Practical Traffic-space Adversarial Attacks on Learning-based NIDSs

05/15/2020 ∙ by Dongqi Han, et al. ∙ Tsinghua University 0

Machine learning (ML) techniques have been increasingly used in anomaly-based network intrusion detection systems (NIDS) to detect unknown attacks. However, ML has shown to be extremely vulnerable to adversarial attacks, aggravating the potential risk of evasion attacks against learning-based NIDSs. In this situation, prior studies on evading traditional anomaly-based or signature-based NIDSs are no longer valid. Existing attacks on learning-based NIDSs mostly focused on feature-space and/or white-box attacks, leaving the study on practical gray/black-box attacks largely unexplored. To bridge this gap, we conduct the first systematic study of the practical traffic-space evasion attack on learning-based NIDSs. We outperform the previous work in the following aspects: (1) practical—instead of directly modifying features, we provide a novel framework to automatically mutate malicious traffic with extremely limited knowledge while preserving its functionality; (2) generic—the proposed attack is effective for any ML classifiers (i.e., model-agnostic) and most non-payload-based features; (3) explainable—we propose a feature-based interpretation method to measure the robustness of targeted systems against such attacks. We extensively evaluate our attack and defense scheme on Kitsune, a state-of-the-art learning-based NIDS, as well as measuring the robustness of various NIDSs using diverse features and ML classifiers. Experimental results show promising results and intriguing findings.



There are no comments yet.


page 1

page 3

page 8

page 10

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Network intrusion detection systems (NIDS) play a critical role on detecting malicious activities in networks. Based on the detection mechanism, NIDSs can be generally classified into two types: signature-based ones match abnormal patterns in the predefined signatures’ database while anomaly-based ones find deviations from normal profiles[1]. However, due to the intrinsic adversarial nature of NIDSs, skilled attackers continually strive to conduct evasion attacks to prevent their malicious activities from being detected[2, 3, 4]. Evasive techniques against signature-based NIDSs have been extensively studied in prior studies[2, 5, 6, 7, 8], of which the main principle is finding a stealthy way to conceal their abnormal signatures. As for anomaly-based NIDSs, some early work [9, 10, 11] conducted mimic attack that encoded malicious traffic to mimic the normal profile, in order to evade systems using simple statistics such as byte frequency [12].

Over the last decade, the paradigm on network attacks and intrusion detection has dramatically shifted. Anomaly-based NIDSs tend to play an incremental role to find unknown attacks (such as zero-day attack) that cannot be detected by signature-based ones. Moreover, as traffic volume grows exponentially as well as more and more traffic is encrypted, payload-based detection becomes difficult and inefficient. Recently, machine learning (ML) techniques are increasingly employed in anomaly-based NIDSs for non-payload-based detection. For example, Mirsky et al. presented Kitsune [13]

, an online NIDS using an ensemble of neural networks, achieving over 99% AUC (Area Under the Curve) in most cases.

In this context, existing evasion methods on signature-based [2, 5], or payload-based NIDSs [9, 10] are no longer effective. However, more opportunities can be provided due to internal vulnerabilities of ML discovered in recent research [14, 15, 16]. Although there have been many studies on evading other learning-based systems classifying images[17, 18, 19], videos[20], texts[21], and malware[22, 23, 24, 25], it is still non-trivial for NIDSs since: (1)feature extraction/mapping on network traffic is much more sophisticated; (2) we need to ensure that there is no communication violation or compromise of maliciousness when modifying malicious traffic.

Directly modify features
Knowledge on classifiers
Knowledge on feature extractors

0.8 FWA/FGA/FBA/TWA: Feature/Traffic-space White/Gray/Black box Attack

PGA/PBA (Ours): Practical (traffic-space) Gray/Black box Attack

Under this assumption, means the attacker has full knowledge about the ML model (including parameters, outputs, etc.),

can only acquire the output probabilities, and

neither has any knowledge nor can access to the ML model.

TABLE I: Comparison of assumptions in evasion attacks

Unfortunately, existing studies on evading learning-based NIDSs [26, 27, 28, 29, 30] mostly conduct the feature-space attacks—they only focus on modifying the input of classifiers (i.e., features) rather than the input of systems (i.e., network traffic). However, feature extraction/mapping in NIDSs is neither invertible nor differentiable, making feature-space attacks rather over-simplistic and impractical. Meanwhile, most studies directly employ gradient-based adversarial example attacks against image classification [16, 17, 18, 19]

. However, such attacks are only useful for Deep Neural Networks but cannot be applied to other ML models without obtainable gradients such as Decision Tree. Moreover, although there are few studies conducting

traffic-space attacks, they are just randomly mutating the traffic [31, 32], or based on a strong white-box assumption of having full knowledge about the NIDS [33].

In summary, we face three challenges to develop a practical and generic study on evading learning-based NIDSs:

  • []

  • Practicability. How to perform a functionality-preserving traffic-space evasion attack with extremely limited knowledge and affordable overhead?

  • Generality. How to propose a generic framework effective for NIDSs using various features and ML models?

  • Explainability. How to interpret the fragility and improve the robustness of learning-based NIDSs against such attacks?

In light of the challenges, we formulate the evasion attack as a bi-level optimization problem and solve it by presenting a heuristic adversarial packet crafting framework, which can automatically mutate malicious traffic and select the best traffic mutant whose extracted features are most like

benign. To solve the first and second challenges, we summarize commonly used features in most state-of-the-art learning-based NIDSs and then present several traffic mutation operators which can influence all summarized features without breaking malicious functionality. Attackers without detailed information about the feature extractor in the targeted system can also benefit from this summarized intelligence. Moreover, we extend the prior ideas of using generative adversarial network (GAN) to treat the targeted ML classifiers as a black box, thus can evade any ML models. To solve the third challenge, we propose a feature-space interpretation method to effectively measure the robustness of NIDSs. By quantifying the extent to which each feature is manipulated by attackers, we propose a defense strategy by removing features with poor security scores.

Contributions. Our major contributions involve presenting a novel evasion attack and defense on learning-based NIDSs in practical settings, followed by evaluation and interpretation. Specifically, they are elaborated as follows:

  • We present the first practical traffic-space evasion attack on learning-based NIDSs under gray and black box assumptions.

  • We propose a feature interpretation method for evaluating the adversarial robustness of targeted NIDSs.

  • We use six attack traffic sets to extensively evaluate our attack and defense method on the state-of-the-art NIDS Kitsune, as well as various learning-based NIDSs including six typical ML classifiers and two feature extractors (packet-based and flow-based). Significant insights behind the attack are also explored through in-depth analysis.

The rest of the paper is organized as follows: We start by providing backgrounds in Section II. Section III introduces the threat model, as well as the formulation, motivation, and overview of our attack. Section IV and Section V elaborate two steps in our attack. The defense schemes are provided in Section VI. Experimental results and findings are shown in Section VII. We make discussions on limitations and improvements in Section VIII. Finally, we summarize the related work in Section IX and conclude in Section X.

Ii Background

In this section, we introduce the general architecture of learning-based NIDSs and introduce non-payload-based detection. Then we formulate existing evasion attacks and summarize their unreasonable assumptions.

Learning-based NIDS. In general, a learning-based NIDS consists of traffic capture, feature engineering and classification as shown in Fig. 1. First, network traffic is captured for generating traffic dataset. Then the set of features is extracted, selected, and eventually fed into the ML classifier for training or prediction. To give an illustration of learning-based NIDSs, we briefly introduce Kitsune[13]

as a state-of-the-art case. Kitsune employs external libraries (e.g. tshark) to acquire raw packets. Then its feature extractor called AfterImage retrieves one feature vector from the meta information of each packet which contains over 100 statistics. Finally, features are mapped into groups and then fed into two-layer ensemble Autoencoders.

Non-payload-based NIDS. In this study, we focus on evading learning-based NIDSs in which packets’ payload is not inspected (called non-payload-based). We think this is reasonable due to two considerations: Firstly, we find that most learning-based NIDSs are likely to use non-payload-based features as inspecting payload is heavy and even impossible for encrypted traffic nowadays. Secondly, evading payload-based anomaly-based NIDSs has been well studied [10, 9]. Note that non-payload-based NIDSs prefer to detect attacks that rely on volume and/or iteration such as DoS/DDoS (Distributed Denial of Service), scanning, brute force, and Bot/Botnet. Other attacks related to specific content such as remote code execution and SQL injection are out of the scope of such NIDSs.

