Abstract
In cybersecurity, intrusion detection systems (IDSes) are of vital importance, allowing different companies and their departments to identify malicious attacks in massive volumes of network traffic; however, the effectiveness and stability of these artificial intelligence-based systems are challenged when coping with adversarial attacks. This work explores a creative framework based on a generative adversarial network (GAN) with a series of training algorithms that aims to generate instances of adversarial attacks and utilize them to help establish a new IDS based on a neural network that can replace the old IDS without knowledge of any of its parameters. Furthermore, to verify the quality of the generated attacks, a transfer mechanism is proposed for calculating the Frechet inception distance (FID). Experiments show that based on the original CICIDS2017 dataset, the proposed framework can generate four types of adversarial attacks (DDoS, DoS, Bruteforce, and Infiltration), which leave four types of classifiers (Decision Tree, Random Forest, Adaboost, and Deep Neural Network), set as black-box old IDSes, with low detection rates; additionally, the IDSes newly established by the proposed framework have an average detection rate of 98% in coping with both generated adversarial and original attacks.
Introduction
With the development of the internet and communication technology, the scale of network traffic has sharply increased, causing rapid growth in the number of network attacks and malware programs. For many institutions and companies, protecting the systems from these potential threats is never trivial; thus, it is necessary to build stable and powerful network intrusion detection systems (IDSes) that can detect and identify these malicious actions [1].
Recently, improvements in computing power have promoted the use of machine learning (ML) and deep learning (DL) techniques in a wide variety of fields, including the field of network attacks. By training with a certain scale of normal and attack instances, an ML- or DL-based classifier can surpass the classifying ability of humans and show relatively excellent performance in detecting anomalies in network flows [2]. However, these classifiers are not without their disadvantages, one of the most remarkable of which is their vulnerability to adversarial attacks [3].
The goal of an adversarial attack is to look for flaws in these ML- or DL-based models and ‘trick’ them into producing misleading classification reports [4]. Traditionally, adversarial attacks are created by methods such as convex programming, local search and combinatorial optimization. Based on the original attack, these methods can find perturbations that can confuse the target IDS [5]. Generative adversarial networks (GANs), proposed by Goodfellow in 2014, are useful networks for generating such attacks [6]. Attacks generated with GANs can continuously adapt to the target IDS while the target IDS attempts to make predictions regarding the attack; as a result, the attacks more easily expose vulnerabilities in ML- or DL-based classifiers [7].
Although GANs are able to generate adversarial attacks by continuously adapting to the target IDS, these attacks can also be fed into models as training samples, enabling direct enhancement of the original ML- or DL-based IDS [8, 9]. However, many institutions have long-deployed IDSes, and the parameters in these models are usually unavailable, preventing the configuration of the models from being changed; in these cases, there is a need for establishing a new IDS that both prevents adversarial attacks and maintains the classifying ability of the original IDS, whose construction is unknown.
This paper presents a solution to address this need; its main contributions are as follows:
A creative framework based on a GAN and a series of training algorithms are proposed for generating qualified adversarial attacks and developing a new classifier to detect both adversarial attacks and the original dataset.
A comprehensive detection experiment is performed to evaluate both the original ML/DL IDSes and the developed classifiers on both adversarial attacks and the original dataset.
Another experiment is conducted to evaluate the authenticity of a generated adversarial attack at all training steps.
The remainder of the paper is structured as follows. Sections 2 and 3 discuss the related works and restriction in this domain, respectively. Section 4 explains the construction of the proposed framework and the training algorithms. The experimental setup and results are given in Section 5. Section 6 depicts critical comparisons with related works. Final conclusions and future work are provided in Section 7.
Intrusion detection system
To enhance defensive capabilities in cybersecurity, IDSes, virtual protection mechanisms that monitor data traffic on the internet or local networks for malicious activity or policy violations, were created [1]. With advancements in the fields of ML and DL, families of algorithms developed to recognize and simulate patterns of data features based on chunks of datasets or continuous data streams and to predict unknown and upcoming features, researchers and developers today typically use popular methods such as Decision Trees (DTs), Random Forests (RFs), and Deep Neural Networks (DNNs) to create IDSes based on a number of specific datasets [2]. One example benchmark dataset is KDDCup99, which is currently widely applied to create effective models by many academic researchers and companies [10]; other alternative datasets include UNSW-NB15, Kyoto, WSN-DS, and CICIDS2017 [11].
Adversarial attacks
In 2014, Christian Szegedy found that DNNs learn input-output mappings that are fairly discontinuous to a significant extent [12]; this indicates that certain, almost imperceptible perturbations may cause the DNN to misclassify testing samples. For example, when a perturbation is added to a set of images, and these images are applied to a typical DNN for sex classification, these images are falsely classified as male despite the ground truth, according to human eyes, of female. Following Szegedy’s work, the concept of an adversarial attack, which can confuse a neural network with slight perturbations, was developed. Currently, scientists have proposed numerous methods to generate this perturbation: the fast gradient sign method (FGSM), one-pixel attack, and so on [13]. In addition to image attacks, adversarial attacks can be applied in other domains, such as video attacks and reinforcement learning.
Adversarial training
Adversarial training is the process of training a model to correctly classify both original and adversarial attack instances [14], which can improve not only the robustness of the model to modified attacks but also its generalization performance for unmodified instances. A common way to perform adversarial training is to utilize adversarial attacks as training samples; thus, adversarial training is usually integrated with the generation of adversarial attacks.
Generative adversarial networks
In 2014, Google researcher Ian Goodfellow proposed GANs, whose main structure consists of two neural networks named generator and discriminator [6]; the basic architecture of a GAN is shown in Fig. 1. The generator receives a noise vector generated from Gaussian sampling and converts it into an instance in such a way that the instance can bypass the discriminator; injecting noise into the input of the generator serves as data augmentation, preventing overfitting and improving model generalization. The discriminator is a binary classifier with a sigmoid activation function in its last layer that outputs a value from 0 to 1; if the vector is assigned a value of more than 0.5 by the discriminator, it is treated as an authentic instance, and as a false instance otherwise. The purpose of the discriminator is to distinguish instances that originate from a real dataset from those produced by the generator. In the training phase, the generator and discriminator compete steadily with each other to achieve their purposes. After a certain number of training epochs, ideally, the generator is able to create authentic samples that the discriminator has difficulty distinguishing from real samples.
GAN architecture.
Shortly after their creation, GANs became a popular topic, and currently, many researchers are attempting to optimize them on stability of the generation, higher resolutions or the greater authenticity of the generated vectors, such as WGAN [15], CycleGAN [16], SEGAN [17], and styleGAN [18]. Meanwhile, GANs have been applied in all kinds of fields: in image processing, GANs are used to generate unseen but realistic pictures [19], while domains such as video generation [20] and medical care [21] have also made use of this technology.
Lin et al. [22] proposed a framework named IDSGAN for generating adversarial attacks and bypassing target IDSes by using NSL-KDD; the discriminator in this framework steadily simulates the target IDS, and as a result, this discriminator, rather than the target IDS, is the target that the generator must bypass. Yan et al. [7] applied a WGAN to generate attack traffic to bypass an IDS automatically, using the standardized Euclidean distance and information entropy to assess the model; using the KDDCup99 dataset, the authors achieved a reduction in the accuracy of the IDS from 97.34% to 47.62%. Lee et al. [23] designed an autoencoder-conditional GAN to improve the performance of an RF model; in experiments, the proposed GAN-RF obtained an F1-score of nearly 0.95 with the CICIDS2017 dataset after data augmentation. Usama et al. [5] proposed a GAN-based architecture to generate adversarial attacks by feeding the content features from KDDCup99 to the model; the generated attacks successfully evaded ML- and DL-based IDSes and reduced the average accuracy of these IDSes to approximately 50%. The generator in this architecture was then selected to perform adversarial training to strengthen these IDSes, after which their average accuracy reached nearly 80%. Msika et al. [9] proposed a framework named SIGMA by using a GAN, metaheuristics, and local search to leverage attacks. SIGMA then applied these attacks to strengthen the IDS and finally improved the performance of an existing IDS to up to a 100% detection rate on these generated attacks. To detect adversarial attacks in network traffic, Ye et al. [24] designed an adversarial sample detector (ASD) based on the bidirectional GAN. The generator was trained to reflect the normal data distribution and then calculated the reconstruction error and the discriminator matching error from the samples. In experiments, the ASD helped a network IDS defend against adversarial attacks generated via three typical methods (e.g., FGSM). The framework proposed in this paper aims to perform both adversarial attack generation and IDS building.
Restriction on attack generation
To preserve the functional behavior of modified attacks, constraints are imposed on adversarial attack generation [5]; for example, for computer vision, the visual appearance of generated instances should be the same as that of the original instances. In language processing, the semantic meaning cannot be changed when generating adversarial text instances.
In network intrusion detection, the generated network traffic should not invalidate specific network traffic features, such as intrinsic features in NSL-KDD [22] and flow duration in CICIDS2017 [9]. These features are named functional features and are related to the feasibility of network traffic, while the remaining features are named nonfunctional features and are allowed to be modified. As a result, when performing attack generation, only nonfunctional features can be generated in a network vector.
Due to this restriction, typical methods such as the Fast Gradient Sign Method (FGSM) in image attack generation are not suitable in network traffic generation because they do not distinguish functional and nonfunctional features, instead attempting to modify every feature. GANs thus serve as an alternative method to generate network traffic instances, given the condition that the features fed into the GAN are nonfunctional features only.
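A check for the restriction above, written as an added example that is not code from the paper: it audits a batch of candidate instances for changes to functional features. "Flow Duration" is the functional feature named in the text; `func_b` and the `nonfunc_*` names, the sample values and the random-sign perturbation (a stand-in for any method that modifies every feature) are constructed assumptions.

```python
import numpy as np


def functional_mask(feature_names, functional_names):
    """Boolean mask over columns: True where the feature is functional."""
    unknown = set(functional_names) - set(feature_names)
    if unknown:
        raise ValueError(f"unknown functional features: {sorted(unknown)}")
    return np.array([name in functional_names for name in feature_names])


def recombine(original, generated_nonfunctional, mask):
    """Functional columns are copied from the original attack; nonfunctional
    columns are taken from the generator output."""
    expected = (original.shape[0], int((~mask).sum()))
    if generated_nonfunctional.shape != expected:
        raise ValueError("generator output must cover exactly the nonfunctional columns")
    out = original.copy()
    out[:, ~mask] = generated_nonfunctional
    return out


def audit_functional(original, candidate, mask, feature_names, tol=1e-12):
    """Return {functional feature name: number of rows where it was changed}."""
    changed = np.abs(candidate - original) > tol
    report = {}
    for j in np.flatnonzero(mask):
        rows = int(changed[:, j].sum())
        if rows:
            report[feature_names[j]] = rows
    return report


def demo_audit(seed=0):
    rng = np.random.default_rng(seed)
    # Constructed schema: only "Flow Duration" is named in the text.
    names = ["Flow Duration", "func_b", "nonfunc_a", "nonfunc_b", "nonfunc_c"]
    mask = functional_mask(names, {"Flow Duration", "func_b"})
    original = rng.uniform(0.2, 0.8, size=(6, len(names)))  # constructed, normalized

    # Stand-in for a method that perturbs every feature: +/- 0.05 on all columns.
    signs = rng.choice([-1.0, 1.0], size=original.shape)
    perturbed_all = original + 0.05 * signs

    # Stand-in for generator output covering the nonfunctional columns only.
    generated = rng.uniform(0.0, 1.0, size=(6, int((~mask).sum())))
    recombined = recombine(original, generated, mask)

    return (audit_functional(original, perturbed_all, mask, names),
            audit_functional(original, recombined, mask, names))


if __name__ == "__main__":
    all_features, nonfunctional_only = demo_audit()
    print("perturb every feature:", all_features)
    print("recombined instance:  ", nonfunctional_only)
```

An empty report means every functional column of the candidate batch matches the original attack it was derived from.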
Proposed methods
GANCIDS framework
To establish a new IDS to both prevent adversarial attacks and maintain the classifying ability of the original IDS, the authors propose a Generative Adversarial Network with Classifier for Intrusion Detection System (GANCIDS) to both generate adversarial attacks and perform adversarial training. This framework contains three trainable models, named Generator (G), Discriminator (D), and Classifier (C), as well as a pretrained model named Feature Extractor (FE), all of which are based on neural networks. The details of GANCIDS are shown in Fig. 2. In addition to the four mentioned models, the figure also shows IDS, which refers to the old IDS and is deployed as a target model (i.e., target IDS) for G to bypass and C to replace.
Structure of GANCIDS.
Due to the restriction in Section 3, features in every instance must be separated into functional and nonfunctional features, only the latter of which can be modified. The resulting process for generating an adversarial attack is illustrated based on the Generating Part in Fig. 2. First, nonfunctional features are separated from the original attack and transformed into a latent vector by FE; second, if the dimension of this latent vector is
After attack generation, using different training algorithms, features are passed to C and the target IDS to determine the corresponding losses, which help train G and C.
Structure of feature extractor.
T-SNE before and after feature extractor.
In this framework, nonfunctional features are not supposed to be input to G directly because they are usually complicated and high dimensional. To gain the most useful information and simultaneously reduce the complexity in these features, FE is designed as a feature extractor based on transfer learning [25, 26]. It is constructed from a pre-trained model via a two-step process: first, nonfunctional features and labels from the original attacks and normal examples are fed into a multilayer neural network to train a binary classifier; second, the last layer of this neural network is discarded. The construction of FE is illustrated in Fig. 3.
For mathematical interpretation, some symbols and equations are introduced in advance:
Using these symbols and equations, the following paragraph introduces the training strategies used for GANCIDS. For each attack label and target model, GANCIDS is trained in a fixed order: first, G and D are trained to generate attack instances with high authenticity; second, based on the original dataset, C is trained to simulate the classifying ability of the target IDS; third, G is trained to generate attacks to bypass both C and the target IDS; finally, by using these generative attack instances and the original dataset, C is trained to improve its classifying ability on adversarial attacks. These four steps are named Training G and D, Simulation, Bypassing, and Surpassing.
For this part, only original attack instances are applied to train G and D. From the beginning, every instance is separated into a functional part and a nonfunctional part; then, FE extracts the nonfunctional part into a latent vector, a noise vector is sampled from a Gaussian distribution, and these two vectors are combined as the input of G. G then outputs a generative, nonfunctional feature vector, which is combined with the functional part from the original attack, forming a generative attack that is fed into D. As a consequence, the loss function for G and D in this step is first defined as follows:
The objective of D is to distinguish generator attack instances from original dataset attack instances (i.e. to increase the probabilities of original attacks being detected as true and generated attacks being detected as false), thus it maximizes
Overall, the whole process is outlined in Algorithm 4.2.1. Indeed, the objective of this step is to choose suitable
Algorithm 4.2.1: Training G and D (loops over each training epoch and each batch)
Before attacking C and the target IDS, C is trained to gain the basic classifying ability of the target IDS on the original dataset. The objective of C in this step is to minimize the binary cross-entropy loss function, where the output from the target IDS is treated as the ground truth for training C. Then, the loss function
Algorithm: Simulation
After the simulation step, C is a suitable attack target; G is then enhanced to generate attacks that both bypass D and confuse C. Bypassing D means that an instance should obtain a value larger than 0.5 from D; confusing C means that the loss function of G should be a combination of its original adversarial loss function with a new loss function opposite to that of C; the loss function
There are three terms in this formula: the first term illustrates the objective of G to bypass D; the remaining two terms are the opposite of the binary cross-entropy to Eq. (6), in which the output from the target IDS is treated as the ground false to guide G to confuse the target IDS. Simultaneously, C is still trained to encourage it to approach the classification ability of the target IDS; thus, the loss function of C is the same as Eq. (6) in the Simulation step. The entire process of this step is presented in Algorithm 4.2.3: for each outer epoch, G uses the original attacks to generate attack instances until the number of generated attacks reaches a certain number
Algorithm 4.2.3: Bypassing (loops over each training outer epoch)
By inputting C with these generative attacks, C can perform better than the target IDS in terms of classification ability. Different from the steps in Bypassing, the real labels of the related instances are used as training targets. In this step, original instances and generative attacks are mixed to train C. The objective of C is to classify all instances correctly, and its loss function
G is still trained to strengthen itself, but not in the same way as C. Instead, G is trained only by generative attack instances; thus, the label is always equal to 1 when training G. As a result, the loss function of G is simplified as follows:
The entire process is illustrated in Algorithm 4.2.4. Although there are many similarities between the Bypassing and Surpassing algorithms, there are two key differences: the Surpassing algorithm uses real labels instead of the outputs from the target IDS and trains C with all types of instances instead of only with generative attacks. After this step, C should be trained to distinguish these generative attacks.
Algorithm 4.2.4: Surpassing (loops over each training outer epoch)
In conclusion, the framework fits the knowledge of this domain: it is functionally complete and obeys the restriction in this domain. More importantly, its training method is arranged in a suitable order, and the loss functions are derived from those of the original GAN, so the derivation is scientific and easy to understand.
The experiments in this paper are implemented for three purposes: to train the proposed GANCIDS, to test the capability and quality of the generative attacks, and to compare the classifying ability of the developed classifier C with that of the target IDS. The experiments were conducted on a 3.60 GHz Intel Core i9-9900K processor, 32 GB DDR3, and GeForce RTX 2080Ti graphics card using the Python programming language and a Jupyter notebook as the running platform.
Dataset preparation and preprocessing
CICIDS2017 is chosen as the experimental dataset because it contains data on modern network traffic and the most up-to-date and common attacks [28]. Although the original CICIDS2017 consists of 3,119,345 instances, 288,602 instances have missing class labels and 203 instances have missing information [29]. After removing these instances, basic information on the dataset is shown in Table 1. In this dataset, benign instances represent normal network traffic, whereas instances with other labels are attacks.
Overall characteristics of CICIDS2017
Sublabels of each attack group
Functional features of each attack group
The functional and nonfunctional features in CICIDS2017 were divided based on Simon’s work [9]: first, four attack groups – DDoS, DoS, Bruteforce, and Infiltration – were selected, with details on the formations of these attack groups shown in Table 2; second, based on the results of feature selection by the dataset creators [28], the functional features for each attack group were selected (Table 3). In the experiments, for every attack group, the corresponding functional features never change; only the other features in CICIDS2017 are fed into FE and G in the training step.
Next, CICIDS2017 was divided into a training set and a testing set at an 80% to 20% ratio, respectively. Then, to extract basic information from these instances, the data were normalized: all feature values were mapped to a corresponding positive number less than 1 by the following formula:
Certain performance metrics tend to be used by researchers to estimate the functionality of their models. In this paper, the following metrics are utilized in the binary classification of an instance when labeled as attack or normal:
True positive (TP): the total number of correctly predicted normal samples.
True negative (TN): the total number of correctly predicted attack samples.
False positive (FP): the total number of normal samples predicted as attacks.
False negative (FN): the total number of attack samples predicted as normal.
Detection rate (DR), true positive rate (TPR) or recall: the ratio of the number of correctly detected attack samples to the total number of attack samples, that is, the total number of correctly classified positive samples to the total number of actually positive samples.
False positive rate (FPR): the ratio of the number of normal samples incorrectly classified as attack samples over the total number of normal samples.
DR is selected as a metric to assess the detecting capability of a model with attack samples, and FPR is selected to assess the stability of the model with normal samples. A model is said to have good performance on a specific type of attack when it possesses a high DR and a low FPR.
DR (%)/FPR (%) from 16 target IDSes for different attack groups and structures
For the original ML-based or DL-based IDS, 16 binary classifying models were chosen, derived from 4 attack groups and four structures each. For each attack group, anomaly detection IDSes with the original CICIDS2017 training dataset based on DT, RF, Adaboost (ADA) and DNN were pretrained, and their performances were measured by DR for the corresponding attack group and FPRs with the original CICIDS2017 testing dataset. The results are collected in Table 4, which shows that these IDSes have good performance on the original CICIDS2017 dataset. In the following experiments, these IDSes were set as the black-box target IDSes in GANCIDS; only feedback information was available, while the parameters were hidden.
GANCIDS training process and analysis
Regarding the configuration of GANCIDS, the models in this framework are all based on a DNN (i.e., a neural network with at least one hidden layer); the activation function of the hidden layers for all models is LeakyReLU, the activation function of the last layer for FE, D, and C is the sigmoid function, and the activation function of the last layer of G is the tanh function. All layers in all models are linear; in addition, for each hidden layer of FE and D, BatchNorm1d and dropout, respectively, are applied.
For training the hyperparameters, the Adam optimizer was selected; FE, G, and D were trained with a learning rate of 0.001, and C was trained with a learning rate of 0.0002. N was set to 10,000, the size of latent space was set to 16, and the size of the Gaussian vector was set to 16. To find the optimal structure of GANCIDS (i.e. FE, G, D, and C), a grid search with 5-fold cross-validation was used to select the structure that possessed the highest DR for an adversarial attack. All hyperparameters configured for constructing and training GANCIDS obtained after the grid search are presented in Table 5. In this table,
Hyperparameters configured for constructing and training GANCIDS after grid search
For each attack group, first, FE was constructed by pretraining a binary model with the CICIDS2017 training dataset and deleting its last layer, as shown in Fig. 3. Then, the training methodology was applied to G, D and C step by step.
To analyze the training process, the losses of the models in GANCIDS per 100 batches under each training step are collected in Fig. 5; although only the models based on the RF target model designed to detect DDoS attacks are shown, they nevertheless serve as representatives to show the variation in the loss for other types of target models and for the detection of other types of attacks.
In Fig. 5a, the losses of G and D are shown for the Training G and D step, which is identical to the training step for a vanilla GAN. These two pictures show that, in this step, the losses of G and D are both noisy because the two models were constructed to fool each other steadily; consequently, the two losses were still unstable after this step, similar to the losses of a vanilla GAN.
Training losses of models in GANCIDS per 100 batches based on the RF target model and DDoS attack detection.
Epochs for 
Figure 5b presents the loss of C during training to simulate the target IDS; the loss of C drops dramatically at the beginning and remains relatively low with slight variability, indicating that the classifying capability of the target IDS had been transferred to C to a certain extent.
Figure 5c shows the losses of G and C in the Bypassing step; the loss of G drops and remains near 1.9 with slight variability, whereas the loss of C is almost 0. These two losses indicate that G was trying to generate attacks to confuse C while C was still simulating the target IDS in this step.
Figure 5d shows the losses of G and C in the Surpassing step; the loss of G increases gradually with some variability, finally exceeding 25 after 100,000 batches, while the loss of C remains at nearly 0 with slight variation. These two losses indicate that it became increasingly difficult for G to generate attacks to confuse C while C was constantly learning from the correct labels in this step.
In Fig. 6, for every attack group, the number of epochs for
For each attack group and each structure, the target IDS was trained 5 times, and DR was used to assess the detection capability of C on adversarial attacks and original attacks from the test dataset. As a reference, the DR of the target IDS was also tested. Figure 7 shows the corresponding average DRs of C and the target IDS on DDoS, DoS, Bruteforce, and Infiltration attacks.
From these four plots, many similarities between the attack groups can be found: first, all target models show great performance on original attacks, but the detection capabilities decrease sharply when facing adversarial attacks generated by GANCIDS, as shown by the drop in the DRs of the target models on adversarial attacks to 3.7%–55.5%; second, C produced by GANCIDS performs excellently in classifying both generative attacks and original attacks, with average DRs of 99.2% and 97.9%, respectively.
In addition to attack detection, the performance of the developed C on normal examples was also tested; the average FPRs of each developed C were measured and are collected in Table 6, which shows that the developed C models still possess low FPRs and have good performances on normal instances.
Average FPR (%) of generated classifiers for different attack groups and IDS target bases
Average detection rates of the target IDS and classifier on each attack group.
Construction of the FID calculating mechanism.
FIDs of generated instances in training steps.
Integrating the information from Table 4 and the four DR figures, two interesting comparisons can be found: the DR of C on original attacks is lower than that of the target IDS, and the FPR of C is higher than that of the target IDS. From these two comparisons, it can be seen that the detectability of C on the original CICIDS2017 (i.e., the original attack and benign instances) is slightly weaker than that of the target IDS, indicating that C trades off the ability to perfectly detect the original dataset in order to be able to powerfully detect adversarial attacks.
The Frechet inception distance (FID) is a metric for evaluating the quality of generated sets and was specifically developed to evaluate the performance of GANs. In image processing, before using FID, scientists applied a pretrained feature extractor, such as Inception V3 [30], to determine useful, condensed features from a set of generative and real images. For addressing datasets in the IDS domain, however, direct application of Inception V3 as a pretrained feature extractor is unsuitable; instead, another transfer model, the Frechet inception distance feature extractor (FIDFE), is utilized. The construction of the FIDFE is almost the same as FE, but the FIDFE originates from a multiple classifier pretrained by CICIDS2017. The construction of the whole FID calculation mechanism is shown in Fig. 8.
In the experiments, to verify the quality of the generated attacks, this mechanism was used to record the FIDs of the attacks generated by G for each attack group for all training steps related to G: Training G and D, Bypassing and Surpassing. Figure 9 shows the FID of generated attacks in these training steps.
In this chart, for all attack groups, the FIDs start at nearly 500. When G is trained to bypass D in Algorithm 4.2.1, the FIDs drop dramatically and reach lower values. After 15 epochs, the FIDs are all under 100; specifically, the DDoS, DoS and BruteForce attack scores are under 20. Finally, the DDoS, DoS and BruteForce FIDs have approached 0, whereas the Infiltration score converges to approximately 50. This chart can also be explained as follows: the features generated by G are random and disordered at first; then, under the Training G and D step, the distribution of the nonfunctional features produced by G gradually approaches that of the original attacks, and G is ultimately able to generate attacks of high quality; in the Bypassing and Surpassing steps, G maintains the quality of its generated and strengthened attacks to bypass the target IDS and simultaneously allow C to catch up with the target IDS.
Overall, all FIDs remain low after training; compared with other FID experiments [19, 20], the Infiltration score remains acceptable; thus, the quality of the generative attacks is basically guaranteed.
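The FID calculation described above can be sketched as follows; this is an added example, not the authors' code. `frechet_distance` is the standard Fréchet distance between Gaussians fitted to two feature sets, while `make_stand_in_extractor` is a hypothetical untrained stand-in for the pretrained FIDFE and all sample data are constructed, so the absolute values are not comparable to those in Fig. 9.

```python
import numpy as np


def frechet_distance(feats_a, feats_b):
    """Frechet distance between Gaussians fitted to two feature sets.

    FID = ||mu_a - mu_b||^2 + Tr(S_a + S_b - 2 (S_a S_b)^(1/2)),
    with rows as instances and columns as extracted features.
    """
    mu_a, mu_b = feats_a.mean(axis=0), feats_b.mean(axis=0)
    cov_a = np.atleast_2d(np.cov(feats_a, rowvar=False))
    cov_b = np.atleast_2d(np.cov(feats_b, rowvar=False))
    # Tr((S_a S_b)^(1/2)) is the sum of the square roots of the eigenvalues of
    # S_a S_b; they are real and non-negative for covariance matrices, so tiny
    # negative or imaginary parts are rounding noise and are clipped.
    eigvals = np.linalg.eigvals(cov_a @ cov_b)
    trace_sqrt = np.sqrt(np.clip(eigvals.real, 0.0, None)).sum()
    diff = mu_a - mu_b
    return float(diff @ diff + np.trace(cov_a) + np.trace(cov_b) - 2.0 * trace_sqrt)


def make_stand_in_extractor(in_dim, out_dim, seed=0):
    """Hypothetical stand-in for the pretrained FIDFE: one fixed linear layer
    followed by LeakyReLU. The FIDFE in the paper is a trained network."""
    rng = np.random.default_rng(seed)
    weights = rng.normal(size=(in_dim, out_dim)) / np.sqrt(in_dim)

    def extract(x):
        h = x @ weights
        return np.where(h > 0, h, 0.01 * h)

    return extract


def fid(real, generated, extract):
    """Extract features from both sets, then compare their distributions."""
    return frechet_distance(extract(real), extract(generated))


def demo(seed=1):
    rng = np.random.default_rng(seed)
    n, d = 2000, 20
    # Constructed data: "real" attacks, an untrained generator that emits
    # disordered features, and a trained one that matches the real distribution.
    real = np.clip(rng.normal(0.3, 0.05, size=(n, d)), 0.0, 1.0)
    early = rng.uniform(0.0, 1.0, size=(n, d))
    late = np.clip(rng.normal(0.3, 0.05, size=(n, d)), 0.0, 1.0)
    extract = make_stand_in_extractor(d, 8)
    return fid(real, early, extract), fid(real, late, extract)


if __name__ == "__main__":
    fid_early, fid_late = demo()
    print(f"FID, disordered generator output: {fid_early:.4f}")
    print(f"FID, distribution-matched output: {fid_late:.6f}")
```

A pure mean shift between two sets with identical covariance yields exactly the squared length of the shift, which is a quick sanity check for any FID implementation.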
Comparison with related works
The works in [7, 22] concentrate on attack generation only, with the objective of bypassing the IDS by using a GAN; in other words, these works only played the role of attackers. By comparison, GANCIDS is designed for not only adversarial attack generation but also improved IDS establishment, which includes concrete and systematic strategies for cybersecurity defenders.
Based on Section 3, feasibility-related features cannot be modified; however, the work in [23] did not mention any information regarding this aspect and fed the GANs with all features, which may lead the generated instances to lose feasibility. Meanwhile, in Ye’s research [24], the adversarial attacks detected by the ASD were generated by typical attack models such as the FGSM, and the restriction in Section 3 is also violated. In this work, functional and nonfunctional features are divided clearly.
Usama et al. [5] only applied the generator model and did not filter the generated traffic by setting the discriminator in the adversarial training phase, which may cause fake traffic to be fed into the classifier and affect the strengthening of the IDSes, and no information about the authenticity of the generated traffic was provided. By comparison, to guarantee the authenticity of the generated attacks, the discriminator in this work was always utilized to filter the generated attacks from the generator; furthermore, the FIDs of the generated attacks in this work were also measured after filtration.
In addition, the works in [5, 22, 24] utilized NSL-KDD or KDDCup99; these two datasets are in fact too old to be applied because of their inability to reflect modern network traffic and attacks [31, 32]. Instead, this work uses CICIDS2017, a relatively suitable dataset for the current network environment.
Yin et al. [8] focused on botnet detection, whereas this work focuses on the detection of four other attack groups: DoS, DDoS, BruteForce, and Infiltration. SIGMA [9] focused on ways to strengthen the model from an existing IDS; however, sometimes the existing IDS was not trainable. Compared with SIGMA, GANCIDS establishes an improved IDS from the beginning. In addition, although reinforced models can achieve nearly 100% detection rates on generated attacks, no information about how they perform on the original datasets was given. By comparison, this work measured the detection capability of the models on the original dataset and found that C sacrificed the ability to perfectly detect the original dataset after adversarial training.
Conclusion and future work
In this paper, GANCIDS was proposed to both bypass target models selected from traditional ML- and DL-based classifiers and produce improved classifiers to replace these traditional classifiers. Experiments showed that the traditional models, including DT, ADA, RF, and DNN, had average DRs ranging from 3.7% to 55.5% with adversarial attacks generated by GANCIDS; furthermore, classifiers developed by GANCIDS demonstrated strong performances in detecting both generated and original attacks, with an average DR of 98.4%, as well as low FPRs and stability when coping with normal instances. In addition, FIDs were utilized to verify the quality of the generated adversarial attacks; the quality of the generated DDoS, DoS, and BruteForce attacks was found to be good, whereas that of the Infiltration attacks was acceptable.
A number of changeable structures and researchable angles can yet be addressed with regard to GANCIDS. Future studies should consider the following points. First, only the original GAN was used in this work, and other widely used versions, such as the WGAN, are planned as future research objects. Second, only binary classifiers were used as the target models in this paper, and other versions of GANCIDS should be capable of bypassing multiclass or regression models. Third, other up-to-date datasets for generating adversarial attacks and corresponding improved classifiers are planned to be utilized.
Acknowledgments
This work is supported by the Major Science and Technology Special Project of Sichuan Province (No. 2018GZDZX0009) and the Introducing Program of Dongguan for Leading Talents in Innovation and Entrepreneur (Dongren Han [2018], No. 738).
