Black-box Adversarial Transferability: An Empirical Study in Cybersecurity Perspective

A Novel Deep Learning based Model to Defend Network Intrusion Detection System against Adversarial Attacks

Khushnaseeb Roshan, Aasim Zafar, Shiekh Burhan Ul Haque

Published: 2023.8.1

Network Intrusion Detection System (NIDS) is an essential tool in securing cyberspace from a variety of security risks and unknown cyberattacks. A number of solutions have been implemented for Machine Learning (ML), and Deep Learning (DL) based NIDS. However, all these solutions are vulnerable to adversarial attacks, in which the malicious actor tries to evade or fool the model by injecting adversarial perturbed examples into the system. The main aim of this research work is to study powerful adversarial attack algorithms and their defence method on DL-based NIDS. Fast Gradient Sign Method (FGSM), Jacobian Saliency Map Attack (JSMA), Projected Gradient Descent (PGD) and Carlini & Wagner (C&W) are four powerful adversarial attack methods implemented against the NIDS. As a defence method, Adversarial Training is used to increase the robustness of the NIDS model. The results are summarized in three phases, i.e., 1) before the adversarial attack, 2) after the adversarial attack, and 3) after the adversarial defence. The Canadian Institute for Cybersecurity Intrusion Detection System 2017 (CICIDS-2017) dataset is used for evaluation purposes with various performance measurements like f1-score, accuracy etc.

敵対的攻撃深層学習手法データ前処理

ICLR

Intriguing properties of neural networks

C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, R. Fergus

Published: 2014

ICLR

Explaining and harnessing adversarial examples

Goodfellow, I. J., Shlens, J., Szegedy, C.

Published: 2015

MILCOM 2018-2018 IEEE Military Communications Conference (MILCOM)

Adversarial examples against the deep learning based network intrusion detection systems

K. Yang, J. Liu, C. Zhang, Y. Fang

Published: 2018

Engineering

Adversarial Attacks and Defenses in Deep Learning

K. Ren, T. Zheng, Z. Qin, X. Liu

Published: 2020

Adversarial Machine Learning Attacks and Defense Methods in the Cyber Security Domain

ACM Comput. Surv.

Ihai Rosenberg, Asaf Shabtai, Yuval Elovici, Lior Rokach

Published: 2020.7.6

In recent years machine learning algorithms, and more specifically deep learning algorithms, have been widely used in many fields, including cyber security. However, machine learning systems are vulnerable to adversarial attacks, and this limits the application of machine learning, especially in non-stationary, adversarial environments, such as the cyber security domain, where actual adversaries (e.g., malware developers) exist. This paper comprehensively summarizes the latest research on adversarial attacks against security solutions based on machine learning techniques and illuminates the risks they pose. First, the adversarial attack methods are characterized based on their stage of occurrence, and the attacker's goals and capabilities. Then, we categorize the applications of adversarial attack and defense methods in the cyber security domain. Finally, we highlight some characteristics identified in recent research and discuss the impact of recent advancements in other adversarial learning domains on future research directions in the cyber security domain. This paper is the first to discuss the unique challenges of implementing end-to-end adversarial attacks in the cyber security domain, map them in a unified taxonomy, and use the taxonomy to highlight future research directions.

Adversarial Attacks on Machine Learning Cybersecurity Defences in Industrial Control Systems

Eirini Anthi, Lowri Williams, Matilda Rhode, Pete Burnap, Adam Wedgbury

Published: 2020.4.10

The proliferation and application of machine learning based Intrusion Detection Systems (IDS) have allowed for more flexibility and efficiency in the automated detection of cyber attacks in Industrial Control Systems (ICS). However, the introduction of such IDSs has also created an additional attack vector; the learning models may also be subject to cyber attacks, otherwise referred to as Adversarial Machine Learning (AML). Such attacks may have severe consequences in ICS systems, as adversaries could potentially bypass the IDS. This could lead to delayed attack detection which may result in infrastructure damages, financial loss, and even loss of life. This paper explores how adversarial learning can be used to target supervised models by generating adversarial samples using the Jacobian-based Saliency Map attack and exploring classification behaviours. The analysis also includes the exploration of how such samples can support the robustness of supervised models using adversarial training. An authentic power system dataset was used to support the experiments presented herein. Overall, the classification performance of two widely used classifiers, Random Forest and J48, decreased by 16 and 20 percentage points when adversarial samples were present. Their performances improved following adversarial training, demonstrating their robustness towards such attacks.

