Zhe Zhao,Guangke Chen,Tong Liu,Taishan Li,Fu Song,Jingyi Wang,Jun Sun

DOI: https://doi.org/10.1145/3631977

IF: 3.685

2023-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:As a new programming paradigm, deep learning (DL) has achieved impressive performance in areas such as image processing and speech recognition, and has expanded its application to solve many real-world problems. However, neural networks and DL are normally black-box systems; even worse, DL-based software are vulnerable to threats from abnormal examples, such as adversarial and backdoored examples constructed by attackers with malicious intentions as well as unintentionally mislabeled samples. Therefore, it is important and urgent to detect such abnormal examples. Although various detection approaches have been proposed respectively addressing some specific types of abnormal examples, they suffer from some limitations; until today, this problem is still of considerable interest. In this work, we first propose a novel characterization to distinguish abnormal examples from normal ones based on the observation that abnormal examples have significantly different (adversarial) robustness from normal ones. We systemically analyze those three different types of abnormal samples in terms of robustness and find that they have different characteristics from normal ones. As robustness measurement is computationally expensive and hence can be challenging to scale to large networks, we then propose to effectively and efficiently measure robustness of an input sample using the cost of adversarially attacking the input, which was originally proposed to test robustness of neural networks against adversarial examples. Next, we propose a novel detection method, named attack as detection (A 2 D for short), which uses the cost of adversarially attacking an input instead of robustness to check if it is abnormal. Our detection method is generic, and various adversarial attack methods could be leveraged. Extensive experiments show that A 2 D is more effective than recent promising approaches that were proposed to detect only one specific type of abnormal examples. We also thoroughly discuss possible adaptive attack methods to our adversarial example detection method and show that A 2 D is still effective in defending carefully designed adaptive adversarial attack methods—for example, the attack success rate drops to 0% on CIFAR10.

Yuzhe Gu,Na Jiang,Yanjiao Chen,Xueluan Gong

DOI: https://doi.org/10.1007/978-3-031-28990-3_16

2023-01-01

Abstract:Recently, the Internet of Things (IoT) technology has made tremendous progress, and it is beginning to enter many areas of social life, such as autonomous driving, medical care, etc. Due to the massive data in IoT, deep neural networks (DNN) are often involved in helping process and analyzing data, but DNNs still face many security threats. Adversarial example attack is a common attack against DNN models, which interferes with model decisions through processed samples. It will undoubtedly threaten DNN-based IoT systems. This paper presents the possible attack scenarios of adversarial example attacks in IoT systems and extensively studies the defense methods of adversarial example attacks in IoT systems.

Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Xiaoyu Jiang,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3104056

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Data-driven artificial intelligence (AI) models have been widely used in industrial systems helping big data analytic due to its convenience and flexibility. However, adversarial attacks have the ability to mislead AI models to make incorrect predictions just by adding specific perturbation to actual samples. With the high integration of industrial systems and information technology, the reliability and safety of AI models in industrial systems have been seriously threatened. In the article, fault diagnosis models and soft sensing models rely on AI technology are verified to be vulnerable facing adversarial attack. To this end, the concept of information fingerprint for industrial data is introduced to distinguish actual samples from adversarial samples with small perturbation. With fault diagnosis models and soft sensing models as the background, information fingerprint exaction networks based on deep learning is developed to extract the information fingerprint for further analysis. It utilizes supervised contrastive pretraining and unsupervised training to realize parameter learning for the structure of siamese neural network and autoencoder. Finally, the effectiveness and feasibility of the proposed information fingerprint for adversarial sample detection are verified in two industrial benchmark cases.

Shigeng Zhang,Shuxin Chen,Xuan Liu,Chengyao Hua,Weiping Wang,Kai Chen,Jian Zhang,Jianxin Wang

