GAN-based black-box evasion attack against a machine learning botnet detection system

Botnets have become an important issue in the domain of computer and network security as they serve as platform of many threats such as spam, denial of service attacks, phishing, data thefts, and online frauds and so on. Most of the popular botnet detection methods consist of monitoring the network, capturing packets and processing them in a format suitable for botnet detection, the traffic flows. Traffic flows are then inspected to detect malicious traffic. State of the art Botnet Detectors exploit machine learning techniques to detect malicious traffic flows. Usually, the structure and the internal parameters of these models are not observable from the outside and, therefore, they are considered black-box models. Recently, a Generative Adversarial Network (GAN) based frameworks, which can successfully generate adversarial malicious traffic flows examples to fool Intrusion Detection Systems (IDSs), has been proposed (IDSGAN). To generate adversarial malicious examples, the proposed method is to perturb only the features that do not invalidate the type of attack. Previous works on the generation of adversarial examples focused on perturbing only the numerical features of the examples. We present a GAN architecture which can handle the perturbation of both numerical and categorical features to expand the dimensional space of the perturbations that can be applied to each example. The purpose of the work is to successfully train a GAN to significantly reduce the probability that the generated adversarial malicious traffic flow examples are detected as effective botnet attacks from any of the proposed black-box botnet detector using an architecture that can handle the generation of both numerical and categorical variables. The aim is to validate the feasibility of the attack and to evaluate the improvement that the perturbation of categorical feature can bring. The proposed attack frameworks are based on Wasserstein GAN (WGAN) and Wasserstein GAN with Gradient Penalty (WGAN-GP), due to their improved stability during training over the original GAN designed by Goodfellow et al. In general, the architecture consists of a Generator which transforms the original malicious traffic flow examples into adversarial malicious ones, and a Critic which tries to learn the black-box botnet detector decision boundaries. In another version of the attack, the Critic behaves as a standard WGAN-GP critic to analyse the behaviour of such an attack. In order to ensure the validity of the generated malicious examples, only the non-functional features of the attack examples are modified. Using the CTU-13 dataset, successful attacks have been performed on several types of black-box botnet classifiers and the effectiveness of the perturbation of categorical features has been proved to be a potential threat in the domain of machine learning security.