Fooling ML-based NIDS
David Bogdan-Nicoale
Nowadays, there are many things you might want to include in your corporate network. However, botnets and their associated traffic are not among them. To help detect botnets, companies have deployed NIDS (Network Intrusion Detection Systems).
Many NIDS make use of AI technology and use ML algorithms so that they can not only detect known botnet attacks but also respond quickly and efficiently to zero-day attacks. This makes them vulnerable to adversarial attacks.
The most common type of attack executed against an ML-based NIDS is an evasion attack. In this scenario, the attacker attempts to avoid detection by inserting traffic engineered specifically to fool the target system into believing that the traffic is legitimate.
Performing evasion attacks
Such an attack is performed in multiple steps:
1. Capture
2. Mimicry
3. Testing
4. Analysis
5. Deployment
During the Capture phase of the attack, the black hat sniffs the network traffic to determine the traits of the traffic that is considered legitimate and those of the traffic that the NIDS detects.
Next up is the Mimicry phase of the attack, where the adversary constructs a NIDS which mimics that of the target. Afterwards, the attacker engineers network traffic that can fool the mimicked NIDS. This step is known as the Testing phase. During the Analysis step, the traffic that managed to fool the mock system is analyzed and then adapted to fool the target system.
The last step is the Deployment, where the engineered traffic is deployed in the target system.
Now that we know how an evasion attack is performed, we must ask ourselves: is it worth it? Is it worthwhile for the attacker to devote the time and resources to generate such an attack? The answer is yes. According to the table below, evasion attacks reduce the performance of NIDS by roughly 66%.
Algorithm | Before attack | After attack
MLP | 97% | 0%
RF | 100% | 33%
KNN | 97% | 34%
Tab. 1 NIDS accuracy before and after attack.
Defending against evasion attacks
Now that we have seen how devastating evasion attacks are to ML-based NIDS, we must know how to defend them against such attacks. The proposed mechanism is made of three different models.
1. The first model analyses the modifiable traits of the network (such as traffic size).
2. The second model analyses the dependent characteristics.
3. The third model analyses independent traits.
The output of all the models is then combined to produce the final verdict. The messages which are allowed by the filter above are fed into the NIDS, and those considered evasion attacks are discarded.
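The filter described above, sketched as an added example (not code from the original post or the cited paper). Assumptions: the feature names other than traffic size, the z-score baseline used for each model, and the majority-vote combination are all constructed for illustration.

```python
from statistics import mean, pstdev

# Assumed grouping: the page names only traffic size as a modifiable trait;
# every other feature name here is constructed for illustration.
GROUPS = {
    "modifiable": ["bytes", "packets"],
    "dependent": ["bytes_per_packet", "bytes_per_second"],
    "independent": ["distinct_dst_ports"],
}

def derive(flow):
    """Return the flow with its dependent features recomputed from raw ones."""
    f = dict(flow)
    f["bytes_per_packet"] = f["bytes"] / f["packets"]
    f["bytes_per_second"] = f["bytes"] / f["duration"]
    return f

class GroupModel:
    """Baseline for one feature group: flags any |z-score| above `limit`."""
    def __init__(self, features, limit=3.0):
        self.features, self.limit, self.stats = features, limit, {}

    def fit(self, flows):
        for name in self.features:
            vals = [f[name] for f in flows]
            self.stats[name] = (mean(vals), pstdev(vals) or 1.0)
        return self

    def suspicious(self, flow):
        return any(abs(flow[n] - m) / s > self.limit
                   for n, (m, s) in self.stats.items())

def build_filter(benign_flows):
    train = [derive(f) for f in benign_flows]
    return {g: GroupModel(feats).fit(train) for g, feats in GROUPS.items()}

def verdict(models, flow):
    """Majority vote (an assumption): True means discard before the NIDS."""
    f = derive(flow)
    votes = {g: m.suspicious(f) for g, m in models.items()}
    return sum(votes.values()) >= 2, votes

def filter_for_nids(models, flows):
    return [f for f in flows if not verdict(models, f)[0]]

# Constructed sample data: 20 benign flows, one normal flow, and one flow whose
# size looks benign while its derived rate and port fan-out do not.
BENIGN = [{"bytes": 1000 + 40 * i, "packets": 10 + i % 3,
           "duration": 2.0 + 0.1 * (i % 5), "distinct_dst_ports": 1 + i % 2}
          for i in range(20)]
NORMAL = {"bytes": 1300, "packets": 11, "duration": 2.2, "distinct_dst_ports": 1}
ODD = {"bytes": 1400, "packets": 11, "duration": 0.05, "distinct_dst_ports": 40}
```

Calling verdict(build_filter(BENIGN), ODD) shows why the traits are split into groups: the modifiable-trait model alone accepts the flow, while the other two models outvote it.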
This way, we have a defense mechanism which doesn’t impact the performance of the NIDS and acts more as a reactive defense. But how effective is it?
Algorithm | State-of-the-art | Proposed mechanism
MLP | 97% | 98%
RF | 89% | 89%
KNN | 92% | 93%
Tab. 2 NIDS accuracy after applying defensive measures.
As can be observed, the defensive mechanism boosts the accuracy of the NIDS back to its former glory.
Source: https://arxiv.org/pdf/2303.06664.pdf
Wednesday, 31 May 2023