Generating Traffic-Level Adversarial Examples from Feature-Level Specifications

Robert Flood; Marco Casadio; David Aspinall; Ekaterina Komendantskaya

doi:10.1007/978-3-031-82362-6_8

Generating Traffic-Level Adversarial Examples from Feature-Level Specifications

Robert Flood^*, Marco Casadio, David Aspinall, Ekaterina Komendantskaya

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren’t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle’s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle’s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.

Original language	English
Title of host publication	Computer Security. ESORICS 2024 International Workshops
Publisher	Springer
Pages	118-127
Number of pages	10
ISBN (Electronic)	9783031823626
ISBN (Print)	9783031823619
DOIs	https://doi.org/10.1007/978-3-031-82362-6_8
Publication status	Published - 1 Apr 2025
Event	29th European Symposium on Research in Computer Security 2024 - Bydgoszcz, Poland Duration: 16 Sept 2024 → 20 Sept 2024

Publication series

Name	Lecture Notes in Computer Science
Volume	15264
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	29th European Symposium on Research in Computer Security 2024
Abbreviated title	ESORICS 2024
Country/Territory	Poland
City	Bydgoszcz
Period	16/09/24 → 20/09/24

Keywords

Adversarial Attacks
Formal Verification
Network Intrusion Detection

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-82362-6_8

Cite this

@inproceedings{c1edd738d31b4b20a465dce966c74a1e,

title = "Generating Traffic-Level Adversarial Examples from Feature-Level Specifications",

abstract = "Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren{\textquoteright}t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle{\textquoteright}s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle{\textquoteright}s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.",

keywords = "Adversarial Attacks, Formal Verification, Network Intrusion Detection",

author = "Robert Flood and Marco Casadio and David Aspinall and Ekaterina Komendantskaya",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 29th European Symposium on Research in Computer Security 2024, ESORICS 2024 ; Conference date: 16-09-2024 Through 20-09-2024",

year = "2025",

month = apr,

day = "1",

doi = "10.1007/978-3-031-82362-6\_8",

language = "English",

isbn = "9783031823619",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "118--127",

booktitle = "Computer Security. ESORICS 2024 International Workshops",

}

Flood, R, Casadio, M, Aspinall, D & Komendantskaya, E 2025, Generating Traffic-Level Adversarial Examples from Feature-Level Specifications. in Computer Security. ESORICS 2024 International Workshops. Lecture Notes in Computer Science, vol. 15264, Springer, pp. 118-127, 29th European Symposium on Research in Computer Security 2024, Bydgoszcz, Poland, 16/09/24. https://doi.org/10.1007/978-3-031-82362-6_8

TY - GEN

T1 - Generating Traffic-Level Adversarial Examples from Feature-Level Specifications

AU - Flood, Robert

AU - Casadio, Marco

AU - Aspinall, David

AU - Komendantskaya, Ekaterina

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/4/1

Y1 - 2025/4/1

N2 - Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren’t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle’s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle’s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.

AB - Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren’t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle’s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle’s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.

KW - Adversarial Attacks

KW - Formal Verification

KW - Network Intrusion Detection

UR - https://www.scopus.com/pages/publications/105002716057

U2 - 10.1007/978-3-031-82362-6_8

DO - 10.1007/978-3-031-82362-6_8

M3 - Conference contribution

AN - SCOPUS:105002716057

SN - 9783031823619

T3 - Lecture Notes in Computer Science

SP - 118

EP - 127

BT - Computer Security. ESORICS 2024 International Workshops

PB - Springer

T2 - 29th European Symposium on Research in Computer Security 2024

Y2 - 16 September 2024 through 20 September 2024

ER -