As machine learning (ML) classifiers increasingly oversee the automated monitoring of network traffic, studying their resilience against adversarial attacks becomes critical. This paper focuses on poisoning attacks, specifically backdoor attacks, against network traffic flow classifiers. We investigate the challenging scenario of clean-label poisoning where the adversary's capabilities are constrained to tampering only with the training data - without the ability to arbitrarily modify the training labels or any other component of the training process. We describe a trigger crafting strategy that leverages model interpretability techniques to generate trigger patterns that are effective even at very low poisoning rates. Finally, we design novel strategies to generate stealthy triggers, including an approach based on generative Bayesian network models, with the goal of minimizing the conspicuousness of the trigger, and thus making detection of an ongoing poisoning campaign more challenging. Our findings provide significant insights into the feasibility of poisoning attacks on network traffic classifiers used in multiple scenarios, including detecting malicious communication and application classification.

翻译：随着机器学习分类器越来越多地用于网络流量的自动化监控，研究其对抗性攻击的鲁棒性变得至关重要。本文聚焦于针对网络流量分类器的毒化攻击，尤其是后门攻击。我们研究了具有挑战性的干净标签毒化场景，其中攻击者的能力仅限于篡改训练数据——无法任意修改训练标签或训练过程中的其他任何组件。我们描述了一种利用模型可解释性技术的触发器构造策略，该策略能生成即使毒化率极低也依然有效的触发模式。最后，我们设计了生成隐蔽触发器的创新策略，其中包括一种基于生成式贝叶斯网络模型的方法，旨在最小化触发器的显著性，从而使正在进行的毒化活动更难被检测。我们的研究结果为毒化攻击在多种场景下（包括恶意通信检测和应用程序分类）对网络流量分类器的可行性提供了重要见解。