攻撃検出防御手法攻撃の評価

IEEE Access

Deep learning-based intrusion detection with adversaries

Z. Wang

Published: 2018

2021 5th International Conference on Information Systems and Computer Networks (ISCON)

An Optimized Auto-Encoder based Approach for Detecting Zero-Day Cyber-Attacks in Computer Network

K. Roshan, A. Zafar

Published: 2021

IEEE Access

Privacy and Security Issues in Deep Learning: A Survey

X. Liu, et al.

Published: 2021

Adversarial Machine Learning In Network Intrusion Detection Domain: A Systematic Review

Huda Ali Alatwi, Charles Morisset

Published: 2021.12.7

Due to their massive success in various domains, deep learning techniques are increasingly used to design network intrusion detection solutions that detect and mitigate unknown and known attacks with high accuracy detection rates and minimal feature engineering. However, it has been found that deep learning models are vulnerable to data instances that can mislead the model to make incorrect classification decisions so-called (adversarial examples). Such vulnerability allows attackers to target NIDSs by adding small crafty perturbations to the malicious traffic to evade detection and disrupt the system's critical functionalities. The problem of deep adversarial learning has been extensively studied in the computer vision domain; however, it is still an area of open research in network security applications. Therefore, this survey explores the researches that employ different aspects of adversarial machine learning in the area of network intrusion detection in order to provide directions for potential solutions. First, the surveyed studies are categorized based on their contribution to generating adversarial examples, evaluating the robustness of ML-based NIDs towards adversarial examples, and defending these models against such attacks. Second, we highlight the characteristics identified in the surveyed research. Furthermore, we discuss the applicability of the existing generic adversarial attacks for the NIDS domain, the feasibility of launching the proposed attacks in real-world scenarios, and the limitations of the existing mitigation solutions.

敵対的サンプル敵対的攻撃検出ポイズニング

Adversarial Examples - A Complete Characterisation of the Phenomenon

Alexandru Constantin Serban, Erik Poll, Joost Visser

Published: 2018.10.2

We provide a complete characterisation of the phenomenon of adversarial examples - inputs intentionally crafted to fool machine learning models. We aim to cover all the important concerns in this field of study: (1) the conjectures on the existence of adversarial examples, (2) the security, safety and robustness implications, (3) the methods used to generate and (4) protect against adversarial examples and (5) the ability of adversarial examples to transfer between different machine learning models. We provide ample background information in an effort to make this document self-contained. Therefore, this document can be used as survey, tutorial or as a catalog of attacks and defences using adversarial examples.

敵対的サンプル敵対的攻撃手法ロバスト性向上手法

Inf. Sci. (Ny)

Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

I. Corona, G. Giacinto, F. Roli

Published: 2013

KDD-2004 - Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining

Adversarial classification

N. Dalvi, P. Domingos, Mausam, S. Sanghai, D. Verma

Published: 2004

Mach. Learn.

The security of machine learning

M. Barreno, B. Nelson, A. D. Joseph, J. D. Tygar

Published: 2010

Neurocomputing

Adversarial attacks and defenses in deep learning for image recognition: A survey

J. Wang, C. Wang, Q. Lin, C. Luo, C. Wu, J. Li

Published: 2022

Ieee Access

Threat of adversarial attacks on deep learning in computer vision: A survey

N. Akhtar, A. Mian

Published: 2018

IEEE Access

A survey on security threats and defensive techniques of machine learning: A data driven view