Fig. 1: The general architecture of learning-based NIDSs.
(a) Intuitive attack framework in feature space
(b) Motivation examples of adversarial features generation
(a) Intuitive attack framework in feature space
(c) The complete framework of our evasion attack.
Fig. 2: Attack methodology. In (fig2a) and (b), each plot depicts a high-dimensional feature space, in which the distribution of benign features in the targeted classifier is enclosed by a solid line with green; benign, malicious, and adversarial features are represented by small solid circles, crosses, and triangles respectively. In (b), the limited ability/overhead of an attacker is represented by a red neighborhood.

Existing evasion attacks. In a nutshell, evasion attacks aim at finding variants with the same malicious behavior as original samples but can be misclassified as benign by the targeted system. For illustration purposes, we use the function to represent the extraction from a series of related traffic to feature vectors and to represent ML classifiers that take feature vectors as input and output the malicious probabilities. At any certain time, we denote by and two series of related original and mutated malicious traffic used to extract two feature vectors and , respectively (i.e., and ). Table I lists current evasion attacks (i.e., FWA/FGA/FBA and TWA) on learning-based NIDSs and their assumptions. In general, there are two impractical assumptions in these studies:

  1. [leftmargin=1.5em]

  2. Directly modifying features’ value (e.g.,[26, 29, 30]). Many previous studies merely find evasive features as solving , which directly modify features’ value without considering how to mutate traffic.

  3. Requiring targeted classifiers’ output (e.g.,[24, 29, 33]). Some work assumes that classifiers’ specific output is attainable, then evasion attacks can be regarded as solving an optimization problem: .

However, directly modifying features cannot be operated in practice as extraction from traffic to features is not invertible. Detailed settings or output probability of ML classifiers are often unavailable since they are just an intermediate step in real-world NIDSs. Since the above two assumptions are rather impractical in real-world settings, we relax them in our attack.

Iii Attack Methodology

In this section, we firstly define the threat model of two practical attacks, and then present our attack method by formulating it into an optimization problem. Finally, the motivation and overview of our solution are introduced.

Iii-a Threat Model

We consider an attacker starts with a series of traffic with malicious intent and wants to evade a learning-based NIDS using non-payload-based features. Unlike previous white/gray-box attacks, the attacker neither requires any knowledge about the target classifier nor its output label or probability. Unlike previous feature-space attacks, the attacker can only mutate original traffic generated from the devices he/she controls (i.e. traffic-space attack) at an affordable overhead. Additionally, based on the different knowledge of features used in the targeted NIDS, the attacker can perform the following two attacks:

  • Practical Gray-box Attack (PGA). In this case, the full features used in the targeted NIDS are known, which means that the attacker can build the same feature extractor as the NIDS and use it to extract features exactly. This may seem extreme, but the features are often published [34, 13, 35, 36, 37, 38, 39].

  • Practical Black-box Attack (PBA). We assume a more practical case, in which the attacker has very limited knowledge about the features used in the targeted NIDS. In this case, the attacker can only use his/her knowledge about widely-used features and build a surrogate feature extractor.

Iii-B Practical Traffic-space Evasion Attack Problem

According to the threat model, firstly, we relax two assumptions in Section II by training a substitute classifier with probabilistic output to approximate . This also solves the problem that some ML models without continuous output values (such as Isolation Forest) are difficult to optimize. Another difficulty is how to ensure that the mutated traffic still contains the malicious behavior. For one thing, we guarantee that original traffic will not be destroyed during mutating. For another, the extra injected traffic should not affect the functionality of the original traffic. (Details on how to preserve the functionality will be discussed later in Section V-A). Secondly, we build the surrogate feature extractor . As for PGA, is exactly the same as , while is simulated as for PBA. Additionally, we denote the mutate operation as which can transform original traffic to a set consists of all possible mutated traffic . We say a mutate operation is safe (denoted by ) if the mutation can preserve the malicious functionality of . Therefore, the evasion attack can be formulated as solving:


Obviously, problem (1) is intuitive but hard to solve. We now transform it through the idea of mimicking normal features: Since the normal profile in a learning-based NIDS is constructed by the classifier fed with features, there are reasonable grounds to believe that features can implicitly give expression to the normal profile. Therefore, given a rational distance metric and a benign feature , the closer a feature vector is to , the more likely is classified as benign by the targeted classifier. Consequently, we transform problem (1) into the following bi-level optimization problem:


where is the anomaly threshold in the ML model. means that is classified as benign.

Overall, we solve the above problem by separately solving the lower and upper-level objective function. In other words, we firstly solve in (3) under the constraint (4), and then use the solved to search in (2) under the constraint (5). To give intuition of this solving process, Fig. 1(b) depicts these two steps from the perspective of feature-space. The classifier in a targeted NIDS is trained beforehand to make a distinction between the distribution of benign and malicious features. Firstly, for each malicious feature, an is produced which can be not only classified as benign but also as close as possible to the malicious feature in terms of features’ value; we refer to such feature as adversarial feature. In general, lies on the low-confidence region of the classifier. Generating adversarial features is what problem (3) aims to solve. Secondly, original malicious traffic is mutated to transfer its features to the closest adversarial/benign ones, which is what the whole problem (2) aims to solve.

Iii-C Motivation and Overview of Solution

We now introduce specific methods employed in the aforementioned two steps to solve the bi-level optimization. We use an enhanced generative adversarial network (GAN) model to generate the adversarial features (Eq. (3

)), and particle swarm optimization (PSO) to search evasive traffic mutants (Eq. (

2)). We now introduce the motivation of adopting GAN and PSO, and how to combine them to complete the evasion attack.

Why generating ? In a nutshell, adversarial features can save the overhead of modifying traffic/features when the attacker’s overhead budget or ability is limited. For one thing, an attacker is likely to have a budget of overhead (such as the extra time and crafted traffic volume to evade detection). For another, we note that the attacker’s ability to modify traffic/features is limited in practice. For examples, excessively increasing the interval time will cause the connection timeout, and injecting excessive traffic may be perceived by the victim. Fig. 2b provides examples to demonstrate the necessity of adversarial features. If a malicious feature is beyond the attacker’s overhead budget/ability, it cannot be transformed into a benign one by any means (Scenario 1). Without guidance of adversarial features, a malicious feature may eventually fail to reach the nearest benign space (Scenario 2) or miss the transient benign space (Scenario 3).

Why GAN? Adversarial features generation needs to be: (1) model-agnostic—we assume the attacker has no knowledge about the ML classifier; and (2) efficient—there may be tons of malicious/traffic in practice. GAN [40] consists of two neural networks, generator and discriminator, contesting with each other to complete a min-max game. Inspired by previous ideas[25, 29], GAN is highly competent to generating adversarial features since (1) the discriminator can be trained as a substitute for the targeted classifier, thus conducting model-agnostic attack; (2) once the generator is trained, it can generate efficiently for any malicious feature.

Why PSO? Network traffic is difficult to directly participate in the numerical calculation, so we vectorize traffic as high dimensional vectors involving meta-information of packets’ header. Note that, the vectorization from traffic to vectors is invertible. Therefore, problem (2) turns into finding best meta-info vectors. However, unlike continuous feature space, each dimension of the meta-info vectors has various discrete values, thus problem (2

) is indeed a hard combinatorial optimization task (NP-complete). Hence, we resort to swarm intelligence algorithms to find approximate solutions. We employ PSO

[41] since it is a simple but powerful method with great adaptability on dealing with high dimensional tasks.

How they work together? In a nutshell, GAN generates the optimization objective of PSO. In other words, when mutating malicious traffic based on PSO, we find traffic mutants with the best evasive effectiveness by measuring their similarity to the adversarial features generated by GAN. Specifically, the proposed evasion attack method is illustrated in Fig. 1(c), including the following two steps:

  • Adversarial Features Generation: We assume an attacker wants to launch some activities, which will induce a series of malicious traffic. First, the attacker needs to collect some benign traffic in the network he/she controls. Then, two kinds of traffic are extracted into features by the surrogate extractor, and fed into our GAN model. After the training phase, the generator is capable to generate adversarial features.