DOI: https://doi.org/10.1109/tnse.2021.3057071

IF: 6.6

2022-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Deep learning techniques such as convolutional neural networks (CNNs) have been used in a wide range of fields due to their superior performance, e.g., image classification, autonomous driving and natural language processing. However, recent progress shows that deep learning models are vulnerable to adversarial samples, which are crafted by adding small perturbations on normal samples that are imperceptible to human beings but can mislead the deep learning models to output incorrect results. Many adversarial attack models are proposed and many adversarial detection methods are developed to detect adversarial samples generated by these attack models. However, the evaluations of these detection methods are fragmented and scatter in separate literature, and the community still lacks a comprehensive understanding of the ability and performance of existing adversarial detection methods when facing different attack models on different datasets. In this paper, by using image classification as the example application scenario, we conduct a comprehensive study on the performance of five mainstream adversarial detection methods against five major attack models on four widely used benchmark datasets. We find that the detection accuracy of different methods interleaves for different attack models and dataset. Moreover, besides detection accuracy, we also evaluate the time efficiency of different detection methods. The findings reported in this paper can provide useful insights when designing systems to detect adversarial samples and act as a guideline to design new methods to detect adversarial samples.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Xiaoxue Wu Xiaoxue Wu,Shuqi Zuo Xiaoxue Wu,Shiyu Weng Shuqi Zuo,Yongkang Jiang Shiyu Weng,Hao Huang Yongkang Jiang

DOI: https://doi.org/10.53106/160792642024012501012

2024-01-01

網際網路技術學刊

Abstract:With the widespread application of deep neural networks in image detection, adversarial sample attacks have gradually become a hot issue of concern for researchers. In this paper we propose a new adversarial sample detection approach called AdvDetector, which combines image generation through label fusion with image similarity detection. AdvDetector enhances sample quality and effectively identifies adversarial samples. Specifically, the method generates images by selecting seed pixels, the labels of deep neural network classification, and the pixel distribution learned from training data, and detects them using image similarity comparison methods. During the sample generation process, we introduce the AdvDetector method for adversarial sample detection to improve the quality of generated samples. We evaluated the effectiveness of the method on three publicly available image datasets, MNIST, Cifar-10, and GTSR, and the results show that the method is superior to existing baseline methods in terms of adversarial sample detection rate and sample generation quality.  

computer science, information systems,telecommunications

Bin Liang,Hongcheng Li,Miaoqiang Su,Xirong Li,Wenchang Shi,Xiaofeng Wang

DOI: https://doi.org/10.1109/tdsc.2018.2874243

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recently, many studies have demonstrated deep neural network (DNN) classifiers can be fooled by the adversarial example, which is crafted via introducing some perturbations into an original sample. Accordingly, some powerful defense techniques were proposed. However, existing defense techniques often require modifying the target model or depend on the prior knowledge of attacks. In this paper, we propose a straightforward method for detecting adversarial image examples, which can be directly deployed into unmodified off-the-shelf DNN models. We consider the perturbation to images as a kind of noise and introduce two classic image processing techniques, scalar quantization and smoothing spatial filter, to reduce its effect. The image entropy is employed as a metric to implement an adaptive noise reduction for different kinds of images. Consequently, the adversarial example can be effectively detected by comparing the classification results of a given sample and its denoised version, without referring to any prior knowledge of attacks. More than 20,000 adversarial examples against some state-of-the-art DNN models are used to evaluate the proposed method, which are crafted with different attack techniques. The experiments show that our detection method can achieve a high overall F1 score of 96.39 percent and certainly raises the bar for defense-aware attacks.

Xiangyin Kong,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3093386

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Neural-network-based soft sensors are widely employed in the industrial process. Such models have great significance to smart manufacturing. Considering the strict requirements of industrial production, it is vital to ensure the safety and robustness of these models in their actual deployment. However, recent research has shown that neural networks are quite vulnerable to adversarial attacks. By imposing tiny perturbation to the original sample, the fabricated adversarial sample can cheat these models to make wrong decisions. Such a phenomenon may bring serious trouble to the practical application of soft sensors. This article focuses on the adversarial attacks on industrial soft sensors. For the first time, we verify and analyze the effectiveness and deficiencies of the existing attack methods in the industrial soft sensor scenario. Based on solving these defects, this article proposes a novel perspective for attacking soft sensors. We analyze the optimization mechanism behind this new idea and then design two algorithms to perform attacks. The proposed methods more conform to the actual situation. Besides, compared with the existing approaches, the proposed methods have potentials to cause severer damages since their attacks are not only more concealed but also more likely to cheat the technicians to execute wrong operations. The research and analyses of the proposed methods lay a solid foundation for more thorough defenses against various attacks, which is quite necessary for making the deployed soft sensors more robust and secure.

