Generating traffic-level adversarial examples from feature-level specifications

Robert Flood; Marco Casadio; David Aspinall; Ekaterina Komendantskaya

doi:10.1007/978-3-031-82362-6_8

Generating traffic-level adversarial examples from feature-level specifications

Robert Flood^*, Marco Casadio, David Aspinall, Ekaterina Komendantskaya

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren’t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle’s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle’s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.

Original language	English
Title of host publication	Computer Security. ESORICS 2024 International Workshops
Editors	Joaquin Garcia-Alfaro, Harsha Kalutarage, Naoto Yanai, Rafał Kozik, Marek Pawlicki, Michał Choraś, Paweł Ksieniewicz, Michał Woźniak, Habtamu Abie, Sandeep Pirbhulal, Silvio Ranise, Luca Verderame, Enrico Cambiaso, Rita Ugarelli, Isabel Praça, Basel Katt, Ankur Shukla
Publisher	Springer
Pages	118-127
Number of pages	10
ISBN (Print)	9783031823619
DOIs	https://doi.org/10.1007/978-3-031-82362-6_8
Publication status	Published - 1 Apr 2025
Event	19th International Workshop on Data Privacy Management, DPM 2024, 8th International Workshop on Cryptocurrencies and Blockchain Technology, CBT 2024 and 10th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, CyberICPS 2024 which were held in conjunction with the 29th European Symposium on Research in Computer Security, ESORICS 2024 - Bydgoszcz, Poland Duration: 16 Sept 2024 → 20 Sept 2024

Publication series

Name	Lecture Notes in Computer Science
Volume	15264 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	19th International Workshop on Data Privacy Management, DPM 2024, 8th International Workshop on Cryptocurrencies and Blockchain Technology, CBT 2024 and 10th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, CyberICPS 2024 which were held in conjunction with the 29th European Symposium on Research in Computer Security, ESORICS 2024
Country/Territory	Poland
City	Bydgoszcz
Period	16/09/24 → 20/09/24

Keywords / Materials (for Non-textual outputs)

Adversarial Attacks
Formal Verification
Network Intrusion Detection

Access to Document

10.1007/978-3-031-82362-6_8

Cite this

Flood, R., Casadio, M., Aspinall, D., & Komendantskaya, E. (2025). Generating traffic-level adversarial examples from feature-level specifications. In J. Garcia-Alfaro, H. Kalutarage, N. Yanai, R. Kozik, M. Pawlicki, M. Choraś, P. Ksieniewicz, M. Woźniak, H. Abie, S. Pirbhulal, S. Ranise, L. Verderame, E. Cambiaso, R. Ugarelli, I. Praça, B. Katt, & A. Shukla (Eds.), Computer Security. ESORICS 2024 International Workshops (pp. 118-127). (Lecture Notes in Computer Science; Vol. 15264 LNCS). Springer. https://doi.org/10.1007/978-3-031-82362-6_8

Flood, Robert ; Casadio, Marco ; Aspinall, David et al. / Generating traffic-level adversarial examples from feature-level specifications. Computer Security. ESORICS 2024 International Workshops. editor / Joaquin Garcia-Alfaro ; Harsha Kalutarage ; Naoto Yanai ; Rafał Kozik ; Marek Pawlicki ; Michał Choraś ; Paweł Ksieniewicz ; Michał Woźniak ; Habtamu Abie ; Sandeep Pirbhulal ; Silvio Ranise ; Luca Verderame ; Enrico Cambiaso ; Rita Ugarelli ; Isabel Praça ; Basel Katt ; Ankur Shukla. Springer, 2025. pp. 118-127 (Lecture Notes in Computer Science).

@inproceedings{5c109ff5b0854f3ababc38902416f703,

title = "Generating traffic-level adversarial examples from feature-level specifications",

abstract = "Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren{\textquoteright}t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle{\textquoteright}s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle{\textquoteright}s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.",

keywords = "Adversarial Attacks, Formal Verification, Network Intrusion Detection",

author = "Robert Flood and Marco Casadio and David Aspinall and Ekaterina Komendantskaya",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 19th International Workshop on Data Privacy Management, DPM 2024, 8th International Workshop on Cryptocurrencies and Blockchain Technology, CBT 2024 and 10th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, CyberICPS 2024 which were held in conjunction with the 29th European Symposium on Research in Computer Security, ESORICS 2024 ; Conference date: 16-09-2024 Through 20-09-2024",

year = "2025",

month = apr,

day = "1",

doi = "10.1007/978-3-031-82362-6\_8",

language = "English",

isbn = "9783031823619",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "118--127",

editor = "Joaquin Garcia-Alfaro and Harsha Kalutarage and Naoto Yanai and Rafa{\l} Kozik and Marek Pawlicki and Micha{\l} Chora{\'s} and Pawe{\l} Ksieniewicz and Micha{\l} Wo{\'z}niak and Habtamu Abie and Sandeep Pirbhulal and Silvio Ranise and Luca Verderame and Enrico Cambiaso and Rita Ugarelli and Isabel Pra{\c c}a and Basel Katt and Ankur Shukla",