  • Malicious Traffic Mutation: After generating adversarial features, we employ PSO with predefined operators to mutate malicious traffic automatically. Each particle in the swarm represents a vector consists of meta-info of mutated malicious traffic. The swarm is iteratively searching the traffic-space under the guidance of the temporary best particle whose features are most similar to the adversarial feature. Finally, the best particle is selected after several iterations.

The details of the above two steps are elaborated in next two sections IV and V, respectively.

Iv Generating Adversarial Features

We now introduce the procedure of generating adversarial features. Our enhanced GAN model is shown in Fig. 1(c) on the top, which consists of a generator and a discriminator.


The generator is a feed-forward neural network whose aim is to transform a malicious feature into its adversarial version. It takes the concatenation of a malicious feature vector

and a noise vector from a distribution as input and outputs a generated feature vector represented by

. To train the generator, its loss function is defined in (

6) as:


where is the set of original malicious features. should be minimized with respect to the weights in the generator’s network. In this study, we extend prior GANs by additionally computing a construct error between the input and output. In this study, we use the root mean square error where is the dimensionality of the input and output features. Thus, the generated features can mimic the distribution of benign features while approaching malicious ones.

Discriminator. The discriminator is used to distinguish generated features from benign ones. It is also a feed-forward neural network whose input consists of the above two classes of feature vectors, and its output is a probability of determining an input vector is generated. The discriminator is trained to maximize the output of generated input vector while minimize the output of benign input vectors. Thus, its loss function is:


where is the set of features extracted from benign traffic collected in the network the attacker controls beforehand. is the set of features generated by the generator.

The training process is an iterative and mutual optimization between the generator and discriminator until a convergence. Then, the generated features from the generator can work as adversarial features .

V Mutating Malicious Traffic

In this section, we introduce how to automatically mutate traffic through our heuristic method. First, we design the mutation operators on malicious traffic. Then, we introduce the vectorization from traffic to meta-info vectors. Finally, we propose the PSO-based traffic mutation algorithm.

V-a Basic Traffic Mutation Operators

We now introduce how to design basic mutation operators on malicious traffic (i.e. in Eq. (5)). Generally, the mutation operators should be able to affect as many types of features as possible (in order to be generic), even when there is only limited knowledge of the features used in the targeted system (for PBA). Besides, the mutation operators should be functionality-preserving and stealthy to prevent being perceived by victims. However, the feature extraction methods of learning-based NIDSs in recent studies seem to be different, which raises the difficulty to conduct a generic attack. Nonetheless, we find a consensus

on extraction methods among studies on non-payload-based NIDSs and other network anomaly detection systems

[34, 13, 35, 36, 37, 38, 39]. Based on this, we summarize the feature types widely used in these works from a high-level (Appendix A). This summarized intelligence basically covers the features used in related works, which also helps attackers without detailed knowledge of features used in the targeted system (i.e., PBA) to build the surrogate feature extractor.

Then, we design mutation operators which can affect all summarized features (see Fig. 7) while preserving the functionality. Specifically, they consist of modifying original malicious traffic and injecting/adjusting crafted stealthy traffic:

Original malicious traffic modification. We ensure that the original traffic will not be deleted and the order of packets will not be changed. Hence the only mutation operator is:

  1. [label*=(),leftmargin=1.75em]

  2. Altering the interarrival time of packets in original traffic

Crafted stealthy traffic injection. It is non-trivial to determine packer headers’ content of crafted traffic. Firstly, we can only craft traffic send from the attacker, and some fields (MAC/IP/port) in crafted packets need to be consistent with that of original packets nearby; otherwise the crafted packets cannot affect features extracted from original packets. Secondly, the assignment of other fields in header must meets the following requirements: (1) it will not compromise the maliciousness of the original traffic; (2) it will not cause the protocol semantics or communication violation (such as connection breakdown of TCP traffic); (3) it will not induce responses by the victim (for stealth and consistency of replay). In light of these requirements, we list optional methods for generating crafted traffic in Table II. We note that a previous method used in [33] by modifying TTL requires the knowledge of the victim’s network topology, which is extremely strict. Hence, we extend other methods for different types of traffic without additional knowledge.

Crafted traffic adjustment. There are several adjustments for crafted packets after being injected:

  1. [label*=(b0),leftmargin=2.25em]

  2. Altering the interarrival time of packets in crafted traffic

  3. Altering the protocol (layer) of packets in crafted traffic

  4. Altering the payload size of packets in crafted traffic

Traffic type Generation methods
Subtly assigning the TTL field so that the NIDS can receive
the crafted packet but the victim cannot[33].
Requesting the establishment (i.e., send SYN) of an
established or establishing connection again.
1-2[1.75pt/2pt] TCP (established)
Packets with smaller (already acknowledged) or larger
sequence number than expected.
Packets with smaller or larger acknowledge number than
Padding packets’ payload with semantical-free content (such
as randomly padding).
Packets with deprecated type or code field.
TABLE II: Crafted traffic generation method
Fig. 3: Vectorization and Rebuilding between vectors and traffic.

V-B Meta-information Vectorization

To facilitate numerical operations on structured traffic data, we vectorize traffic into meta-info vectors containing meta-information of original traffic. Note that unlike feature extraction, this vectorization is invertible, which means that it is effortless to rebuild traffic from meta-info vectors. Meanwhile, the aforementioned mutation operators on traffic need to be reflected in the vectors. Details of the meta-info vectors and an illustrative example about vectorization and rebuilding between vectors and traffic are shown in Fig. 3, where denotes the meta-info vectors.

To illustrate the meaning of each dimension in and how they reflect the mutation operators, an is further divided into and used to represent a packet in original malicious traffic and several crafted packets right in front of it in time, respectively. The contains two parts: Timestamp corresponds to Mutation (a), and Number of crafted packets determines the size of the list . Each craft packet denoted with contains three parts: Interarrival time related to Mutation (b1) is the time interval from the previous packet; Number of protocol layers corresponding to Mutation (b2) refers to its layer in the TCP/IP protocol; Payload size directly reflects Mutation (b3).

V-C PSO-based Automatic Traffic Mutation

We now present our algorithm for automatically searching the best traffic mutants based on PSO. The general framework of PSO is shown in Fig. 1(c). Each particle represents a mutant in traffic-space. PSO optimizes a problem by iteratively moving each particle according to its position and velocity vector. Each particle’s movement in an iteration is computed by its velocity, and the velocity is decided by three items: the last state (inertia), its individual best known position (cognitive force) denoted with , and best known position of other particles (social force) denoted with . In this study, particles’ position vectors denoted with are exactly meta-info vectors, and velocity vectors denoted with share the same structure with . Each dimension of represents the difference between the corresponding position vectors.

The proposed algorithm is shown in Algorithm 1, where denotes the number of iterations and number of particles in the swarm. In each iteration, we firstly evaluate each particle’s evasive effectiveness (on line 6) and update individual best and global best positions (on lines 7-8), which are respectively used to compute cognitive force (on line 10) and social force (on line 11). Then, each particle’s is updated by multiplying constant weights , , and with inertia, cognitive, and social items, respectively (on line 14). Each particle’s is then updated according to (on line 15). Some highlights in the algorithm are elaborated as follows:

0.95 Input:Hyperparameters in PSO;
  attacker’s overhead budget ;  the particle swarm ;
  grouped original malicious traffic ;
Output: The grouped mutated malicious traffic .
1 for each in  do
2        Vectorize().  meta-info vectorization Initialize().  initialize population for  to  do
3               for  to  do
                       distance evaluation
4                      Rebuild();
5                      Update individual best referring to . Update global best referring to .
6               end for
7              for  to  do  update each and
                        cognitive force
                        social force
8                      Randomly sample . ;
9                      UpdateX().
10               end for
12        end for
13       Append Rebuild() into .
14 end for
Algorithm 1 PSO-based Traffic Mutation Algorithm

Overhead budget. In this study, we limit the attacker’s overhead budget from two aspects. The first overhead denoted with is the rate of the number of crafted packets to that of original packets. The second overhead denoted with is the rate of time elapsed of mutated traffic to that of original traffic. In other words, the crafted packets number and time elapsed of mutated traffic must no more than and , respectively.

Traffic grouping. We find that malicious traffic in different periods is significantly diverse even for traffic from the same attack. With this in mind, original malicious traffic is divided into groups with the same number of packets for a more meticulous mutation. Hence, the mutation algorithm is executed once for each group (on line 1), and eventually producing a set of grouped mutated malicious traffic denoted with .