Xuyang Ding,Shuai Zhang,Mengkai Song,Xiaocong Ding,Fagen Li

DOI: https://doi.org/10.1109/jiot.2020.3008232

IF: 10.6

2021-01-15

IEEE Internet of Things Journal

Abstract:Deep neural networks (DNNs) can be utilized maliciously for compromising the privacy stored in electronic devices, e.g., identifying the images stored in a mobile phone connected to the Internet of Things (IoT). However, recent studies demonstrated that DNNs are vulnerable to adversarial examples, which are artificially designed perturbations in the original samples for misleading DNNs. Adversarial examples can be used to protect the DNN-based privacy leakage in mobile phones by replacing the photos with adversarial examples. To avoid affecting the normal use of photos, the adversarial examples need to be highly similar to original images. To handle a large number of photos stored in the devices at a proper time, the time efficiency of a method needs to be high enough. Previous methods cannot do well on both sides. In this article, we propose a broad class of selective gradient sign iterative algorithms to make adversarial examples useful in protecting the privacy of photos in IoT devices. By neglecting the unimportant image pixels in the iterative process of attacks according to the sort of first-order partial derivative, we control the optimization direction meticulously to reduce image distortions of adversarial examples without leveraging high time-consuming tricks. Extensive experimental results show that the proposed methods successfully fool the neural network classifiers for the image classification task with a small change in the visual effects and consume little calculating time simultaneously.

computer science, information systems,telecommunications,engineering, electrical & electronic

Han Qiu,Tian Dong,Tianwei Zhang,Jialiang Lu,Gerard Memmi,Meikang Qiu

DOI: https://doi.org/10.1109/jiot.2020.3048038

IF: 10.6

2021-07-01

IEEE Internet of Things Journal

Abstract:Deep learning (DL) has gained popularity in network intrusion detection, due to its strong capability of recognizing subtle differences between normal and malicious network activities. Although a variety of methods have been designed to leverage DL models for security protection, whether these systems are vulnerable to adversarial examples (AEs) is unknown. In this article, we design a novel adversarial attack against DL-based network intrusion detection systems (NIDSs) in the Internet-of-Things environment, with only black-box accesses to the DL model in such NIDS. We introduce two techniques: 1) model extraction is adopted to replicate the black-box model with a small amount of training data and 2) a saliency map is then used to disclose the impact of each packet attribute on the detection results, and the most critical features. This enables us to efficiently generate AEs using conventional methods. With these tehniques, we successfully compromise one state-of-the-art NIDS, Kitsune: the adversary only needs to modify less than 0.005% of bytes in the malicious packets to achieve an average 94.31% attack success rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Song Gao,Ruxin Wang,Xiaoxuan Wang,Shui Yu,Yunyun Dong,Shaowen Yao,Wei Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3241428

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Despite achieving exceptional performance, deep neural networks (DNNs) suffer from the harassment caused by adversarial examples, which are produced by corrupting clean examples with tiny perturbations. Many powerful defense methods have been presented such as training data augmentation and input reconstruction which, however, usually rely on the prior knowledge of the targeted models or attacks. In this paper, we propose a novel approach for detecting adversarial images, which can protect any pre-trained DNN classifiers and resist an endless stream of new attacks. Specifically, we first adopt a dual autoencoder to project images to a latent space. The dual autoencoder uses the self-supervised learning to ensure that small modifications to samples do not significantly alter their latent representations. Next, the mutual information neural estimation is utilized to enhance the discrimination of the latent representations. We then leverage the prior distribution matching to regularize the latent representations. To easily compare the representations of examples in the two spaces, and not rely on the prior knowledge of the targeted model, a simple fully connected neural network is used to embed the learned representations into an eigenspace, which is consistent with the output eigenspace of the targeted model. Through the distribution similarity of an input example in the two eigenspaces, we can judge whether the input example is adversarial or not. Extensive experiments on MNIST, CIFAR-10, and ImageNet show that the proposed method has superior defense performance and transferability than state-of-the-arts.

Yazhu Lan,Qingli Guo,Guohe Zhang,Yuanchao Xu,Kent W. Nixon,Hai Helen Li,Yiran Chen

DOI: https://doi.org/10.1145/3289602.3293975

2019-01-01

Abstract:Deep Neural Networks (DNNs) have shown phenomenal success in a wide range of real-world applications. However, a concerning weakness of DNNs is that they are vulnerable to adversarial attacks. Although there exist methods to detect adversarial attacks, they often suffer constraints on specific attack types and provide limited information to downstream systems. We specifically note that existing adversarial detectors are often binary classifiers, which differentiate clean or adversarial examples. However, detection of adversarial examples is much more complicated than such a scenario. Our key insight is that the confidence probability of detecting an input sample as an adversarial example will be more useful for the system to properly take action to resist potential attacks. In this work, we propose an innovative method for fast confidence detection of adversarial attacks based on integrity of sensor pattern noise embedded in input examples. Experimental results show that our proposed method is capable of providing a confidence distribution model of most of popular adversarial attacks. Furthermore, our presented method can provide early attack warning with even the attack types based on different properties of the confidence distribution models. Since fast confidence detection is a computationally heavy task, we propose an FPGA-Based hardware architecture based on a series of optimization techniques, such as incremental multi-level quantization and etc. We realize our proposed method on an FPGA platform and achieve a high efficiency of 29.740 IPS/W with a power consumption of only 0.7626W.

