Ubuntu Security Podcast 194

Last updated:

Ubuntu Security Podcast Episode


The incremental diffusion of machine learning algorithms in supporting cybersecurity is creating novel defensive opportunities but also new types of risks. Multiple researches have shown that machine learning methods are vulnerable to adversarial attacks that create tiny perturbations aimed at decreasing the effectiveness of detecting threats. We observe that existing literature assumes threat models that are inappropriate for realistic cybersecurity scenarios because they consider opponents with complete knowledge about the cyber detector or that can freely interact with the target systems. By focusing on Network Intrusion Detection Systems based on machine learning, we identify and model the real capabilities and circumstances required by attackers to carry out feasible and successful adversarial attacks. We then apply our model to several adversarial attacks proposed in literature and highlight the limits and merits that can result in actual adversarial attacks. The contributions of this paper can help hardening defensive systems by letting cyber defenders address the most critical and real issues, and can benefit researchers by allowing them to devise novel forms of adversarial attacks based on realistic threat models.




My name is Andrei. I’m a new member of the security team from Ubuntu, and I’m thrilled to be now part of this podcast.

We'll begin a new segment today, in which we will delve further into academia and examine papers on cybersecurity. We will analyze them to understand the ideas put forth by the authors, the reason they are novel, and how security professionals might employ these ideas in their research, development, or analysis.

"Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems" is the title of the study that we will be looking at today. The work was published in ACM's Digital Threats journal by five academics from Italy and Liechtenstein. It's one of the most cited cybersecurity papers from 2022, and it examines the intersection of computer security and one of the fastest growing domains right now, artificial intelligence.

Key Topics

We will set the stage by introducing the key topics.

One way for classifying security mechanisms in a computer network is to evaluate where they are located.

Host-based solutions are those that are deployed on a host within that network. It is a program that runs continually, infrequently, or on demand that searches various areas of that particular host. The host-based scanning varies from normal files and processes, as in Clam AntiVirus, to kernel virtual memory, as in The Rootkit Hunter Project.

The analysis of communication between hosts in the network is another method for spotting malicious behavior. A security solution might examine a packet's payload, like the domain contained in a DNS query. Because this strategy is not practical for encrypted packets, such as DNS over HTTPS, other solutions inspect metadata, which is information that describes the participants, payload, and metrics about the communication. The destination MAC address, the cipher suite used during a TLS handshake, and the time interval between two successive ICMP packets are a few examples of metadata of each kind.

To mention a few network-based safeguards, we have the Uncomplicated Firewall, Arkime as a full packet capture, and Suricata, which can operate in two modes: intrusion detection and intrusion prevention.

Machine learning is another topic to take into account. As its adoption in recent years has enabled society to develop novel answers to complicated problems, the cybersecurity industry has not been overlooked. The focus has primarily been on spam detectors and antimalware programs, although other research in academia and industry has examined the use of ML in network intrusion detection systems.

But how exactly do these ML-IDSes operate? Both during training and production, the models do the same analysis on a packet. It is parsed to determine its fields, and some attributes are retrieved from the raw data to create a classification that determines whether the packet is benign or malicious, in the latter case an alarm is generated. Training and production are different in that the former employs samples that are pre-collected while the latter analyzes ones that have never been seen before.

Attacks against ML-IDSes

Up to this point, everything seems fine, but an arms race is taking place. As defenders implement more sophisticated solutions in their infrastructures, hostile actors devise innovative adversarial attacks against these AI-based systems, in which they fool the model into forecasting results in their favor. This could indicate, for instance, DoS attacks by misclassifying legitimate requests as malicious or the use of exploits by misclassifying malicious requests as legitimate.

Having stated that, the goal of the study is to develop a realistic theoretical model of how these attackers may look.


The extent to which the attacker has control over the ML-based intrusion detection system is how the authors define the idea of power. It was divided into 5 factors, each of which offers a unique description of the attacker's strength.

Let's look into each of them!

To begin, we have knowledge of the training data. If the attacker gets read access to the dataset, she could examine the data to look for patterns among samples that were labeled as harmless. Do all the dataset's benign ELF files have PIE, ASLR, and canaries enabled? Then, let's develop malware that acts as a dropper and has the same security features enabled. The likelihood of malware being discovered is decreased in this way. Additionally, if the attacker has write privileges, she may inject harmful samples to be categorized as benign.

Secondly, the attacker might be aware of the feature set, meaning the specific data from the sample that the IDS examines in order to make a forecast. If the attacker is aware that ELF sections with unusual names are not inspected by the ML-IDS, the malware can transfer its dangerous code from the .text section to a strangely named one.

The knowledge of the detection model, specifically the algorithm and its parameters, is another factor that contributes to modeling power. The authors don't insist on this unrealistic detail because the only way to know it is to completely compromise the IDS.

Fourth, the attacker might possess oracle abilities, which would allow him to submit some inputs and observe the accompanying predictions. Unfortunately for him, he might run into two problems. There may be additional security solutions installed that detect a huge number of requests to the ML-IDS, causing him to be identified. On the other hand, it could be challenging for the attacker to learn the outcome of the forecast. Since we are talking about IDSes rather than IPSes, the detections are likely routed into a SIEM, a system that is difficult to hack.

The depth of the manipulation is the final variable in the concept of power. Can the attacker just change raw data, like fields in a DNS request? Or can she manipulate high-level representations, such as the combination of fields in that request that are specific to a model?

Plausible Attacks

Thus, the authors' conclusion was that the following attack is the most plausible one:

  1. Manipulation of raw data and not high-level abstractions;
  2. Partial knowledge about the extracted features;
  3. No oracle power; and
  4. No access to the training data.

Papers Analysis

The document displays a table categorizing various studies published up until March 2021 by using analysis with these 5 power variables in mind. It cites a paper from 2019 as a suitable example, in which an attacker reduced the 99% detection rate to 70%, all under real-world conditions.


In conclusion, the first edition of this new podcast section covered modeling realistic attacks on ML-based intrusion detection systems. After observing the differences between host-based and network-based security solutions, we discovered the notion of attack power, which consists of five pillars: oracle power, manipulation depth, and knowledge of the training data, feature set, and detection model.

If you have any recommendations for improving this section, please contact us at [email protected]. Until next time!