| In recent years, security incidents have emerged in an endless stream as attackers use more covert methods to bypass traditional network security defenses. To improve detection accuracy and generalization ability, network intrusion detection systems (NIDS) increasingly use machine learning (ML) techniques. However, machine learning-based systems are vulnerable to adversarial attacks. To evaluate the security of ML-NIDS, adversarial attacks on it are required. In the black-box setting, traditional adversarial attack methods based on the gradient or the Jacobian matrix cannot be applied to ML-NIDS, because the feature extraction methods in traffic models are irreversible and non-differentiable. Attacks that use a Generative Adversarial Network (GAN) to generate adversarial features try to solve the problem of irreversible features, but the adversarial features they generate are also irreversible and unrealistic, so the resulting adversarial traffic attacks perform poorly. In addition, the accuracy and robustness of ML-NIDS models can be improved through adversarial defense, but existing adversarial defense methods have weak detection capabilities and robustness against adversarial traffic. To address these deficiencies, this paper proposes a solution along two dimensions: adversarial attack and adversarial defense. The main work is as follows: (1) To solve the problem of feature irreversibility, this paper proposes a black-box attack algorithm based on mutation-generated reversible adversarial features. The algorithm is based on a mutated generative adversarial network (MuGAN), which generates reversible adversarial features through a mutator. It then uses a mutation method based on kernel density estimation (KDE) to generate real adversarial traffic. This paper conducts experimental evaluations on four attack datasets: Mirai, SSDPFlood, DDOS and Brute-Force; and four machine learning-based NIDSs: KitNET, IF, SVM and MLP. Compared with previous black-box attack methods, this paper's
attack method has a higher evasion rate in 94% of cases, indicating that generating adversarial traffic from reversible adversarial features is more advantageous for attacking ML-NIDS. (2) To solve the problem that existing adversarial defense methods have weak detection ability and robustness against adversarial traffic, this paper proposes a KDE and game theory defense method using reversible adversarial features. First, the reversible adversarial features obtained from the previous adversarial attacks are analyzed with the KDE method to characterize reversible features and improve the ability to recognize adversarial traffic. Second, considering that attackers can exploit the fixed threshold of unsupervised model classifiers, this paper uses game theory to simulate attackers and defenders and determine the optimal dynamic threshold for defenders. The experimental results show that the KDE-based method is better than adversarial training in 63% of cases. However, the detection rate of the KDE-based method is unstable across datasets and its robustness is insufficient, while the game theory-based method has good robustness but an insufficient detection rate. When the two methods are combined, they achieve the highest detection rate on all datasets. This indicates that combining the two methods can balance robustness and accuracy. |