Effectiveness evaluation (on line 6). Specifically, evasive effectiveness is evaluated in three steps: First, mutated traffic is rebuilt from the position (i.e., meta-info) vector. Original traffic is directly retrieved after a replacement with Timestamp in . As for crafted packets, after determining their protocol type through Number of protocol layers in , they can be rebuilt through the methods mentioned in V-A. Second, mutated traffic is extracted into features through the surrogate extractor. Third, the distance between extracted features and adversarial features is computed and used as the effectiveness.

Population initialization (on line 3). To sufficiently dispersing initial particles in the search-space, fields in and # crafted pkts in are randomly initialized within the valid range. As for Timestamp of , we divide the maximum interarrival time (related to ) between every two original packets into equal parts, and Timestamp is randomly selected from these -section points. And is filled with initially.

Position update (on line 15). The is simply updated by adding with computed on line 14. However, some dimensions of are discrete (e.g., # crafted pkts). We discretize them by approximating them to the nearest discrete values.

Vi Defense Scheme

We introduce three probable mitigations against the proposed attack, including two prior works and our novel scheme:

Adversarial training[17]. This is a promising method widely used to defend against adversarial examples in the image domain by retraining the classifiers with correctly-labeled adversarial examples. However in our traffic-space attack, it can only reduce the attack effectiveness by limiting the generation of adversarial features.

Feature selection[42]. This is an important step in feature engineering to remove redundant/irrelevant dimensions of features used in ML models, which can effectively improve detection performance and robustness.

Adversarial feature reduction

. We propose a novel scheme dedicated to evaluate the robustness and defend against such attacks. In a nutshell, we proactively simulate the proposed attack and then calculate the degree to which the value of each feature dimension in the mutated traffic is close to the adversarial features compared to original value (see Appendix B for details). The proximity rates of each feature dimension can be viewed as the adversarial robustness scores. Our main claim is the high dimensionality of features gives attackers an opportunity to exploit some vulnerable dimensions to evade detection. Hence, we propose a defense scheme by deleting a fraction of feature dimensions with low robustness score.

Vii Experimental Evaluation

In this section, we extensively evaluate the performance of attacks and defenses. We introduce the experimental settings in VII-A. In VII-B and VII-C, several attacks are evaluated using different kinds of malicious traffic and different NIDSs. We extend our attack to PBA and evaluate PBA attacks in VII-D. Execution cost and impact of parameters are measured in VII-E. We verify our attack is functionality-preserve in VII-F. Finally, defense methods are evaluated in VII-G.

Vii-a Experimental Settings

Datasets. Table III summarizes the information of traffic sets used in this study, including six well-known attacks from two up-to-date traffic datasets. Kitsune Dataset[13] was used to evaluate Kitsune by proactively performing a number of attacks in their video surveillance network. CIC-IDS2017 [43] collected traffic for common attacks in a large-scale testbed, which covers all common devices and middleboxes.

Targeted NIDSs. Firstly, the entire Kitsune[13] is evaluated as the state-of-the-art off-the-shelf NIDS. Secondly, NIDSs using different ML classifiers and features are also evaluated:

  • Feature extractors: We evaluate two representative feature extractors: AfterImage[13] is a packet-based extractor in Kitsune. It computes incremental statistics of packet’s size, count and jitter in various damped time windows. CICFlowMeter[36] is a flow-based extractor. It extracts several statistics (e.g., size, count, and duration) of connections.

  • ML classifiers: We apply six classifiers that are widely used in related work to comprehensively cover ML models [44, 45, 46]. KitNET is a deep, unsupervised, and ensemble learning classifier used in Kitsune. We also use classical supervised ML models including Logistics Regression (LR), Decision Tree (DT) and Support Vector Machine (SVM), as well as

    Multi-Layer Perceptron


    ) representing deep learning models. An anomaly detection model

    Isolation Forest (IF) is also used.

Baseline attacks. For one thing, we find that previous attacks against signature-based NIDSs (like [2, 5, 6]) and traditional anomaly-based NIDSs (like [9]) perform nearly no evasive effect. This is because these methods focused more on manipulating the payload. For another, feature-space attacks (e.g.,[26, 30]) including FWA/FGA/FBA cannot participate either. Hence, we employ traffic-space attacks in very few related studies as baselines:

  • Random Mutation. Note that randomly mutating traffic is not a weak attack we imagined, but appears in published works [31, 32]. We use two random mutation methods: Random-ST is randomly spreading interval-time between packets; Random-Dup is randomly duplicating partial original traffic. As for other methods, packet injection is not used since we find it has no effect on all traffic sets; delete/reorder packets compromises functionality of the original traffic.

  • Traffic-space White-box Attack (TWA). The only work of TWA we find is [33], which uses similar mutation operators as ours. Since attackers have full knowledge of the targeted NIDSs in their assumption, the output probability of the classifier can be directly used as the optimization objective.

Metrics. We firstly present four new metrics with their formulations and intuitive descriptions listed in Table V. Notations used in the metrics are listed in Table IV

. According to usage, evaluation metrics used in this work can be divided into three categories:

  • Evasive effectiveness (MER, DER, and PDR). Roughly speaking, original Malicious traffic Evasion Rate (MER) and Detection Evasion Rate (DER) respectively reflects how much original malicious traffic and all mutated traffic (including crafted traffic) become evasive after attack. That is to say, DER additionally considers whether the crafted traffic is classified as malicious, which can reflect whether our attack is stealthy. Since MER and DER are highly dependent on the selection of the anomaly threshold, we propose a more accurate metric by measuring the decline rate of the malicious probabilities outputted by the targeted classifier, namely malicious Probability Decline Rate (PDR).

  • Interpretable indicator (MMR). In order to explain and understand the reason and principle of evasion attacks on learning-based NIDSs, we propose an interpretable indicator Malicious features Mimicry Rate (MMR) which can explicitly show the change of features in the latent space during attacks. Specifically, MMR reflects the degree to which malicious features are close to adversarial features during the mutation.

  • Detection performance. We additionally use three typical metrics—Precision, Recall, and F1-score —to measure the detection performance of NIDSs. Note that, these three metrics are measured without any evasion attacks.

Datasets Attacks # Test Pkts (Malicious) # Training Pkts
Kitsune Dataset Mirai Botnet 10,000 (8,079) 100,000
Fuzzing 20,000 (14,898)
SSDP DoS 10,000 (7,987)
CIC IDS2017 Port Scan 10,000 (2,569)
Brute Force 20,000 (6,136)
DDoS 10,000 (9,966)
TABLE III: Attack traffic datasets.
Notation Meaning
predicted positive number in original malicious traffic
predicted positive number in mutated malicious traffic
malicious and crafted pkts’ number in
the set of adversarial features
the set of features extracted from original malicious traffic
the set of features extracted from mutated malicious traffic
mathematical expectation
TABLE IV: Notations in Metrics.
Metric Name Formulation Intuitive Description
Detection Evasion Rate (DER)
% undetected mutated traffic (malicious and crafted) to originally detectable traffic.
original Malicious traffic Evasion Rate (MER)
% undetected mutated malicious traffic (exclude crafted) to originally detectable traffic.
malicious Probability Decline Rate (PDR)
To which extent the malicious probability output declines in the targeted ML classifier.
Malicious features Mimicry Rate (MMR)
To which extent features extracted from mutated traffic are close to the adversarial features.
TABLE V: Experimental Metrics.
Fig. 4: The evasive effectiveness of our attacks compared with baselines (higher is better).

Vii-B Evasive Effectiveness of Different attacks

In this section, we compare the evasive effectiveness of our PGA attacks with three baselines by evading Kitsune under different traffic sets. We also evaluate the effectiveness of adversarial features in our attacks by comparing our PSO-based algorithm with (GAN+PSO) and without (PSO) adversarial features. We also compare the impact of overhead budget in our attacks using a lower () and a higher budget (). Note that, baseline attacks are all with the higher overhead budget. The results are shown in Fig. 4.

Evasive effectiveness comparison. As evident in the results of MER/PDR, our attack GAN+PSO perform very well relative to random mutations at the same budget (). The effectiveness of random mutations is extremely unstable; each mutation only works under specific traffic sets. Moreover, thanks to our two-step attack framework, our gray-box attack surprisingly outperforms the state-of-the-art white-box attack (TWA) in all traffic sets. As for DER, results show that the drop from MER to DER is <3% in most cases, which shows that the crafted traffic in our evasion attack is stealthy and unobservable even with (more crafted packets).

