Adv-Bot: Realistic Adversarial Botnet Attacks

against Network Intrusion Detection Systems

Islam Debichaa,b,∗, Benjamin Cocheza,∗, Tayeb Kenazac , Thibault Debattyb , Jean-Michel Dricota , Wim Meesb
a Cybersecurity Research Center, Université Libre de Bruxelles, 1000 Brussels, Belgium
b Cyber Defence Lab, Royal Military Academy, 1000 Brussels, Belgium
c Computer Security Laboratory, Ecole Militaire Polytechnique, Algiers, Algeria

Abstract
Due to the numerous advantages of machine learning (ML) algorithms, many applications now incorporate them. However,
many studies in the field of image classification have shown that MLs can be fooled by a variety of adversarial attacks. These attacks
take advantage of ML algorithms’ inherent vulnerability. This raises many questions in the cybersecurity field, where a growing
number of researchers are recently investigating the feasibility of such attacks against machine learning-based security systems, such
as intrusion detection systems. The majority of this research demonstrates that it is possible to fool a model using features extracted
from a raw data source, but it does not take into account the real implementation of such attacks, i.e., the reverse transformation
from theory to practice. The real implementation of these adversarial attacks would be influenced by various constraints that would
make their execution more difficult. As a result, the purpose of this study was to investigate the actual feasibility of adversarial
attacks, specifically evasion attacks, against network-based intrusion detection systems (NIDS), demonstrating that it is entirely
possible to fool these ML-based IDSs using our proposed adversarial algorithm while assuming as many constraints as possible in
a black-box setting. In addition, since it is critical to design defense mechanisms to protect ML-based IDSs against such attacks, a
defensive scheme is presented. Realistic botnet traffic traces are used to assess this work. Our goal is to create adversarial botnet
traffic that can avoid detection while still performing all of its intended malicious functionality.
Keywords: Intrusion detection system, Botnet attacks, Machine learning, Evasion attacks, Adversarial detection.

1. Introduction
Sophisticated methods of cybercrime, such as botnets, are
becoming increasingly rampant. Given the severity of the threat, 25
it is essential to have a defense mechanism that can detect all
5 types of botnet traffic. Among these mechanisms, the use of in-
trusion detection systems dedicated to network analysis, known
as NIDS, is gaining popularity. And given the difficulty of
some signature-based NIDSs in detecting new botnet attacks 30
or even variants of known botnet attacks, NIDSs based on ma-
10 chine learning algorithms have become more prevalent. These
machine learning-based NIDS can detect not only variants of
known attacks, but also novel attacks, also known as zero-day
attacks [1, 2]. 35
Despite this encouraging achievement, many recent studies
15 have shown that it is possible to fool the ML algorithms used
in these detection methods [3, 4], as has been discovered previ-
ously in other application areas, such as computer vision [5, 6].
These ML algorithms have been shown to be vulnerable to a va- 40
riety of adversarial attacks, including poisoning, extraction, and
20 evasion. Evasion attacks are studied in this paper because they
are more realistic in cyber security scenarios than the other two
∗ Corresponding
author
Email addresses: [email protected] (Islam Debicha),
[email protected] (Benjamin Cochez)
types of attacks [7]. Evasion attacks can fool any ML model
during its inference process by adding slight, often impercep-
tible, perturbations to the original instance sent to create so-
called adversarial instances.
The literature study shows that there has been considerable
research on the impact of adversarial attacks on machine learn-
ing models [8, 9, 10]. However, their feasibility in domain-
constrained applications, such as intrusion detection systems,
is still in its early stages [11, 12, 13]. Adversarial attacks can
be performed in either white-box or black-box settings. Many
white-box adversarial attacks, originally developed for com-
puter vision applications [14, 15, 16], have been applied di-
rectly to network traffic without addressing domain constraints
properly [17, 18, 19].
Aside from the issue of functionality preservation, white-
box attacks necessitate knowledge of the target system’s inter-
nal architecture. It is unlikely that an attacker would have ac-
cess to the internal configuration of the ML model [8], mak-
ing a white-box attack in a realistic environment less likely
[7]. As a result, recent research [20, 21] has focused on de-
signing adversarial network traffic in a black-box setting where
the attacker has little or no knowledge of the defender’s NIDS.
Model querying [22] and transferability [14] are two methods
45 for launching black-box attacks.
An attacker can extract useful information such as the clas-
sifier’s decision by sending multiple queries to the target NIDS,

