“…In future work, we intend to generate more realistic adversarial attacks that project more easily into the problem space. To do so, we will follow some recommendations found in the literature, [70,65,44], namely i) restrict the space of features to be perturbed, i.e., avoid perturbing non-differentiable features so that the transformation is reversible, and the features directly related to the functionality of the flow so as not to impact it, ii) perform small amplitude perturbations and check that the values of the modified features remain valid (domain constraints), and iii) analyze the consistency of the values taken by the correlated features.…”