Hangcheng Cao,Wenbin Huang,Guowen Xu,Xianhao Chen,Ziyang He,Jingyang Hu,Hongbo Jiang,Yuguang Fang

2024-04-24

Abstract:Deep learning technologies are pivotal in enhancing the performance of WiFi-based wireless sensing systems. However, they are inherently vulnerable to adversarial perturbation attacks, and regrettably, there is lacking serious attention to this security issue within the WiFi sensing community. In this paper, we elaborate such an attack, called WiIntruder, distinguishing itself with universality, robustness, and stealthiness, which serves as a catalyst to assess the security of existing WiFi-based sensing systems. This attack encompasses the following salient features: (1) Maximizing transferability by differentiating user-state-specific feature spaces across sensing models, leading to a universally effective perturbation attack applicable to common applications; (2) Addressing perturbation signal distortion caused by device synchronization and wireless propagation when critical parameters are optimized through a heuristic particle swarm-driven perturbation generation algorithm; and (3) Enhancing attack pattern diversity and stealthiness through random switching of perturbation surrogates generated by a generative adversarial network. Extensive experimental results confirm the practical threats of perturbation attacks to common WiFi-based services, including user authentication and respiratory monitoring.

Cryptography and Security

Meng Xue,Kuang Peng,Xueluan Gong,Qian Zhang,Yanjiao Chen,Routing Li

DOI: https://doi.org/10.1145/3610874

2023-01-01

Abstract:Intelligent audio systems are ubiquitous in our lives, such as speech command recognition and speaker recognition. However, it is shown that deep learning-based intelligent audio systems are vulnerable to adversarial attacks. In this paper, we propose a physical adversarial attack that exploits reverberation, a natural indoor acoustic effect, to realize imperceptible, fast, and targeted black-box attacks. Unlike existing attacks that constrain the magnitude of adversarial perturbations within a fixed radius, we generate reverberation-alike perturbations that blend naturally with the original voice sample 1. Additionally, we can generate more robust adversarial examples even under over-the-air propagation by considering distortions in the physical environment. Extensive experiments are conducted using two popular intelligent audio systems in various situations, such as different room sizes, distance, and ambient noises. The results show that Echo can invade into intelligent audio systems in both digital and physical over-the-air environment.

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Le Cheng,Kui Ren

DOI: https://doi.org/10.1109/INFOCOM48880.2022.9796920

2022-01-01

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while neglecting the security aspects. In this paper, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also propose three methods to mitigate the hazard of such attacks.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Yanzi Zhu,Zhujun Xiao,Yuxin Chen,Zhijing Li,Max Liu,Ben Y. Zhao,Haitao Zheng

2018-01-01

Abstract:Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3261328

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while rarely studying the security aspects. In this article, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also show that our attack approaches can be generalized to other WiFi-based sensing applications, such as user authentication.

Li Lu,Meng Chen,Jiadi Yu,Zhongjie Ba,Feng Lin,Jinsong Han,Yanmin Zhu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2024.3403839

2024-01-01

Abstract:Recent years have witnessed enormous research efforts on WiFi sensing to enable intelligent services of Internet of Things. However, due to the omni-directional broadcasting manner of WiFi signals, the activity semantic underlying the signals can be leaked to adversaries for surveillance, as demonstrated by our previous work. In this paper, we further extend the attack capability of ActListener to impersonation attack, which could eavesdrop on users’ behavioral uniqueness imperceptibly using a WiFi infrastructure in any location of user sensing area. In particular, ActListener detects each human activity and converts the eavesdropped signals to that by legitimate devices based on our proposed signal propagation models. To extract noise-resilient individual behavioral uniqueness from converted CSI of WiFi signals, we further add user identification models into the substitute model set for training the signal pattern calibration generative model. Experimental results demonstrate that ActListener could achieve over 80% accuracy in activity semantics retrieval and impersonation by using the converted signals.

