Poisoning Machine Learning Based Wireless IDSs via Stealing Learning Model

  • Pan Li
  • Wentao ZhaoEmail author
  • Qiang LiuEmail author
  • Xiao Liu
  • Linyuan Yu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10874)


Recently, machine learning-based wireless intrusion detection systems (IDSs) have been demonstrated to have high detection accuracy in malicious traffic detection. However, many researchers argue that a variety of attacks are significantly challenging the security of machine learning techniques themselves. In this paper, we study two different types of security threats which can effectively degrade the performance of machine learning based wireless IDSs. First, we propose an Adaptive SMOTE (A-SMOTE) algorithm which can adaptively generate new training data points based on few existing ones with labels. Then, we introduce a stealing model attack by training a substitute model using deep neural networks (DNNs) based on the augmented training data in order to imitate the machine learning model embedded in targeted systems. After that, we present a novel poisoning strategy to attack against the substitute machine learning model, resulting in a set of adversarial samples that can be used to degrade the performance of targeted systems. Experiments on three real data sets collected from wired and wireless networks have demonstrated that the proposed stealing model and poisoning attacks can effectively degrade the performance of IDSs using different machine learning algorithms.


  1. 1.
    Tsai, C.F., Hsu, Y.F., Lin, C.Y., Lin, W.Y.: Intrusion detection by machine learning: a review. Expert Syst. Appl. Int. J. 36(10), 11994–12000 (2009). Scholar
  2. 2.
    Kloft, M., Laskov, P.: Online anomaly detection under adversarial impact. In: Proceedings of the AISTATS 2010, pp. 405–412 (2010)Google Scholar
  3. 3.
    Liu, Q., Li, P., Zhao, W., Cai, W., Yu, S., Leung, V.C.M.: A survey on security threats and defensive techniques of machine learning: a data driven view. IEEE Access 6, 12103–12117 (2018). Scholar
  4. 4.
    Barreno, M., Nelson, B., Sears, R., Joseph, A.D., Tygar, J.D.: Can machine learning be secure? In: Proceedings of the ASIACCS 2006, pp. 16–25. ACM (2006).
  5. 5.
    Zhao, M., An, B., Gao, W., Zhang, T.: Efficient label contamination attacks against black-box learning models. In: Proceedings of the IJCAI 2017, pp. 3945–3951 (2017).
  6. 6.
    Wittel, G.L., Wu, S.F.: On attacking statistical spam filters. In: Proceedings of the CEAS 2004 (2004).
  7. 7.
    Hu, W., Tan, Y.: Generating adversarial malware examples for black-box attacks based on GAN (2017).
  8. 8.
    Tramèr, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction APIs, pp. 601–618 (2016)Google Scholar
  9. 9.
    Shokri, R., Stronati, M., Song, C., Shmatikov, V.: Membership inference attacks against machine learning models. In: Proceedings of the Symposium on Security and Privacy 2017, pp. 3–18 (2017).
  10. 10.
    Biggio, B., Nelson, B., Laskov, P.: Poisoning attacks against support vector machines. In: Proceedings of the ICML 2012, pp. 1467–1474 (2012)Google Scholar
  11. 11.
    Biggio, B., Fumera, G., Roli, F., Didaci, L.: Poisoning adaptive biometric systems. In: Gimel’farb, G., et al. (eds.) SSPR/SPR 2012. LNCS, vol. 7626, pp. 417–425. Springer, Heidelberg (2012). Scholar
  12. 12.
    Li, P., Liu, Q., Zhao, W., Wang, D., Wang, S.: BEBP: an poisoning method against machine learning based IDSs (2018).
  13. 13.
    Rubinstein, B.I., Nelson, B., Huang, L., Joseph, A.D., Lau, S., Rao, S., Taft, N., Tygar, J.D.: Antidote: understanding and defending against poisoning of anomaly detectors. In: Proceedings of the IMC 2009, pp. 1–14. ACM, New York (2009).
  14. 14.
    Chawla, N.V., Bowyer, K.W., Hall, L.O., Kegelmeyer, W.P.: Smote: synthetic minority over-sampling technique. J. Artif. Intell. Res. 16(1), 321–357 (2002). Scholar
  15. 15.
    Song, J., Takakura, H., Okabe, Y., Eto, M., Inoue, D., Nakao, K.: Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDs evaluation. In: Proceedings of the BADGERS 2011, pp. 29–36. ACM, New York (2011).
  16. 16.
    Almomani, I., Al-Kasasbeh, B., Al-Akhras, M.: WSN-DS: a dataset for intrusion detection systems in wireless sensor networks. J. Sens. 2016(2), 1–16 (2016). Scholar
  17. 17.
    Ambusaidi, M.A., He, X., Nanda, P., Tan, Z.: Building an intrusion detection system using a filter-based feature selection algorithm. IEEE Trans. Comput. 65(10), 2986–2998 (2016). Scholar
  18. 18.
    Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: Proceedings of the ASIACCS 2017, pp. 506–519. ACM, New York (2017).

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.National University of Defense TechnologyChangshaChina

Personalised recommendations