Impact of adversarial features. We observe that using adversarial features indeed increases the evasive effectiveness (by 10-20% usually). Especially in Fuzzing, GAN+PSO increases MER/DER by more than 90% compared with GAN.

Impact of overhead budget. It is easy to understand that a higher overhead budget (namely, looser limitation) performs better results. Specifically, GAN+PSO with larger and have 20-30% higher MER/DER in most cases.

Performance of different traffic sets. As shown in the results, our attack achieves >97% MER/DER on half of the traffic sets, as well as >70% MER/DER on five of six traffic sets. As for reasons of the relatively poor MER/DER in DDoS, we believe this is because malicious features are originally farther from the benign space and beyond the attacker’s ability/budget (recall Scenario 1 in Figure 2b). In fact, we find the anomaly score (i.e, RMSE in Kitsune) of original features in DDoS is many orders of magnitude larger than other scenarios. This is exactly why its PDR is higher than others (over 99.99%) but MER/DER is lower. This finding also shows that it is necessary to consider attacker’s ability/budget on mutating traffic as well as the original intensity of anomaly instead of purely comparing the evasion rate. Unfortunately, most related studies have ignored this.

Feature Extractor AfterImage CIC FlowMeter (a) Botnet ML Classifier Detection Evasive (MER)—higher is better P R F1 R-Dup R-ST TWA Ours KitNET 0.98 0.92 0.95 0.20% 63.28% 94.98% 99.42% LR 0.96 0.90 0.93 0.67% 14.96% 50.17% 54.74% DT 0.79 0.90 0.84 0.61% 14.36% 49.13% 60.36% SVM 0.99 0.90 0.94 0.82% 9.10% 32.59% 40.31% MLP 0.96 0.97 0.97 0.87% 4.72% 10.59% 45.15% IF 0.95 0.93 0.94 0.76% 0.16% 0.52% 33.63% KitNET 0.87 0.98 0.92 0.00% 9.69% 29.31% 38.89% LR 0.79 0.97 0.87 2.48% 1.87% 20.37% 40.74% DT 0.76 0.91 0.83 0.64% 3.70% 17.90% 30.76% SVM 0.78 0.98 0.87 0.00% 22.19% 41.35% 84.62% MLP 0.90 0.88 0.89 0.00% 0.00% 9.10% 38.80% IF 0.97 0.89 0.93 2.46% 0.00% 0.00% 37.31% (a) DDoS ML Classifier Detection Evasive (MER)—higher is better P R F1 R-Dup R-ST TWA Ours KitNET 0.94 0.97 0.95 10.41% 13.74% 52.75% 55.94% LR 0.96 0.91 0.93 27.09% 16.49% 64.90% 70.59% DT 0.76 0.91 0.83 27.43% 17.43% 64.27% 69.86% SVM 0.99 0.90 0.94 29.96% 18.20% 35.19% 79.55% MLP 0.98 0.91 0.94 25.04% 9.58% 43.47% 50.63% IF 0.85 0.89 0.87 0.00% 12.99% 0.0% 17.71% KitNET 0.93 0.90 0.92 0.00% 8.77% 28.59% 32.04% LR 0.70 0.73 0.71 1.25% 0.00% 14.80% 36.82% DT 0.67 0.73 0.70 0.00% 3.01% 16.90% 35.56% SVM 0.75 0.74 0.74 4.13% 2.04% 35.75% 40.92% MLP 0.72 0.71 0.72 5.58% 15.45% 42.89% 50.35% IF 1.00 0.89 0.94 0.00% 0.00% 13.44% 25.98%
TABLE VI: The evasive effectiveness on NIDSs with other feature extractors and ML classifiers.
Attacks (Knowledge on features) Traffic Sets (MER / PDR)—higher is better
Botnet Fuzzing SSDP Port Scan Brute Force DDoS
PBA(0  %) 83.46% / 68.47% 82.68% / 70.04% 53.19% / 57.31% 35.56% / 26.32% 49.50% / 28.07% 33.06% / 99.99%
PBA(50%) 98.77% / 76.16% 98.64% / 82.38% 68.79% / 62.16% 72.72% / 49.78% 52.43% / 30.39% 41.22% / 99.99%
PBA(75%) 99.28% / 77.87% 98.26% / 81.89% 82.62% / 67.06% 76.82% / 52.38% 60.12% / 33.48% 50.45% / 99.99%
1-7[3pt/2pt] PGA(100%) 99.42% / 80.84% 98.69% / 88.67% 78.53% / 65.42% 97.66% / 54.57% 71.81% / 39.86% 55.94% / 99.99%
TABLE VII: The evasive effectiveness on NIDSs with other feature extractors and ML classifiers.

Vii-C Robustness of other Classifiers and Features

We conduct evasion attacks (our PGA and baselines with the higher budget) on different NIDSs described in Section VII-A under Botnet and DDoS traffic. Since DER has been found to be very similar to MER, we use MER to measure the evasive performance, which is also the most concerning indicator for attackers. PDR is not used since it is measured differently among ML models. Table VI lists the results.

Evasive effectiveness comparison. Compared with baseline attacks, our attack has broader generality for evading various ML classifiers using different kinds of features. Specifically, Random-Dup always performs very poor results while Random-Dup only has evasive effectiveness for a few cases. Once again, our attack outperforms TWA in all cases, especially for the Isolation Forest model. We attribute the generality to the feature-level mimicking in our model-agnostic attack.

Robustness of different feature sets. NIDSs with flow-based features are slightly more robust against our attack as well as other attacks than packet-based ones. This is because our mutate operators are packet-based. Since flows consist of packets, per-packet mutation will eventually affect flows, but not vice versa.

Robustness of different classifiers. Based on the results in Botnet, we find that traditional ML methods are more robust than deep neural networks. Specifically, KitNET (in Kitsune) has the (almost) best detection performance but also suffers the highest evasion rate. The probable reason is that KitNET clusters the features into groups, which gives attackers a better chance to influence more feature groups. Through experiments, we find the top 10% dimensions in original features exploited by our attack can eventually cover more than 50% of the features groups. The robustness of the different methods in DDoS is equally poor, while only IF still maintains good robustness. Meanwhile, it can be observed that the evasive performance of different classifiers is diverse significantly. We think this is a normal phenomenon, which is the same as different models with different detection performance. In order to achieve generic a model-agnostic attack, we use Euclidean distance to measure the similarity of features for any models. However, this may not be accurate methods for ML models to understand and measure features. Our goal in this work is to present a method that is as generic as possible to measure the robustness of different ML models to provide NIDS designers with some important insights.

Vii-D Attacks with Limited Knowledge of Features

So far, we have evaluated the effectiveness of our attack under the PGA assumption. We now extend our attack with limited knowledge of features used in targeted NIDSs (i.e., PBA). Specifically, we evaluate three types of attackers, who know the 75%, 50%, and 0% features that are accurately used by NIDSs, respectively. Recall Section III-A, the only difference between PBA and PGA is the surrogate feature extractor used by the attacker. For PBA, besides limited known features, the attacker will also extract commonly used features in Appendix A. Especially for PBA(0%), the attacker without any knowledge about the target system can only simulate the extractor by using other features. We use Kitsune as the targeted NIDS and evaluate the MER and PDR of three PBAs and the PGA in all traffic sets. The results are in Table VII.

As before, we think that PDR can better reflect the evasive effectiveness compared with MER. As shown in the results, PBA(50%) and PBA(75%) perform high PDR that is similar to PGA. Even for attackers without any knowledge, PBA(0%) still has a strong evasive ability (Compared with PGA, the drop of PDR is within 20%). The key insight is that even if we cannot accurately know the features used by NIDSs, the mutation method computed by our attack through simulated features is also effective on real features (that is, it can also effectively transform real malicious features into benign). This finding seems to be very frustrating and frightening for NIDSs like Kitsune, meaning that a weak attacker can easily make a considerable portion of malicious traffic becoming evasive.