Preprint submitted to Computers & Security March 8, 2023

 allowing the attacker to craft adversarial perturbations capa-
ble of evading the NIDS [20, 23, 24]. Although this approach
50 achieves high success rates, it has two limitations. The first is
that NIDSs are not designed to provide feedback when queried,
unless side-channel attacks are used [25]. The second limitation105
is that it requires a relatively high number of queries to function
properly, exposing the attacker to detection by a simple query
55 detector [26, 21]. As a result, for a realistic attack, the IDS
querying approach is less feasible [7].
The transferability property of adversarial examples is used110
as an alternative black-box approach. Goodfellow et al. [14]
were the first to investigate this property in computer vision,
60 demonstrating that adversarial examples that fool one model
can fool other models with a high probability without the need
for the models to have the same architecture or be trained on115
the same dataset. An attacker can use the transferability prop-
erty to launch black-box attacks by training a surrogate model
65 on the same data distribution as the target model [27]. Sniffing
network traffic is a simple way to accomplish this, especially
in a botnet scenario where the attacker already has a foothold120
in the corporate network [28]. To the best of our knowledge,
this paper represents the first proposal that exploits the transfer-
70 ability property to design a realistic black-box evasion attack
by considering the constraints of the NIDS domain to create
adversarial botnet traffic.
This paper provides a dedicated framework for leveraging
evasion attacks to mislead the NIDS into classifying botnet traf-
75 fic as benign under realistic constraints. Three contributions are
included in this work:
• An in-depth analysis of the feasibility constraints required
to generate valid adversarial perturbations while preserv-130
ing the underlying logic of the network attack.
80 • A new black-box adversarial algorithm that can generate
valid adversarial botnet traffic capable of evading botnet
detection without any knowledge of the target NIDS. 135
• A defense that allows the proposed botnet evasion attack
to be mitigated. This defense is inspired by adversarial
85 detection and an ensemble method known as bagging.
The remainder of the paper is organized as follows. Back-140
ground and related work are presented in Section 2. The pro-
posed method is explained in Section 3. Results and discussions
are presented in Section 4. Concluding remarks and sugges-
90 tions for possible follow-up work are given in Section 5.
2. Background & Related work
2.1. Background
With the increasing research on evasion attacks, the feasi-
bility of such attacks in the real world is gaining more and more150
95 attention, regardless of the application domain. It is possible to
distinguish three criteria that influence the realism of such at-
tacks, namely: knowledge restriction, domain constraints, and
manipulation space. The focus of this paper is on the analy-
sis of these criteria in the domain of network-based intrusion155
100 detection system.
2.1.1. Knowledge Restriction
Adversarial attacks come in three varieties: white-box, grey-
box, and black-box. White-box attacks mean that the adver-
sary knows everything about the model architecture and train-
ing dataset, in particular all the parameters and meta-parameters,
which are, for example, the inputs and gradients in the case of
neural networks, or the tree depth for decision trees. In addi-
tion, the adversary may also know the chosen cost function or
the optimizer type in the case of neural networks. The gray-box
attack, on the other hand, implies that the attacker has some lim-
ited knowledge of the target model. He may, for instance, know
what data was used to train the model without knowing the type
of model used or its internal architecture. A black-box attack
occurs when the attacker does not know the architecture of the
target model and the dataset used. Nevertheless, even with-
out knowing anything about the model, it could still approach
a decision boundary similar to that of the target model and thus
fool it by querying the target model and receiving responses
in the form of decisions or probabilities. An alternative black-
box approach is known as ”transferability” where the attacker
can create his own model (i.e. surrogate model) with similar
functionality to the target model in order to fool it by creat-
ing adversarial instances based on his surrogate model and then
transferring these instances to the target model to fool it as well.
125 Obviously, black-box attacks are more complicated to perform,
not only due to lack of knowledge but also because they require
more computational resources to accommodate these accumu-
lated knowledge biases.
2.1.2. Domain constraints
Regarding the feasibility of adversarial attacks, it varies ac-
cording to the domain in question as it is strongly limited by
several constraints. Such constraints can be divided into two
main categories: syntactic constraints and semantic constraints.
Syntactic constraints refer to all constraints related to syn-
tax. In their work, Merzouk et al. [19] identified three syntac-
tic constraints that an adversarial instance must respect, namely
out-of-range values, non-binary values, and multi-category mem-
bership. Out-of-range values are values that exceed a theoreti-
cal maximum value that cannot be exceeded. Non-binary val-
ues are entries that violate the binary nature of a feature, and
multi-category membership are values that violate the concept
of one-hot encoding.
Semantic links represent the connections that various fea-
tures may have with each other. It is challenging to identify
145 precisely such constraints since they are specific to each appli-
cation and to each particular feature used. Nevertheless, the
work of Hashemi et al. [4], and Teuffeunbach et al. [29] sug-
gest an intuitive approach in the NIDS domain by categorizing
the features into roughly three different groups with different
semantic links. The first group includes features that can be
directly modified by the attacker (e.g., the number of forward-
ing packets, the size of the forwarding packets, and flow dura-
tion). The second group concerns features that depend on the
first group. They must be recalculated on the basis of the lat-
ter (e.g., number of packets/second or average forward packet
2
 size). The third group includes features that cannot be changed
by the attacker (e.g., IP address, protocol number).
2.1.3. Manipulation Space
An essential property of a realistic adversarial instance is
160 the ability of an attacker to modify its characteristics. In the-
ory, it is possible to directly modify the features of adversarial
instances. However, in real-world scenarios, this approach is
considered unsuitable for certain domains, such as IDSs that195
analyze network traffic. This is mainly due to the fact that the
165 feature extraction process (i.e., from raw traffic to feature space)
is not a fully reversible process, unlike in other domains such
as computer vision. This means that features can be extracted,
modified, but not easily reintroduced into network traffic due to200
the semantic links between features. Moreover, direct feature
170 modification requires full knowledge of the feature extraction
process used by the IDS in order to respect the syntactic or se-
mantic constraints assigned to them. We can therefore deduce
that working on the feature space is not very realistic. For this205
reason, recent studies [30, 31, 32] propose to directly manipu-
175 late the network traffic, so that it is not necessary to know the
features used, nor to transform the feature values into traffic
form. In this way, we can distinguish two manipulation spaces,
the feature-based and the traffic-based.
2.1.4. Performance Metrics
180 All IDS models can be analyzed in terms of their perfor-
mance. To evaluate their performance, different evaluation met-
rics can be used. All of them are based on the confusion matrix215
represented in Table 1.
Table 1: IDS Confusion matrix
Predicted Class
Actual Class Anomaly Normal
Anomaly True Positive (TP) False Negative (FN)
Normal False Positive (FP) True Negative (TN)
Once all of the behavioral responses are classified, it is pos-
185 sible to determine evaluation metrics. Of these, the ones com-
monly used are : 225
1. Recall, also called the ”detection rate”, is the percentage
of the patterns classified as malicious and which are in-
deed malicious.
TP
Recall = (1)230
(T P + FN)
2. Precision represents the percentage of relevant results in-
stead of irrelevant results.
TP
Precision = (2)235
(T P + FP)
3. F-measure, also called the ”F1 score”, gives the perfor-
mance of the combined recall and precision evaluation
metrics, it’s the harmonic mean of both. It provides the
system with the capacity to give relevant results and refuse240
the others.
(2 ∗ Recall ∗ Precision)
F-measure = (3)
(Recall + Precision)
2.2. Related work
A common approach used by researchers in many areas is
to focus on the theoretical aspect of the problem. In the case of
190 adversarial machine learning, this entails focusing only on the
feature level which is the ML representation of raw data after
the feature extraction step [33, 34, 35]. Semantic and syntactic
constraints, on the other hand, are two very important aspects to
consider when transcribing a feature-represented instance into
raw values in practice, and they are frequently overlooked or
ignored. This implies that the realistic feasibility of adversarial
attacks is not fully addressed [7].
Merzouk et al. [19] provide an in-depth analysis of the
feasibility of some state-of-the-art white-box attacks against an
IDS. The white-box adversarial algorithms studied are FGSM
[14], BIM [6], C&W [16], DeepFool [36] and JSMA [37]. They
have shown that these adversarial algorithms produce invalid
adversarial instances and thus do not meet any of the feasibility
criteria for a realistic adversarial attack as discussed in Section
2.1. In addition to the issue of functionality preservation, white-
box attacks require knowledge of the internal architecture of the
target system. It is unlikely that an attacker would have access
to the internal configuration of the ML model [8] , making it
less likely that an attacker could perform a white-box attack in
210 a realistic environment [7].
Recent research has focused on designing adversarial net-
work traffic in a black-box setting where the attacker has limited
or no information about the defender’s NIDS [20, 21]. Black-
box attacks can be launched using two approaches: model query-
ing [22] and transferability [14].
Studies have shown that by sending multiple queries to the
target NIDS, an attacker can extract useful information such as
the classifier’s decision, which allows the attacker to craft ad-
versarial perturbations capable of evading the NIDS [20, 23,
220 24]. Although achieving high success rates, this approach has
two limitations: the first is that NIDSs are not designed to give
feedback when queried, unless side-channel attacks are used
[25]. The second limitation is that it requires a relatively high
number of queries to work properly, which can expose the at-
tacker to be easily detected using a simple query detector [26,
21]. Thus, the IDS querying approach is less feasible for a re-
alistic attack [7].
The second black-box approach is to rely on the transfer-
ability property of adversarial examples. This property was first
explored by Goodfellow et al [14], who show that adversarial
examples that fool one model can fool other models with a high
probability without the need to have the same architecture or be
trained on the same dataset. An attacker can exploit the transfer-
ability property to launch black-box attacks by creating a sur-
rogate model trained on data following the same distribution
as the target model [27]. This can be easily done by sniffing
network traffic [28], especially in a botnet scenario where the
attacker already has a foothold in the corporate network.
Miller et al. [8] classify defenses against evasion attacks
into two groups: robust classification and anomaly detection.
The goal of robust classification is to accurately classify all ad-
versarial instances (i.e., classify them as malicious in our case)
3
 while trying not to affect the performance of the classifier in the
absence of adversarial attacks. The anomaly detection strategy,
245 on the other hand, advocates detecting and treating adversar-
ial instances rather than attempting to accurately classify them
despite the attack.
Adversarial training [5, 14] was one of the first robust clas-
sification strategies to be proposed. Adversarial examples are
250 added to the training set used to create the classifier as part of
the data augmentation technique known as adversarial training.
The correct label is given to these adversarial data in order to305
build a more robust classifier that can correctly classify samples
even if they have been adversarially modified. This method,
255 while showing good prospects in some areas of research, is sub-
ject to the problem of blind spots [8], which means that if ad-
versarial examples of a certain attack family are not included in310
the learning phase, the classifier may fail to be robust to these
adversarial examples. Consequently, this implies that adversar-
260 ial training could not be as effective against zero-day attacks,
which are one of the key issues facing the intrusion detection
sector. Moreover, the IDS may perform worse in its original315
classification job as a result of being retrained with adversarial
instances [38].
265 Defensive distillation, which was originally used to lower
the dimensionality of DNNs, is another adversarial defense pre-
sented in the literature [39, 40]. Papernot et al. [39] sug-320
gest a distillation-based defense with the goal of smoothing
the model’s decision surface. Carlini and Wagner [41] demon-
270 strated that defensive distillation is no more robust to adversity
than unprotected neural networks. As such, this defense is bro-
ken using the C&W attack.
To defend against adversarial assaults, one might discard325
any features that could be modified by the attacker without af-
275 fecting the logic of network communication [42, 43]. However,
Apruzzese et al. [3] demonstrated that doing so has a nega-
tive influence on detector performance in non-adversarial con-
ditions, for example, by generating more false alarms, which is
extremely undesired for current cyber security platforms. This330
280 decrease in performance is due to the deleted features having
a major influence on the underlying processes of the baseline
detectors.
Anomaly detection is an interesting alternative defensive
mechanism against evasion attacks. One of the noted advan-
285 tages is that correctly classifying adversarial examples is diffi-
cult, while detection is slightly simpler [44]. A supporting ar-
gument is that if a good robust classifier is created, then a good
detector is obtained for free: detection can be performed when
the decision of the robust classifier differs from the decision of
290 the non-robust classifier [8]. Instead of trying to correctly clas-
sify the adversarial instance into its original class, this strategy
recommends detecting the adversarial instance and treating it
accordingly. The most common action is to reject the identified
adversarial sample and prevent it from passing through the sys-
295 tem [45, 46, 27]. Our proposed defense falls into the category
of anomaly detection.
3. Proposed method
3.1. Threat scenario
With the increasing use of machine learning-based NIDS,
300 some research has focused on the possibility of evading these
NIDS using adversarial attacks already well known in the field
of computer vision, which have shown various weaknesses in-
herent in machine learning algorithms. In order to overcome
these weaknesses, it is therefore essential to focus on the ro-
bustness of machine learning techniques in the cybersecurity
domain.
As shown in Figure 2, our work is based on a realistic sce-
nario involving a connected computer device in an enterprise
network infected with malware, making it part of the botnet
controlled by a dedicated centralized server called Command
and Control (C&C), which is designed to command a multitude
of bots. Within this network, a NIDS using a neural network-
based model is present to detect any form of attack on the net-
work. In high-speed networks environment and considering
the difficulties of analyzing each individual packet, it is real-
istic to consider that the NIDS is a flow-based system rather
than a packet-based system. This NIDS therefore analyzes the
flow data generated by the router based on the traffic outgo-
ing/entering the network. All flows first pass through a flow
exporter, which extracts the network features, as described in
Table 2, containing the information of each network flow and
sends it to the NIDS for preprocessing and classification. In
this table, three groups can be highlighted:
• The first one, with a green color, contains all the features
that can be directly manipulated by an attacker.
• The second one, highlighted in yellow, contains the fea-
tures depending on the first group, and can therefore be
manipulated indirectly.
• The last group, with a red background, contains features
that cannot be manipulated by an attacker.
Flow exporter NIDS
Internet
xadv = x + ε
Attacker Adversarial
botnet traffic Bot Enterprise
network
Figure 1: An illustration of the considered threat scenario
Concerning the temporal aspect of the execution, the pro-
cessing of the network flow is done in real time on the NIDS,
which processes the information online while its learning phase
has been carried out offline.
4
 Table 2: Common features description used by flow-based NIDS for botnet be modified by the attacker, either directly or indirectly. Only
attacks [47]
the three green features: Dur, Out/InBytes, and TotPkts can be
Features Name Description Type Category
Dur Duration of the flow Float manipulated by the attacker. It should be noted that modifying
Bytes outgoing/entering the 370 the green features will result in some indirect changes to the
Out/InBytes Integer Modifiable
network yellow features. These changes should be taken into account in
TotPkts Total of exchanged packets Integer order to properly address the respect of semantic and syntactic
TotBytes Total of exchanged bytes Integer
constraints. To manipulate the network factors explained just
BytesPerPkt Total bytes by packet Float
BytesPerSec Total bytes by second Float before, the attacker can use the following three approaches:
Dependent
PktsPerSec Total packet by second Float
Ratio between outgoing and
375 1. Time manipulation attack: with this approach, it is pos-
RatioOutIn Float sible to act on two time-related aspects during the attack.
entering bytes
ConnectionState The state of the connection Categorical On the one hand, by reducing the frequency of the attack
FlowDirection Direction of the flow Categorical packets by increasing the sending time between packets
The destination port is a private, of the same flow, as in the work of Zhijun et al. [50]
Src/DstPortType Categorical
registered or known port
Unmodifiable 380 which shows the implication of this variant on DoS at-
The network IP source or
IPSrc/DestType Boolean tacks. On the other hand, by accelerating the frequency
destination
Source and destination type of of attack packets in a moderate way by decreasing the
Src/DstTos Integer
service time taken to send the packets. These two variants allow
to influence directly the ”Duration” feature and indirectly
385 the ”BytesPerSec” and ”PktsPerSec” features.
2. Packet quantity manipulation attack: This attack can be
335 Concerning the knowledge assumptions, it is considered that carried out in two different manners. The first is packet
the attacker has limited access to network data and has no infor- injection, which suggests injecting new packets into the
mation about the model and parameters of the NIDS used by the network flow by creating them directly, with tools such as
company. This means he can only intercept traffic that passes390 Hping 4 or Scapy 5 , or by breaking a packet into several
through his machine and gathers limited information about the fragments, using packet fragmentation, so as to preserve
340 benign traffic that passes through the bot’s machine. In terms the content and underlying logic of the packet without
of requirements, our scenario assumes that the attacker has pre- damaging its overall behavior. Packet fragmentation is,
viously breached the network by infecting a machine with mal- for example, used by some attacks such as the TCP frag-
ware in order to connect to the C&C server. As a result, the395 ment attack [51] or a DoS attack. A variant suggested by
attacker will be able to gather information about the benign traf- this possibility would be to resend the same packet mul-
345 fic. Regarding the flow exporter, the attacker does not need to tiple times using a tool like Tcpreplay 6 . The other way
have knowledge about it or about the extracted features used by to do this is packet retention, which would be to not send
the NIDS since he acts directly on factors that he can manipu- a packet immediately, but rather to send it after a certain
late in the traffic space. Given the recurring use of certain net-400 amount of time, thus adding that packet to the next flow,
work factors (in particular, packet duration, number, and size) thus avoiding having more packets in a single flow. With
350 in botnet detection by state-of-the-art NIDSs, the attacker can the same idea of retention, another suggested possibil-
assume that these factors are part of the set of features used ity could be a modification of the general communication
by the NIDS. The attacker can retrieve these feature lists from system used in the botnet attack to shorten the number of
known exporters such as Argus 1 , CIC-FlowMeter 2 or nProbe405 packets sent between the botnet devices. In both cases,
3
and from scientific papers [48, 49, 3] explaining the features this attack directly influences the ”TotPkts” feature, and
355 used by NIDS models. The attacker has the ability to com- indirectly the ”PktsPerSec” and ”BytesPerPkt” features.
municate with and target the infected computing device. It is 3. Byte quantity manipulation attack: Similar to the previ-
therefore also considered that the attacker can manipulate, in ous approach, there are two ways to perform this attack.
both directions of communication, the duration of packet trans-410 The first is byte expansion. In the case where the com-
mission, the number of packets sent and received, as well as the munication is not encrypted, a suggestion would be to
360 number of bytes sent and received, as shown in Table 2, respect- directly modify the payload to obtain the desired num-
ing the semantic and syntactic constraints related to the network ber of bytes. In case it is encrypted, it is assumed that
protocols used and maintaining the underlying logic of his mali- the attacker knows the cryptographic suite used to en-
cious communications. In order to maintain the malware’s full415 crypt the two-way communication channel. This would
behavior, the attacker cannot directly act on certain features, allow him to add padding using a tool like Scapy, calcu-
365 such as the source and destination IP addresses or the type of late its encrypted version, and then verify that the packet
service. In fact, the features highlighted in red in Table 2 cannot size is the desired one. The addition of padding is known