Jianwei Liu,Yinghui He,Weiye Xu,Yifan Xie,Jinsong Han

DOI: https://doi.org/10.1109/iwqos61813.2024.10682897

2024-01-01

Abstract:To break through the transmission rate bottleneck of traditional communication, semantic communication is proposed to support emerging applications with extremely low latency requirements such as remote surgery and autonomous vehicle. Unlike the transmission of verbose symbols in traditional communication, mainstream semantic communications use deep learning technology to extract compact semantic information from data and convey it. However, the application of deep neural networks also poses security concerns, i.e., vulnerabilities to adversarial attacks. In this paper, we perform the first study on the security of semantic communication against both whitebox and black-box attacks by compromising the wireless channel between the transmitter and receiver. To launch practical and effective attacks, a systematic and universal attack framework is designed to craft content-agnostic, undetectable, robust whitebox perturbation signals as well as highly-transferable blackbox ones. Extensive experiments on two open-source datasets demonstrate that our attack framework can achieve over 87%, 99%, and 89% success rates in untargeted white-box, targeted white-box, and untargeted black-box attacks. This means that the proposed attack methods could severely threaten the quality of service of current semantic communications. We also propose two mitigation methods to resist such attacks.

Yalin E. Sagduyu,Yi Shi,Tugba Erpek

DOI: https://doi.org/10.48550/arXiv.1906.00076

2019-06-01

Abstract:Machine learning finds rich applications in Internet of Things (IoT) networks such as information retrieval, traffic management, spectrum sensing, and signal authentication. While there is a surge of interest to understand the security issues of machine learning, their implications have not been understood yet for wireless applications such as those in IoT systems that are susceptible to various attacks due the open and broadcast nature of wireless communications. To support IoT systems with heterogeneous devices of different priorities, we present new techniques built upon adversarial machine learning and apply them to three types of over-the-air (OTA) wireless attacks, namely jamming, spectrum poisoning, and priority violation attacks. By observing the spectrum, the adversary starts with an exploratory attack to infer the channel access algorithm of an IoT transmitter by building a deep neural network classifier that predicts the transmission outcomes. Based on these prediction results, the wireless attack continues to either jam data transmissions or manipulate sensing results over the air (by transmitting during the sensing phase) to fool the transmitter into making wrong transmit decisions in the test phase (corresponding to an evasion attack). When the IoT transmitter collects sensing results as training data to retrain its channel access algorithm, the adversary launches a causative attack to manipulate the input data to the transmitter over the air. We show that these attacks with different levels of energy consumption and stealthiness lead to significant loss in throughput and success ratio in wireless communications for IoT systems. Then we introduce a defense mechanism that systematically increases the uncertainty of the adversary at the inference stage and improves the performance. Results provide new insights on how to attack and defend IoT networks using deep learning.

Networking and Internet Architecture,Cryptography and Security,Machine Learning

Yi Shi,Tugba Erpek,Yalin E. Sagduyu,Jason H. Li

DOI: https://doi.org/10.48550/arXiv.1901.09247

2019-01-26

Networking and Internet Architecture

Abstract:Machine learning has been widely applied in wireless communications. However, the security aspects of machine learning in wireless applications have not been well understood yet. We consider the case that a cognitive transmitter senses the spectrum and transmits on idle channels determined by a machine learning algorithm. We present an adversarial machine learning approach to launch a spectrum data poisoning attack by inferring the transmitter's behavior and attempting to falsify the spectrum sensing data over the air. For that purpose, the adversary transmits for a short period of time when the channel is idle to manipulate the input for the decision mechanism of the transmitter. The cognitive engine at the transmitter is a deep neural network model that predicts idle channels with minimum sensing error for data transmissions. The transmitter collects spectrum sensing data and uses it as the input to its machine learning algorithm. In the meantime, the adversary builds a cognitive engine using another deep neural network model to predict when the transmitter will have a successful transmission based on its spectrum sensing data. The adversary then performs the over-the-air spectrum data poisoning attack, which aims to change the channel occupancy status from idle to busy when the transmitter is sensing, so that the transmitter is fooled into making incorrect transmit decisions. This attack is more energy efficient and harder to detect compared to jamming of data transmissions. We show that this attack is very effective and reduces the throughput of the transmitter substantially.

Li Lu,Zhongjie Ba,Feng Lin,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/icdcs54860.2022.00080

2022-01-01

Abstract:Recent years have witnessed enormous research efforts on WiFi sensing to enable intelligent services of Internet of Things. However, due to the omni-directional broadcasting manner of WiFi signals, the activity semantic underlying the signals is leaked to adversaries for surveillance in all probability. To reveal the threat, this paper demonstrates ActListener, which could eavesdrop on user activities imperceptibly using a WiFi infrastructure in any location of user sensing area. The proposed attack requires no direct physical access to the victim user’s devices and prior knowledge of activity recognition model details and device locations. In particular, ActListener first detects the signal segment induced by each human activity, and estimates the locations of legitimate devices and the victim users relative to the adversary’s device for further signal modeling. Then, ActListener models propagating WiFi signals to construct the relationship between physical locations and received signals, and converts the eavesdropped signals to that by legitimate devices based on the models. Furthermore, a neural network-based generative model is designed to calibrate the converted signals for resisting noises in over-the-air WiFi signals. Experiments show ActListener achieves 88.4% average α-similarity on recovering originally signals from eavesdropped ones, and over 90% accuracy in activity recognition.

