Recent advancements in artificial intelligence (AI) and machine learning (ML) algorithms, coupled with the availability of faster computing infrastructure, have enhanced the security posture of cybersecurity operations centers (defenders) through the development of ML-aided network intrusion detection systems (NIDS). Concurrently, the abilities of adversaries to evade security have also increased with the support of AI/ML models. Therefore, defenders need to proactively prepare for evasion attacks that exploit the detection mechanisms of NIDS. Recent studies have found that the perturbation of flow-based and packet-based features can deceive ML models, but these approaches have limitations. Perturbations made to the flow-based features are difficult to reverse-engineer, while samples generated with perturbations to the packet-based features are not playable. Our methodological framework, Deep PackGen, employs deep reinforcement learning to generate adversarial packets and aims to overcome the limitations of approaches in the literature. By taking raw malicious network packets as inputs and systematically making perturbations on them, Deep PackGen camouflages them as benign packets while still maintaining their functionality. In our experiments, using publicly available data, Deep PackGen achieved an average adversarial success rate of 66.4% against various ML models and across different attack types. Our investigation also revealed that more than 45% of the successful adversarial samples were out-of-distribution packets that evaded the decision boundaries of the classifiers. The knowledge gained from our study on the adversary's ability to make specific evasive perturbations to different types of malicious packets can help defenders enhance the robustness of their NIDS against evolving adversarial attacks.