1 https://openargus.org/ 4 http://www.hping.org/
2 https://github.com/CanadianInstituteForCybersecurity/CICFlowMeter 5 https://scapy.net/
3 https://www.ntop.org/products/netflow/nprobe/ 6 https://tcpreplay.appneta.com/

5
 to both communicating parties, allowing the receiver to
420 remove the unnecessary part and thus recover the origi-460
nal payload. The second method is byte squeezing. The
idea is to reduce the number of bytes sent. To do this, it
would be possible to compress the data to directly reduce
the size of the payload using a tool like Zlib [52]. This
425 is a common tool already used in the IoT domain to re-
duce the bytes exchanged, as explained in [53]. Another465
possibility would be to modify the general behavior of
the botnet system by minimizing the content of the pay-
load to be sent. This second possibility can only be done
430 before the machine is affected by the malicious bot soft-
ware, but can be proactively prepared by an attacker. Fur-470
thermore, whether it is byte expansion or byte compres-
sion, the attack directly influences the ”OutBytes” and
”InBytes” features, and indirectly the TotBytes, ”Bytes-
435 PerPkt”, ”BytesPerSec” and ”RatioOutIn” features.
Internet
Enterprise network
Attacker
Defender NIDS
3 tacks and common to both datasets used. These features are
Transferability
1 2
4 attacks were not included because they do not have enough ma-
Surrogate models trained
with sniffed traffic Bot
Attacker side Defender side
Figure 2: An illustration of the adversarial botnet traffic generation steps
As shown in Figure 2, There are four steps in the process
490
of creating adversarial botnet traffic. During step 1, the attacker
generates adversarial traffic that is specifically designed to by-
pass the surrogate models that the attacker previously trained
440 using sniffed traffic. The attacker then receives and analyzes
the adversarial traffic that managed to avoid detection by the
495
surrogate models during step 2. During step 3, the attacker uses
the transferability property to send adversarial botnet traffic to
the defender NIDS. In step 4, the adversarial botnet traffic that
445 successfully bypassed the defender NIDS will arrive at its final
destination, the bot.
3.2. Datasets
To perform reproducible experiments, the CTU-13 [54] and
CSE-CIC-IDS2018 [55] datasets were used to provide results
450 that could be comparable to multiple datasets as well as a wider505
range of attacks.
• CTU-13: This dataset, provided by the Czech Techni-
cal University in Prague, contains different labeled traffic
from 13 different application scenarios. Each of them
455 follows the same process, including a different botnet at-
tack variant (Neris, Rbot, Virut, Murlo, Menti, NSIS.ay510
and Sogou). The process involves monitoring a network
for both benign network communications and malicious
traffic executed by the botnet attack. All of this traffic is
extracted as PCAP files and then formatted as flows via
the Argus tool, which turns raw network data into flows.
• CSE-CIC-IDS2018: This dataset contains a set of com-
puter attack scenarios, such as Brute-force, Heartbleed,
Botnet, DoS, DDoS, or Web attacks. There are two vari-
ants of botnet attacks: Zeus and Ares. The network traf-
fic for each scenario was extracted as a PCAP file and
formatted by CICFlowMeter to provide a set of 83 net-
work features for thousands of labeled network flows.
This dataset, being relatively recent, provides consistent
data following the dataset creation methodology present
in [56], allowing to have a reliable and realistic dataset.
Other than botnets, CTU-13 and CSE-CIC-IDS2018 con-
tain a variety of attack types. Because our research focuses
solely on botnet attacks, all other attack types were removed to
475 create a dataset containing only botnet attack records. To avoid
incorporating potential biases when creating these new datasets,
we relied on the work done by Venturi et al. [47]. Features were
filtered to keep only those consistent for the study of botnet at-
480 those described in Table 2. Regarding CTU-13, the botnet at-
tacks considered in this work are Neris, Virut, and Rbot. Other
licious instances to provide consistent results. For CSE-CIC-
IDS2018, after initially being indistinguishable in the original
485 dataset, the Zeus and Ares botnet attacks were extracted into
the same dataset (Zeus & Ares).
To ensure the practicality of the present work, the CTU-13
and CSE-CIC-IDS2018 datasets were divided into two equiva-
lent datasets and stratified according to the labels. These datasets
are equivalent in terms of size and distribution, which repre-
sents more than 32,000 instances for each side. The first is used
for training and evaluation of the model used by the defender.
The second is used by the attacker to train the surrogate models
independently. The attacker can obtain this data by sniffing the
network. This is particularly possible in the case of a botnet sce-
nario, as the attacker communicates bidirectionally with the in-
fected device. The datasets for each side (defender and attacker)
are split into a training dataset and a test dataset for validation
with proportions of 75% and 25% respectively. Each training
500 and test data subset is evenly split in terms of malicious and be-
nign traffic. The datasets are separated in this manner to have
the most balanced representation so as to avoid the problem of
unbalanced data given that it is out of the scope of this study.
The attacker and defender datasets thus follow similar but not
identical distributions since they are not the same datasets. The
arrangement of the datasets is illustrated in Figure 3.
3.3. Preprocessing
General preprocessing has already been performed on the
dataset provided by Venturi et al. [47], resulting in clean data
where outliers, empty values, and non-TCP traffic were removed.
Data filtering and ”one-hot encoding” of categorical features
were carried out. This encoding transforms the categorical data
6
 75%
Train Dataset
Defender
Dataset
50%
Datasets partitioning
Test Dataset
25%
Datasets
75%
Train Dataset
50%
Attacker
Dataset
Test Dataset
25%
Figure 3: Partitioning of the datasets for experiments
into a binary format that can be exploited by the model. How-
ever, some inconsistencies are present in the dataset provided
515 by Venturi et al. [47]. By default, when the ”OutBytes” and
”InBytes” features are set to 0, the ”RatioOutIn” feature is set
to the maximum value present in the data set, simulating an infi-
nite value. Since the ratio in this case is 0/0, we chose to replace
it with 0 instead of a pseudo-infinite value, representing a zero
520 byte exchange.
For training the neural network algorithms, some additional
preprocessing was applied to the training and test data. First,
the data were normalized using a minmax scaling method, trans-
forming the data to be projected to a value between zero and555
525 one, according to Eq. 4. Then, the labels undergo a one-hot
encoding to transform them to binary values so that they can be
processed by the MLP.
X − min(X)
X scaled =
max(X) − min(X)
where X is an instance and X scaled is the normalized in-
stance.
530 3.4. ML-based NIDS
As neural networks are increasingly used in the context of
NIDS based on machine learning algorithms, a couple of them
are chosen, as well as more classical ML algorithms. On the de-
fender side, the defender uses a Multilayer Perceptron (MLP),565
535 Random Forrest (RF) and K-Nearest Neighbors (KNN) algo-
rithm as a model for his IDS. For the attacker, the same algo-
rithms are chosen with different parameters and hyperparame-
ters and trained with a different dataset. These three ML mod-
els were chosen in our work given their popular use in the IDS570
540 community [57, 58, 59]. All these algorithms follow the same
training and testing process, as shown in Figure 4.
Meta-parameters are chosen randomly to avoid having the
same model parameters between the attacker and defender. Ex-
amples of meta-parameters are the the number of neighbors k575
545 defined in the KNN algorithm, the number of hidden layers or
neurons in the DNN, or the number of estimators used in the
Figure 4: Machine Learning pipeline for both attacker and defender
RF. The choice to use several algorithms allows for more com-
parable results, especially in the case of transferability. Having
several ML models allows for a better understanding of the im-
550 pact of transferability of adversarial network traffic, both intra
and cross-transferability. The meta-parameters of all models
can be seen in Table 3.
Table 3: Meta-parameters of the selected ML models
Classifier Attacker Parameters Defender Parameters
Hidden Layers (HL) = 3 Hidden Layers (HL) = 2
Neurons by HL = 128 Neurons by HL = 256
MLP
Activation = ReLU Activation = ReLU
Optimizer = Adam Optimizer = Adam
Nb estimators = 300 Nb estimators = 200
Criterion = Gini Criterion = Gini
Random Forest
Bootstrap = True Bootstrap = True
KNN Nb neighbors = 5 Nb neighbors = 3
3.5. Proposed evasion attacks
In order to generate adversarial perturbations, which are
added to the malicious instances to make them benign, we pro-
pose two evasion attack variations formulated in Eq. 5 and Eq.
6.
t
xadv ( f ) = Pro j[xt−1 ( f ) + sign(benign mean( f )
(4) (5)
−x0 ( f )) ∗ (c ∗ t) ∗ mean ratio( f )]
where x0 ( f ) is the initial value of the targeted network factor
f in the instance, the sign function specifies the direction of
560 the perturbation, c is a multiplicative coefficient that regulates
the perturbation rate generated at each step t, benign mean is
the mean of the benign set of the targeted network factor f that
the attacker can obtain from sniffing network traffic, mean ratio
is the ratio between the mean of the malicious set and the be-
nign set of the targeted network factor f , and Pro j is a pro-
jection function that projects the values of modified features
that violate syntactic and semantic constraints into the space
of valid values. These modified features are only network fac-
tors that the attacker can manipulate directly or indirectly, as
represented by the green and yellow groups in Table 2. If the
attacker manipulates one of the modifiable features shown in
Table 2 with green color, the Proj function will make sure that
the dependents features will change values accordingly. For in-
stance, changing the flow duration by the attacker will induce a
change in ”total packet by second” feature which equals num-
ber of packets divided by the flow duration. In nutshul, the pro-
jection function is what allows, when features are modified, to
7
 ensure that the domain constraints are respected. This enables
the adversarial instances created to be valid and reversible in
580 the targeted domain. In this manner, the malware’s intended
behavior is preserved.

