A Critique on the (Mis)Use of Feature-Space Attacks for Adversarial Machine Learning in NIDS

Machine and deep learning are extensively used to obtain network intrusion detection system (NIDS) models for recognizing malicious classes of traffic; however, it is a fact that NIDS models are vulnerable to adversarial attacks. Feature-space attacks apply perturbations to the input data and can induce major forms of misclassifications on a victim NIDS. This practical experience report puts forward the intuition that the misclassifications observed might be due to mere distortions of the underlying classes of traffic, rather than genuine vulnerabilities of the NIDS model under test. The experiments reported are based on the application of two popular adversarial attacks to normal and Denial of Service traffic. The results obtained provide an initial warning on the (mis)use of feature-space attacks in NIDS and suggest that the lessons learned on adversarial robustness, training and defense of NIDS based on the use of feature-space attacks should be treated with extreme caution.