Towards targeted and universal adversarial attacks against network traffic classification

Abstract

With the continuous advancement of technology, deep learning has become the mainstream method in the field of network traffic classification, demonstrating excellent classification performance. However, due to the inherent vulnerability of deep learning models, they also face the threat of adversarial attacks. Currently, adversarial attack techniques for network traffic classification only remain at the level of untargeted attacks, and most of them are attack methods based on specific perturbation. These methods have high time overhead, high sample dependency, and are unable to perform targeted attacks on target categories, which poses significant limitations in practical applications. To this end, this article proposes a targeted and universal adversarial attack method against network traffic classification. It iteratively trains to minimize the distance between network traffic and the target category feature domain, thereby generating the universal perturbation vector for the target category. This maximizes the prediction probability of the model output target category, allowing the classifier to incorrectly predict any non-target category network traffic as the specified target category. Meanwhile, this article uses dynamic masking and modular operations to generate adversarial network traffic, ensuring the data reversibility and transferability of network traffic packets during adversarial attacks. Finally, this article selected three standard network traffic datasets with different classification tasks, CICIoT2023, ISCX2016, and USTC-TFC2016, as well as four mainstream network traffic classification models such as LeNet5, for experiments, and built the adversarial attack testing platform in the real network environment. The results show that the proposed method effectively implements targeted and universal adversarial attacks against network traffic classification on three datasets and four classification models, with the average attack success rate of over 56 % and the single attack time of 1–3 ms, greatly improving the application scope and practical value of adversarial attack techniques in the field of network traffic classification.