Jianpeng Ke,Wenqi Wang,Kang Yang,Lina Wang,Aoshuang Ye,Run Wang

DOI: https://doi.org/10.23919/jcc.ea.2021-0454.202401

2024-01-01

China Communications

Abstract:Deep neural networks (DNNs) are potentially susceptible to adversarial examples that are maliciously manipulated by adding imperceptible perturbations to legitimate inputs, leading to abnormal behavior of models. Plenty of methods have been proposed to defend against adversarial examples. However, the majority of them are suffering the following weaknesses: 1) lack of generalization and practicality. 2) fail to deal with unknown attacks. To address the above issues, we design the adversarial nature eraser (ANE) and feature map detector (FMD) to detect fragile and high-intensity adversarial examples, respectively. Then, we apply the ensemble learning method to compose our detector, dealing with adversarial examples with diverse magnitudes in a divide-and-conquer manner. Experimental results show that our approach achieves 99.30% and 99.62% Area under Curve (AUC) scores on average when tested with various L p norm-based attacks on CIFAR-10 and ImageNet, respectively. Furthermore, our approach also shows its potential in detecting unknown attacks.

Jiming Chen,Xiangshan Gao,Ruilong Deng,Yang He,Chongrong Fang,Peng Cheng

DOI: https://doi.org/10.1109/tdsc.2020.3037500

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deploying machine learning (ML)-based intrusion detection systems (IDS) is an effective way to improve the security of industrial control systems (ICS). However, ML models themselves are vulnerable to adversarial examples, generated by deliberately adding subtle perturbation to the input sample that some people are not aware of, causing the model to give a false output with high confidence. In this article, our goal is to investigate the possibility of stealthy cyber attacks towards IDS, including injection attack, function code attack and reconnaissance attack, and enhance its robustness to adversarial attack. However, adversarial algorithms are subject to communication protocol and legal range of data in ICS, unlike only limited by the distance between original samples and newly generated samples in image domain. We propose two strategies - optimal solution attack and GAN attack - oriented to flexibility and volume of data, formulating an optimization problem to find stealthy attacks, where the former is appropriate for not too large and more flexible samples while the latter provides a more efficient solution for larger and not too flexible samples. Finally, we conduct experiments on a semi-physical ICS testbed with a high detection performance ensemble ML-based detector to show the effectiveness of our attacks. The results indicate that new samples of reconnaissance and function code attack produced by both optimal solution and GAN algorithm possess 80 percent higher probability to evade the detector, still maintaining the same attack effect. In the meantime, we adopt adversarial training as a method to defend against adversarial attack. After training on the mixture of orginal dataset and newly generated samples, the detector becomes more robust to adversarial examples.

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Yulong Wang,Tianxiang Li,Shenghong Li,Xin Yuan,Wei Ni

2023-05-03

Abstract:Deep Neural Networks (DNNs) are vulnerable to adversarial examples, while adversarial attack models, e.g., DeepFool, are on the rise and outrunning adversarial example detection techniques. This paper presents a new adversarial example detector that outperforms state-of-the-art detectors in identifying the latest adversarial attacks on image datasets. Specifically, we propose to use sentiment analysis for adversarial example detection, qualified by the progressively manifesting impact of an adversarial perturbation on the hidden-layer feature maps of a DNN under attack. Accordingly, we design a modularized embedding layer with the minimum learnable parameters to embed the hidden-layer feature maps into word vectors and assemble sentences ready for sentiment analysis. Extensive experiments demonstrate that the new detector consistently surpasses the state-of-the-art detection algorithms in detecting the latest attacks launched against ResNet and Inception neutral networks on the CIFAR-10, CIFAR-100 and SVHN datasets. The detector only has about 2 million parameters, and takes shorter than 4.6 milliseconds to detect an adversarial example generated by the latest attack models using a Tesla K80 GPU card.