Q. Liu, P. Li, W. Zhao, W. Cai, S. Yu, V. C. M. Leung

Published: 2018

Adversarial Examples - A Complete Characterisation of the Phenomenon

Alexandru Constantin Serban, Erik Poll, Joost Visser

Published: 2018.10.2

敵対的サンプル敵対的攻撃手法ロバスト性向上手法

Rallying Adversarial Techniques against Deep Learning for Network Security

Joseph Clements, Yuzhe Yang, Ankur Sharma, Hongxin Hu, Yingjie Lao

Published: 2019.3.28

Recent advances in artificial intelligence and the increasing need for powerful defensive measures in the domain of network security, have led to the adoption of deep learning approaches for use in network intrusion detection systems. These methods have achieved superior performance against conventional network attacks, which enable the deployment of practical security systems to unique and dynamic sectors. Adversarial machine learning, unfortunately, has recently shown that deep learning models are inherently vulnerable to adversarial modifications on their input data. Because of this susceptibility, the deep learning models deployed to power a network defense could in fact be the weakest entry point for compromising a network system. In this paper, we show that by modifying on average as little as 1.38 of the input features, an adversary can generate malicious inputs which effectively fool a deep learning based NIDS. Therefore, when designing such systems, it is crucial to consider the performance from not only the conventional network security perspective but also the adversarial machine learning domain.

敵対的学習敵対的攻撃検出効果的な摂動手法

ArXiv

Kitsune: An ensemble of autoencoders for online network intrusion detection

Y. Mirsky, T. Doitshman, Y. Elovici, A. Shabtai

Published: 2018

2019 15th International Wireless Communications & Mobile Computing Conference (IWCMC)

Generative Adversarial Networks For Launching and Thwarting Adversarial Attacks on Network Intrusion Detection Systems

M. Usama, M. Asim, S. Latif, J. Qadir, Ala-Al-Fuqaha

Published: 2019

Futur. Gener. Comput. Syst.

Defending network intrusion detection systems against adversarial evasion attacks

M. Pawlicki, M. Choraś, R. Kozik

Published: 2020

Secur. Commun. Networks

A Black-Box Attack Method against Machine-Learning-Based Anomaly Network Flow Detection Models

S. Guo, J. Zhao, X. Li, J. Duan, D. Mu, X. Jing

Published: 2021

Expert Systems with Applications

Adversarial machine learning in network intrusion detection systems

E. Alhajjar, P. Maxwell, N. Bastian

Published: 2021

Int. J. Inf. Secur.

A context-aware robust intrusion detection system: a reinforcement learning-based approach

K. Sethi, E Sai Rupesh, R. Kumar, P. Bera, Y Venu Madhav

Published: 2020

IEEE/ACM Trans. Netw.

Adversarial Attacks Against Deep Learning-Based Network Intrusion Detection Systems and Defense Mechanisms

C. Zhang, X. Costa-Perez, P. Patras

Published: 2022

IEEE Journal on Selected Areas in Communications

Evaluating and improving adversarial robustness of machine learning-based network intrusion detectors

D. Han, G. Wang, X. Zhong, J. Chen, H. Yang, Y. Lu, Y. Shi, H. Yin

Published: 2021

International Symposium on Computers and Communications (ISCC)

Evaluating Resilience of Encrypted Traffic Classification Against Adversarial Evasion Attacks

Ramy Maarouf, Danish Sattar, Ashraf Matrawy

Published: 2021.5.31

Machine learning and deep learning algorithms can be used to classify encrypted Internet traffic. Classification of encrypted traffic can become more challenging in the presence of adversarial attacks that target the learning algorithms. In this paper, we focus on investigating the effectiveness of different evasion attacks and see how resilient machine and deep learning algorithms are. Namely, we test C4.5 Decision Tree, K-Nearest Neighbor (KNN), Artificial Neural Network (ANN), Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN). In most of our experimental results, deep learning shows better resilience against the adversarial samples in comparison to machine learning. Whereas, the impact of the attack varies depending on the type of attack.

敵対的攻撃ポイズニング脆弱性評価手法

Comput. Secur.

RAIDS: Robust autoencoder-based intrusion detection system model against adversarial attacks

A. Sarıkaya, B. G. Kılıç, M. Demirci

Published: 2023

Comput. Secur.

Adv-Bot: Realistic adversarial botnet attacks against network intrusion detection systems

I. Debicha, B. Cochez, T. Kenaza, T. Debatty, J. M. Dricot, W. Mees

Published: 2023

Futur. Gener. Comput. Syst.

