Sneaking Through Security: Mutating Live Network Traffic to Evade Learning-Based NIDS

Tan, S; Zhong, X; Tian, Z; Dong, Q

Sneaking Through Security: Mutating Live Network Traffic to Evade Learning-Based NIDS

Tan, S Zhong, X Tian, Z

Dong, Q

Permalink

Publisher:: Institute of Electrical and Electronics Engineers (IEEE)
Publication Type:: Journal Article
Citation:: IEEE Transactions on Network and Service Management, 2022, 19, (3), pp. 2295-2308
Issue Date:: 2022-05-10

Closed Access

	Filename	Description	Size
	Sneaking_Through_Security_Mutating_Live_Network_Traffic_to_Evade_Learning-Based_NIDS.pdf	Published version	6.53 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Tan, S
dc.contributor.author	Zhong, X
dc.contributor.author	Tian, Z https://orcid.org/0000-0001-8905-0941
dc.contributor.author	Dong, Q
dc.date.accessioned	2023-03-24T00:10:47Z
dc.date.available	2023-03-24T00:10:47Z
dc.date.issued	2022-05-10
dc.identifier.citation	IEEE Transactions on Network and Service Management, 2022, 19, (3), pp. 2295-2308
dc.identifier.issn	1932-4537
dc.identifier.issn	1932-4537
dc.identifier.uri	http://hdl.handle.net/10453/168291
dc.description.abstract	Machine learning based network intrusion system (NIDS) is known to be vulnerable to evasions. Attackers conceal intrusion activities to make them undetected. Researching evasion techniques contributes to evaluating and increasing the robustness of NIDS. Previous evasion approaches modify feature values or packets of an offline network trace as a whole. However, in real scenarios, attackers are constrained to manipulate only outbound packets on the fly. To bridge this assumption gap, we present the first evasion solution for live network traffic against learning based NIDSs. The solution consists of three components: a devised Kalman filter based algorithm to predicate the feature values of live flows, a set of formally constructed atomic packet mutation operators, and a proposed Strength Enhanced Deep Q-learning (SE-DQN) to determine effective mutation operators on outbound packets according to the predicted features. A defense scheme based on adaptive decision threshold adjustment is also provided. Experimental evaluation is presented on various NIDS classifiers and cyber attacks. Results show that SE-DQN achieves an evasion rate of at least 64.2% on most classifiers and even more than 90% on certain ones, and it is three times faster than DQN on learning mutation policy. The defense scheme shows an improvement of at least 76.4% on recall measurement.
dc.language	en
dc.publisher	Institute of Electrical and Electronics Engineers (IEEE)
dc.relation.ispartof	IEEE Transactions on Network and Service Management
dc.relation.isbasedon	10.1109/tnsm.2022.3173933
dc.rights	info:eu-repo/semantics/closedAccess
dc.subject	0805 Distributed Computing, 0906 Electrical and Electronic Engineering, 1005 Communications Technologies
dc.subject.classification	Networking & Telecommunications
dc.title	Sneaking Through Security: Mutating Live Network Traffic to Evade Learning-Based NIDS
dc.type	Journal Article
utslib.citation.volume	19
utslib.for	0805 Distributed Computing
utslib.for	0906 Electrical and Electronic Engineering
utslib.for	1005 Communications Technologies
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2023-03-24T00:08:36Z
pubs.issue	3
pubs.publication-status	Published
pubs.volume	19
utslib.citation.issue	3

Abstract:

Machine learning based network intrusion system (NIDS) is known to be vulnerable to evasions. Attackers conceal intrusion activities to make them undetected. Researching evasion techniques contributes to evaluating and increasing the robustness of NIDS. Previous evasion approaches modify feature values or packets of an offline network trace as a whole. However, in real scenarios, attackers are constrained to manipulate only outbound packets on the fly. To bridge this assumption gap, we present the first evasion solution for live network traffic against learning based NIDSs. The solution consists of three components: a devised Kalman filter based algorithm to predicate the feature values of live flows, a set of formally constructed atomic packet mutation operators, and a proposed Strength Enhanced Deep Q-learning (SE-DQN) to determine effective mutation operators on outbound packets according to the predicted features. A defense scheme based on adaptive decision threshold adjustment is also provided. Experimental evaluation is presented on various NIDS classifiers and cyber attacks. Results show that SE-DQN achieves an evasion rate of at least 64.2% on most classifiers and even more than 90% on certain ones, and it is three times faster than DQN on learning mutation policy. The defense scheme shows an improvement of at least 76.4% on recall measurement.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/168291