Model Stealing for Adversarial Attacks on Intrusion Detection Systems
Abstract
Machine-learning-based network intrusion detection systems can be vulnerable to adversarial attacks. Carrying out such attacks, however, requires knowledge of internal details of the model in use, which may be unavailable to the attacker. This work presents a model stealing method focused on the equivalence of feature contributions between the target model and the substitute model, together with a black-box variant of the EBFA technique, called EBFA_BB. Compared with the attacks used as baselines, the proposed attack produced substitute models with at least 10% more equivalence with respect to the target model's most important features.
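The feature-contribution equivalence the abstract describes, as an added illustration that is not the authors' code and does not implement EBFA or EBFA_BB: a constructed linear IDS classifier is exposed only as a label-returning oracle (no scores, no weights, no training data), an attacker trains a substitute from the oracle's answers, and the two models are then compared on how many of the target's top-k most important features the substitute also ranks in its top-k, alongside plain label agreement (fidelity). The feature count, the true weights, the sample and query sizes, and the use of |w_j| as the contribution score of feature j (in place of a model-agnostic attribution method) are all assumptions made for this example.

```python
"""Black-box model extraction with a feature-importance equivalence check.

Constructed illustration, not the paper's method: a linear "target" IDS
classifier is reachable only through a label-returning oracle; the attacker
queries it, trains a substitute, and measures how many of the target's top-k
features the substitute also ranks in its top-k. Pure Python, no packages.
"""
import math
import random

N_FEATURES = 8      # assumed number of flow features (e.g. normalized flow statistics)
TOP_K = 3           # "most important features" compared between target and substitute

# Assumed ground truth used only to label the defender's private training data.
# Features 1, 4 and 6 dominate; the rest are near-noise.
TRUE_W = [0.2, 3.0, -0.1, 0.3, -2.5, 0.1, 2.0, 0.0]
TRUE_B = -0.5


def sigmoid(z):
    z = max(-500.0, min(500.0, z))      # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def sample_flow(rng):
    """Constructed feature vector: each feature uniformly in [-1, 1]."""
    return [rng.uniform(-1.0, 1.0) for _ in range(N_FEATURES)]


def label_flow(x, rng):
    """Noisy ground-truth label (1 = attack) drawn from the assumed true model."""
    return 1 if rng.random() < sigmoid(dot(TRUE_W, x) + TRUE_B) else 0


def train_logreg(xs, ys, epochs=300, lr=0.5):
    """Full-batch gradient-descent logistic regression; returns (weights, bias)."""
    n = len(xs[0])
    w, b = [0.0] * n, 0.0
    m = len(xs)
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(dot(w, x) + b) - y
            for j in range(n):
                gw[j] += err * x[j]
            gb += err
        w = [wi - lr * g / m for wi, g in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def predict_label(model, x):
    w, b = model
    return 1 if sigmoid(dot(w, x) + b) >= 0.5 else 0


def top_k_features(model, k=TOP_K):
    """Indices of the k features with the largest |w_j|: for a linear model this is
    the feature's global contribution (assumption: used here instead of SHAP-style
    attribution so the example stays dependency-free)."""
    w, _ = model
    return set(sorted(range(len(w)), key=lambda j: -abs(w[j]))[:k])


def top_k_equivalence(target, substitute, k=TOP_K):
    """Fraction of the target's top-k features that the substitute also ranks top-k."""
    return len(top_k_features(target, k) & top_k_features(substitute, k)) / k


def run_extraction(n_queries, seed=7):
    rng = random.Random(seed)

    # Defender side: the target is trained on private, constructed traffic.
    priv_x = [sample_flow(rng) for _ in range(600)]
    priv_y = [label_flow(x, rng) for x in priv_x]
    target = train_logreg(priv_x, priv_y)

    def oracle(x):
        # All the attacker ever sees: one hard label per submitted flow.
        return predict_label(target, x)

    # Attacker side: synthetic queries, labelled by the oracle, then a substitute.
    q_x = [sample_flow(rng) for _ in range(n_queries)]
    q_y = [oracle(x) for x in q_x]
    substitute = train_logreg(q_x, q_y)

    # Fidelity: label agreement between target and substitute on fresh inputs.
    test_x = [sample_flow(rng) for _ in range(500)]
    agree = sum(predict_label(target, x) == predict_label(substitute, x) for x in test_x)
    return {
        "target_top": top_k_features(target),
        "substitute_top": top_k_features(substitute),
        "equivalence": top_k_equivalence(target, substitute),
        "fidelity": agree / len(test_x),
    }


if __name__ == "__main__":
    for n in (20, 400):
        r = run_extraction(n)
        print(f"{n:4d} queries: top-{TOP_K} equivalence={r['equivalence']:.2f} "
              f"fidelity={r['fidelity']:.3f} target={sorted(r['target_top'])} "
              f"substitute={sorted(r['substitute_top'])}")
```

Fidelity alone can look acceptable while the substitute relies on different features than the target, which is exactly why a separate equivalence score over the top-k features is worth tracking: an evasion crafted against a substitute that ranks the wrong features highly will perturb the wrong inputs. On the defender side, the same oracle abstraction shows what an extraction attempt looks like in telemetry: many labelled queries over synthetic inputs that do not resemble production traffic.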
Published
20/05/2024
How to Cite
MOREIRA, Rafael Gomes; ROCHA, Rafael Oliveira da; CHAHUD, Leonardo Gonçalves; PEREIRA JUNIOR, Lourenço Alves. Roubo de Modelo para Ataque Adversarial em Sistemas de Detecção de Intrusão. In: SIMPÓSIO BRASILEIRO DE REDES DE COMPUTADORES E SISTEMAS DISTRIBUÍDOS (SBRC), 42., 2024, Niterói/RJ. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 1022-1035. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2024.1527.