Da Ke,Xiang Wang,Zhitao Huang

DOI: https://doi.org/10.1109/tifs.2024.3352423

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Although Deep learning (DL) provides state-of-art results for most spectrum sensing tasks, it is vulnerable to adversarial examples. Based on this phenomenon, we consider a non-cooperative communication scenario where an intruder tries to recognize the modulation type of the intercepted signal. Specifically, this paper aims to minimize the intruder’s accuracy while guaranteeing that the intended receiver can still recover the underlying message with the highest reliability. This process is implemented by adding adversarial perturbations to the channel input symbols at the encoder. In image classification, the perturbation is limited to be imperceptible to a human observer by minimizing the ℓp norm, while in this work, we enriched the connotation of adversarial examples, and first proposed that the imperceptibility of adversarial examples in the field of wireless signals is the imperceptibility of filters. Based on this perspective, we optimized the model of adversarial examples and constrained the adversarial perturbation to a narrow frequency band so that filters cannot filter it out. We also define a new set of metrics to describe the imperceptibility of the wireless signal adversarial example. The simulation results demonstrate the viability of our approach in securing wireless communication against state-of-the-art DL-based intruders while minimizing communication performance reduction.

computer science, theory & methods,engineering, electrical & electronic

Pengfei Liu,Panlong Yang,Wen-Zhan Song,Yubo Yan,Xiang-Yang Li

DOI: https://doi.org/10.1109/infocom.2019.8737455

2019-01-01

Abstract:WiFi has become a pervasive communication medium in connecting various devices of WLAN and IoT. However, WiFi connections are vulnerable to the impersonation attack from rogue access points (AP) or devices, whose SSID and/or MAC/IP address are identical to the legitimate devices. This kind of attack is difficult to countermeasure with traditional network security mechanisms. In this paper, we present a novel security mechanism to detect and identify rogue WiFi devices or AP using environment-independent characteristics extracted from channel state information (CSI), and refuse their connections. We find that nonlinear phase errors of different subcarriers change with WiFi network interface cards (NIC), due to the I/Q imbalance and imperfect oscillator of each WiFi NIC. Validated by our experiments, this phase feature across subcarriers is consistent and invariant to location and external environment, and can be extracted to build an essential signature of the NIC itself. Such signature of the transmitter can be calculated in real-time by the receiver and cannot be forged by rogue devices. Extensive experiments with dozens of WiFi devices demonstrate that the proposed mechanism can reliably detect the rogue WiFi connections and prevent impersonation in various scenarios. The speed of identification is 8$\times$ faster than that of the state-of-the-art solution. Moreover, the accuracy of rogue connection detection is up to 96% and false alarm rate is shown below 2%.

Han Qiu,Tian Dong,Tianwei Zhang,Jialiang Lu,Gerard Memmi,Meikang Qiu

DOI: https://doi.org/10.1109/jiot.2020.3048038

IF: 10.6

2021-07-01

IEEE Internet of Things Journal

Abstract:Deep learning (DL) has gained popularity in network intrusion detection, due to its strong capability of recognizing subtle differences between normal and malicious network activities. Although a variety of methods have been designed to leverage DL models for security protection, whether these systems are vulnerable to adversarial examples (AEs) is unknown. In this article, we design a novel adversarial attack against DL-based network intrusion detection systems (NIDSs) in the Internet-of-Things environment, with only black-box accesses to the DL model in such NIDS. We introduce two techniques: 1) model extraction is adopted to replicate the black-box model with a small amount of training data and 2) a saliency map is then used to disclose the impact of each packet attribute on the detection results, and the most critical features. This enables us to efficiently generate AEs using conventional methods. With these tehniques, we successfully compromise one state-of-the-art NIDS, Kitsune: the adversary only needs to modify less than 0.005% of bytes in the malicious packets to achieve an average 94.31% attack success rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Dawei Yan,Yubo Yan,Panlong Yang,Wen-Zhan Song,Xiang-Yang Li,Pengfei Liu

