Core Concepts
Continuous retraining of machine learning models, even without adversarial training, can significantly reduce the effectiveness of adversarial attacks against network intrusion detection systems.
Abstract
The paper explores the practicality of adversarial evasion attacks against machine learning-based network intrusion detection systems (ML-NIDS). It makes three key contributions:
Identifying numerous practicality issues for adversarial evasion attacks on ML-NIDS using an attack tree threat model. The attack tree highlights leaf nodes with questionable feasibility, indicating the significant challenges attackers face in executing these attacks in real-world scenarios.
Introducing a taxonomy of practicality issues associated with adversarial attacks against ML-based NIDS, including challenges related to attackers' knowledge, attack space, and the dynamic nature of ML models.
Investigating the impact of continuous retraining on the effectiveness of adversarial attacks against NIDS. The experiments show that continuous retraining, even without adversarial training, can significantly reduce the impact of FGSM, PGD, and BIM adversarial attacks on the accuracy, precision, recall, and F1-score of ANN, SVM, and CNN-based NIDS models.
The results suggest that the dynamic nature of ML models can introduce an additional hurdle for attackers, as they would constantly need to obtain the updated gradients of the model, which is a complex task, especially in the NIDS domain. The models' performance metrics recovered after just one or two retraining sessions, demonstrating the effectiveness of continuous training in mitigating the impact of adversarial attacks.
Stats
The accuracy of the ANN NIDS model decreased from 0.997 to 0.756 after the FGSM attack on Day n.
The accuracy of the SVM NIDS model decreased from 0.998 to 0.150 after the FGSM attack on Day n.
The accuracy of the CNN NIDS model decreased from 0.997 to 0.842 after the FGSM attack on Day n.
The F1-score of the ANN NIDS model decreased from 0.997 to 0.677 after the FGSM attack on Day n.
The F1-score of the SVM NIDS model decreased from 0.998 to 0 after the FGSM attack on Day n.
The F1-score of the CNN NIDS model decreased from 0.997 to 0.863 after the FGSM attack on Day n.
Quotes
"Continuous retraining, even without adversarial training, can reduce the effectiveness of adversarial attacks."
"The dynamic nature of ML models can introduce an additional hurdle for attackers, as they would constantly need to obtain the updated gradients of the model, which is a complex task, especially in the NIDS domain."