The surge in Internet of Things (IoT) devices seriously threatens the current IoT security landscape, which requires a robust network intrusion detection system (NIDS). Despite superior detection accuracy, existing machine learning or deep learning based NIDS are vulnerable to adversarial examples. Recently, generative adversarial networks (GANs) have become a prevailing method for crafting adversarial examples. However, the discrete nature of network traffic at the packet level makes it hard for a GAN to craft adversarial traffic, as GANs are efficient at generating continuous data, as in image synthesis. Unlike previous methods that convert discrete network traffic into a grayscale image, this paper draws inspiration from SeqGAN, which performs sequence generation with policy gradient. Based on the structure of SeqGAN, we propose Attack-GAN to generate adversarial network traffic at the packet level that complies with domain constraints. Specifically, adversarial packet generation is formulated as a sequential decision-making process. In this case, each byte in a packet is regarded as a token in a sequence. The objective of the generator is to select a token to maximize its expected end reward. To bypass the detection of NIDS, the generated network traffic and benign traffic are classified by a black-box NIDS. The prediction results returned by the NIDS are fed into the discriminator to guide the update of the generator. We generate malicious adversarial traffic based on a real, publicly available dataset, with attack functionality unchanged. The experimental results validate that the generated adversarial samples are able to deceive many existing black-box NIDS.