Evaluating the Potential Threat of Generative Adversarial Models to Intrusion Detection Systems

Conrad Tucker

Signature-based Intrusion Detection Systems (IDS) use pre-defined signatures of malware activity to identify malware, and are therefore limited to detecting known malware. To overcome this limitation, an anomaly detection-based IDS characterizes the behavior of network traffic and monitors the computer network for activities that exceed a pre-defined range of normal behaviors. To characterize network traffic behavior, the anomaly detection model defines a set of features. Commonly used features at the packet level include header length, packet size, source and destination ports, and source and destination IP addresses. At the flow level, the average packet length and the number of packets in a flow can be used as features. Although the exact anomaly detection model of an IDS is usually kept confidential to reduce its vulnerability to intrusion, a malware developer can use machine learning approaches to characterize a black-box anomaly detection model, revealing an attack surface. Given the strength of deep neural networks in approximating complex abstract models, deep learning approaches could potentially be used by malware developers to attack anomaly detection-based IDS.
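
As an illustration, the following Python sketch computes the packet-level and flow-level features mentioned above from a list of packet records; the record fields, the flow key, and the sample values are hypothetical stand-ins, not the feature set of any particular IDS.

    from collections import defaultdict
    from statistics import mean

    # Each record: (src_ip, dst_ip, src_port, dst_port, header_len, packet_size).
    # These values are illustrative only.
    packets = [
        ("10.0.0.1", "10.0.0.2", 4321, 80, 20, 512),
        ("10.0.0.1", "10.0.0.2", 4321, 80, 20, 1024),
        ("10.0.0.3", "10.0.0.2", 5555, 443, 20, 256),
    ]

    # Packet-level features are read directly from each packet's header.
    packet_features = [
        {"header_len": p[4], "packet_size": p[5],
         "src_port": p[2], "dst_port": p[3]}
        for p in packets
    ]

    # Flow-level features aggregate packets sharing the same 4-tuple key.
    flows = defaultdict(list)
    for p in packets:
        flows[p[:4]].append(p[5])  # group packet sizes by flow

    flow_features = {
        key: {"num_packets": len(sizes), "avg_packet_len": mean(sizes)}
        for key, sizes in flows.items()
    }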

Among the various deep learning models that could be used to hide malware from anomaly detection-based IDS, Generative Adversarial Networks (GANs) are receiving increasing attention from network security researchers. A GAN consists of a generator neural network and a discriminator neural network. The generator is trained to synthesize data that resembles the training data, while the discriminator is trained to distinguish the synthesized data from the training data. The discriminator creates an adversarial learning process that improves the generator’s ability to produce data similar to the training data. When applied to hiding malware from an anomaly detection-based IDS, the malware developer can collect feature values of benign network traffic, or of malicious network traffic that has gone undetected, as the initial training data. A generator is then trained to generate feature values similar to the training data, while the discriminator, which simulates an IDS, is trained to approximate the anomaly detection model. When training is complete, the generated feature values are used to modify the malware’s behavior. The modified malware is evaluated against a testing IDS, and the generated feature values that successfully hide the malware are collected to update the training dataset. This forms an iterative GAN training process for hiding malware from the IDS.
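
The adversarial setup described above can be sketched in Python with PyTorch as follows; the feature dimension, network architectures, and training data are placeholder assumptions, and the discriminator here merely simulates an anomaly detection model rather than reproducing any real IDS.

    import torch
    import torch.nn as nn

    FEATURE_DIM, NOISE_DIM = 8, 16  # hypothetical traffic-feature width
    BATCH = 64

    generator = nn.Sequential(
        nn.Linear(NOISE_DIM, 32), nn.ReLU(),
        nn.Linear(32, FEATURE_DIM),
    )
    discriminator = nn.Sequential(  # stands in for the anomaly detector
        nn.Linear(FEATURE_DIM, 32), nn.ReLU(),
        nn.Linear(32, 1), nn.Sigmoid(),
    )

    opt_g = torch.optim.Adam(generator.parameters(), lr=1e-3)
    opt_d = torch.optim.Adam(discriminator.parameters(), lr=1e-3)
    bce = nn.BCELoss()

    # Placeholder for feature vectors of benign or undetected traffic.
    real_features = torch.randn(BATCH, FEATURE_DIM)

    for step in range(1000):
        # Train the discriminator to separate real from generated features.
        fake_features = generator(torch.randn(BATCH, NOISE_DIM)).detach()
        d_loss = (bce(discriminator(real_features), torch.ones(BATCH, 1))
                  + bce(discriminator(fake_features), torch.zeros(BATCH, 1)))
        opt_d.zero_grad()
        d_loss.backward()
        opt_d.step()

        # Train the generator so its output is scored "real" (benign-like)
        # by the discriminator, i.e. it slips past the simulated detector.
        g_loss = bce(discriminator(generator(torch.randn(BATCH, NOISE_DIM))),
                     torch.ones(BATCH, 1))
        opt_g.zero_grad()
        g_loss.backward()
        opt_g.step()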

We evaluate this threat along two dimensions: intrusion efficiency and knowledge transferability. For intrusion efficiency, we study how different choices of initial training data and GAN models affect the success rate of malware hiding, and whether, and how quickly, that rate increases as the iterative GAN training process continues. For knowledge transferability, we evaluate how the success rate changes when malware tuned against one testing IDS is used to attack a new IDS.
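
For illustration, both measurements reduce to an evasion success rate, sketched below with hypothetical stand-in detectors; the function names, detection probabilities, and sample data are assumptions made for this sketch only.

    import random

    def success_rate(ids_detects, samples):
        # Fraction of modified malware samples that the given IDS misses.
        return sum(not ids_detects(s) for s in samples) / len(samples)

    # Stand-in detectors: each flags a sample with a fixed probability.
    def testing_ids(sample):
        return random.random() < 0.4  # detects ~40% of samples

    def new_ids(sample):
        return random.random() < 0.7  # detects ~70% of samples

    samples = list(range(1000))  # placeholder modified-malware samples

    # Intrusion efficiency: in the full study this rate is tracked across
    # GAN training iterations; a single evaluation is shown here.
    print("testing IDS:", success_rate(testing_ids, samples))

    # Knowledge transferability: the same samples evaluated on a new IDS.
    print("new IDS:", success_rate(new_ids, samples))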