t
xadv ( f ) = Pro j[xt−1 ( f ) + sign(benign mean( f )
(6)
−x0 ( f )) ∗ (c ∗ t) ∗ |mean di f f ( f )|]

where mean di f f is the difference between the mean of the be-

nign set and the malicious set of the targeted network factor
Figure 6: Process to generate adversarial instances
f . In this case, mean di f f is an absolute value to avoid influ-
585 encing the direction of added perturbations during adversarial
Algorithm 1 Crafting adversarial examples for flow-based IDS
generation.
Although both methods yield similar results, we decided to procedure CraftAdvEx(x) ▷ where x is a malicious flow
use the second method (i.e. mean difference method as in Eq. xadv ← x
6) to conduct the experiments. This choice is purely for illustra- t←1
590 tive purposes, as the mean difference method is more intuitive m ← mean di f f erence() ▷ or mean ratio()
and can be illustrated by Figure 5 which shows how a mali- repeat
cious instance tends to become benign, and thus adversarial. for mask ← mask1 , ..., mask15 do
Mean is the average of the benign data. The figure is shown in ϵ ← sign[benign mean( f ) − x0 ( f )] ∗ (c ∗ t) ∗ m( f )
two dimensions for the sake of simplicity, but in reality the ma- ϵ ← ϵ ∗ mask
595 nipulation space is much larger because many factors are being xadv ← xadv + ϵ
manipulated. xadv ← Pro j(xadv )
if predict(xadv ) == benign then
return xadv
Constrainted decision boundary
end if
Class 0 - Benign end for
t ←t+1
Decision boundary until predict(xadv ) == benign
end procedure
Mean
Proj() procedure Proj(xadv ) ▷ applying domain constraints to xadv
xadv ← ApplyS yntacticConstraints(xadv )
10% xadv ← ApplyS emanticConstraints(xadv )
return xadv
end procedure

To select the combinations of attacks (presented in Section

Class 1 - Malicious
With Constant C = 0.1
Figure 5: 2D illustration of a malicious instance transformation with the mean
difference method
3.6. Adversarial instances generation
To generate adversarial instances, the process illustrated in
Figure 6 is followed. During this process, the previously de-
600 fined Eq. 6 is applied during the execution of the adversarial
generation step described in Algorithm 1.
It is worth mentioning that this algorithm applies increas-620
ingly large perturbations to the initial malicious stream at each
iteration, whenever the new adversarial instance is not classified
605 as benign. Both formulas guarantee small initial perturbations
and are modulated by the multiplicative constant c.
3.1) that should be applied to manipulate the network traffic
flow, a method of masks is employed where each corresponds to
610 a combination of the manipulable factors (i.e., the total number
of packets, the transmission time of the packets, and the number
of outgoing or incoming bytes in those packets). At each itera-
tion, the masks are applied in a gradual manner by multiplying
them by the previously generated perturbations using Eq. 6 and
615 Eq. 5. This ensures that only the perturbations needed at that
current stage are applied to the selected factors. These masks
follow a binary logic and represent 15 combinations. The repre-
sentation of these masks with their corresponding manipulable
factors is shown in Table 4.
Once perturbations are applied at each stage, syntactic and
semantic constraints are enforced, through the Pro j() function,
to respect the underlying logic of the malicious network com-
munication. This projection function has a couple of actions: it
allows to apply semantic and syntactic constraints to make ad-

8
 Table 4: Features used by combination with their corresponding mask domain-constrained systems such as NIDS and that there is still
Combinaison Mask Target factor
1 0001 Duration room for improvement [41, 60], although some of them have the
2 0010 TotPackets 660 potential to reduce the impact of adversarial instances [14, 61].
3 0011 Duration, TotPackets For this reason, a defense is proposed in this work.
4 0100 InBytes
5 0101 InBytes, Duration
6 0110 InBytes, TotPackets
7 0111 InBytes, TotPackets, Duration
8 1000 OutBytes
9 1001 OutBytes, Duration
10 1010 OutBytes, TotPackets
11 1011 OutBytes, TotPackets, Duration
12 1100 OutBytes, InBytes
13 1101 OutBytes, InBytes, Duration
14 1110 OutBytes, InBytes, TotPackets
15 1111 OutBytes, InBytes, TotPackets, Duration

625 versarial instances valid. To do this, this function recalculates

the dependent factors (i.e., the yellow group in Table 2) that de-
pend on the directly manipulatable factors (i.e., the green group
in Table 2). Furthermore, when a value obtained exceeds the
maximum value listed in the entire test set, this value is pro-
630 jected to this maximum value to ensure that it is transcribed
in its appropriate scope. Given that each dependent feature (in
yellow) is linked to a modifiable feature (in green) via an easy Figure 7: Proposed defense process
and intuitive formula explained in Table 2 (e.g., RationOutIn =
OutBytes/InBytes), We chose not to list all of the formulae in
As shown in Figure 8, the proposed reactive defense fol-
635 Algorithm 1, instead providing a list of the corresponding de-
lows the process illustrated in Figure 7. The defense itself is
pendent features as shown in Table 5, which are updated when
inspired by adversarial training [14], adversarial detection [61],
an attacker manipulates one of the modifiable features to ensure
665 and bagging as an ensemble method. The role of this defense
semantic constraints are respected. This algorithm is feasible in
is to act as an adversarial detector (filter) that is placed before
that the attacker acts directly on the network traffic and not on
the NIDS to prevent adversarial instances from being able to
640 the features. This means that it follows a so-called traffic-based
reach and fool the NIDS. The main idea of this defense is to
methodology, which is more realistic than the feature-based
train three MLP models in parallel, each taking as input a spe-
one because the attacker only needs limited information about
670 cific group of features in order to detect adversarial instances.
the defender, such as information about the network traffic he
There are thus three groups corresponding to features that can
plans to attack. This allows us to assume black-box knowledge,
be directly manipulated by the attacker, features that depend
645 which is not the case with feature-based manipulation, which
on the first group, and features that cannot be modified. This
requires white-box knowledge, such as access to the internal
arrangement corresponds to the manipulability of features in a
architecture of the intrusion detection system, its parameters,
675 realistic context, i.e., features that can be modified by the at-
and the dataset used to train the ML model. It can be noted that
tacker. The instances used to train the three sub-detectors are
our adversarial algorithm was designed to consider two objec-
divided into two classes: the first one contains benign and ma-
650 tive functions: one to minimize the amount of modification in
licious instances, having been concatenated together and rela-
each factor and the other to minimize the number of modified
beled as clean (i.e., non-adversarial), the second class contains
factors.
680 adversarial instances previously created based on malicious in-
Table 5: When an attacker manipulates one of the modifiable features, the cor- stances exclusively. Table 6 illustrates the different data types
responding dependent features are updated using the Proj() function to ensure used to better understand this distinction.
semantic constraints are respected.
Modifiable features Corresponding dependent features updated using Proj fucntion Table 6: Description of datasets and labels used by the detectors
Dur BytesPerSec, PktsPerSec Dataset Type Description
Out/InBytes TotBytes, BytesPerPkt, BytesPerSec, RatioOutIn Benign The network traffic that contain benign communications.
TotPkts BytesPerPkt, PktsPerSec Malicious The network traffic that contain a botnet attack.
Clean The concatenation of benign and malicious traffic.
The generated adversarial instances produced
Adversarial
with an adversarial algorithm using malicious traffic.

3.7. Strengthening adversarial robustness

Since ML algorithms are inherently vulnerable to adversar- Each of the three feature groups is assigned a particular
655 ial examples, it is necessary to find various approaches to de- weight. These weights are set during model training based on
fend them. After reviewing a range of defenses found in the685 the overall detection rate of each detector. Once the predictions
literature, we found that many of them are not fully adapted to have been made by each sub-model for each test instance, they

9
 Figure 8: Proposed defense approach using MLP sub-detectors

undergo a contextual discounting and then a Bayesian fusion,710
as defined in Eq. 7, where the prediction matrix is multiplied
by the corresponding weights, and then the three resulting ma-
690 trices are summed. Once this step is complete, the new values
are normalized to obtain the final probabilities, where Pa rep-
resents the probability that the instance is adversarial, and Pc is715
the probability that it is clean. The result is a final prediction of
whether an instance is adversarial or not, and thus is subject to
695 rejection by the detector.
P3
i=1 (Pai∗ wi )
Pa = P3
720
is investigated to see the impact of transferability between the
same and different models as well as the training data. A study
of the time taken by each attack is also considered, as well as
an analysis of the differences in perturbation between the initial
malicious instance and the adversarial instance. Then, a general
comparison is made on the performance of the proposed adver-
sarial generation algorithm across the botnet attacks present in
each dataset. The last section includes the results of the pro-
posed defense against the adversarial instances generated by the
previously proposed evasion attack algorithm.
4.1. Initial performance of ML-IDS models in clean settings

i=1 (Pai ∗ wi ) + i=1 (Pci ∗ wi )

