TEAM: Temporal Adversarial Examples Attack Model against Network Intrusion Detection System Applied to RNN

Ziyi Liu, Dengpan Ye, Long Tang, Yunming Zhang, Jiacheng Deng

TL;DR

TEAM is a novel RNN adversarial attack model based on feature reconstruction. It is applied to time series data, reveals the potential connection between adversarial examples and time steps in RNNs, and leverages Time Dilation to effectively mitigate the temporal effect among adversarial examples within the same time steps.

Abstract

With the development of artificial intelligence, neural networks play a key role in network intrusion detection systems (NIDS). Despite their tremendous advantages, neural networks are susceptible to adversarial attacks. To improve the reliability of NIDS, much research has been conducted and plenty of solutions have been proposed. However, the existing solutions rarely consider adversarial attacks against recurrent neural networks (RNN) with time steps, which would greatly affect the application of NIDS in the real world. Therefore, we first propose a novel RNN adversarial attack model based on feature reconstruction called Temporal adversarial Examples Attack Model (TEAM), which is applied to time series data and reveals the potential connection between adversarial examples and time steps in RNN. That is, the past adversarial examples within the same time steps can trigger further attacks on current or future original examples. Moreover, TEAM leverages Time Dilation (TD) to effectively mitigate the temporal effect among adversarial examples within the same time steps. Experimental results show that in most attack categories, TEAM improves the misjudgment rate of NIDS in both black-box and white-box settings, making the misjudgment rate reach more than 96.68%. Meanwhile, the maximum increase in the misjudgment rate of the NIDS for subsequent original samples exceeds 95.57%.

Paper Structure (26 sections, 16 equations, 3 figures, 7 tables, 1 algorithm)

This paper contains 26 sections, 16 equations, 3 figures, 7 tables, 1 algorithm.

Figures (3)

  • Figure 1: Illustration of the TEAM attack scenario. The red part in the figure represents the use of TEAM to generate AEs to implement adversarial attacks and next moment attacks on NIDS. The blue part represents normal traffic attacks on NIDS. $AE_t$ represents the AE at time $t$ and $OE_t$ represents the OE at time $t$. It can be seen that the traditional OE attack traffic (blue) can be effectively defended by the NIDS system. However, when the attacker uses the AE traffic (red) generated by TEAM to carry out the adversarial attack, it can easily cause the NIDS to misjudge. Meanwhile, the AE traffic generated by TEAM uses the nature of the attack at the next moment to make the model misjudge the OE traffic (red) at the next moment, achieving the adversarial attack at the current moment and the adversarial attack at the next moment.
  • Figure 2: Illustration of TEAM. The blue in the figure represents the unaltered OEs, and the red represents the reconstructed AEs. The process first inputs $x^{adv-n}_{no-fun}$ into the AutoEncoder for data reconstruction. The reconstructed data $x^{adv-n}_{adv}$ is spliced with the functional features $x^{adv-n}_{fun}$ to generate a new adversarial sample $x^{adv-n}_{all-adv}$. Subsequently, $x^{adv-n}_{all-adv}$ and the normal data $x^{org-n}_{org}$ are spliced. The spliced data is then input into the pre-trained Time Dilation RNN (TDRNN), and the cross-entropy loss with the label is used to guide the AutoEncoder to reconstruct the data.
  • Figure 3: Illustration of Time Dilation (TD): (a) Differences in weight distribution between the PD-RNN model (without TDRNN) and the AD-RNN model. (b) Differences in weight distribution between the PD-RNN model (using TDRNN) and the AD-RNN model.