Fig. 5: Execution Cost and Impact of Parameters

Vii-E Execution Cost and Impact of Parameters

It is necessary to measure the execution cost for attacks, especially for attackers with limited computing resources. Here, we use TWA as a comparison algorithm to represent the lower bound of execution time. This is because TWA requires the output value of the classifier, so the quality of candidate solutions (i.e., traffic mutants) can be quickly measured, but we do not have this knowledge in our attack. We also compare the impact of three key parameters on the execution time and evasive performance. We denote our attacks using different parameters with (,,): and denotes the number of iterations and particles in PSO, and denotes the number of adversarial features. The results are shown in Fig. 5, where we use Kitsune under two traffic sets since other sets have similar results.

It is shown that our attack with (3,6,100) can approximate the execution time of TWA while performing better evasive performance than TWA. For other parameters, our attacks are acceptable in execution time. Larger parameters have better evasive performance but will consume more time. To balance this trade-off, we think (5,10,1000) is the best combination of parameters, which is also chosen for other parts of experiments.

Vii-F Verification of Malicious Functionality

To be rigorous, although we guarantee the mutation operators in Section V-A will not compromise the malicious functionality of original traffic, we still verify the malicious functionality of the mutated traffic in all six traffic sets.

To measure the malicious functionality, we use three types of indicators: attack effect, malicious behavior and attack efficiency, and compare them in original and mutated traffic. Take Botnet as an example to illustrate the three indicators: In our selected traffic, an attacker used a malware called Mirai to scan IoT devices in the LAN and successfully scanned 8 open devices. In this scenario, attack effect is the final result of the attack, which is that 8 devices were successfully scanned. Malicious behavior contains all offensive behaviors regardless of whether they eventually affect, which is the number of scans. Attack efficiency is related to the elapsed time of the attack. Obviously, attack effect has a greater impact on functionality than malicious behavior, and the change rate of attack efficiency must be within the attacker’s overhead budget .

We use VMs and Dockers to simulate the experimental testbed for each traffic set by referring to their papers [13, 43]. Then we use Tcpreplay and Tcplivereplay to replay original and mutated attack traffic in the testbed and observe the three indicators. Since different attacks have diverse functionalities, the specific meanings of three indicators are case-by-case, making the validation experiment straightforward but tedious, so we put the details in Appendix C and leave the result here: Mutated traffic generated through our evasion attack can preserve the malicious functionality. Specifically, attack effect keeps unchanged in all cases and malicious behavior is reduced only in DoS/DDoS attacks (attack bandwidth is decreased due to increased time interval, but this reduction does not exceed the attacker’s budget (). As for attack efficiency, although our method may slow down some kinds of attack, the change rate of elapsed time is always less than .

Vii-G Performance of Defense Schemes

In this section, we evaluate three mitigations mentioned in Section VI. For adversarial training (AT), we retrain the ML classifiers with 80% relabeled adversarial features and use the remaining 20% for testing. For feature selection (FS

), we use embedded lasso regression model to retain 80% dimensions. As for our adversarial feature reduction (

AFR), we also retain 80% feature dimensions. We use Kitsune in all traffic sets, and use the decline of metrics (MER/PDR/MMR) to evaluate the defense performance. The results are shown in Fig. 6.

Compared with AT and FS, our AFR is very effective in reducing MER/PDR/MMR. We observe that AT has a very limited and unstable defensive effect against the proposed attack. This is because it can limit the generation of adversarial features, but cannot prevent vulnerable feature dimensions from being exploited during traffic mutation. FS can perform better defense effectiveness in some cases. This shows that using fewer feature dimensions can to some extent increase the difficulty for attackers to transform the entire malicious features. We also measure the change of F1-score to evaluate whether the defense methods compromise the original detection performances. We find the change is quite small (within 5%), so they are not depicted in the figure for reasons of spaces.

Fig. 6: The defense performance (higher is better).

Viii Discussions

We discuss limitations and potential improvements of our attacks as follows.

Limitations. As mentioned in Section II, our method is designed for evading NIDSs without payload inspection, so it is invalid for systems additionally using payload-based detection. However, this problem can be easily solved by combining the polymorphic blending attack [9] with ours. And this can be easily implemented: leveraging polymorphic blending attack to encrypt the payload of original malicious traffic and using our method to inject crafted packets. Another limitation is that our attack is off-line at present, but this can be solved by replaying mutated traffic since we have proofed that replayed traffic can conduct the same malicious intent as the original attack.

Background traffic. In the proposed attack, we inject some crafted traffic which can be aggregated with original packets in order to impact features. However, some unpredictable background traffic (i.e., some traffic that is not controlled by the attacker but can also achieve the victim or NIDS) may disrupt our mutated traffic on some features. Nonetheless, we find that only features aggregated by destination information (e.g., dstIP) are affected. Thus, the impact is extremely little (e.g., Kitsune has no features extracted only by destination).

Improving the evasion attack. In this paper, we pay more attention to explore a more practical attack rather than try our best to improve the evasion rate. For one thing, we only use the default settings in the implementation of PSO and GAN in this study. For example, we simply use the set of parameters recommended in [47] (=, ==1.49618) in the PSO algorithm. For another, we use Euclidean distance to measure the similarity of features in this work. We suggest that future work should focus on whether other distance function or careful parameter tuning can perform better results.

Ix Related Work

Adversarial attacks on IDS. Attacks on (N)IDS itself have been extensively studied[2, 3, 4]. Evasion attack, as an important and common form, can be divided into two types: evading signature-based systems [5, 6, 7, 8] and anomaly-based systems [48, 49, 11, 9, 10]. Recently, machine learning, especially deep learning, has been increasingly used in NIDS for anomaly-based detection [1, 37, 13, 45, 46]. In this situation, existing evasion methods on traditional NIDSs are no longer valid. However, more opportunities can be provided due to internal vulnerabilities of ML [50, 14, 15].

Evasion attacks on learning-based systems

. There have been several works on evasion attacks against learning-based systems in other domains. Adversarial example in the domain of computer vision has been widely studied

[17, 18, 19, 51]. Gradient Descent method [23]

and Genetic Programming (GP)

[24] were used for evading PDF malware classifier. MalGAN [25] was proposed to generate adversarial malware examples to evade learning-based malware detection systems using binary vectors. GAN-based method was also used to fool real-time video classification systems [20]

. Text sentiment analysis system was evaded by stochastic optimization method

[21]. However, due to the specificity of network traffic and learning-based NIDS, these methods cannot be directly applied.

Feature-space attacks on learning-based NIDSs. Most prior studies on evading learning-based NIDSs assume that attackers can directly modify the feature vectors. According to the attacker’s knowledge of the targeted NIDS, feature-space attacks can be divided into three categories (recall Table I):

  • Feature-space White-box Attack (FWA). FWA requires full knowledge of the targeted NIDS. In [26], four gradient-based adversarial example attacks were directly used to evade an MLP classifier. Likewise, adversarial examples were leveraged in [30] to evade Kitsune. Similar gradient-based methods were also used in [52] to attack NIDSs for IoT networks, and in [53] to attack GAN-based NIDSs.

  • Feature-space White-box Attack (FGA). FGA requires the feedbacks of targeted classifier (without other knowledge of the classifier compared with FWA). In [29], a GAN-based architecture IDS-GAN was proposed to generate evasive features. In [54], a boundary-based methods was proposed to evade DoS intrusion detection systems by perturbing continuous and discrete features.

  • Feature-space Black-box Attack (FBA). FBA neither requires feedbacks nor any knowledges on the classifier. In [55], four feature dimensions were randomly modified to attack learing-based botnet detectors.

However, feature-space attacks are impractical since feature extraction in learning-based NIDSs is always irreversible.

Traffic-space attacks on learning-based NIDSs. There were also a few studies directly change network traffic, which can be divided into two categories:

  • Traffic-space White-box Attack (TWA). In [33], a white-box attack using similar mutation operators as ours was proposed. However, their assumption that the attacker has full knowledge of the NIDS is hard to achieve in practice.

  • Random mutations. Several mutations were proposed in [31] to evade botnet detectors. Random obfuscations on traffic were proposed in [32]. However, these methods are purely stochastic and lack of theoretical guidance.

