Stealthy Adversarial Attacks on Intrusion Detection Systems: A Functionality-Preserving Approach

Intrusion Detection Systems (IDS) are essential tools in network security, which aims to identify malicious traffic to safeguard computers. In recent years, with the application and advancement of machine learning in fields such as image recognition, autonomous driving, and natural language processing (NLP), machine learning-based intrusion detection systems have also rapidly developed. Unfortunately, such IDSs exhibit poor defensive capabilities when facing carefully crafted and imperceptible adversarial attacks. Adversarial attacks manipulate adversarial samples, causing malicious traffic to be misclassified as normal traffic, thereby bypassing intrusion detection systems. Given that adversarial attacks on IDSs in the real world largely operate under the premise of model agnosticism, this paper proposes a black-box attack based on Generative Adversarial Networks (GANs) and active learning. During the iterative training of GANs, the discriminator is covertly constructed as a shadow model of the target IDS, and a generator capable of generating adversarial malicious traffic is trained. Finally, leveraging the transferability of adversarial attacks to DNN, the attack implemented on the shadow model is transferred to the target model, thereby attacking the intrusion detector. Unlike adversarial attacks against image classifiers, adversarial attacks against IDSs must also consider whether the added adversarial perturbations will affect the semantics and functionality of the original malicious traffic. Therefore, the constraint mechanism for modifying feature values is also an important consideration in this paper.