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Fuxun Yu,Qide Dong,Xiang Chen

DOI: https://doi.org/10.48550/arXiv.1802.05763

2018-02-15

Computer Vision and Pattern Recognition

Abstract:With the excellent accuracy and feasibility, the Neural Networks have been widely applied into the novel intelligent applications and systems. However, with the appearance of the Adversarial Attack, the NN based system performance becomes extremely vulnerable:the image classification results can be arbitrarily misled by the adversarial examples, which are crafted images with human unperceivable pixel-level perturbation. As this raised a significant system security issue, we implemented a series of investigations on the adversarial attack in this work: We first identify an image's pixel vulnerability to the adversarial attack based on the adversarial saliency analysis. By comparing the analyzed saliency map and the adversarial perturbation distribution, we proposed a new evaluation scheme to comprehensively assess the adversarial attack precision and efficiency. Then, with a novel adversarial saliency prediction method, a fast adversarial example generation framework, namely "ASP", is proposed with significant attack efficiency improvement and dramatic computation cost reduction. Compared to the previous methods, experiments show that ASP has at most 12 times speed-up for adversarial example generation, 2 times lower perturbation rate, and high attack success rate of 87% on both MNIST and Cifar10. ASP can be also well utilized to support the data-hungry NN adversarial training. By reducing the attack success rate as much as 90%, ASP can quickly and effectively enhance the defense capability of NN based system to the adversarial attacks.

Lin Jing,Njilla Laurent L.,Xiong Kaiqi

DOI: https://doi.org/10.1186/s13635-021-00125-2

2022-01-01

EURASIP Journal on Information Security

Abstract:Deep neural networks (DNNs) are widely used to handle many difficult tasks, such as image classification and malware detection, and achieve outstanding performance. However, recent studies on adversarial examples, which have maliciously undetectable perturbations added to their original samples that are indistinguishable by human eyes but mislead the machine learning approaches, show that machine learning models are vulnerable to security attacks. Though various adversarial retraining techniques have been developed in the past few years, none of them is scalable. In this paper, we propose a new iterative adversarial retraining approach to robustify the model and to reduce the effectiveness of adversarial inputs on DNN models. The proposed method retrains the model with both Gaussian noise augmentation and adversarial generation techniques for better generalization. Furthermore, the ensemble model is utilized during the testing phase in order to increase the robust test accuracy. The results from our extensive experiments demonstrate that the proposed approach increases the robustness of the DNN model against various adversarial attacks, specifically, fast gradient sign attack, Carlini and Wagner (C&W) attack, Projected Gradient Descent (PGD) attack, and DeepFool attack. To be precise, the robust classifier obtained by our proposed approach can maintain a performance accuracy of 99% on average on the standard test set. Moreover, we empirically evaluate the runtime of two of the most effective adversarial attacks, i.e., C&W attack and BIM attack, to find that the C&W attack can utilize GPU for faster adversarial example generation than the BIM attack can. For this reason, we further develop a parallel implementation of the proposed approach. This parallel implementation makes the proposed approach scalable for large datasets and complex models.

Chaoyun Zhang,Paul Patras,Xavier Costa-Perez

DOI: https://doi.org/10.1109/tnet.2021.3137084

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Neural networks (NNs) are increasingly popular in developing NIDS, yet can prove vulnerable to adversarial examples. Through these, attackers that may be oblivious to the precise mechanics of the targeted NIDS add subtle perturbations to malicious traffic features, with the aim of evading detection and disrupting critical systems. Defending against such adversarial attacks is of high importance, but requires to address daunting challenges. Here, we introduce TIKI- TAKA, a general framework for (i) assessing the robustness of state-of-the-art deep learning-based NIDS against adversarial manipulations, and which (ii) incorporates defense mechanisms that we propose to increase resistance to attacks employing such evasion techniques. Specifically, we select five cutting-edge adversarial attack types to subvert three popular malicious traffic detectors that employ NNs. We experiment with publicly available datasets and consider both one-to-all and one-to-one classification scenarios, i.e., discriminating illicit vs benign traffic and respectively identifying specific types of anomalous traffic among many observed. The results obtained reveal that attackers can evade NIDS with up to 35.7% success rates, by only altering time-based features of the traffic generated. To counteract these weaknesses, we propose three defense mechanisms: model voting ensembling, ensembling adversarial training, and query detection. We demonstrate that these methods can restore intrusion detection rates to nearly 100% against most types of malicious traffic, and attacks with potentially catastrophic consequences (e.g., botnet) can be thwarted. This confirms the effectiveness of our solutions and makes the case for their adoption when designing robust and reliable deep anomaly detectors.