“What is the Problem Space?” Defining Host-space Adversarial Perturbations against Network Intrusion Detection Systems
Conference ACM Asia Conference on Computer and Communications Security
Bangalore, India
Oneliner: Changing one character of one command can lead to a complete bypass.
This talk is the natural extension of our SaTML’26 paper, which presented ConCap, a tool for automatically generating and labeling NetFlow data. Originally, these two contributions were in the same paper. However, we had really a hard time with reviewers: some liked ConCap but did not appreciate the “Host-space Perturbations” (HsP) contribution; others thought the opposite. Eventually, we decided to split the paper in two—and it appears that this was the right way to go.
What we do in this paper is quite simple: we show that by minimally altering a command to launch a network-related attack, one can completely defeat ML-driven classifiers that detect malicious NetFlows. We show that even a single character change can lead to this—without altering the overarching goal of the attacker or the involved hosts. We argue such tactics, which can only be observed by operating on the host, are much more viable than traditional “adversarial perturbations” applied in the feature space. We hope future research can better examine this complementary way to evade ML-driven NIDS.
