The Role of Learning in Attacking Intrusion Detection Systems

Recent work on network attacks have demonstrated that ML-based network intrusion detection systems (NIDS) can be evaded with adversarial perturbations. However, these attacks rely on complex optimizations that have large computational overheads, making them impractical in many real-world settings. In this paper, we introduce a lightweight adversarial agent that implements strategies (policies) trained via reinforcement learning (RL) that learn to evade ML-based NIDS without requiring online optimization. This attack proceeds by (1) offline training, where the agent learns to evade a surrogate ML model by perturbing malicious flows using network traffic data assumed to be collected via reconnaissance, then (2) deployment, where the trained agent is used in a compromised device controlled by an attacker to evade ML-based NIDS using learned attack strategies. We evaluate our approach across diverse NIDS and several white-, gray-, and black-box threat models. We demonstrate that attacks using these lightweight agents can be highly effective (reaching up to 48.9% attack success rate), extremely fast (requiring as little as 5.72ms to craft an attack), and require negligible resources (e.g., 0.52MB of memory). Through this work, we demonstrate that future botnets driven by lightweight learning-based agents can be highly effective and widely deployable in diverse environments of compromised devices.

💡 Research Summary

The paper introduces a lightweight, reinforcement‑learning (RL) based adversarial agent designed to evade machine‑learning (ML)‑based network intrusion detection systems (NIDS) without requiring per‑flow online optimization. The authors observe that prior adversarial attacks on NIDS rely on heavyweight gradient‑based optimizations (e.g., PGD, CW) that are computationally expensive and unsuitable for large‑scale botnets or low‑resource devices such as IoT nodes, routers, or smartphones. To address this limitation, they propose a two‑phase “offline training → online deployment” framework.

In the offline phase, the attacker first gathers NetFlow‑v9 traffic from the target environment (reconnaissance) and uses it to train a surrogate NIDS model that approximates the decision boundary of the victim system. Next, a reinforcement‑learning agent is trained against this surrogate model. The authors formalize the problem as a Partially Observable Markov Decision Process (POMDP) where the state space consists of bidirectional NetFlow features, observations are the attacker‑visible inbound features, and actions are bounded perturbations to delay, byte count, and packet count. The reward function gives a positive signal only when the surrogate model classifies the perturbed flow as benign, and the magnitude of the reward is proportional to the fraction of the allowed perturbation budget that remains unused. This encourages the agent to achieve evasion with minimal changes. Training uses standard continuous‑action RL algorithms (e.g., PPO, DDPG) on a fixed dataset of malicious flows; each episode starts from a random malicious sample and runs for a small, fixed number of steps T, with a per‑step budget ε, ensuring that the total perturbation budget T·ε is never exceeded.

After training, the resulting policy πθ is extremely compact (≈0.52 MB) and can be embedded in a compromised host. During deployment, the bot receives a command from its command‑and‑control (C2) channel, feeds the malicious flow into the policy, and instantly generates the perturbation vector. No further model loading or gradient computation is required, yielding an average inference latency of 5.72 ms per flow.

The authors evaluate the approach on four diverse NetFlow datasets (enterprise, cloud, IoT) and four ML‑based NIDS models (Random Forest, XGBoost, Deep Neural Network, etc.). They consider four threat models: white‑box (full access to surrogate model and in‑distribution data), gray‑box (data‑only or model‑only access), and black‑box (no access to either). Across all settings, the agent achieves an average evasion success rate of 48.9 %, outperforming prior gradient‑based attacks in speed by roughly tenfold. Notably, for volume‑based attacks such as DoS, DDoS, and brute‑force (as categorized by MITRE ATT&CK), the agent improves success by up to 18 % because it learns to subtly manipulate byte and packet counts to dilute volumetric detection signatures. Even in the strictest black‑box scenario, where training data are out‑of‑distribution and the victim model is unknown, the agent still attains up to 64 % success against a specific NIDS, demonstrating strong cross‑environment generalization.

The paper’s contributions are threefold: (1) a novel lightweight adversarial agent framework that eliminates per‑flow optimization, (2) extensive empirical validation showing that learned evasion strategies generalize across datasets, models, and threat assumptions, and (3) a comparative analysis revealing that the agent matches or exceeds the effectiveness of existing attacks while requiring orders of magnitude less computational resources.

Implications are significant for both attackers and defenders. For attackers, the approach enables large‑scale, autonomous botnets that can adaptively evade NIDS without heavy C2 communication or on‑device compute, making detection and attribution harder. For defenders, the results highlight a new class of low‑cost, learning‑based evasion techniques that can bypass feature‑level defenses, especially those relying on volume statistics. Future NIDS designs must therefore consider robust training against adaptive policies, incorporate runtime randomness, or employ detection mechanisms that are less susceptible to small, learned perturbations.