Maxime Cordy
ABSTRACT
Machine-learning-based anomaly detection systems can be vulnerable to new kinds of deceptions, known as training attacks, which exploit the live learning mechanism of these systems by progressively injecting small portions of abnormal data. The injected data seamlessly swift the learned states to a point where harmful data can pass unnoticed. We focus on the systematic testing of these attacks in the context of intrusion detection systems (IDS). We propose a search-based approach to test IDS by making training attacks. Going a step further, we also propose searching for countermeasures, learning from the successful attacks and thereby increasing the resilience of the tested IDS. We evaluate our approach on a denial-of-service attack detection scenario and a dataset recording the network traffic of a real-world system. Our experiments show that our search-based attack scheme generates successful attacks bypassing the current state-of-the-art defences. We also show that our approach is capable of generating attack patterns for all configuration states of the studied IDS and that it is capable of providing appropriate countermeasures. By co-evolving our attack and defence mechanisms we succeeded at improving the defence of the IDS under test by making it resilient to 49 out of 50 independently generated attacks.
- 4SIC. {n.d.}. 4SICS geek lounge SCADA network capture. Retrieved January 25, 2019 from http://www.netresec.com/?page=PCAP4SICSGoogle Scholar
- F. A. A. Alseiari and Z. Aung. 2015. Real-time anomaly-based distributed intrusion detection systems for advanced Metering Infrastructure utilizing stream data mining. In 2015 International Conference on Smart Grid and Clean Energy Technologies (ICSGCE). 148–153.Google Scholar
- Dennis Appelt, Cu D. Nguyen, Annibale Panichella, and Lionel C. Briand. 2018. A Machine-Learning-Driven Evolutionary Approach for Testing Web Application Firewalls. IEEE Trans. Reliability 67, 3 (2018), 733–757.Google ScholarCross Ref
- Marco Barreno, Blaine Nelson, Russell Sears, Anthony D. Joseph, and J. D. Tygar. 2006. Can Machine Learning Be Secure?. In Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS ’06). ACM, 16–25. Google ScholarDigital Library
- R. Berthier, D. I. Urbina, A. A. Cárdenas, M. Guerrero, U. Herberg, J. G. Jetcheva, D. Mashima, J. H. Huh, and R. B. Bobba. 2014. On the practicality of detecting anomalies with encrypted traffic in AMI. In 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm). 890–895.Google Scholar
- A. L. Buczak and E. Guven. 2016. A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection. IEEE Communications Surveys Tutorials 18, 2 (2016), 1153–1176.Google ScholarDigital Library
- Yixin Chen and Li Tu. 2007. Density-based Clustering for Real-time Stream Data. In Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD ’07). ACM, 133–142. 1281192.1281210 Google ScholarDigital Library
- Gilbert Hendry and Shanchieh Yang. 2008.Google Scholar
- Intrusion signature creation via clustering anomalies. Proceedings of SPIE - The International Society for Optical Engineering 6973 (03 2008).Google Scholar
- Incapsula. 2014.Google Scholar
- What DDoS Attacks Really Cost Business? Retrieved 25 January 2019 from https://lp.incapsula.com/rs/incapsulainc/images/eBook-DDoSImpactSurvey.pdfGoogle Scholar
- Aleksandar Milenkoski, Marco Vieira, Samuel Kounev, Alberto Avritzer, and Bryan Payne. 2015. Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices. Comput. Surveys 48 (09 2015), 12:1–. 1145/2808691 Google ScholarDigital Library
- Steve Muller, Jean Lancrenon, Carlo Harpes, Yves Le Traon, Sylvain Gombault, and Jean-Marie Bonnin. 2018. A training-resistant anomaly detection system. Computers & Security 76 (03 2018).Google Scholar
- Mohammad Sazzadul Hoque. 2012. An Implementation of Intrusion Detection System Using Genetic Algorithm. International Journal of Network Security & Its Applications 4, 2 (Mar 2012), 109–120.Google Scholar
- K. G. Srinivasa, S. Chandra, S. Kajaria, and S. Mukherjee. 2011. IGIDS: Intelligent intrusion detection system using genetic algorithms. In 2011 World Congress on Information and Communication Technologies. 852–857.Google Scholar
- Dusan Stevanovic and Natalija Vlajic. 2014. Next Generation Application-Layer DDoS Defences: Applying the Concepts of Outlier Detection in Data Streams with Concept Drift. In Proceedings of the 2014 13th International Conference on Machine Learning and Applications (ICMLA ’14). IEEE Computer Society, Washington, DC, USA, 456–462. Google ScholarDigital Library
- L. Tomlin, M. R. Farnam, and S. Pan. 2016. A clustering approach to industrial network intrusion detection. In INSuRECon ’16.Google Scholar
- Omer Tripp, Omri Weisman, and Lotem Guy. 2013.Google Scholar
- Finding Your Way in the Testing Jungle: A Learning Approach to Web Security Testing. In ISSTA ’13 (ISSTA 2013). ACM, New York, NY, USA, 347–357. Google ScholarDigital Library
- 2483776Google Scholar
- Komkrit Udommanetanakit, Thanawin Rakthanmanon, and Kitsana Waiyamai. 2007. E-Stream: Evolution-Based Technique for Stream Clustering. In Proceedings of the 3rd International Conference on Advanced Data Mining and Applications (ADMA ’07). Springer-Verlag, 605–615. 3- 540- 73871- 8_58 Google ScholarDigital Library
- David A. Wagner and Paolo Soto. 2002. Mimicry attacks on host-based intrusion detection systems. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, November 18-22, 2002. Google ScholarDigital Library
- 255–264.Google Scholar
- Ting-Fang Yen and Michael K. Reiter. 2008.Google Scholar
- Traffic Aggregation for Malware Detection. In Detection of Intrusions and Malware, and Vulnerability Assessment, Diego Zamboni (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 207–227.Google Scholar
- Shi Zhong, Taghi M. Khoshgoftaar, and Shyarn V. Nath. 2005.Google Scholar
Index Terms
- Search-based test and improvement of machine-learning-based anomaly detection systems
Recommendations
Analyzing attack strategies against rule-based intrusion detection systems
Workshops ICDCN '18: Proceedings of the Workshop Program of the 19th International Conference on Distributed Computing and NetworkingIntrusion Detection Systems (IDS) have been widely used to detect cyber attacks in Cyber-Physical Systems (CPS). However, attackers can often adapt their attacking strategies to evade detection. Many commercial IDS are rule-based systems. This paper ...
Anomaly-based network IDS false alarm filter using cluster-based alarm classification approach
Anomaly-based network intrusion detection systems A-NIDS are an important and essential defence mechanism against network attacks. However, they generate a high volume of alarms that can be mixed with false-positive alarms, which poses a major challenge ...
Simulations of Event-Based Cyber Dynamics via Adversarial Machine Learning
Science of Cyber SecurityAbstractIn this paper, we apply cybersecurity dynamics theory into practical scenarios. We use machine learning models as detection tools of intrusion detection systems and consider cyber attacks against node computers as well as adversarial attacks ...
Comments