Model Stealing for Adversarial Attack on Intrusion Detection Systems
Abstract
Machine learning-based network intrusion detection systems can be vulnerable to adversarial attacks. Executing such attacks, however, typically requires knowledge of the target model's internals, which may not be available to the attacker. This paper introduces a model stealing method that focuses on the equivalence of feature contribution between the target and substitute models, together with a black-box variant of the EBFA technique, named EBFA_BB. Compared with the baseline attacks, the proposed attack produced substitute models with at least 10% higher equivalence on the target model's most significant features.
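To make the abstract concrete, the sketch below illustrates one plausible instantiation of feature-contribution equivalence: a substitute model is trained purely from the black-box target's predictions, and the two models are then compared by the overlap of their k most significant features under SHAP attributions. The top-k overlap metric, the SHAP-based ranking, and every name in the code (steal, equivalence, X_query) are illustrative assumptions, not the paper's exact method.

```python
# Minimal sketch, assuming SHAP attributions and top-k feature overlap
# as the equivalence metric; the paper's exact definitions may differ.
import numpy as np
import shap
from sklearn.ensemble import RandomForestClassifier

def top_k_features(model, X, k=10):
    """Rank features by mean absolute SHAP contribution and keep the top k."""
    explainer = shap.Explainer(model)      # dispatches to TreeExplainer for forests
    contrib = np.abs(explainer(X).values).mean(axis=0)
    if contrib.ndim > 1:                   # multi-class output: average over classes
        contrib = contrib.mean(axis=-1)
    return set(np.argsort(contrib)[::-1][:k])

def equivalence(target, substitute, X, k=10):
    """Fraction of the target's k most significant features the substitute recovers."""
    return len(top_k_features(target, X, k) & top_k_features(substitute, X, k)) / k

def steal(target, X_query):
    """Black-box extraction: the substitute is trained only on oracle labels."""
    y_query = target.predict(X_query)      # prediction-API queries, no internals
    return RandomForestClassifier(random_state=0).fit(X_query, y_query)
```

Under this reading, an equivalence of 1.0 means the substitute ranks exactly the same top-k features as the target, which is what an explanation-guided attack such as EBFA needs to transfer from the substitute to the target.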
Published
2024-05-20
How to Cite
MOREIRA, Rafael Gomes; ROCHA, Rafael Oliveira da; CHAHUD, Leonardo Gonçalves; PEREIRA JUNIOR, Lourenço Alves. Model Stealing for Adversarial Attack on Intrusion Detection Systems. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 42., 2024, Niterói/RJ. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 1022-1035. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2024.1527.
