IDSGAN: Generative Adversarial Networks for Attack Generation against Intrusion Detection

TL;DR

This paper introduces IDSGAN, a generative adversarial network framework designed to create adversarial malicious traffic to deceive intrusion detection systems, highlighting vulnerabilities and testing robustness against various detection algorithms.

Contribution

IDSGAN is a novel black-box attack framework that generates adversarial traffic while preserving attack functionality, improving attack success over existing methods.

Findings

IDSGAN effectively deceives multiple detection models.

The attack success rate remains high despite limited feature modifications.

IDSGAN outperforms baseline adversarial attack methods.

Abstract

As an essential tool in security, the intrusion detection system bears the responsibility of the defense to network attacks performed by malicious traffic. Nowadays, with the help of machine learning algorithms, intrusion detection systems develop rapidly. However, the robustness of this system is questionable when it faces adversarial attacks. For the robustness of detection systems, more potential attack approaches are under research. In this paper, a framework of the generative adversarial networks, called IDSGAN, is proposed to generate the adversarial malicious traffic records aiming to attack intrusion detection systems by deceiving and evading the detection. Given that the internal structure and parameters of the detection system are unknown to attackers, the adversarial attack examples perform the black-box attacks against the detection system. IDSGAN leverages a generator to transform original malicious traffic records into adversarial malicious ones. A discriminator classifies traffic examples and dynamically learns the real-time black-box detection system. More significantly, the restricted modification mechanism is designed for the adversarial generation to preserve original attack functionalities of adversarial traffic records. The effectiveness of the model is indicated by attacking multiple algorithm-based detection models with different attack categories. The robustness is verified by changing the number of the modified features. A comparative experiment with adversarial attack baselines demonstrates the superiority of our model.