Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Problem space structural adversarial attacks for Network Intrusion Detection Systems based on Graph Neural Networks

Andrea Venturi, Dario Stabili, Mirco Marchetti

TL;DR

This work tackles the vulnerability of Graph Neural Network (GNN)–based Network Intrusion Detection Systems (NIDS) to adversarial manipulation by formalizing structural attacks that perturb the graph representation of network traffic at test time. It defines a realistic threat model and problem-space constraints, and proposes four practical attack variants (C2x_B, C2x_M, U2x, and Add Node) that add edges or nodes to the flow graph, thus altering neighborhood embeddings used by GNNs. Extensive experiments on CTU-13 and ToN-IoT with two inductive GNNs (flow-graph E-GraphSAGE and line-graph LineGraphSAGE) show that feature-based attacks have limited impact on GNN-based NIDS, while structure-based perturbations drastically degrade detection performance, especially for the E-GraphSAGE model. The results underscore a critical vulnerability in GNN-based NIDS to topology-level attacks and motivate future defenses, with code released for reproducibility.

Abstract

Machine Learning (ML) algorithms have become increasingly popular for supporting Network Intrusion Detection Systems (NIDS). Nevertheless, extensive research has shown their vulnerability to adversarial attacks, which involve subtle perturbations to the inputs of the models aimed at compromising their performance. Recent proposals have effectively leveraged Graph Neural Networks (GNN) to produce predictions based also on the structural patterns exhibited by intrusions to enhance the detection robustness. However, the adoption of GNN-based NIDS introduces new types of risks. In this paper, we propose the first formalization of adversarial attacks specifically tailored for GNN in network intrusion detection. Moreover, we outline and model the problem space constraints that attackers need to consider to carry out feasible structural attacks in real-world scenarios. As a final contribution, we conduct an extensive experimental campaign in which we launch the proposed attacks against state-of-the-art GNN-based NIDS. Our findings demonstrate the increased robustness of the models against classical feature-based adversarial attacks, while highlighting their susceptibility to structure-based attacks.

Problem space structural adversarial attacks for Network Intrusion Detection Systems based on Graph Neural Networks

TL;DR

This work tackles the vulnerability of Graph Neural Network (GNN)–based Network Intrusion Detection Systems (NIDS) to adversarial manipulation by formalizing structural attacks that perturb the graph representation of network traffic at test time. It defines a realistic threat model and problem-space constraints, and proposes four practical attack variants (C2x_B, C2x_M, U2x, and Add Node) that add edges or nodes to the flow graph, thus altering neighborhood embeddings used by GNNs. Extensive experiments on CTU-13 and ToN-IoT with two inductive GNNs (flow-graph E-GraphSAGE and line-graph LineGraphSAGE) show that feature-based attacks have limited impact on GNN-based NIDS, while structure-based perturbations drastically degrade detection performance, especially for the E-GraphSAGE model. The results underscore a critical vulnerability in GNN-based NIDS to topology-level attacks and motivate future defenses, with code released for reproducibility.

Abstract

Machine Learning (ML) algorithms have become increasingly popular for supporting Network Intrusion Detection Systems (NIDS). Nevertheless, extensive research has shown their vulnerability to adversarial attacks, which involve subtle perturbations to the inputs of the models aimed at compromising their performance. Recent proposals have effectively leveraged Graph Neural Networks (GNN) to produce predictions based also on the structural patterns exhibited by intrusions to enhance the detection robustness. However, the adoption of GNN-based NIDS introduces new types of risks. In this paper, we propose the first formalization of adversarial attacks specifically tailored for GNN in network intrusion detection. Moreover, we outline and model the problem space constraints that attackers need to consider to carry out feasible structural attacks in real-world scenarios. As a final contribution, we conduct an extensive experimental campaign in which we launch the proposed attacks against state-of-the-art GNN-based NIDS. Our findings demonstrate the increased robustness of the models against classical feature-based adversarial attacks, while highlighting their susceptibility to structure-based attacks.
Paper Structure (30 sections, 7 figures, 5 tables)

This paper contains 30 sections, 7 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background
  3. GNN-based NIDS
  4. Adversarial attacks
  5. Adversarial attacks for GNN-based NIDS
  6. Threat model
  7. Feature Attacks
  8. Structural attacks
  9. Structural attacks in problem space
  10. Available transformations
  11. Preserved semantics
  12. Plausibility
  13. Robustness to preprocessing
  14. Proposed attacks
  15. C2x attack
  16. ...and 15 more sections

Figures (7)

  • Figure 1: Threat model.
  • Figure 2: Flow graph example for a network scanning attack.
  • Figure 3: Feasible structural adversarial attacks in practice.
  • Figure 4: Feature attack against RF, E-GraphSAGE, and LineGraphSAGE.
  • Figure 5: $\text{C2x}_\mathbf{\mathcal{B}}$ attack against E-GraphSAGE and LineGraphSAGE.
  • ...and 2 more figures