a fresh angle by leveraging network domain constraints as a defense mechanism against problem-space evasion adversarial attacks targeting ML-NIDS. We demonstrate the effectiveness of our PS-guided feature selection defense in enhancing NIDS robustness. Experimental results across various ML-based NIDS models and public datasets show that selecting only robust features (low-PS features) can maintain solid detection performance while significantly reducing vulnerability to evasion adversarial attacks. Additionally, our findings verify that the PS effectively identifies NIDS features highly vulnerable to problem-space perturbations.