Robustness Evaluation of Network Intrusion Detection Systems based on Sequential Machine Learning

The rise of sequential Machine Learning (ML) methods has paved the way for a new generation of Network Intrusion Detection Systems (NIDS) which base their classification on the temporal patterns exhibited by malicious traffic. Previous work presents successful algorithms in this field, but just a few attempts try to assess their robustness in real-world contexts. In this paper, we aim to fill this gap by presenting a novel evaluation methodology. In particular, we propose a new time-based adversarial attack in which we simulate a delay in the malicious communications that changes the arrangement of the samples in the test set. Moreover, we design an innovative evaluation technique simulating a worst-case training scenario in which the last portion of the training set does not include any malicious flow. Through them, we can evaluate how much sequential ML-based NIDS are sensible to modifications that an adaptive attacker might apply at temporal level, and we can verify their robustness to the unpredictable traffic produced by modern networks. Our experimental campaign validates our proposal against a recent NIDS trained on a public dataset for botnet detection. The results demonstrate its high resistance to temporal adversarial attacks, but also a drastic performance drop when even just 1% of benign flows are injected at the end of the training set. Our findings raise questions about the reliable deployment of sequential ML-NIDS in practice, and at the same time can guide researchers to develop more robust defensive tools in the future.

[1]  V. Platonov,et al.  Adversarial Attacks on Intrusion Detection Systems Using the LSTM Classifier , 2021, Automatic Control and Computer Sciences.

[2]  A. Venturi,et al.  On the feasibility of adversarial machine learning in malware and network intrusion detection , 2021, 2021 IEEE 20th International Symposium on Network Computing and Applications (NCA).

[3]  Shanchieh Jay Yang,et al.  On the Evaluation of Sequential Machine Learning for Network Intrusion Detection , 2021, ARES.

[4]  Jianwu Zhang,et al.  The robust deep learning–based schemes for intrusion detection in Internet of Things environments , 2021, Annals of Telecommunications.

[5]  Michele Colajanni,et al.  Deep Reinforcement Adversarial Learning Against Botnet Evasion Attacks , 2020, IEEE Transactions on Network and Service Management.

[6]  Xueying Han,et al.  STIDM: A Spatial and Temporal Aware Intrusion Detection Model , 2020, 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom).

[7]  Weiqing Huang,et al.  Adversarial Attack against LSTM-based DDoS Intrusion Detection System , 2020, 2020 IEEE 32nd International Conference on Tools with Artificial Intelligence (ICTAI).

[8]  K. Rieck,et al.  Dos and Don'ts of Machine Learning in Computer Security , 2020, USENIX Security Symposium.

[9]  Adnan Shahid Khan,et al.  Network intrusion detection system: A systematic study of machine learning and deep learning approaches , 2020, Trans. Emerg. Telecommun. Technol..

[10]  Kesheng Wu,et al.  Botnet Detection Using Recurrent Variational Autoencoder , 2020, GLOBECOM 2020 - 2020 IEEE Global Communications Conference.

[11]  Joachim Fabini,et al.  Explainability and Adversarial Robustness for RNNs , 2019, 2020 IEEE Sixth International Conference on Big Data Computing Service and Applications (BigDataService).

[12]  Heeyoul Choi,et al.  Network Intrusion Detection based on LSTM and Feature Embedding , 2019, ArXiv.

[13]  Julian Bunn,et al.  Tracking Temporal Evolution of Network Activity for Botnet Detection , 2019, ArXiv.

[14]  Xu Chen,et al.  Network Intrusion Detection: Based on Deep Hierarchical Network and Original Flow Data , 2019, IEEE Access.

[15]  Michele Colajanni,et al.  Evading Botnet Detectors Based on Flows and Random Forest with Adversarial Samples , 2018, 2018 IEEE 17th International Symposium on Network Computing and Applications (NCA).

[16]  Tankut Acarman,et al.  Deep learning to detect botnet via network flow summaries , 2018, Neural Computing and Applications.

[17]  Bartley D. Richardson,et al.  Sequence Aggregation Rules for Anomaly Detection in Computer Network Traffic , 2018, ArXiv.

[18]  Jim A. Simpson,et al.  Network Traffic Anomaly Detection Using Recurrent Neural Networks , 2018, ArXiv.

[19]  Fabio Roli,et al.  Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning , 2017, Pattern Recognit..

[20]  Muhammad Sher,et al.  Flow-based intrusion detection: Techniques and challenges , 2017, Comput. Secur..

[21]  Aleksander Madry,et al.  Towards Deep Learning Models Resistant to Adversarial Attacks , 2017, ICLR.

[22]  David A. Wagner,et al.  Towards Evaluating the Robustness of Neural Networks , 2016, 2017 IEEE Symposium on Security and Privacy (SP).

[23]  Pablo Torres,et al.  An analysis of Recurrent Neural Networks for Botnet detection behavior , 2016, 2016 IEEE Biennial Congress of Argentina (ARGENCON).

[24]  Jonathon Shlens,et al.  Explaining and Harnessing Adversarial Examples , 2014, ICLR.

[25]  Alejandro Zunino,et al.  An empirical comparison of botnet detection methods , 2014, Comput. Secur..

[26]  Vern Paxson,et al.  Outside the Closed World: On Using Machine Learning for Network Intrusion Detection , 2010, 2010 IEEE Symposium on Security and Privacy.

[27]  S. Hochreiter,et al.  Long Short-Term Memory , 1997, Neural Computation.