P3
P3
i=1 (Pci ∗ wi )
Pc = P3
i=1 (Pai ∗ wi ) + i=1 (Pci ∗ wi )
P3
Figure 8 illustrates the use of MLP as a sub-detector, but
it should be noted that these detectors can use different ma-
chine learning algorithms. This defense could even be used in a
stacking scheme involving detectors, each using some specific
700 machine learning algorithms.
4. Evaluation
This section discusses the findings of several experiments.
First, those concerning the performance of the initial attacker735
and defender models are discussed based on different metrics,
705 namely precision, recall and F1 score. These results concern
the models trained with the CSE-CIC-IDS2018 and CTU-13
datasets. In a second step, results regarding the performance of
the models in adversarial contexts are discussed. A preliminary740
study of the models trained with the CSE-CIC-IDS2018 dataset
To evaluate the initial performance of ML-IDS models trained
(7) in clean (i.e. non-adversarial) settings on both the attacker and
defender sides, several metrics are used, namely: recall defined
in Eq. 1; precision defined in Eq. 2; and f1-score defined in
725 Eq. 3. ML-IDS models are requested to perform a binary clas-
sification to distinguish malicious from benign traffic in clean
settings.
As shown in Figure 9, the results for the initial performance
of the attacker-side trained ML models yield metrics of 100%
730 for all models trained with CSE-CIC-IDS2018. In the case of
CTU-13, they are less significant. Nevertheless, all models have
metrics above 96%. These results regarding the performance of
ML-IDS on both datasets are comparable to those found in the
literature [62, 63, 64].
These initial results show good performance in general. Mod-
els trained with CTU-13 perform somewhat less well than those
trained with CSE-CIC-IDS2018. This may be due to the fact
that CSE-CIC-IDS2018 contains only two botnet attacks, while
CTU-13 contains five, forcing the models to expand their de-
cision boundary to try to correctly classify all types of attacks
into a single class (i.e., malicious).
10
 100% 765 the models trained by the attacker. The defender-trained mod-
99% els are different from the attacker-trained models in two aspects:
98%
i) they have different hyperparameters; ii) they are trained with
97%
96%
different datasets. We test the effect of using the same or dif-
95% ferent hyperparameters on the transferability of adversarial in-
94% 770 stances from the attacker’s models to the defender’s models.
93% It should be noted that the results of the experiments in the
92%
91%
various tables always compare equal proportions for the de-
90% fender and attacker with different data ( i.e. different contents).
Precision Recall F1-score Precision Recall F1-score As shown in Figure 3, the size of the training (75%) and test
CTU-13 CSE-CIC-IDS2018 775 data (25%) is the same for the attacker and defender because
MLP RF KNN the original dataset is divided in half. Since the size of the data
Figure 9: Performance of the attacker-side trained ML models on CTU-13 and
is the same, by saying that the data is different, we invariably
CSE-CIC-IDS2018 in clean settings mean its content.
Table 7a illustrates the performance of the adversarial trans-
780 ferability property between the attacker’s trained models. It is
Regarding the performance of the defender-side trained ML worth mentioning that all the attacker’s models are trained with
models, presented in Figure 10, we can see slight variations in the same data. As we can see, the diagonal values of the table
the metrics for the models trained with CTU-13. These vari- are all zeros. This is to be expected since the adversarial in-
745 ations are very small and of the order of 1% maximum. We stances were designed based on the decision boundary of this
can note that the model using a random forest gives a metric785 model, so testing on the same model will give a detection rate
of 100%. For the models trained with CSE-CIC-IDS2018, the of 0%. We also notice that the adversarial instances generated
metrics are all at 100%, which gives identical performance to based on MLP were able to drop the detection rate of RF and
that of the attacker-side trained ML models. In general, the KNN to 0%, while the adversarial instances based on these two
750 same observations can be made for the defender models, as the models were able to drop the detection rate to about 50%. Fi-
results are relatively similar. 790 nally, we can see that on average, the detection rate dropped to
21.9%, which is a rather satisfactory result for the attacker.
100% Table 7b represents the impact of adversarial instances, gen-
99% erated using the attacker’s model, against the defender’s mod-
98%
els. The particularity is that the defender uses, in this case,
97%
96%
795 the same hyperparameters as the attacker’s models. Only the
95% dataset used during training changes. This allows, compared
94% to Table 7a, to see the effect of intra-transferability through the
93%
same models and the same hyperparameters using a different
92%
91%
dataset for training, but also of inter-transferability through dif-
90% 800 ferent models with the same hyperparameters. This gives con-
Precision Recall F1-score Precision Recall F1-score crete information about the impact of the training data and the
CTU-13 CSE-CIC-IDS2018 model used on the transferability of adversarial instances. Com-
MLP RF KNN pared to Table 7a, Table 7b shows slight changes in the effect
Figure 10: Performance of the defender-side trained ML models on CTU-13
of intra-transferability (i.e., the same model) as seen in the di-
and CSE-CIC-IDS2018 in clean settings 805 agonal values ( 1% for RF and 3% for KNN) while the effect of
cross-transferability remains similar in both tables. These re-
sults indicate that the attacker does not need to train his models
4.2. Performance of ML-IDS models in adversarial settings with the same data as the defender, data with a similar distribu-
tion will be sufficient to make the transferability property work
To study the impact of adversarial instances generated by
810 effectively.
our algorithm 1, as well as the effectiveness of transferring these
Table 7c again shows the adversarial performance against
755 adversarial instances created by the attacker to the models trained
the defender models. However, although the models use the
by the defender, the first experiment focuses on the CSE-CIC-
same learning algorithms, this time they have different hyperpa-
IDS2018 dataset containing the Zeus & Ares botnet attacks. To
rameters. This allows us to show the effect of intra-transferability
measure the impact of adversarial instances, the detection rate
815 and cross-transferability on different models with different hy-
metric, also called recall, is used 1. It measures the rate of ad-
perparameters as well as different training data sets. This table
760 versarial instances detected by the ML-IDS as malicious. To do
is therefore the one that provides the closest insight to the real-
this, the attacker first generates adversarial instances for each
ity because, here, the attacker’s knowledge is extremely limited
model trained on his side (i.e., MLP, RF, and KNN). The ad-
since he neither knows the model used, nor the parameters or
versarial instances generated for one model will be sent to the
820 hyperparameters of the model, nor the data used to train the de-
other models to evaluate the transferability property between
fender’s model. This demonstrates the effect of transferability
11
 in a realistic context. The results provide a fairly similar de- Table 8: The maximum and average perturbation difference between the mali-
cious and adversarial instance on CSE-CIC-IDS2018
tection rate between Table 7b and Table 7c, indicating that not
using the same hyperparameters as the defender does not have Attacked model MLP
825 a significant impact on the transferability of the adversarial in- Manipulated factor Dur InBytes OutBytes TotPkts
stances. Average Perturb Diff. 0.075 55.251 10.286 0.001
From Table 7, we can see that not knowing the training data, Max Perturbation Diff. 0.218 348.368 1126.160 0.498
hyperparameters, or model used by the defender does not pre-
vent the attacker from creating adversarial instances and suc-
Attacked model RF
830 cessfully transferring them to the defender’s ML-IDS.
Manipulated factor Dur InBytes OutBytes TotPkts
Table 7: Performance of the adversarial transferability between ML-IDS mod- Average Perturb Diff. 0.071 55.251 10.286 0.001
els in term of detection rate
(a) Performance of the adversarial transferability between the attacker’s trained models Max Perturbation Diff. 0.218 348.368 1126.160 0.498

Attacker side Attacked model KNN

Attacker\Attacker MLP RF KNN Mean Manipulated factor Dur InBytes OutBytes TotPkts
MLP 0% 0% 0% 0% Average Perturb Diff. 0.044 0.813 179.585 0.000
RF 50% 0% 48% 33% Max Perturbation Diff. 0.073 116.123 375.387 0.000
KNN 50% 49% 0% 33%
Grand Mean 21.9%
(b) Performance of the adversarial transferability from the attacker to the defender models
(having the same attacker’s hyperparameters) ferability property of adversarial instances allows the attacker to
create an adversarial malicious instance to evade the defender’s
Defender side (same as attacker's hyperparameters) IDS without needing to know its internal architecture while en-
Attacker\Defender MLP RF KNN Mean suring that the needed perturbations are small enough to be fea-
MLP 0% 0% 0% 0% 850 sible in realistic scenarios, we proceed to create adversarial in-
stances for four botnet attacks, namely Neris, Rbot and Virut
RF 50% 1% 48% 33% from the CTU-13 dataset and Zeus & Ares from the CSE-CIC-
KNN 50% 49% 3% 34% IDS2018 dataset. Note that the attacker and defender models
Grand Mean 22.3% are trained on different data as shown in Figure 3 and have dif-
(c) Performance of the adversarial transferability from the attacker to the defender models855 ferent hyperparameters as shown in 3.
(having different hyperparameters from the attacker’s ones) Table 9 represents the detection rate of the attacker’s mod-
els against adversarial botnet attacks. For each botnet type, the
Defender side (different hyperparameters) attacker generates adversarial instances corresponding to ma-
Attacker\Defender MLP RF KNN Mean licious botnets based on the decision boundaries of one of his
MLP 0% 0% 0% 0% 860 models using the adversarial generation algorithm 1, and then
RF 50% 1% 48% 33% tests these generated adversarial instances on other ML mod-
els. On average, we can see that the attacker managed to reduce
KNN 50% 49% 4% 34% the detection rate to 15.8%, 5.3%, 22.2% and 21.9% for Neris,
Grand Mean 22.4% Rbot, Virut and Zeus & Ares respectively.
865 On the other hand, Table 10 represents the detection rate of
the defender’s models against adversarial botnet instances gen-
The set of sub-tables in Table 8 represents the average and erated previously by the attacker. On average, we can see that
maximum perturbation difference between the malicious instances the attacker managed to reduce the detection rate of the models
and their adversarial counterparts using the CSE-CIC-IDS2018 trained by the defender to 23.0%, 8.1%, 37.8% and 22.4% for
dataset. Each of these tables represents the ML model used by 870 Neris, Rbot, Virut and Zeus & Ares respectively.
835 the adversarial generation algorithm 1 to craft the perturbations Using Neris as an example, the attacker generated adver-
to be added to the manipulatable factors. Note that the duration sarial instances corresponding to this malware traffic using the
factor ”Dur” is expressed in seconds. decision boundaries of his trained RF model. When testing the
The main observation that can be made from this set of ta- effectiveness of his generated adversarial instances on his other
bles is that the perturbations are rather small for all the manip- 875 trained ML models (i.e., MLP and KNN), he achieves a detec-
840 ulable factors and therefore feasible in realistic scenarios. It tion rate of 34% and 22%, respectively, as shown in Table 9 and
should be noted that these perturbations are influenced by the 0% when tested on RF, since these instances are specifically
number of steps and the regulation coefficient c present in the designed to fool this particular trained model. The attacker
adversarial generation algorithm 1 and driven by the mean of then sends these RF-based generated adversarial instances to
each manipulable factor. 880 the defender IDS. The detection rates for the three ML mod-
845 After confirming from Table 7 and Table 8, that the trans- els trained by the defender are 41%, 19%, and 23% for MLP,
12
 Table 9: Detection rate of the attacker’s models against adversarial botnet at- Table 10: Detection rate of the defender models against adversarial botnet at-
tacks tacks
Neris Neris
Attacker/Attacker MLP RF KNN Mean Attacker/Defender MLP RF KNN Mean
MLP 0% 19% 7% 9% MLP 18% 20% 8% 15%
RF 34% 0% 22% 19% RF 41% 19% 23% 28%
KNN 26% 34% 0% 20% KNN 35% 35% 8% 26%
Grand Mean 15.8% Grand Mean 23.0%

