PANDA: Practical Adversarial Attack Against Network Intrusion Detection

While adversarial machine learning (AML) attacks have become prevalent in the computer vision (CV) domain, their applications in other domains, such as network intrusion detection systems (NIDS), remain limited. This gap stems from the lack of a well-defined input space in non-image domains, hindering the generation of adversarial examples. Unlike CV problems, where the input space is the feature space, other domains generally lack a precise inverse mapping from the feature space to the problem space. In this work, we propose PANDA, a novel approach that bridges this gap and enables AML attacks against NIDS. PANDA represents a series of packets as images for training a surrogate NIDS model. Benefiting from the invertibility of this representation, PANDA leverages well-evolved image-based AML attacks to generate adversarial examples against the surrogate model. It then repurposes the adversarial examples from the surrogate model to evade the target NIDS model. We demonstrate the effectiveness of PANDA by successfully crafting adversarial network intrusions with the UQ-IoT dataset. This work establishes a framework for transferring AML attacks from the CV domain to the network domain, opening new avenues for attack modelling and defence strategies in NIDS.