booktitle = "Computer Security. ESORICS 2024 International Workshops",

address = "United Kingdom",

}

Flood, R, Casadio, M, Aspinall, D & Komendantskaya, E 2025, Generating traffic-level adversarial examples from feature-level specifications. in J Garcia-Alfaro, H Kalutarage, N Yanai, R Kozik, M Pawlicki, M Choraś, P Ksieniewicz, M Woźniak, H Abie, S Pirbhulal, S Ranise, L Verderame, E Cambiaso, R Ugarelli, I Praça, B Katt & A Shukla (eds), Computer Security. ESORICS 2024 International Workshops. Lecture Notes in Computer Science, vol. 15264 LNCS, Springer, pp. 118-127, 19th International Workshop on Data Privacy Management, DPM 2024, 8th International Workshop on Cryptocurrencies and Blockchain Technology, CBT 2024 and 10th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, CyberICPS 2024 which were held in conjunction with the 29th European Symposium on Research in Computer Security, ESORICS 2024, Bydgoszcz, Poland, 16/09/24. https://doi.org/10.1007/978-3-031-82362-6_8

Generating traffic-level adversarial examples from feature-level specifications. / Flood, Robert; Casadio, Marco; Aspinall, David et al.
Computer Security. ESORICS 2024 International Workshops. ed. / Joaquin Garcia-Alfaro; Harsha Kalutarage; Naoto Yanai; Rafał Kozik; Marek Pawlicki; Michał Choraś; Paweł Ksieniewicz; Michał Woźniak; Habtamu Abie; Sandeep Pirbhulal; Silvio Ranise; Luca Verderame; Enrico Cambiaso; Rita Ugarelli; Isabel Praça; Basel Katt; Ankur Shukla. Springer, 2025. p. 118-127 (Lecture Notes in Computer Science; Vol. 15264 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Generating traffic-level adversarial examples from feature-level specifications

AU - Flood, Robert

AU - Casadio, Marco

AU - Aspinall, David

AU - Komendantskaya, Ekaterina

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/4/1

Y1 - 2025/4/1

N2 - Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren’t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle’s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle’s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.

AB - Machine learning-based network intrusion detection methods often rely on statistical summaries of traffic, causing a disconnect between the traffic space and the feature space that is difficult to bridge [13]. Realistic adversarial attacks are hard to generate because natural well-formedness constraints at the traffic level aren’t respected at the feature level with usual adversarial attack generation methods. We use a novel attack generation method combining two tools: (1) a bespoke synthetic traffic generation suite, PackGen, and (2) a formal verification tool for neural networks, Vehicle [7]. PackGen produces aggregated Markov chain representations of network traffic which allows us to reconstruct valid packet sequences that are modified by realistic perturbations on an input specification. Vehicle’s formal specification language lets us represent granular threat models such as adversaries who can only manipulate packet timings. Unlike other methods, Vehicle’s formal verification is guaranteed to find counterexamples if they exist, which correspond with evasive adversarial examples. We feed these feature-level counterexamples into modified PackGen representations to generate PCAP files containing reconstructed, evasive network flows, generating adversarial examples that cross the gap between the traffic and feature spaces. We evaluate PackGen by replicating DoS traffic using a variety of timing distributions, before testing our full pipeline by producing evasive counterexamples, outperforming projected gradient descent.

KW - Adversarial Attacks

KW - Formal Verification

KW - Network Intrusion Detection

UR - https://www.scopus.com/pages/publications/105002716057

U2 - 10.1007/978-3-031-82362-6_8

DO - 10.1007/978-3-031-82362-6_8

M3 - Conference contribution

AN - SCOPUS:105002716057

SN - 9783031823619

T3 - Lecture Notes in Computer Science

SP - 118

EP - 127

BT - Computer Security. ESORICS 2024 International Workshops

A2 - Garcia-Alfaro, Joaquin

A2 - Kalutarage, Harsha

A2 - Yanai, Naoto

A2 - Kozik, Rafał

A2 - Pawlicki, Marek

A2 - Choraś, Michał

A2 - Ksieniewicz, Paweł

A2 - Woźniak, Michał

A2 - Abie, Habtamu

A2 - Pirbhulal, Sandeep

A2 - Ranise, Silvio

A2 - Verderame, Luca

A2 - Cambiaso, Enrico

A2 - Ugarelli, Rita

A2 - Praça, Isabel

A2 - Katt, Basel

A2 - Shukla, Ankur

PB - Springer

T2 - 19th International Workshop on Data Privacy Management, DPM 2024, 8th International Workshop on Cryptocurrencies and Blockchain Technology, CBT 2024 and 10th Workshop on the Security of Industrial Control Systems and of Cyber-Physical Systems, CyberICPS 2024 which were held in conjunction with the 29th European Symposium on Research in Computer Security, ESORICS 2024

Y2 - 16 September 2024 through 20 September 2024

ER -

Flood R, Casadio M, Aspinall D, Komendantskaya E. Generating traffic-level adversarial examples from feature-level specifications. In Garcia-Alfaro J, Kalutarage H, Yanai N, Kozik R, Pawlicki M, Choraś M, Ksieniewicz P, Woźniak M, Abie H, Pirbhulal S, Ranise S, Verderame L, Cambiaso E, Ugarelli R, Praça I, Katt B, Shukla A, editors, Computer Security. ESORICS 2024 International Workshops. Springer. 2025. p. 118-127. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-82362-6_8