DOI: https://doi.org/10.1109/jiot.2022.3223682

IF: 10.6

2023-03-25

IEEE Internet of Things Journal

Abstract:WiFi connections are vulnerable to simulated attacks from rogue access points (AP) or devices whose SSID and/or MAC/IP address are the same as legitimate devices. This kind of attack is difficult to counter with traditional network security mechanisms. In this paper, we propose a new security mechanism that uses environment-independent features extracted from channel state information (CSI) to detect and identify rogue WiFi devices or APs, and reject their connections. We find that due to the I/Q imbalance and imperfect oscillator of each WiFi network card (NIC), the nonlinear phase error of different subcarriers will vary with the NIC. Through our experimental verification, this cross-subcarrier phase feature is invariant to the location and the environment. We deploy systems on two platforms that can extract constant phase errors from the constantly changing CSI in less than one second, which is at least 8× faster than that of the state-of-the-art solution. Extensive experiments on commercial routers and end devices in different scenarios show that based on the Industral Platform Computer (IPC) platform, where only non-encrypted rogue connections can be detected, the detection accuracy rate reaches 96%, and the false alarm rate is less than 2%. Based on the ASUS router platform (a commercial WiFi router), WiFi channels and smart device types are not restricted, which greatly improved universality, and the accuracy of device connection detection can even reach more than 99%. We improve a device-type identification method based on the communication traffic features of the device when connected to WiFi. Experiments show that even if there are multiple similar devices from the same manufacturer, the accuracy of device type detection exceeds 99%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhaowei Wang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/lcomm.2024.3355156

IF: 3.5529

2024-03-13

IEEE Communications Letters

Abstract:Adversarial attacks on deep learning based modulation classification have received considerable attention recently. However, existing works mainly focus on the idealized white-box adversarial attacks and ignore the impact of the wireless channel. In this letter, we present a black-box Universal Adversarial Perturbation (UAP) attack scheme considering the wireless channel and propose the corresponding defense method. We first propose a conditional generative adversarial Nets (cGAN) approach to enlarge the training set of the channel state information (CSI) of wireless channel. Then, we introduce a cGAN aided black-box UAP attack scheme to disable the modulation classification capability of the deep neural network over the air. At last, we present a defense method that utilizes UAPs for adversarial training (AT). Simulation results show that the cGAN aided black-box UAP attack can decrease the accuracy of the modulation classifier by 19.3% when the perturbation power reaches the same level as the noise power, while the proposed defense method can improve it by 11.2%.

telecommunications

Menglin Wei,Hanting Zhao,Vincenzo Galdi,Lianlin Li,Tie Jun Cui

DOI: https://doi.org/10.21203/rs.3.rs-1857836/v1

2022-01-01

Abstract:Abstract Information security is of paramount importance in the modern society, and it is crucial that communication systems are conceived and implemented in order to be inherently resilient in this respect. In current wireless communication systems, some of the most sophisticated attack strategies aim at the physical layer, i.e., at the electromagnetic wave signal carrying the information, but the implied physical interaction with the target inherently leaves traces in the physical environment, which render these attacks typically detectable. However, this may not be the case for future (the 6th generation and beyond) wireless networks, whose current vision relies on the concept of “smart radio environment”, empowered by suitably engineering reflecting devices (also called as metasurfaces) that can manipulate the wave signals in unconventional fashions (e.g., non-specular reflections) and that can be reconfigured at will. These metasurface elements, which should be pervasively deployed and suitably disguised in the indoor and outdoor environment, potentially introduce new vulnerabilities to the physical-layer attacks that should be fully understood and addressed. To this aim, here, we put forward the concept of smart wireless attacks at the physical layer by exploiting the unique capabilities of programmable metasurfaces in the joint manipulations of radio waves and digital information in a wireless scenario. Specifically, we illustrate both passive and active operational modes. In the passive mode, an attacker is capable of eavesdropping and breaking the target wireless information transfer by controlling the programmable metasurface, without radiating any signal actively. In the active mode, an attacker can not only eavesdrop but also furtively falsify the target wireless communications by sending some deceptive information to the target. In both operational modes, the detectability of the attacker can be minimized. As a proof of concept, we design and realize an attacker prototype working in the Wi-Fi band around 2.4GHz, and demonstrate experimentally its ability to hack wireless data streams. Our results raise awareness on the new types of security threats and challenges that the next-generation wireless networks will likely have to face, and indicate that suitable mitigation strategies and specific security protocols need to be conceived and developed at the present stage, while the smart-radio-environment concept is still in its infancy.