X Conclusion

This paper describes the first step toward developing a systematic study on practical traffic-space evasion attacks on learning-based NIDSs. Experimental results show our attack is effective (>97% evasion rate in half cases) and the proposed defense method can effectively mitigate such attacks. Surprisingly, our attack outperforms the state-of-the-art white-box attack while using approximate execution cost, and is effective even without any knowledge of the targeted systems. We extensively measure the robustness of various learning-based NIDSs and provide important findings. Our finding demonstrates that the paradigm of feature engineering should be shifted; we deem the detection performance together with anti-evasion robustness both need to be taken into consideration while designing features used in systems. We firmly believe that our work provides important insights for improving the robustness of learning-based NIDSs and inspires more attention to the robust feature engineering in learning-based systems.

Appendix A Summarization of Feature Extraction Methods

As mentioned in Section V-A, we summarize the feature types widely used in related work [34, 13, 35, 36, 37, 38, 39] from a high-level. This summarized intelligence basically helps to conduct a generic attack and build the surrogate feature extractor for PBA. Specifically, feature extraction methods can be described in the following three aspects:

  • The data form of network traffic. This is also referred to as basic units for further process, which generally involves packet-based and session-based (including flow-based and connection-based) methods in a majority of cases. Specifically, a packet-based method inspects headers of all packets going through a network link, while session-based methods look at aggregated information of related packets of network traffic in the form of flow or connection.

  • Basic measurements. There are three network measurements extensively used in current research, which are size-related, count-related, and time-related. Take the packet-based extraction for illustration, size-related and count-related measurements are packets’ length (in bytes) and number of packets, respectively. And time-related measurements are inter-arrival time between packets.

  • Methods for processing measurements. Given the data form and measurements, we need to determine that measurements are collected from which packets or sessions as well as how to compute feature values from them. Specifically, these two phases can be summarized as follows: (i) Aggregate collection: Some work collects measurements with same traffic direction (inbound or outbound) or fields in the packet header such as IP address and port number. Other maintaining a window with a fixed time interval or packet length/bytes. (ii) Computing statistics

    : Besides using measurements directly, statistics are computed such as the mean, variance, and standard deviation of a single measurement or the covariance and distance between different measurements. Some other methods in mathematical statistics such as frequency distribution are also employed.

Based on the summarization, Fig. 7 describes two extractors used in this work. Besides, we also illustrate how our mutation operators can influence different features in the figure.

Fig. 7: Illustration of summarized features, description of two extractors, and how the proposed mutation operators affect all features.

Appendix B Adversarial Feature Evaluation Algorithm

Algorithm 2 shows the specific robustness evaluation method mentioned in Section VI. we proactively simulate the evasion attack and measure the MMR (on line 7). Then by considering whether this feature vector can evade the classifier, a penalty or reward is added to adversarial robustness score (on lines 8-9). Finally, the adversarial robustness of a feature set is quantized into the score between to (on line 12) of each feature.

0.95 Input: , , , , anomaly threshold ;
Output: Adversarial feature score of each dimension.
1 the dimensionality of a feature vector;
2 Number of features in or ;
3 Initialize with zeros. for each , in , to  do
4        Initialize an with zeros. for  to  do  each dimension
5               MMR();
                add a penalty if successfully evading
6               if  and  then  ;
7               else  ;
8                 add a reward
9        end for
11 end for
Normalize through dividing each dimension by . return
Algorithm 2 Adversarial Feature Evaluation Algorithm

Appendix C Verifying the malicious functionality

Detailed results of verifying malicious functionality of all six attack traffic sets are listed in Table VIII. Note that, although the attack effect cannot be measured in some cases, in fact the results of attack effect are generally the same as malicious behavior. For example, in Brute Force, we do not know the true password of the victim server, but if we guarantee that all the original password attempts exist in the mutated traffic, then obviously the final result is the same.

(a) Botnet Indicators Original Mutated Comparison Number of open devices scanned 8 8 1-4[1.75pt/2pt] Total number of scans 8500 8500 1-4[1.75pt/2pt] Time elapsed 0.795s 2.364s (197%) (b) Fuzzing Indicators Original Mutated Comparison Impact of fuzzing on target systems This cannot be simulated because we have no specific information about the targeted system 1-4[1.75pt/2pt] # pkts containing fuzzing payload 5353 5353 1-4[1.75pt/2pt] Time elapsed 3.81s 2.90s (24%) (c) SSDP DoS Indicators Original Mutated Comparison Impact of DoS attack on targeted systems This cannot be simulated because we have no specific information about the targeted system 1-4[1.75pt/2pt] Attack bandwidth 35Mbps 20Mbps (39%) 1-4[1.75pt/2pt] Time elapsed This can be reflected by the prevent indicator (bandwidth) (d) Brute Force Indicators Original Mutated Comparison Whether the targeted FTP server is cracked This cannot be simulated because we do not know the true password of the targeted system 1-4[1.75pt/2pt] Total number of password attempts 60 60 1-4[1.75pt/2pt] Time elapsed 2.83s 11.26s (298%) (e) Port Scan Indicators Original Mutated Comparison Number of open ports scanned 3 3 1-4[1.75pt/2pt] Total number of scans 4810 4810 1-4[1.75pt/2pt] Time elapsed 6.55s 26.89s (310%) (f) DDoS Indicators Original Mutated Comparison Impact of DDoS attack on targeted systems This cannot be simulated because we have no specific information about the targeted system 1-4[1.75pt/2pt] Attack bandwidth 107Mbps 68Mbps (36%) 1-4[1.75pt/2pt] Time elapsed This can be reflected by the prevent indicator (bandwidth)
TABLE VIII: Comparison of the malicious functionality


  • [1] R. Sommer and V. Paxson, “Outside the closed world: On using machine learning for network intrusion detection,” in IEEE Symposium on Security and Privacy (S&P), pp. 305–316, IEEE, 2010.
  • [2] T. H. Ptacek and T. N. Newsham, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection,” tech. rep., SECURE NETWORKS INC CALGARY ALBERTA, Jan. 1998.
  • [3] I. Corona, G. Giacinto, and F. Roli, “Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues,” Information Sciences, vol. 239, pp. 201–225, Aug. 2013.
  • [4] D. J. Chaboya, R. A. Raines, R. O. Baldwin, and B. E. Mullins, “Network intrusion detection: Automated and manual methods prone to attack and evasion,” IEEE Symposium on Security and Privacy (S&P), vol. 4, no. 6, pp. 36–43, 2006.
  • [5] M. Handley, V. Paxson, and C. Kreibich, “Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics,” in USENIX Security Symposium, 2001.
  • [6] T.-H. Cheng, Y.-D. Lin, Y.-C. Lai, and P.-C. Lin, “Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems,” IEEE Communications Surveys & Tutorials, vol. 14, pp. 1011–1020, 2012.
  • [7] G. Vigna, W. Robertson, and D. Balzarotti, “Testing network-based intrusion detection signatures using mutant exploits,” in ACM Conference on Computer and Communications Security (CCS), pp. 21–30, ACM, 2004.
  • [8] D. Mutz, G. Vigna, and R. Kemmerer, “An experience developing an IDS stimulator for the black-box testing of network intrusion detection systems,” in 19th Annual Computer Security Applications Conference, 2003. Proceedings., pp. 374–383, IEEE, 2003.
  • [9] P. Fogla, M. I. Sharif, R. Perdisci, O. M. Kolesnikov, and W. Lee, “Polymorphic Blending Attacks,” in USENIX Security Symposium, 2006.
  • [10] P. Fogla and W. Lee, “Evading network anomaly detection systems: formal reasoning and practical techniques,” in ACM Conference on Computer and Communications Security (CCS), 2006.
  • [11] H. G. Kayacik, A. N. Zincir-Heywood, M. I. Heywood, and S. Burschka, “Generating mimicry attacks using genetic programming: a benchmarking study,” in 2009 IEEE Symposium on Computational Intelligence in Cyber Security, pp. 136–143, IEEE, 2009.
  • [12] K. Wang and S. J. Stolfo, “Anomalous Payload-Based Network Intrusion Detection,” in International Symposium on Recent Advances in Intrusion Detection (RAID), 2004.
  • [13] Y. Mirsky, T. Doitshman, Y. Elovici, and A. Shabtai, “Kitsune: an ensemble of autoencoders for online network intrusion detection,” Network and Distributed System Security Symposium (NDSS), 2018.
  • [14] M. Barreno, B. Nelson, A. D. Joseph, and J. D. Tygar, “The security of machine learning,” Machine Learning, vol. 81, pp. 121–148, 2010.
  • [15] J. D. Tygar, “Adversarial Machine Learning,” IEEE Internet Computing, vol. 15, pp. 4–6, 2011.
  • [16] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” International Conference on Learning Representations (ICLR), 2014.
  • [17] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and Harnessing Adversarial Examples,” in International Conference on Learning Representations (ICLR), 2015.
  • [18] S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks,”