TAD: Transfer Learning-based Multi-Adversarial Detection of Evasion Attacks against Network Intrusion Detection Systems

I. Debicha, R. Bauwens, T. Debatty, J.-M. Dricot, T. Kenaza, W. Mees

Published: 2022

Proceedings - International Carnahan Conference on Security Technology

Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy

I. Sharafaldin, A. H. Lashkari, S. Hakak, A. A. Ghorbani

Published: 2019

CICIDS 2017 | Datasets | Research | Canadian Institute for Cybersecurity | UNB

GitHub repository

Adversarial Robustness Toolbox- Postprocessor Defence-High Confidence

European Symposium on Security and Privacy (EuroS&P)

The Limitations of Deep Learning in Adversarial Settings

Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, Ananthram Swami

Published: 2015.11.24

Deep learning takes advantage of large datasets and computationally efficient training algorithms to outperform other approaches at various machine learning tasks. However, imperfections in the training phase of deep neural networks make them vulnerable to adversarial samples: inputs crafted by adversaries with the intent of causing deep neural networks to misclassify. In this work, we formalize the space of adversaries against deep neural networks (DNNs) and introduce a novel class of algorithms to craft adversarial samples based on a precise understanding of the mapping between inputs and outputs of DNNs. In an application to computer vision, we show that our algorithms can reliably produce samples correctly classified by human subjects but misclassified in specific targets by a DNN with a 97% adversarial success rate while only modifying on average 4.02% of the input features per sample. We then evaluate the vulnerability of different sample classes to adversarial perturbations by defining a hardness measure. Finally, we describe preliminary work outlining defenses against adversarial samples by defining a predictive measure of distance between a benign input and a target classification.

敵対的サンプル深層学習モデル敵対的サンプルの検知

Towards Deep Learning Models Resistant to Adversarial Attacks

被引用数 45

Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, Adrian Vladu

Published: 2017.6.20

Recent work has demonstrated that deep neural networks are vulnerable to adversarial examples---inputs that are almost indistinguishable from natural data and yet classified incorrectly by the network. In fact, some of the latest findings suggest that the existence of adversarial attacks may be an inherent weakness of deep learning models. To address this problem, we study the adversarial robustness of neural networks through the lens of robust optimization. This approach provides us with a broad and unifying view on much of the prior work on this topic. Its principled nature also enables us to identify methods for both training and attacking neural networks that are reliable and, in a certain sense, universal. In particular, they specify a concrete security guarantee that would protect against any adversary. These methods let us train networks with significantly improved resistance to a wide range of adversarial attacks. They also suggest the notion of security against a first-order adversary as a natural and broad security guarantee. We believe that robustness against such well-defined classes of adversaries is an important stepping stone towards fully resistant deep learning models. Code and pre-trained models are available at https://github.com/MadryLab/mnist_challenge and https://github.com/MadryLab/cifar10_challenge.

モデルの頑健性保証敵対的サンプルロバスト性に関する評価

IEEE Symposium on Security and Privacy

Towards Evaluating the Robustness of Neural Networks

Nicholas Carlini, David Wagner

Published: 2016.8.17

Neural networks provide state-of-the-art results for most machine learning tasks. Unfortunately, neural networks are vulnerable to adversarial examples: given an input $x$ and any target classification $t$, it is possible to find a new input $x'$ that is similar to $x$ but classified as $t$. This makes it difficult to apply neural networks in security-critical areas. Defensive distillation is a recently proposed approach that can take an arbitrary neural network, and increase its robustness, reducing the success rate of current attacks' ability to find adversarial examples from $95\%$ to $0.5\%$. In this paper, we demonstrate that defensive distillation does not significantly increase the robustness of neural networks by introducing three new attack algorithms that are successful on both distilled and undistilled neural networks with $100\%$ probability. Our attacks are tailored to three distance metrics used previously in the literature, and when compared to previous adversarial example generation algorithms, our attacks are often much more effective (and never worse). Furthermore, we propose using high-confidence adversarial examples in a simple transferability test we show can also be used to break defensive distillation. We hope our attacks will be used as a benchmark in future defense attempts to create neural networks that resist adversarial examples.

モデルの堅牢性敵対的サンプルモデルの頑健性保証

被引用数 2