Yalin E. Sagduyu,Yi Shi,Tugba Erpek

DOI: https://doi.org/10.1109/tmc.2019.2950398

IF: 6.075

2021-02-01

IEEE Transactions on Mobile Computing

Abstract:An adversarial deep learning approach is presented to launch over-the-air spectrum poisoning attacks. A transmitter applies deep learning on its spectrum sensing results to predict idle time slots for data transmission. In the meantime, an adversary learns the transmitter's behavior (exploratory attack) by building another deep neural network to predict when transmissions will succeed. The adversary falsifies (poisons) the transmitter's spectrum sensing data over the air by transmitting during the short spectrum sensing period of the transmitter. Depending on whether the transmitter uses the sensing results as test data to make transmit decisions or as training data to retrain its deep neural network, either it is fooled into making incorrect decisions (evasion attack) or the transmitter's algorithm is retrained incorrectly for future decisions (causative attack). Both attacks are energy efficient and hard to detect (stealth) compared to jamming the long data transmission period, and substantially reduce the throughput. A dynamic defense is designed for the transmitter that deliberately makes a small number of incorrect transmissions (selected by the confidence score on channel classification) to manipulate the adversary's training data. This defense effectively fools the adversary (if any) and helps the transmitter sustain its throughput with or without an adversary present.

computer science, information systems,telecommunications

Kunze Wu,Weiheng Jiang,Dusit Niyato,Yinghuan Li,Chuang Luo

2024-09-23

Abstract:Recently, the design of wireless receivers using deep neural networks (DNNs), known as deep receivers, has attracted extensive attention for ensuring reliable communication in complex channel environments. To adapt quickly to dynamic channels, online learning has been adopted to update the weights of deep receivers with over-the-air data (e.g., pilots). However, the fragility of neural models and the openness of wireless channels expose these systems to malicious attacks. To this end, understanding these attack methods is essential for robust receiver design. In this paper, we propose a transfer-based adversarial poisoning attack method for online receivers. Without knowledge of the attack target, adversarial perturbations are injected to the pilots, poisoning the online deep receiver and impairing its ability to adapt to dynamic channels and nonlinear effects. In particular, our attack method targets Deep Soft Interference Cancellation (DeepSIC)[1] using online meta-learning. As a classical model-driven deep receiver, DeepSIC incorporates wireless domain knowledge into its architecture. This integration allows it to adapt efficiently to time-varying channels with only a small number of pilots, achieving optimal performance in a multi-input and multi-output (MIMO) scenario. The deep receiver in this scenario has a number of applications in the field of wireless communication, which motivates our study of the attack methods targeting it. Specifically, we demonstrate the effectiveness of our attack in simulations on synthetic linear, synthetic nonlinear, static, and COST 2100 channels. Simulation results indicate that the proposed poisoning attack significantly reduces the performance of online receivers in rapidly changing scenarios.

Signal Processing,Cryptography and Security,Machine Learning

Dongqi Han,Zhiliang Wang,Ying Zhong,Wenqi Chen,Jiahai Yang,Shuqiang Lu,Xingang Shi,Xia Yin

DOI: https://doi.org/10.1109/jsac.2021.3087242

2020-01-01

Abstract:Machine learning (ML) techniques have been increasingly used in anomaly-based network intrusion detection systems (NIDS) to detect unknown attacks. However, ML has shown to be extremely vulnerable to adversarial attacks, aggravating the potential risk of evasion attacks against learning-based NIDSs. In this situation, prior studies on evading traditional anomaly-based or signature-based NIDSs are no longer valid. Existing attacks on learning-based NIDSs mostly focused on feature-space and/or white-box attacks, leaving the study on practical gray/black-box attacks largely unexplored. To bridge this gap, we conduct the first systematic study of the practical traffic-space evasion attack on learning-based NIDSs. We outperform the previous work in the following aspects: (1) practical---instead of directly modifying features, we provide a novel framework to automatically mutate malicious traffic with extremely limited knowledge while preserving its functionality; (2) generic---the proposed attack is effective for any ML classifiers (i.e., model-agnostic) and most non-payload-based features; (3) explainable---we propose a feature-based interpretation method to measure the robustness of targeted systems against such attacks. We extensively evaluate our attack and defense scheme on Kitsune, a state-of-the-art learning-based NIDS, as well as measuring the robustness of various NIDSs using diverse features and ML classifiers. Experimental results show promising results and intriguing findings.