Explainable and Transferable Adversarial Attack for ML-Based Network Intrusion Detectors

TL;DR

This paper introduces ETA, a framework for explainable, transferable black-box adversarial attacks on ML-based network intrusion detectors, addressing transferability issues and providing insights into adversarial example existence.

Contribution

The paper presents ETA, a novel transfer-based black-box attack framework that enhances transferability and explains adversarial examples in network intrusion detection systems.

Findings

ETA achieves high attack success rates across models.

The framework provides explanations for adversarial transferability.

ISFS improves the quality and transferability of adversarial examples.

Abstract

espite being widely used in network intrusion detection systems (NIDSs), machine learning (ML) has proven to be highly vulnerable to adversarial attacks. White-box and black-box adversarial attacks of NIDS have been explored in several studies. However, white-box attacks unrealistically assume that the attackers have full knowledge of the target NIDSs. Meanwhile, existing black-box attacks can not achieve high attack success rate due to the weak adversarial transferability between models (e.g., neural networks and tree models). Additionally, neither of them explains why adversarial examples exist and why they can transfer across models. To address these challenges, this paper introduces ETA, an Explainable Transfer-based Black-Box Adversarial Attack framework. ETA aims to achieve two primary objectives: 1) create transferable adversarial examples applicable to various ML models and 2) provide insights into the existence of adversarial examples and their transferability within NIDSs. Specifically, we first provide a general transfer-based adversarial attack method applicable across the entire ML space. Following that, we exploit a unique insight based on cooperative game theory and perturbation interpretations to explain adversarial examples and adversarial transferability. On this basis, we propose an Important-Sensitive Feature Selection (ISFS) method to guide the search for adversarial examples, achieving stronger transferability and ensuring traffic-space constraints.