Machine learning (ML), especially deep learning (DL) techniques have been increasingly used in anomaly-based network intrusion detection systems (NIDS). However, ML/DL has shown to be extremely vulnerable to adversarial attacks, especially in such security-sensitive systems. Many adversarial attacks have been proposed to evaluate the robustness of ML-based NIDSs. Unfortunately, existing attacks mostly focused on feature-space and/or white-box attacks, which make impractical assumptions in real-world scenarios, leaving the study on practical gray/black-box attacks largely unexplored. To bridge this gap, we conduct the first systematic study of the gray/black-box traffic-space adversarial attacks to evaluate the robustness of ML-based NIDSs. Our work outperforms previous ones in the following aspects: (i) practical —the proposed attack can automatically mutate original traffic with extremely limited knowledge and affordable overhead while preserving its functionality; (ii) generic —the proposed attack is effective for evaluating the robustness of various NIDSs using diverse ML/DL models and non-payload-based features; (iii) explainable —we propose an explanation method for the fragile robustness of ML-based NIDSs. Based on this, we also propose a defense scheme against adversarial attacks to improve system robustness. We extensively evaluate the robustness of various NIDSs using diverse feature sets and ML/DL models. Experimental results show our attack is effective (e.g., >97% evasion rate in half cases for Kitsune , a state-of-the-art NIDS) with affordable execution cost and the proposed defense method can effectively mitigate such attacks (evasion rate is reduced by >50% in most cases).

中文翻译：

---

评估和改进基于机器学习的网络入侵检测器的对抗鲁棒性

机器学习 (ML)，尤其是深度学习 (DL) 技术已越来越多地用于基于异常的网络入侵检测系统 (NIDS)。然而，ML/DL 已被证明极易受到对抗性攻击，尤其是在此类安全敏感系统中。已经提出了许多对抗性攻击来评估基于 ML 的 NIDS 的稳健性。不幸的是，现有的攻击主要集中在特征空间和/或白盒攻击，在现实世界场景中做出不切实际的假设，使得对实际灰/黑盒攻击的研究在很大程度上未被探索。为了弥补这一差距，我们对灰/黑盒进行了首次系统研究用于评估基于 ML 的 NIDS 的稳健性的流量空间对抗性攻击。我们的工作在以下方面优于以前的工作：(i)实用——提议的攻击可以在保留其功能的同时，以极其有限的知识和可负担的开销自动改变原始流量；(二)通用——所提出的攻击对于使用不同的 ML/DL 模型和非基于有效载荷的特征评估各种 NIDS 的鲁棒性是有效的；(三)可解释——我们为基于 ML 的 NIDS 的脆弱鲁棒性提出了一种解释方法。基于此，我们还提出了一种对抗对抗性攻击的防御方案，以提高系统的鲁棒性。我们使用不同的特征集和 ML/DL 模型广泛评估各种 NIDS 的稳健性。实验结果表明我们的攻击是有效的（例如，在一半的情况下，> 97％的逃避率对于风筝 ，一种最先进的 NIDS）具有负担得起的执行成本和所提出的防御方法可以有效地减轻此类攻击（在大多数情况下，规避率降低 >50%）。