GMA-SAWGAN-GP: A Novel Data Generative Framework to Enhance IDS Detection Performance
Abstract: An Intrusion Detection System (IDS) is often calibrated to known attacks and generalizes poorly to unknown threats. This paper proposes GMA-SAWGAN-GP, a novel generative augmentation framework built on a Self-Attention-enhanced Wasserstein GAN with Gradient Penalty (WGAN-GP). The generator employs Gumbel-Softmax regularization to model discrete fields, while a Multilayer Perceptron (MLP)-based AutoEncoder acts as a manifold regularizer. A lightweight gating network adaptively balances adversarial and reconstruction losses via entropy regularization, improving stability and mitigating mode collapse. The self-attention mechanism enables the generator to capture both short- and long-range dependencies among features within each record while preserving categorical semantics through Gumbel-Softmax heads. Extensive experiments on NSL-KDD, UNSW-NB15, and CICIDS2017 using five representative IDS models demonstrate that GMA-SAWGAN-GP significantly improves detection performance on known attacks and enhances generalization to unknown attacks. Leave-One-Attack-type-Out (LOAO) evaluations using Area Under the Receiver Operating Characteristic (AUROC) and True Positive Rate at a 5 percent False Positive Rate confirm that IDS models trained on augmented datasets achieve higher robustness under unseen attack scenarios. Ablation studies validate the contribution of each component to performance gains. Compared with baseline models, the proposed framework improves binary classification accuracy by an average of 5.3 percent and multi-classification accuracy by 2.2 percent, while AUROC and True Positive Rate at a 5 percent False Positive Rate for unknown attacks increase by 3.9 percent and 4.8 percent, respectively, across the three datasets. Overall, GMA-SAWGAN-GP provides an effective approach to generative augmentation for mixed-type network traffic, improving IDS accuracy and resilience.
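As an added illustration (not the paper's code), the Python block below implements the LOAO protocol and the two metrics the abstract evaluates with, AUROC and TPR at a 5 percent FPR; the z-score scorer, the record format and the sample records are constructed stand-ins for the IDS models and datasets the paper uses.

```python
"""LOAO evaluation helpers (AUROC, TPR at a fixed FPR) for an IDS scorer.
Added illustration, not the paper's code; the z-score scorer below is a
stand-in for the IDS models the paper trains."""

def auroc(scores, labels):
    """Mann-Whitney form of AUROC; a tie counts as half a correct ranking."""
    pos = [s for s, y in zip(scores, labels) if y]
    neg = [s for s, y in zip(scores, labels) if not y]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def tpr_at_fpr(scores, labels, max_fpr=0.05):
    """Best TPR at a threshold that misflags at most max_fpr of benign records."""
    neg = sorted((s for s, y in zip(scores, labels) if not y), reverse=True)
    pos = [s for s, y in zip(scores, labels) if y]
    allowed = int(max_fpr * len(neg))  # benign records we may flag (floored)
    thr = neg[allowed]                 # alert only on scores strictly above this
    return sum(s > thr for s in pos) / len(pos)

def zscore_scorer(train):
    """Toy one-class IDS: squared z-distance from the benign training profile."""
    benign = [r["x"] for r in train if r["type"] == "benign"]
    dim = len(benign[0])
    mu = [sum(v[i] for v in benign) / len(benign) for i in range(dim)]
    sd = [max((sum((v[i] - mu[i]) ** 2 for v in benign) / len(benign)) ** 0.5, 1e-9)
          for i in range(dim)]
    return lambda x: sum(((x[i] - mu[i]) / sd[i]) ** 2 for i in range(dim))

def loao_evaluate(train, test, attack_types, fit=zscore_scorer, max_fpr=0.05):
    """Leave-One-Attack-type-Out: for each attack type, fit without it and
    score the test records that are benign or of that held-out type.
    Records are dicts {"type": "benign" | <attack name>, "x": [floats]}."""
    results = {}
    for held in attack_types:
        score = fit([r for r in train if r["type"] != held])
        subset = [r for r in test if r["type"] in ("benign", held)]
        s = [score(r["x"]) for r in subset]
        y = [int(r["type"] != "benign") for r in subset]
        results[held] = {"auroc": auroc(s, y), "tpr@fpr": tpr_at_fpr(s, y, max_fpr)}
    return results

# Constructed sample records (not drawn from NSL-KDD, UNSW-NB15 or CICIDS2017):
# benign flows cluster near the origin, two synthetic attack types sit far away.
TRAIN = [{"type": "benign", "x": x} for x in
         ([0.0, 0.0], [0.5, 0.2], [-0.4, 0.3], [0.1, -0.5], [-0.2, 0.1], [0.3, 0.4])]
TRAIN += [{"type": "dos", "x": [5.0, 0.0]}, {"type": "probe", "x": [0.0, 5.0]}]
TEST = [{"type": "benign", "x": x} for x in
        ([-0.5, -0.3], [0.2, 0.2], [0.0, -0.2], [-0.1, 0.5])]
TEST += [{"type": "dos", "x": [5.5, 0.3]}, {"type": "dos", "x": [4.8, -0.2]},
         {"type": "probe", "x": [0.3, 5.2]}, {"type": "probe", "x": [-0.2, 4.7]}]
```

Calling `loao_evaluate(TRAIN, TEST, ["dos", "probe"])` returns one AUROC and TPR@FPR pair per held-out attack type; with a real supervised IDS, `fit` would train on the remaining attack classes plus benign traffic.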
Comments: 13 pages, 2 figures
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
Cite as: arXiv:2603.28838 [cs.CR]
(or arXiv:2603.28838v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2603.28838
arXiv-issued DOI via DataCite
Submission history
From: Ziyu Mu [v1] Mon, 30 Mar 2026 14:35:23 UTC (5,984 KB)