🤖 AI Summary
Adversarial evasion attacks against machine learning–based network intrusion detection systems (ML-NIDS) often exhibit sharply diminished effectiveness when transitioning from controlled laboratory settings to real-world deployments. Method: To address this gap, we construct a threat model grounded in attack trees and propose the first taxonomy of practicality constraints for adversarial attacks targeting ML-NIDS—identifying seven critical limitations, including feature immutability and real-time processing requirements. We conduct systematic experiments on realistic traffic datasets (e.g., CICIDS2017) to evaluate attack viability under operational conditions. Contribution/Results: Our empirical analysis reveals that conventional dynamic retraining alone reduces adversarial attack success rates by over 40%, substantially degrading attack robustness. These findings bridge the chasm between theoretical adversarial research and industrial ML-NIDS deployment, providing both theoretical foundations and actionable guidelines for designing robust, production-ready ML-NIDS.
📝 Abstract
Machine Learning (ML) has become ubiquitous, and its deployment in Network Intrusion Detection Systems (NIDS) is inevitable due to its automated nature and high accuracy compared to traditional models in processing and classifying large volumes of data. However, ML has been found to have several flaws, most importantly its vulnerability to adversarial attacks, which aim to trick ML models into producing faulty predictions. While most adversarial attack research focuses on computer vision datasets, recent studies have explored the suitability of these attacks against ML-based network security entities, especially NIDS, because the generation of adversarial attacks differs widely between domains. To further explore the practicality of adversarial attacks against ML-based NIDS in depth, this paper presents three distinct contributions: identifying numerous practicality issues for evasion adversarial attacks on ML-NIDS using an attack tree threat model, introducing a taxonomy of practicality issues associated with adversarial attacks against ML-based NIDS, and investigating how the dynamicity of some real-world ML models affects adversarial attacks against NIDS. Our experiments indicate that continuous re-training, even without adversarial training, can reduce the effectiveness of adversarial attacks. While adversarial attacks can compromise ML-based NIDSs, our aim is to highlight the significant gap between research and real-world practicality in this domain, a gap that warrants attention.