Alexandre Azor
Supervisor(s): Françoise Sailhan
Co-supervisor(s): Alexandre Reiffers-Masson & Julien Francq

Security of Embedded AI in Network Intrusion Detection Systems (NIDSs)
Thesis Context
Intrusion Detection Systems (IDSs) have existed since the late 1980s [D87] and are ubiquitous in cybersecurity environments. Even today, thresholds, heuristics and simple statistical profiles remain a reliable way to detect certain intrusions and anomalies; probabilistic approaches based on Machine Learning, however, appear more flexible and effective [MFS21]. The objectives expected of such a system include:
- low false positive and false negative rates;
- ease of configuration, tuning and maintenance;
- adaptation to evolving data trends;
- consistent performance across different types of datasets;
- resource efficiency, so that the system can run in real time;
- explainable alerts.
Attackers, however, strive to bypass these IDSs, which fuels the field of research known as Adversarial Machine Learning [VOF+24]. Security and machine learning researchers regularly publish practical case studies of attacks against cybersecurity applications, notably malware classifiers [XQE16], anti-spam filters [NBC+08] and IDSs [RNH+09]. Three main families of attacks (and their corresponding mitigations) are studied [VOF+24]: evasion, data and model poisoning, and attacks on data/model privacy. Evasion attacks are exploratory attacks carried out at inference time: the attacker searches for an "adversarial" region of the input space whose samples lead the model to errors it was not designed to produce. Poisoning attacks instead target the learning process: the attacker alters the training data, or the model parameters themselves, during training. Poisoning has been studied and demonstrated against many machine learning techniques, including support vector machines [BNL12], centroid-based and generic anomaly detection algorithms [KL12], regression models [MZ15], anti-spam filters [NBC+08], malware classification [BRA+14], principal component analysis [HJN+11] and deep learning [MBD+17].
Scientific Challenges
Strengthening the security of Machine Learning models, which in any case cannot be made absolutely immune to attacks, currently raises several major challenges [VOF+24].
Regarding evasion attacks, several countermeasures have been proposed, including adversarial training, randomized smoothing and formal verification. Adversarial training [MMS+18], for example, trains the target model on correctly labeled adversarial samples so as to shrink the adversarial space: at every training step the attacker's best perturbation of each sample is computed first (an inner maximization), and the model is then updated on the perturbed samples. This countermeasure is not perfect: the adversarial space cannot be eliminated entirely, a model trained against one perturbation budget remains vulnerable to a larger one, and training time increases significantly because of the inner maximization. Other countermeasures aim to make it harder for an attacker to obtain information about the gradients of the model's decision surface, for instance through distillation [GVD15]; such gradient masking mainly hinders white-box gradient-based attacks and does not remove the adversarial examples themselves, so it must also be evaluated against transfer and black-box attacks.
Protecting models against poisoning attacks is also highly challenging. Methods such as "sanitization" of the training data [NBC+08] or the use of so-called "robust" statistics to mitigate poisoning during training [SK17] have been proposed, but they do not provide complete protection and add computational overhead. A robust statistic only holds up to its breakdown point (a coordinate-wise median, for instance, can be moved arbitrarily once the attacker controls half of the training set), and sanitization that relies on the current model can be bypassed by an attacker who keeps each poisoned point just inside the currently accepted region [KL12].
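As an added illustration (not code from the thesis or from [MMS+18]), the following Python script trains a linear flow classifier on constructed two-feature records, evades it with the worst-case L-infinity feature perturbation (for a linear model the single-step attack is already optimal), then retrains it adversarially at the same budget and measures the evasion rate again, both at that budget and against a larger one. The feature centres, the budgets EPS_TRAIN and EPS_STRONG, and the logistic model are assumptions chosen for the toy.

```python
"""Adversarial training of a linear NIDS flow classifier against an
L-infinity feature-space evasion attack. All records are constructed."""
import math
import random

EPS_TRAIN = 0.25   # attacker budget the defender trains against (assumption)
EPS_STRONG = 0.40  # larger budget, to expose the residual adversarial space


def make_flows(n, centre, spread, label, rng):
    """Constructed 2-feature flow records (e.g. normalised packet rate and
    payload entropy) drawn uniformly around a class centre."""
    return [([c + rng.uniform(-spread, spread) for c in centre], label)
            for _ in range(n)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict(model, x):
    """Probability that flow x is malicious under the linear model (w, b)."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def evade(model, x, eps):
    """Worst-case L-inf perturbation of a malicious flow against a linear
    model: move every feature by eps against the sign of its weight."""
    w, _ = model
    return [xi - eps * ((wi > 0) - (wi < 0)) for xi, wi in zip(x, w)]


def train(data, epochs=300, lr=0.5, adv_eps=None):
    """Batch gradient descent on the logistic loss. When adv_eps is set,
    every malicious sample is replaced, each epoch, by its worst-case
    evasion at that budget (the inner maximisation of adversarial training)."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        batch = [(evade((w, b), x, adv_eps) if adv_eps is not None and y == 1 else x, y)
                 for x, y in data]
        gw, gb = [0.0, 0.0], 0.0
        for x, y in batch:
            err = predict((w, b), x) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        n = len(batch)
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def evasion_rate(model, malicious, eps):
    """Fraction of malicious flows that the model labels benign after the
    attacker perturbs them within budget eps."""
    evaded = sum(predict(model, evade(model, x, eps)) < 0.5 for x, _ in malicious)
    return evaded / len(malicious)


def run_experiment(seed=0):
    rng = random.Random(seed)
    benign = make_flows(100, (0.2, 0.3), 0.15, 0, rng)
    malicious = make_flows(100, (0.8, 0.7), 0.15, 1, rng)
    test_mal = make_flows(100, (0.8, 0.7), 0.15, 1, rng)
    clean = train(benign + malicious)
    robust = train(benign + malicious, adv_eps=EPS_TRAIN)
    return {
        "clean_model_evasion": evasion_rate(clean, test_mal, EPS_TRAIN),
        "robust_model_evasion": evasion_rate(robust, test_mal, EPS_TRAIN),
        "robust_model_evasion_stronger_attacker": evasion_rate(robust, test_mal, EPS_STRONG),
    }


if __name__ == "__main__":
    for name, rate in run_experiment().items():
        print(f"{name}: {rate:.2f}")
```

Running the script shows the clean model losing a large share of the perturbed malicious flows, the adversarially trained model recovering most of them at the budget it was trained for, and the same robust model failing again once the attacker's budget exceeds that value, which is the residual adversarial space the paragraph refers to.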
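To make the two mitigations concrete, here is an added Python example (not code from the thesis, from [NBC+08] or from [SK17]) that poisons the training set of a centroid-based anomaly detector and fits it three ways: with mean statistics, with coordinate-wise median statistics, and with mean statistics after a sanitization pass. The traffic records, the detection radius rule (k times a distance statistic), the poison location and the simplified sanitization rule are all assumptions of the toy.

```python
"""Poisoning a centroid-based anomaly detector, with two mitigations:
sanitisation of the training set and robust (median-based) statistics.
All traffic records below are constructed, not taken from a capture."""
import math
import random
import statistics


def make_traffic(n, rng):
    """Honest 2-feature flow records (e.g. normalised packet rate and mean
    packet size) spread uniformly around (1.0, 1.0)."""
    return [(1.0 + rng.uniform(-0.2, 0.2), 1.0 + rng.uniform(-0.2, 0.2))
            for _ in range(n)]


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def fit_mean(points, k=3.0):
    """Naive detector: mean centroid, radius = k times the mean distance to it.
    Both statistics can be dragged arbitrarily far by a few extreme points."""
    c = (statistics.fmean(p[0] for p in points), statistics.fmean(p[1] for p in points))
    return c, k * statistics.fmean(dist(p, c) for p in points)


def fit_median(points, k=3.0):
    """Robust detector: coordinate-wise median centroid, radius = k times the
    median distance. Each statistic has a 50% breakdown point: it stays within
    the honest data as long as the attacker controls under half of the set."""
    c = (statistics.median(p[0] for p in points), statistics.median(p[1] for p in points))
    return c, k * statistics.median(dist(p, c) for p in points)


def sanitise(points, k=3.0):
    """Simplified sanitisation step (assumption, in the spirit of [NBC+08]):
    drop training points outside the robust detector's radius before the
    mean-based model is fitted."""
    c, r = fit_median(points, k)
    return [p for p in points if dist(p, c) <= r]


def is_anomaly(model, x):
    centroid, radius = model
    return dist(x, centroid) > radius


def poison(honest, fraction, location):
    """Attacker controlling `fraction` of the training stream injects records
    at `location`, far outside the normal region, before the model is fitted."""
    k = round(len(honest) * fraction / (1.0 - fraction))
    return honest + [location] * k


def run_experiment(seed=1, poison_fraction=0.3):
    rng = random.Random(seed)
    honest = make_traffic(200, rng)
    target = (2.2, 1.0)             # the attack flow the adversary wants accepted
    poisoned = poison(honest, poison_fraction, (6.0, 1.0))
    clean_mean, poisoned_mean = fit_mean(honest), fit_mean(poisoned)
    poisoned_median = fit_median(poisoned)
    fp = sum(is_anomaly(poisoned_median, p) for p in honest) / len(honest)
    return {
        "clean_mean_flags_target": is_anomaly(clean_mean, target),
        "poisoned_mean_flags_target": is_anomaly(poisoned_mean, target),
        "clean_mean_radius": clean_mean[1],
        "poisoned_mean_radius": poisoned_mean[1],
        "poisoned_median_flags_target": is_anomaly(poisoned_median, target),
        "poisoned_median_false_positive_rate": fp,
        "sanitised_mean_flags_target": is_anomaly(fit_mean(sanitise(poisoned)), target),
    }


if __name__ == "__main__":
    for fraction in (0.3, 0.6):
        print(f"poison fraction {fraction}:")
        for name, value in run_experiment(poison_fraction=fraction).items():
            print(f"  {name}: {value}")
```

With 30% poison the mean centroid drifts toward the injected cluster and the radius inflates by an order of magnitude, so the attack flow is accepted; the median detector and the sanitized mean detector both keep flagging it with no false positives on honest traffic. Re-running with 60% poison shows the breakdown point: the median centroid jumps onto the poison cluster and every honest flow becomes an anomaly. The price of the robust fit is the sort behind each median (O(n log n) against O(n) for a mean), which is the overhead the paragraph mentions.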
Methodological Approach
In [Ganesh2023] and [Thoppe2024] we introduced a framework for robust online learning in adversarial environments: an iterative algorithm that converges almost surely to the average of the system state even when adversaries perturb the observations. The algorithm handles sporadic and heterogeneous data, and it achieves optimal convergence rates.
A limitation of these algorithms is that they are restricted to linear observation models, which limits their application to more complex real-world systems.
This thesis aims to extend our previous work to nonlinear cases. More specifically:
- Known nonlinear observation model: when the nonlinear observation model is known, we need to identify the conditions under which its parameters can still be learned in the presence of adversaries. We will explore how to adapt our existing algorithm to this setting, keeping it robust to adversarial disturbances while striving for optimal convergence rates.
- Unknown nonlinear observation model: when the nonlinear observation model is unknown, the goal is to estimate the model itself, again in the presence of adversaries. For this we will rely on advanced manifold learning techniques, such as those discussed in [Borkar2018], adapted to learn the nonlinear model while integrating resilience mechanisms against adversarial attacks.
The project thus aims to bridge the gap between current linear approaches and the challenges posed by nonlinear systems, proposing robust and adaptive solutions for a broader range of applications.
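The following Python example is added here to illustrate the problem setting of the two cases above, not the algorithms of [Ganesh2023] or [Thoppe2024]: a scalar state is estimated online from a sporadic observation stream in which an adversary overwrites a fraction of the observations, first under a linear observation model and then under a known nonlinear one (y = tanh(theta)). The estimator is a plain Robbins-Monro iteration, with and without a Huber-style clipping of the residual; the state value, arrival probability, adversary fraction and the clipping threshold are assumptions of the toy.

```python
"""Robust online estimation of a scalar system state from sporadic
observations, some of which an adversary replaces with arbitrary values.
Illustrative clipped-increment stochastic approximation; it is not the
algorithm of [Ganesh2023] or [Thoppe2024]. All data is constructed."""
import math
import random


def observation_stream(theta, h, n_steps, p_arrival, adv_fraction, rng,
                       noise=0.1, adv_value=100.0):
    """Yield observations y = h(theta) + noise. An observation arrives at a
    given step only with probability p_arrival (sporadic data), and the
    adversary overwrites a fraction adv_fraction of those that do arrive."""
    for _ in range(n_steps):
        if rng.random() < p_arrival:
            y = h(theta) + rng.uniform(-noise, noise)
            if rng.random() < adv_fraction:
                y = adv_value
            yield y


def estimate(stream, h, h_prime, clip=None, x0=0.0):
    """Robbins-Monro iteration x <- x + a_n * r * h'(x) on the residual
    r = y - h(x), with a_n = 1/n. With `clip` set, r is saturated at +/-clip
    (Huber-style), so one corrupted observation moves the iterate by at most
    a_n * clip * |h'(x)| instead of an unbounded amount."""
    x, n = x0, 0
    for y in stream:
        n += 1
        r = y - h(x)
        if clip is not None:
            r = max(-clip, min(clip, r))
        x += r * h_prime(x) / n
    return x


def run(seed=7, theta=0.5, p_arrival=0.6, adv_fraction=0.1, n_steps=5000):
    """Absolute estimation error of the naive and clipped iterations, for a
    linear observation model and for a known nonlinear one (y = tanh(theta)).
    The same observation sequence (same seed) is fed to both iterations."""
    models = {
        "linear": (lambda x: x, lambda x: 1.0),
        "tanh": (math.tanh, lambda x: 1.0 - math.tanh(x) ** 2),
    }
    errors = {}
    for name, (h, h_prime) in models.items():
        for mode, clip in (("naive", None), ("clipped", 0.2)):
            stream = observation_stream(theta, h, n_steps, p_arrival,
                                        adv_fraction, random.Random(seed))
            errors[f"{name}_{mode}"] = abs(estimate(stream, h, h_prime, clip) - theta)
    return errors


if __name__ == "__main__":
    for name, err in run().items():
        print(f"{name}: error {err:.4f}")
```

In the linear case the naive iteration is just a running mean, so 10% of corrupted observations at value 100 pull it roughly ten units away from the true state, while the clipped iteration lands within a few hundredths of it (the residual bias is about adv_fraction * clip / (1 - adv_fraction)). In the tanh case the naive iteration fails in a second way that is specific to nonlinear models: a single large corrupted observation throws the iterate into the saturated region where h'(x) is almost zero, after which the honest observations can no longer pull it back. Clipping bounds each step, so the iterate never leaves the region where the model is informative; working out when such a scheme keeps its convergence guarantees for a general nonlinear h is exactly the question the first case above raises.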
References
[D87] D. Denning. “An Intrusion-Detection Model”, IEEE Transactions on Software Engineering, vol. 13, no. 2, pages 222-232, 1987.
[MFS21] B. Millot, J. Francq, F. Sicard. “Systematic and Efficient Anomaly Detection Framework using Machine Learning on Public ICS Datasets”, IEEE CSR, pages 292-297, 2021.
[VOF+24] A. Vassilev, A. Oprea, A. Fordyce, H. Anderson. “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations”, NIST AI 100-2 E2023, 2024.
[XQE16] W. Xu, Y. Qi, D. Evans. “Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers”, NDSS, 2016.
[NBC+08] B. Nelson, M. Barreno, F. J. Chi, A. D. Joseph, B. I. P. Rubinstein, U. Saini, C. Sutton, K. Xia. “Exploiting Machine Learning to Subvert Your Spam Filter”, USENIX LEET, 2008.
[RNH+09] B. I. P. Rubinstein, B. Nelson, L. Huang, A. D. Joseph, S.-H. Lau, S. Rao, N. Taft, J. D. Tygar. “ANTIDOTE: Understanding and Defending against Poisoning of Anomaly Detectors”, ACM SIGCOMM IMC, pages 1-14, 2009.
[BNL12] B. Biggio, B. Nelson, P. Laskov. “Poisoning Attacks against Support Vector Machines”, ICML, pages 1467-1474, 2012.
[KL12] M. Kloft, P. Laskov. “Security Analysis of Online Centroid Anomaly Detection”, Journal of Machine Learning Research, vol. 13, pages 3681-3724, 2012.
[MZ15] S. Mei, X. Zhu. “Using Machine Learning to Identify Optimal Training-Set Attacks on Machine Learners”, AAAI, pages 2871-2877, 2015.
[BRA+14] B. Biggio, K. Rieck, D. Ariu, C. Wressnegger, I. Corona, G. Giacinto, F. Roli. “Poisoning Behavioral Malware Clustering”, ACM AISec, pages 27-36, 2014.
[HJN+11] L. Huang, A. D. Joseph, B. Nelson, B. I. P. Rubinstein, J. D. Tygar. “Adversarial Machine Learning”, ACM AISec, pages 43-58, 2011.
[MBD+17] L. Muñoz-González, B. Biggio, A. Demontis, A. Paudice, V. Wongrassamee, E. C. Lupu, F. Roli. “Towards Poisoning of Deep Learning Algorithms with Back-gradient Optimization”, ACM AISec, pages 27-38, 2017.
[MMS+18] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, A. Vladu. “Towards Deep Learning Models Resistant to Adversarial Attacks”, ICLR, 2018.
[GVD15] G. Hinton, O. Vinyals, J. Dean. “Distilling the Knowledge in a Neural Network”, arXiv:1503.02531, 2015.
[SK17] S. A. Shah, V. Koltun. “Robust Continuous Clustering”, Proceedings of the National Academy of Sciences, vol. 114, no. 37, pages 9814-9819, 2017.
[Ganesh2023] S. Ganesh, A. Reiffers-Masson, G. Thoppe. “Online Learning with Adversaries: A Differential-Inclusion Analysis”, IEEE CDC, 2023.
[Thoppe2024] G. Thoppe, M. Dhankshiru, N. Roy, A. Reiffers-Masson, N. Naman, A. Azor. “Adversary-Resilient Distributed Estimation using Intermittent and Heterogeneous Data with Application to Network Tomography”, 2024.
[Borkar2018] V. S. Borkar, V. R. Dwaracherla, N. Sahasrabudhe. “Gradient Estimation with Simultaneous Perturbation and Compressive Sensing”, Journal of Machine Learning Research, vol. 18, no. 161, pages 1-27, 2018.