This study addresses a critical vulnerability in machine learning–based network intrusion detection systems (NIDS) deployed in Industrial Internet of Things (IIoT) environments, where benign traffic perturbed by malicious actors can trigger high false positive rates, severely disrupting security operations. The authors propose the first gradient-free False Positive Rate Manipulation Attack (FPA), which leverages domain knowledge of the MQTT protocol to craft lightweight, packet-level perturbations that cause NIDS to misclassify benign traffic as malicious. Through explainable AI (XAI) and statistical analysis, the work uncovers the underlying attack mechanism, moving beyond conventional adversarial attacks that primarily focus on evading detection (i.e., increasing false negatives). Experimental results demonstrate that FPA achieves success rates of 80.19%–100%, and even a small number of induced false alerts can delay responses to genuine threats by up to two hours. The study further shows that adversarial training significantly enhances model robustness against such attacks.

In the network security domain, due to practical issues -- including imbalanced data and heterogeneous legitimate network traffic -- adversarial attacks in machine learning-based NIDSs have been viewed as attack packets misclassified as benign. Due to this prevailing belief, the possibility of (maliciously) perturbed benign packets being misclassified as attack has been largely ignored. In this paper, we demonstrate that this is not only theoretically possible, but also a particular threat to NIDS. In particular, we uncover a practical cyberattack, FPR manipulation attack (FPA), especially targeting industrial IoT networks, where domain-specific knowledge of the widely used MQTT protocol is exploited and a systematic simple packet-level perturbation is performed to alter the labels of benign traffic samples without employing traditional gradient-based or non-gradient-based methods. The experimental evaluations demonstrate that this novel attack results in a success rate of 80.19% to 100%. In addition, while estimating impacts in the Security Operations Center, we observe that even a small fraction of false positive alerts, irrespective of different budget constraints and alert traffic intensities, can increase the delay of genuine alerts investigations up to 2 hr in a single day under normal operating conditions. Furthermore, a series of relevant statistical and XAI analyses is conducted to understand the key factors behind this remarkable success. Finally, we explore the effectiveness of the FPA packets to enhance models'robustness through adversarial training and investigate the changes in decision boundaries accordingly.