Rbot Rbot
Attacker/Attacker MLP RF KNN Mean Attacker/Defender MLP RF KNN Mean
MLP 0% 5% 0% 2% MLP 1% 6% 0% 2%
RF 18% 0% 16% 11% RF 18% 22% 15% 18%
KNN 2% 7% 0% 3% KNN 2% 8% 1% 4%

Defender side
Attacker side

Grand Mean 5.3% Grand Mean 8.1%

Virut Virut
Attacker/Attacker MLP RF KNN Mean Attacker/Defender MLP RF KNN Mean
MLP 0% 69% 1% 23% MLP 25% 69% 2% 32%
RF 28% 0% 23% 17% RF 28% 90% 24% 47%
KNN 7% 72% 0% 26% KNN 29% 71% 2% 34%
Grand Mean 22.2% Grand Mean 37.8%

Zeus & Ares Zeus & Ares

Attacker/Attacker MLP RF KNN Mean Attacker/Defender MLP RF KNN Mean
MLP 0% 0% 0% 0% MLP 0% 0% 0% 0%
RF 50% 0% 48% 33% RF 50% 1% 48% 33%
KNN 50% 49% 0% 33% KNN 50% 49% 4% 34%
Grand Mean 21.9% Grand Mean 22.4%

Table 11: Time taken (in seconds) to generate 3000 adversarial instances for all
RF, and KNN, respectively, as shown in Table 10, resulting in botnet attacks using Algorithm 1
an average of 28% for the defender models. This is a relative Model\Botnet Neris Rbot Virut Zeus & Ares Mean
success for the attacker since their malicious traffic is only de- MLP 32.48 10.21 11.69 15.22 17.40
885 tected 28% of the time and has almost a three-quarter chance of RF 16.95 5.48 9.55 6.85 9.71
KNN 3.17 1.92 1.95 0.14 1.79
evading the defender’s installed intrusion detection systems in Grand Mean 9.63
a black-box setting.
Comparing Table 9 and Table 10, we can observe that the
adversarial instances generated by the attacker are, on average,
890 more efficient on his own models than on the models of the de- tection rate) by relying solely on the transferability property of
fender who uses different training data and hyper-parameters. It adversarial instances. Our proposed defense aims to negate the
can also be observed that intra-transferability has more impact910 effect of the transferability property by adding an adversarial
than cross-transferability. Even if this loss is not negligible, the detector to filter out adversarial instances, allowing the NIDS
results show good performance on average, both through intra- to process only clean traffic.
895 and cross-transferability. We first evaluate the performance of the proposed adversar-
The time taken to generate an adversarial instance for each ial detector and its sub-detectors by generating adversarial in-
of the botnet attacks and models is shown in Table 11. It seems915 stances based on the CTU-13 and CSE-CIC-IDS2018 datasets.
that MLP is, for each of the attacks, the algorithm that con- During this analysis, each sub-detector is evaluated as shown
sumes the most time to generate adversarial instances, followed in Figure 7. To measure this performance, various metrics are
900 by RF, which is an ensemble method. On the other hand, KNN used: recall as defined in Eq. 1; precision as defined in Eq. 2;
seems to be the fastest algorithm to generate adversarial in- and F1-score as defined in Eq. 3.
stances for the four botnet attacks, which would make it an in-920 As shown in Figure 11, we can see that the first two sub-
teresting option if a trade-off between efficiency and time had detectors are performing quite well, reaching more than 96%
to be made. for each metric for CTU-13 and 99% for CSE-CIC-IDS2018,
while the last one seems to be less efficient, with performances
905 4.3. Proposed Defense effectiveness around 70%. We can also observe that the final detector per-
As we discussed in section 4.2, the attacker is able to evade925 formance after Bayesian fusion provides good performances,
the defender’s NIDS with a high success rate (i.e., a low de-
13
 reaching 97% for CTU-13 and 100% for CSE-CIC-IDS2018.
The poorer performance of the third detector can be ex-
plained by the fact that it is trained with the group of non-
modifiable features. Since the value of these features does not970
930 change, it seems that the detector is not able to distinguish
adversarial instances from clean instances, thus behaving ran-
domly.
We also note that the fusion of the three detectors slightly
improved the overall performance of the proposed defense com-975
935 pared to the individual detectors. The inferior performance of
the third detector does not seem to diminish the performance of
the proposed defense due to the contextual discounting mecha-
nism, which allows the performance of each individual detector
to be taken into account during the fusion stage. 980
Figure 11: Performance of our proposed defense against adversarial traffic
100%
90%
80%
70%
60%
50%
40%
30%
tal adversarial botnet traffic sent by the attacker, thus protecting
the NIDS from getting evaded by these adversarial instances.
Table 12c represents the detection rate of the defender’s
NIDS protected by our proposed adversarial defense. In fact,
it shows the impact of adversarial instances that have made it
through our adversarial detector and reached the NIDS. It can
be seen from this table that NIDS has, on average, a detection
rate of 96.9% for any type of machine learning model used for
adversarial generation, across all botnet attacks.
These results indicate that NIDS seems to be significantly
more robust once the adversarial detection method is used, go-
ing from an average detection rate of 21.3% without defense, as
shown in Table 13a, to 96.9% when using the proposed adver-
sarial detector. This also shows that NIDS is hardly affected by
adversarial instances capable of passing the adversarial detec-
tor.
Table 12: Proposed adversarial defense effectiveness
(a) Detection rate of the defender MLP-based NIDS against adversarial instances without
adversarial defense
Defender using MLP-based NIDS without adversarial defense
Model\Botnet Neris Rbot Virut Zeus & Ares Mean
MLP 18% 1% 25% 0% 11%
Attacker

20%
RF 41% 18% 28% 50% 34%
10%
0% KNN 35% 2% 29% 50% 29%
Precision Recall F1-score Precision Recall F1-score Grand Mean 24.8%
CTU-13 CSE-CIC-IDS2018

Sub-detector 1 (modifiable features) Sub-detector 2 (dependent features) (b) Detection rate of our proposed adversarial defense

Sub-detector 3 (unmodifiable features) Proposed defense approach (fusion) Our proposed adversarial defense performance
Model\Botnet Neris Rbot Virut Zeus & Ares Mean
MLP 95% 99% 98% 100% 98%
Attacker

RF 88% 94% 91% 84% 89%

940 After confirming that our proposed adversarial detector works KNN 90% 99% 97% 86% 93%
as intended, we integrate it into our threat scenario. The at- Grand Mean 93.4%
tacker creates adversarial instances of the four adversarial bot-
net malware types, namely Neris, Rbot, Virut, and Zeus & Ares, (c) Detection rate of the defender MLP-based NIDS against adversarial instances with our
proposed adversarial defense
using the adversarial instance generation algorithm on three ML
945 model decision boundaries, namely MLP, RF, and KNN. The Defender using MLP-based IDS with our adversarial defense
defender, on the other hand, uses an MLP-based NIDS to detect Model\Botnet Neris Rbot Virut Zeus & Ares Mean
MLP 93% 97% 96% 100% 97%
Attacker

the malicious traffic. In this experiment, attacks are launched

RF 93% 98% 97% 100% 97%
twice: the first with the defender’s NIDS protected by our pro- KNN 94% 98% 97% 100% 97%
posed adversarial defense and the second without protection. Grand Mean 96.9%
950 This is done to evaluate the effect of using such a defense mech-
anism on the performance of the defender’s NIDS. The detec-
tion rate metric, also known as recall, is used to measure the
performance of the NIDS in identifying malicious and benign
4.4. Comparison with existing defensive strategies
traffic, but it is also used to assess the performance of the pro-
955 posed adversarial detector in identifying adversarial and clean Several countermeasures against the evasion attacks have
traffic. The results are presented in Table 12, consisting of three985 been proposed in the literature. However, many of them have
sub-tables: been shown to be ineffective. Therefore, we decided in this
Table 13a shows the performance results of the defender’s work to compare our proposed defense with adversarial train-
MLP-based NIDS against adversarial instances with no adver- ing, which is a state-of-the-art defense that has already demon-
960 sarial defense. As already shown in Table 10, we see that the strated its effectiveness. To prevent adversarial training from
attacker has successfully decreased the performance of the de-990 undermining the effectiveness of the IDS in its primary task, we
fender’s NIDS by dropping the average detection rate to 24.8%. implement this defense in an anomaly detection manner, hence
Table 12b reports the results regarding the ability of our the name adversarial training detection.
proposed adversarial defense to detect the adversarial instances Indeed, adversarial data may be detected by comparing the
965 generated by the attacker. It can be seen that, on average, the classification of two models: a baseline model trained solely on
proposed adversarial defense was able to detect 93.4% of the to-995 non-adversarial samples and a robust adversarial model trained

14
 on both non-adversarial and adversarial samples. When apply-
ing the two models to a sample, one may assume that if the
two models categorize it differently, the sample is adversarial.
In principle, if the provided sample is not adversarial, the base1035
1000 model and robust model should correctly identify it. If the sam-
ple is adversarial, the base model will categorize it wrong, but
the resilient model would classify it properly.
Adversarial training detection defense is built by training a
second defense-side MLP-based IDS on data sets with an equal1040
1005 mix of adversarial and non-adversarial samples. We then use
the same adversarial instances created by the attacker to attack
both models and record their predictions. We infer a final set of
predictions by comparing these two sets of predictions so as to
classify each instance as adversarial or non-adversarial. 1045
Table 13: Detection rate comparison between adversarial training detection and
our proposed adversarial defense
(a) Detection rate of our proposed adversarial defense
Our proposed adversarial defense performance
Model\Botnet Neris Rbot Virut Zeus & Ares
MLP 95% 99% 98% 100%
Attacker
ing valid adversarial network traffic by adding small perturba-
tions, thus evading NIDS protection with high probability while
maintaining the underlying logic of the botnet attack. To the
best of our knowledge, this is the first complete black-box bot-
net attack that proposes to evade NIDS by exploiting the trans-
ferability property, and without using any query method, with
very limited knowledge of the target NIDS, which acts on the
traffic space, while respecting the domain constraints.
The second component of the proposed framework is a re-
active defense that limits the impact of the proposed attack.
This defense, inspired by adversarial detection, capitalizes on
the fact that it does not change the initial performance of the
NIDS since it provides an additional layer of security indepen-
dent of the model. The proposed defense is considered mod-
ular because it uses an ensemble method called bagging yet
can use any type of machine learning algorithm. In addition to
this ensemble method, it also includes a contextual discounting
method that improves the overall performance of the defense.
1050 The results showed that the proposed defense is able to de-
Mean
98%
tect most adversarial botnet traffic, showing promising results

RF 88% 94% 91% 84% 89% with respect to state-of-the-art defenses. Since the proposed
KNN 90% 99% 97% 86% 93% framework is easily adaptable to other domains, evaluating its
Grand Mean 93.4% performance in other highly constrained domains would be an
1055 interesting future work.
(b) Detection rate of adversarial training detection

Adversarial training detection

Declaration of competing interest
Model\Botnet Neris Rbot Virut Zeus & Ares Mean
MLP 94% 98% 96% 100% 97%
Attacker

RF 87% 93% 90% 84% 89%

The authors declare that they have no known competing fi-
KNN 89% 98% 96% 86% 92% nancial interests or personal relationships that could have ap-
Grand Mean 92.6% peared to influence the work reported in this paper.