    2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)

    , pp. 2574–2582, 2016.
  • [19] N. Carlini and D. A. Wagner, “Towards Evaluating the Robustness of Neural Networks,” IEEE Symposium on Security and Privacy (S&P), pp. 39–57, 2017.
  • [20] S. Li, A. Neupane, S. Paul, C. Song, S. V. Krishnamurthy, A. K. R. Chowdhury, and A. Swami, “Stealthy Adversarial Perturbations Against Real-Time Video Classification Systems,” in Network and Distributed System Security Symposium (NDSS), 2019.
  • [21] J. Li, S. Ji, T. Du, B. Li, and T. Wang, “TextBugger: Generating Adversarial Text Against Real-world Applications,” in Network and Distributed System Security Symposium (NDSS), 2019.
  • [22] D. Maiorca, I. Corona, and G. Giacinto, “Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious pdf files detection,” in Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security (ASIACCS), pp. 119–130, ACM, 2013.
  • [23] P. Laskov and others, “Practical evasion of a learning-based classifier: A case study,” in IEEE Symposium on Security and Privacy (S&P), pp. 197–211, IEEE, 2014.
  • [24] W. Xu, Y. Qi, and D. Evans, “Automatically evading classifiers,” in Network and Distributed System Security Symposium (NDSS), 2016.
  • [25] W. Hu and Y. Tan, “Generating adversarial malware examples for black-box attacks based on GAN,” arXiv preprint arXiv:1702.05983, 2017.
  • [26] Z. Wang, “Deep Learning-Based Intrusion Detection With Adversaries,” IEEE Access, vol. 6, pp. 38367–38384, 2018.
  • [27] D. L. Marino, C. S. Wickramasinghe, and M. Manic, “An Adversarial Approach for Explainable AI in Intrusion Detection Systems,” IECON 2018 - 44th Annual Conference of the IEEE Industrial Electronics Society, pp. 3237–3243, 2018.
  • [28] K. Yang, J. Liu, V. C. Zhang, and Y. Fang, “Adversarial Examples Against the Deep Learning Based Network Intrusion Detection Systems,” MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM), pp. 559–564, 2018.
  • [29] Z. Lin, Y. Shi, and Z. Xue, “Idsgan: Generative adversarial networks for attack generation against intrusion detection,” arXiv preprint arXiv:1809.02077, 2018.
  • [30] J. H. Clements, Y. Yang, A. Sharma, H. Hu, and Y. Lao, “Rallying Adversarial Techniques against Deep Learning for Network Security,” CoRR, vol. abs/1903.11688, 2019.
  • [31] E. Stinson and J. C. Mitchell, “Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods.,” WOOT, vol. 8, pp. 1–9, 2008.
  • [32] I. Homoliak, M. Teknos, M. Ochoa, D. Breitenbacher, S. Hosseini, and P. Hanacek, “Improving Network Intrusion Detection Classifiers by Non-payload-Based Exploit-Independent Obfuscations: An Adversarial Approach,” arXiv preprint arXiv:1805.02684, 2018.
  • [33] M. J. Hashemi, G. Cusack, and E. Keller, “Towards evaluation of nidss in adversarial setting,” in

    Proceedings of the 3rd ACM CoNEXT Workshop on Big DAta, Machine Learning and Artificial Intelligence for Data Communication Networks

    , pp. 14–21, 2019.
  • [34] J. J. Davis and A. J. Clark, “Data preprocessing for anomaly based network intrusion detection: A review,” computers & security, vol. 30, no. 6-7, pp. 353–375, 2011.
  • [35] A. H. Lashkari, G. Draper-Gil, M. S. I. Mamun, and A. A. Ghorbani, “Characterization of Tor Traffic using Time based Features.,” in Proceedings of the 2nd international conference on information systems security and privacy (ICISSP), pp. 253–262, 2017.
  • [36] G. Draper-Gil, A. H. Lashkari, M. S. I. Mamun, and A. A. Ghorbani, “Characterization of encrypted and vpn traffic using time-related,” in Proceedings of the 2nd international conference on information systems security and privacy (ICISSP), pp. 407–414, 2016.
  • [37] B. Anderson and D. McGrew, “Machine learning for encrypted malware traffic classification: accounting for noisy labels and non-stationarity,” in Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1723–1732, ACM, 2017.
  • [38] N. Rajasinghe, J. Samarabandu, and X. Wang, “INSecS-DCS: a highly customizable network intrusion dataset creation framework,” in 2018 IEEE Canadian Conference on Electrical & Computer Engineering (CCECE), pp. 1–4, IEEE, 2018.
  • [39] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analysis of the KDD CUP 99 data set,” in 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, pp. 1–6, July 2009.
  • [40] I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial nets,” in Advances in Neural Information Processing Systems (NIPS), pp. 2672–2680, 2014.
  • [41] J. Kennedy, “Particle swarm optimization,” Encyclopedia of machine learning, pp. 760–766, 2010.
  • [42] I. Guyon and A. Elisseeff, “An introduction to variable and feature selection,” Journal of machine learning research, vol. 3, no. Mar, pp. 1157–1182, 2003.
  • [43] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization.,” in Proceedings of the 2nd international conference on information systems security and privacy (ICISSP), pp. 108–116, 2018.
  • [44] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Network anomaly detection: methods, systems and tools,” IEEE Communications Surveys & Tutorials, vol. 16, no. 1, pp. 303–336, 2013.
  • [45] A. L. Buczak and E. Guven, “A survey of data mining and machine learning methods for cyber security intrusion detection,” IEEE Communications Surveys & Tutorials, vol. 18, no. 2, pp. 1153–1176, 2015.
  • [46] E. Hodo, X. Bellekens, A. Hamilton, C. Tachtatzis, and R. Atkinson, “Shallow and deep networks intrusion detection system: A taxonomy and survey,” arXiv preprint arXiv:1701.02145, 2017.
  • [47] R. C. Eberhart and Y. Shi, “Comparing inertia weights and constriction factors in particle swarm optimization,” in

    Proceedings of the 2000 congress on evolutionary computation (CEC)

    , vol. 1, pp. 84–88, IEEE, 2000.
  • [48] K. M. Tan, K. S. Killourhy, and R. A. Maxion, “Undermining an anomaly-based intrusion detection system using common exploits,” in International Symposium on Recent Advances in Intrusion Detection (RAID), pp. 54–73, Springer, 2002.
  • [49] H. G. Kayacik and A. N. Zincir-Heywood, “Mimicry attacks demystified: What can attackers do to evade detection?,” in 2008 Sixth Annual Conference on Privacy, Security and Trust, pp. 213–223, IEEE, 2008.
  • [50] M. Barreno, B. Nelson, R. Sears, A. D. Joseph, and J. D. Tygar, “Can machine learning be secure?,” in ACM ASIA Conference on Computer and Communications Security (AsiaCCS), ACM, 2006.
  • [51] X. Yuan, P. He, Q. Zhu, and X. Li, “Adversarial examples: Attacks and defenses for deep learning,” IEEE transactions on neural networks and learning systems, 2019.
  • [52] O. Ibitoye, O. Shafiq, and A. Matrawy, “Analyzing adversarial attacks against deep learning for intrusion detection in iot networks,” arXiv preprint arXiv:1905.05137, 2019.
  • [53] A. Piplai, S. S. L. Chukkapalli, and A. Joshi, “Nattack! adversarial attacks to bypass a gan based classifier trained to detect network intrusion,” arXiv preprint arXiv:2002.08527, 2020.
  • [54] X. Peng, W. Huang, and Z. Shi, “Adversarial attack against dos intrusion detection: An improved boundary-based method,” in 2019 IEEE 31st International Conference on Tools with Artificial Intelligence (ICTAI), pp. 1288–1295, IEEE, 2019.
  • [55] G. Apruzzese, M. Colajanni, and M. Marchetti, “Evaluating the effectiveness of adversarial attacks against botnet detectors,” in 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA), pp. 1–8, IEEE, 2019.