Researchers develop technique to bypass AI intrusion detection

Researchers managed to trick a deep learning model trained to recognise malicious packets into treating DDoS traffic as legitimate

Researchers have demonstrated an attack technique that can fool a machine learning assisted network intrusion detection system (NIDS) into allowing malicious DDoS messages to pass as legitimate traffic.

The researchers, based at the Citadel, a military college in South Carolina, USA, used adversarial perturbation techniques to trick a deep learning model trained for intrusion detection into miscategorising the malicious traffic.

The latest NIDS use neural networking models to categorise attacks and detect new ones. In this way, they reduce the burden on incident response teams.

Adversarial perturbation describes a small change that tips an item from one category to another; for example, a tiny alteration of a few pixels may see a picture of a dog recategorised as a cat. It is most commonly used as a technique for training image recognition and natural language processing (NLP) models, and has only been used to a limited extent so far to categorise network traffic.

The researchers first created a deep learning model to detect DNS amplification traffic and trained it on a publicly available DDoS dataset until it detected malicious traffic at a rate of better than 98%.

DNS amplification is a common type of DDoS attack in which the attacker spoofs the victim's IP address and sends multiple lookup requests to a DNS server. The returning traffic has a greater volume than the initial requests, turning small queries into much larger payloads which ultimately overwhelm the victim's systems.
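Because the queries are spoofed, the victim's network sees DNS responses it never asked for. The following is an added example, not code from the researchers' paper or dataset, that counts such unsolicited responses at the victim's edge; the packet tuples, addresses and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample of DNS packets seen at the victim network's edge, in time
# order. Fields: (src, dst, is_response, txid, size_bytes). 192.0.2.x are
# internal hosts, 198.51.100.x are resolvers. All values are invented.
PACKETS = [
    ("192.0.2.10", "198.51.100.1", False, 0x1A2B, 60),   # genuine query
    ("198.51.100.1", "192.0.2.10", True, 0x1A2B, 120),   # its answer
    ("198.51.100.2", "192.0.2.10", True, 0x0001, 3000),  # no query was sent
    ("198.51.100.3", "192.0.2.10", True, 0x0002, 3000),
    ("192.0.2.20", "198.51.100.1", False, 0x7777, 55),   # genuine query
    ("198.51.100.1", "192.0.2.20", True, 0x7777, 100),   # its answer
    ("198.51.100.1", "192.0.2.20", True, 0x7777, 100),   # stray duplicate
    ("198.51.100.4", "192.0.2.10", True, 0x0003, 3000),
    ("198.51.100.5", "192.0.2.10", True, 0x0004, 3000),
]


def unsolicited_responses(packets):
    """Return {dst: (count, bytes)} for responses with no matching query."""
    pending = Counter()  # (client, resolver, txid) -> outstanding queries
    stats = {}
    for src, dst, is_response, txid, size in packets:
        if not is_response:
            pending[(src, dst, txid)] += 1
            continue
        key = (dst, src, txid)  # the query this response would answer
        if pending[key] > 0:
            pending[key] -= 1  # answers a query that was seen leaving
            continue
        count, total = stats.get(dst, (0, 0))
        stats[dst] = (count + 1, total + size)
    return stats


def flag_reflection_targets(packets, min_count=3, min_bytes=4096):
    """Hosts receiving many large unsolicited responses (illustrative thresholds)."""
    return sorted(
        dst
        for dst, (count, total) in unsolicited_responses(packets).items()
        if count >= min_count and total >= min_bytes
    )


if __name__ == "__main__":
    print(unsolicited_responses(PACKETS))
    print(flag_reflection_targets(PACKETS))
```

A single stray duplicate, as for 192.0.2.20 in the sample, stays below the thresholds, while the host receiving repeated large responses from several resolvers is flagged.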

The researchers then altered two existing perturbation attack algorithms called Elastic-Net Attack on Deep Neural Networks (EAD) and TextAttack and turned them on their own intrusion detection model.

Both attack techniques proved highly effective, causing the NIDS to misclassify traffic, and generating large volumes of false positives and false negatives.

"Results show that it is possible and relatively easy to deceive a machine learning NIDS, reaffirming the notion that these deep learning algorithms are quite susceptible to adversarial learning," the researchers conclude in a paper (PDF) presented to a MSIE event.

Specialised adversarial attacks could be dangerous for AI/ML detection systems, although the researchers say they haven't tested the attack on commercial systems yet, noting that the unrealistic packets created by their experimental models might be detected by those systems.

As well as testing commercial deep learning NIDS, they also plan to turn their attention to IoT DDoS attacks, in particular, focusing on DDoS attacks against the constrained application protocol (CoAP) used by many IoT devices.