1060 CRediT authorship contribution statement

1010 In Table 13, we can see that the achieved results are decent
compared to the other state-of-the-art defenses. Our proposed
defense slightly outperforms adversarial training detection with
an average detection rate of 93.4% versus 92.6%.
Furthermore, compared to other state-of-the-art defenses,
1015 our proposed defense is considered a reactive defense, as it does1065
not change the overall performance of the defender’s NIDS or
general behavior. Therefore, this defense is a better choice
when it comes to preserving the general performance of the
model, which is not the case with adversarial training, for ex-
1020 ample, which reduces the performance of the underlying model.
1070
5. Conclusion
The potential of using NIDS based on machine learning al-
gorithms raises intriguing security issues. Indeed, despite their
impressive performance, these ML models are prone to various1075
1025 types of adversarial attacks, especially evasion attacks. Due to
their prevalence and feasibility among all adversarial attacks,
evasion attacks were considered in this paper to generate botnet
adversarial attacks capable of evading the intrusion detection1080
system.
1030 The proposed framework includes two main contributions.
The first is a realistic adversarial algorithm capable of generat-
Islam Debicha: Conceptualization, Software, Validation,
Methodology, Writing - Original Draft. Benjamin Cochez:
Software, Visualization, Writing - Original Draft. Tayeb Ke-
naza: Validation, Writing - Review & Editing, Supervision.
Thibault Debatty: Validation, Writing - Review & Editing,
Supervision. Jean-Michel Dricot: Validation, Writing - Re-
view & Editing, Supervision. Wim Mees: Funding acquisition,
Supervision.
References
[1] Y. Xin, L. Kong, Z. Liu, Y. Chen, Y. Li, H. Zhu, M. Gao, H. Hou,
C. Wang, Machine learning and deep learning methods for cybersecurity,
IEEE Access 6 (2018) 35365–35381.
[2] S. Mahdavifar, A. A. Ghorbani, Application of deep learning to cyberse-
curity: A survey, Neurocomputing 347 (2019) 149–176.
[3] G. Apruzzese, M. Colajanni, M. Marchetti, Evaluating the effectiveness
of adversarial attacks against botnet detectors, in: 2019 IEEE 18th In-
ternational Symposium on Network Computing and Applications (NCA),
IEEE, 2019, pp. 1–8.
[4] M. J. Hashemi, G. Cusack, E. Keller, Towards evaluation of nidss in ad-
versarial setting, in: Proceedings of the 3rd ACM CoNEXT Workshop on
Big DAta, Machine Learning and Artificial Intelligence for Data Com-
munication Networks, 2019, pp. 14–21.

