This work addresses the limited robustness of existing machine learning–based network intrusion detection systems against adversarial threats such as gradient-based attacks and distributional shifts, as well as their inability to adaptively respond to diverse attack types. To overcome these limitations, the authors propose an attack-aware, multi-stage defense framework that uniquely integrates three complementary signals—ensemble disagreement, prediction uncertainty, and distributional anomaly—and incorporates a two-stage adaptive weight learning mechanism to enable differentiated responses to heterogeneous adversarial attacks. Experimental results demonstrate that the proposed method achieves an AUC of 94.2% on standard benchmarks, outperforming current adversarially trained ensemble models by 4.5% in accuracy and 9.0 points in F1 score. Notably, it maintains 94.4% accuracy under white-box adaptive attacks, significantly enhancing both robustness and generalization.

Machine learning based network intrusion detection systems are vulnerable to adversarial attacks that degrade classification performance under both gradient-based and distribution shift threat models. Existing defenses typically apply uniform detection strategies, which may not account for heterogeneous attack characteristics. This paper proposes an attack-aware multi-stage defense framework that learns attack-specific detection strategies through a weighted combination of ensemble disagreement, predictive uncertainty, and distributional anomaly signals. Empirical analysis across seven adversarial attack types reveals distinct detection signatures, enabling a two-stage adaptive detection mechanism. Experimental evaluation on a benchmark intrusion detection dataset indicates that the proposed system attains 94.2% area under the receiver operating characteristic curve and improves classification accuracy by 4.5 percentage points and F1-score by 9.0 points over adversarially trained ensembles. Under adaptive white-box attacks with full architectural knowledge, the system appears to maintain 94.4% accuracy with a 4.2% attack success rate, though this evaluation is limited to two adaptive variants and does not constitute a formal robustness guarantee. Cross-dataset validation further suggests that defense effectiveness depends on baseline classifier competence and may vary with feature dimensionality. These results suggest that attack-specific optimization combined with multi-signal integration can provide a practical approach to improving adversarial robustness in machine learning-based intrusion detection systems.