15
 [5] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfel-
low, R. Fergus, Intriguing properties of neural networks, in: Y. Bengio,1155
1085 Y. LeCun (Eds.), 2nd International Conference on Learning Representa-
tions, ICLR 2014, Banff, AB, Canada, April 14-16, 2014, Conference
Track Proceedings, 2014.
[6] A. Kurakin, I. J. Goodfellow, S. Bengio, Adversarial examples in the
physical world, in: Artificial intelligence safety and security, Chapman1160
1090 and Hall/CRC, 2018, pp. 99–112.
[7] G. Apruzzese, M. Andreolini, L. Ferretti, M. Marchetti, M. Colajanni,
Modeling realistic adversarial attacks against network intrusion detection
systems, Digital Threats: Research and Practice (DTRAP) 3 (3) (2022)
1–19. 1165
1095 [8] D. J. Miller, Z. Xiang, G. Kesidis, Adversarial learning targeting deep
neural network classification: A comprehensive review of defenses
against attacks, Proceedings of the IEEE 108 (3) (2020) 402–433.
[9] J. Zhang, C. Li, Adversarial examples: Opportunities and challenges,
IEEE transactions on neural networks and learning systems 31 (7) (2019)1170
1100 2578–2593.
[10] S. Qiu, Q. Liu, S. Zhou, C. Wu, Review of artificial intelligence adversar-
ial attack and defense technologies, Applied Sciences 9 (5) (2019) 909.
[11] N. Martins, J. M. Cruz, T. Cruz, P. H. Abreu, Adversarial machine learn-
ing applied to intrusion and malware scenarios: a systematic review, IEEE1175
1105 Access 8 (2020) 35403–35419.
[12] J. Vitorino, N. Oliveira, I. Praça, Adaptative perturbation patterns: Re-
alistic adversarial learning for robust intrusion detection, Future Internet
14 (4) (2022) 108.
[13] A. McCarthy, E. Ghadafi, P. Andriotis, P. Legg, Functionality-preserving1180
1110 adversarial machine learning for robust classification in cybersecurity and
intrusion detection domains: A survey, Journal of Cybersecurity and Pri-
vacy 2 (1) (2022) 154–190.
[14] I. J. Goodfellow, J. Shlens, C. Szegedy, Explaining and harnessing adver-
sarial examples, in: Y. Bengio, Y. LeCun (Eds.), 3rd International Con-1185
1115 ference on Learning Representations, ICLR 2015, San Diego, CA, USA,
May 7-9, 2015, Conference Track Proceedings, 2015.
[15] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, A. Vladu, Towards deep
learning models resistant to adversarial attacks, in: 6th International
Conference on Learning Representations, ICLR 2018, Vancouver, BC,1190
1120 Canada, April 30 - May 3, 2018, Conference Track Proceedings, Open-
Review.net, 2018.
[16] N. Carlini, D. A. Wagner, Towards evaluating the robustness of neural
networks, in: 2017 IEEE Symposium on Security and Privacy, SP 2017,
San Jose, CA, USA, May 22-26, 2017, IEEE Computer Society, 2017,1195
1125 pp. 39–57.
[17] M. Pawlicki, M. Choras, R. Kozik, Defending network intrusion detection
systems against adversarial evasion attacks, Future Gener. Comput. Syst.
110 (2020) 148–154.
[18] I. Debicha, R. Bauwens, T. Debatty, J.-M. Dricot, T. Kenaza, W. Mees,1200
1130 Tad: Transfer learning-based multi-adversarial detection of evasion at-
tacks against network intrusion detection systems, Future Generation
Computer Systems 138 (2023) 185–197.
[19] M. A. Merzouk, F. Cuppens, N. Boulahia-Cuppens, R. Yaich, Investigat-
ing the practicality of adversarial evasion attacks on network intrusion1205
1135 detection, Annals of Telecommunications (2022) 1–13.
[20] G. Apruzzese, M. Andreolini, M. Marchetti, A. Venturi, M. Colajanni,
Deep reinforcement adversarial learning against botnet evasion attacks,
IEEE Transactions on Network and Service Management 17 (4) (2020)
1975–1987. 1210
1140 [21] C. Zhang, X. Costa-Pérez, P. Patras, Adversarial attacks against deep
learning-based network intrusion detection systems and defense mech-
anisms, IEEE/ACM Transactions on Networking.
[22] P.-Y. Chen, H. Zhang, Y. Sharma, J. Yi, C.-J. Hsieh, Zoo: Zeroth or-
der optimization based black-box attacks to deep neural networks without1215
1145 training substitute models, in: Proceedings of the 10th ACM workshop on
artificial intelligence and security, 2017, pp. 15–26.
[23] J. Zhang, Q. Yan, M. Wang, Evasion attacks based on wasserstein gener-
ative adversarial network, in: 2019 Computing, Communications and IoT
Applications (ComComAp), IEEE, 2019, pp. 454–459. 1220
1150 [24] Y. Ren, Q. Zhou, Z. Wang, T. Wu, G. Wu, K.-K. R. Choo, Query-efficient
label-only attacks against black-box machine learning models, Computers
& security 90 (2020) 101698.
[25] F. Boenisch, R. Munz, M. Tiepelt, S. Hanisch, C. Kuhn, P. Francis, Side-
16
channel attacks on query-based data anonymization, in: Proceedings of
the 2021 ACM SIGSAC Conference on Computer and Communications
Security, 2021, pp. 1254–1265.
[26] C. Zhang, X. Costa-Pérez, P. Patras, Tiki-taka: Attacking and defending
deep learning-based intrusion detection systems, in: Proceedings of the
2020 ACM SIGSAC Conference on Cloud Computing Security Work-
shop, 2020, pp. 27–39.
[27] I. Debicha, T. Debatty, J.-M. Dricot, W. Mees, T. Kenaza, Detect & re-
ject for transferability of black-box adversarial attacks against network
intrusion detection systems, in: International Conference on Advances in
Cyber Security, Springer, 2021, pp. 329–339.
[28] Y. Al-Hadhrami, F. K. Hussain, Real time dataset generation framework
for intrusion detection systems in iot, Future Generation Computer Sys-
tems 108 (2020) 414–423.
[29] M. Teuffenbach, E. Piatkowska, P. Smith, Subverting network intrusion
detection: Crafting adversarial examples accounting for domain-specific
constraints, in: International Cross-Domain Conference for Machine
Learning and Knowledge Extraction, Springer, 2020, pp. 301–320.
[30] D. Han, Z. Wang, Y. Zhong, W. Chen, J. Yang, S. Lu, X. Shi, X. Yin, Eval-
uating and improving adversarial robustness of machine learning-based
network intrusion detectors, IEEE Journal on Selected Areas in Commu-
nications 39 (8) (2021) 2632–2647.
[31] A. M. Sadeghzadeh, S. Shiravi, R. Jalili, Adversarial network traffic: To-
wards evaluating the robustness of deep-learning-based network traffic
classification, IEEE Transactions on Network and Service Management
18 (2) (2021) 1962–1976.
[32] J. Chen, X. Gao, R. Deng, Y. He, C. Fang, P. Cheng, Generating ad-
versarial examples against machine learning based intrusion detector in
industrial control systems, IEEE Transactions on Dependable and Secure
Computing.
[33] Z. Wang, Deep learning-based intrusion detection with adversaries, IEEE
Access 6 (2018) 38367–38384.
[34] K. Yang, J. Liu, C. Zhang, Y. Fang, Adversarial examples against the deep
learning based network intrusion detection systems, in: MILCOM 2018-
2018 ieee military communications conference (MILCOM), IEEE, 2018,
pp. 559–564.
[35] N. Martins, J. M. Cruz, T. Cruz, P. H. Abreu, Analyzing the footprint of
classifiers in adversarial denial of service contexts, in: EPIA Conference
on Artificial Intelligence, Springer, 2019, pp. 256–267.
[36] S. Moosavi-Dezfooli, A. Fawzi, P. Frossard, Deepfool: A simple and ac-
curate method to fool deep neural networks, in: 2016 IEEE Conference on
Computer Vision and Pattern Recognition, CVPR 2016, Las Vegas, NV,
USA, June 27-30, 2016, IEEE Computer Society, 2016, pp. 2574–2582.
[37] N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B. Celik, A. Swami,
The limitations of deep learning in adversarial settings, in: 2016 IEEE
European symposium on security and privacy (EuroS&P), IEEE, 2016,
pp. 372–387.
[38] I. Debicha, T. Debatty, J. Dricot, W. Mees, Adversarial training for deep
learning-based intrusion detection systems, in: ICONS 2021, The Six-
teenth International Conference on Systems, 2021, pp. 45–49.
[39] N. Papernot, P. D. McDaniel, X. Wu, S. Jha, A. Swami, Distillation as
a defense to adversarial perturbations against deep neural networks, in:
IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA,
May 22-26, 2016, IEEE Computer Society, 2016, pp. 582–597.
[40] G. Apruzzese, M. Andreolini, M. Colajanni, M. Marchetti, Hardening
random forest cyber detectors against adversarial attacks, IEEE Trans.
Emerg. Top. Comput. Intell. 4 (4) (2020) 427–439.
[41] N. Carlini, D. Wagner, Defensive distillation is not robust to adversarial
examples, arXiv preprint arXiv:1607.04311.
[42] F. Zhang, P. P. K. Chan, B. Biggio, D. S. Yeung, F. Roli, Adversarial fea-
ture selection against evasion attacks, IEEE Trans. Cybern. 46 (3) (2016)
766–777.
[43] C. Smutz, A. Stavrou, Malicious PDF detection using metadata and struc-
tural features, in: R. H. Zakon (Ed.), 28th Annual Computer Security Ap-
plications Conference, ACSAC 2012, Orlando, FL, USA, 3-7 December
2012, ACM, 2012, pp. 239–248.
[44] N. Carlini, D. A. Wagner, Adversarial examples are not easily detected:
Bypassing ten detection methods, in: B. M. Thuraisingham, B. Biggio,
D. M. Freeman, B. Miller, A. Sinha (Eds.), Proceedings of the 10th ACM
Workshop on Artificial Intelligence and Security, AISec@CCS 2017,
Dallas, TX, USA, November 3, 2017, ACM, 2017, pp. 3–14.
1225 [45] J. Lu, T. Issaranon, D. A. Forsyth, Safetynet: Detecting and rejecting ad- Islam Debicha received his master’s
versarial examples robustly, in: IEEE International Conference on Com- degree in Computer Science with a focus
puter Vision, ICCV 2017, Venice, Italy, October 22-29, 2017, IEEE Com- in network security in 2018. He is pur-
puter Society, 2017, pp. 446–454.
[46] D. J. Miller, Y. Wang, G. Kesidis, When not to classify: Anomaly detec- suing a joint Ph.D. in machine learning-
1230 tion of attacks (ADA) on DNN classifiers at test time, Neural Comput. based intrusion detection systems at ULB
31 (8) (2019) 1624–1670. and ERM, Brussels, Belgium. He works
[47] A. Venturi, G. Apruzzese, M. Andreolini, M. Colajanni, M. Marchetti, at ULB cybersecurity Research Center and
Drelab-deep reinforcement learning adversarial botnet: A benchmark
dataset for adversarial attacks against botnet intrusion detection systems, Cyber Defence Lab on evasion attacks against
1235 Data in Brief 34 (2021) 106631. machine learning-based intrusion detection
[48] M. Sarhan, S. Layeghy, M. Portmann, Towards a standard feature set for systems. He is the author or co-author of 6 peer-reviewed scien-
network intrusion detection system datasets, Mobile Networks and Ap-
tific publications. His research interests include defenses against
plications 27 (1) (2022) 357–370.
[49] A. Pektaş, T. Acarman, Effective feature selection for botnet detection adversarial examples, machine learning applications in cyberse-
1240 based on network flow analysis, in: International Conference Automatics curity, data fusion, and network security.
and Informatics, 2017, pp. 1–4.
[50] W. Zhijun, L. Wenjing, L. Liang, Y. Meng, Low-rate dos attacks, detec- Benjamin Cochez received his mas-
tion, defense, and challenges: A survey, IEEE access 8 (2020) 43920– ter’s degree in Cybersecurity from the Uni-
43943. versité Libre de Bruxelles (ULB). He works
1245 [51] G. Ziemba, D. Reed, P. Traina, Rfc1858: Security considerations for ip
fragment filtering (1995).
as a cybersecurity consultant for a consul-
[52] J.-l. Gailly, zlib: A massively spiffy yet delicately unobtrusive compres- tancy company based in Brussels, and his
sion library, http://www. zlib. net/. main areas of interest are cloud security,
[53] S. R. Zahra, M. A. Chishti, Packet header compression in the internet of endpoint security, machine learning and
1250 things, Procedia Computer Science 173 (2020) 64–69.
[54] S. Garcia, M. Grill, J. Stiborek, A. Zunino, An empirical comparison of adversarial learning.
botnet detection methods, computers & security 45 (2014) 100–123.
[55] I. Sharafaldin, A. H. Lashkari, A. A. Ghorbani, Toward generating a new
Tayeb Kenaza received a Ph.D. de-
intrusion detection dataset and intrusion traffic characterization, in: Pro-
1255 ceedings of the 4th International Conference on Information Systems Se- gree in computer science from Artois Uni-
curity and Privacy, ICISSP, 2018, pp. 108–116. versity, France, in 2011. Since 2017, he is
[56] A. Gharib, I. Sharafaldin, A. H. Lashkari, A. A. Ghorbani, An evaluation the Head of the Computer Security Labo-
framework for intrusion detection dataset, in: 2016 International Confer-
ence on Information Science and Security (ICISS), IEEE, 2016, pp. 1–6.
ratory at the Military Polytechnic School
1260 [57] M. Wang, Y. Lu, J. Qin, A dynamic mlp-based ddos attack detection of Algiers. He is currently a full professor
method using feature selection and feedback, Computers & Security 88 in Computer Science Department at the
(2020) 101645. same school. His research and publication
[58] E. Min, J. Long, Q. Liu, J. Cui, W. Chen, Tr-ids: Anomaly-based intrusion
detection through text-convolutional neural network and random forest,
interests include Computer Network Se-
1265 Security and Communication Networks 2018. curity, Wireless Communication Security, Intelligent Systems,
[59] R. Wazirali, An improved intrusion detection system based on knn hyper- and Data Mining.
parameter tuning and cross-validation, Arabian Journal for Science and
Engineering 45 (12) (2020) 10859–10873. Thibault Debatty obtained a master’s
[60] W. Xu, D. Evans, Y. Qi, Feature squeezing: Detecting adversarial exam- degree in applied engineering sciences at
1270 ples in deep neural networks, arXiv preprint arXiv:1704.01155. the Royal Military Academy (RMA) in Bel-
[61] K. Grosse, P. Manoharan, N. Papernot, M. Backes, P. McDaniel,
On the (statistical) detection of adversarial examples, arXiv preprint gium, followed by a master’s degree in
arXiv:1702.06280. applied computer science at the Vrije Uni-
[62] F. S. d. Lima Filho, F. A. Silveira, A. de Medeiros Brito Junior, G. Vargas- versiteit Brussel (VUB). Finally, he ob-
1275 Solar, L. F. Silveira, Smart detection: an online approach for dos/ddos at-
tained a Ph.D. with a specialization in dis-
tack detection using machine learning, Security and Communication Net-
works 2019. tributed computing at both Telecom Paris
[63] V. Kanimozhi, T. P. Jacob, Artificial intelligence based network intru- and the RMA. He is now an associate pro-
sion detection with hyper-parameter optimization tuning on the realis- fessor at the RMA, where he teaches courses in networking,
1280 tic cyber dataset cse-cic-ids2018 using cloud computing, in: 2019 inter-
national conference on communication and signal processing (ICCSP),
distributed information systems, and information security. He
IEEE, 2019, pp. 0033–0036. is also president of the jury of the Master of Science in Cyber-
[64] B. Nugraha, A. Nambiar, T. Bauschert, Performance evaluation of bot- security organized by the Université Libre de Bruxelles (ULB),
net detection using deep learning techniques, in: 2020 11th International the RMA, and four other institutions.
1285 Conference on Network of the Future (NoF), IEEE, 2020, pp. 141–149.

17
 Jean-Michel Dricot leads research on
network security with a specific focus on
the IoT and wireless networks. He teaches
communication networks, mobile networks,
the internet of things, and network secu-
rity. Prior to his tenure at the ULB, Jean-
Michel Dricot obtained a Ph.D. in network
engineering, with a focus on wireless sen-
sor network protocols and architectures.
In 2010, Jean-Michel Dricot was appointed professor at the
Université Libre de Bruxelles, with tenure in mobile and wire-
less networks. He is the author or co-author of more than 100+
papers published in peer-reviewed international Journals and
Conferences and served as a reviewer for European projects.
Wim Mees is Professor in computer
science and cyber security at the Royal
Military Academy and is leading the Cy-
ber Defence Lab. He is also teaching in
the Belgian inter-university Master in Cy-
bersecurity, and in the Master in Enter-
prise Architecture at the IC Institute. Wim
has participated in and coordinated numer-
ous national and European research projects
as well EDA and NATO projects and task groups.

18