  • Robustifying ML-powered Network Classifiers with PANTS

    By Minhao Jin and Maria Apostolaki

    Background

    Machine learning is invaluable for managing computer networks (e.g., enterprise networks or data centers), enabling pattern recognition in traffic that facilitates efficient resource allocation and accurate detection of network threats. However, its vulnerability to adversarial attacks poses significant risks. Imagine an attacker manipulating traffic (i.e., packet sequences) to deceive an ML-powered network classifier, leading to outages, degraded performance, or even a security breach. Our paper, Robustifying ML-powered Network Classifiers with PANTS, demonstrates that research-grade network classifiers are 70.33% vulnerable to our synthetically generated adversarial inputs. Beyond identifying this threat and offering specific adversarial examples for the network operator to investigate, we also introduce a novel iterative augmentation training process that can enhance the robustness of ML-powered network classifiers.

    What is special about PANTS?

    At first glance, canonical adversarial ML (AML)—i.e., methods that generate images that would be misclassified by a target classifier and use them to retrain it—should work. However, blindly applying AML to network environments poses seemingly insurmountable challenges. Indeed, the space of possible adversarial packet sequences as generated by typical AML methods is vast, making robust model training appear impossible. PANTS addresses this challenge by leveraging a key insight: the adversarial input space can be effectively reduced without sacrificing security by incorporating network semantics. By combining symbolic reasoning (which encodes network semantics) with AML techniques (which guide the search using backpropagation), PANTS constrains the space of adversarial packet sequences to only those that are realizable, making the problem tractable.

    More concretely, PANTS incorporates a novel adversarial input generation process into a fine-tuning process, as illustrated in Fig. 1. The generation process consists of an AML component and an SMT solver, working in an iterative manner. The AML component is a white-box generator that perturbs the original packet sequence to maximize its distance from the original decision boundaries of the target classifier, thereby creating an adversarial packet sequence. The SMT solver then refines this sequence, ensuring it does not deviate too far from the AML’s output while remaining consistent with logic constraints that encode the threat model, network semantics, and networking rules. This generative process is integrated into an interactive training loop that strengthens the target classifier.

    Figure 1: A high-level overview of PANTS’ workflow. PANTS generates adversarial inputs that are also used to iteratively train the target classifiers. PANTS receives the implementation of a classifier together with a training dataset and a couple of rules that constrain the generated inputs. At its core, PANTS features an AML component that collaborates with an SMT solver.

    Evaluation

    PANTS is 70%-2x more likely to find adversarial samples compared to the baselines. 

    We compare PANTS with state-of-the-art adversarial generation solutions, namely Amoeba (black-box RL-based technique) and BAP (white-box gradient-based technique), in their ability to generate adversarial flows under two threat models corresponding to on-path and end-host attackers against three applications and report the Attack Success Rate (ASR). PANTS clearly outperforms baselines in all cases. This is critical because it shows that PANTS can provide a more reliable assessment of the robustness of the various classifiers. 

    Figure 2: The attack success rate (ASR) of PANTS, Amoeba and BAP for various ML models, applications and threat models. PANTS has a much higher ASR compared to Amoeba and BAP, demonstrating its ability to effectively generate adversarial samples, which can be used for debugging, fine-tuning, and robustness assessment.

    Iterative augmentation with adversarial, realizable, and semantics-preserving samples improves the robustness of an ML-based networking classifier without hurting its accuracy.

    We compare PANTS’ iterative augmentation with other robustification approaches in Fig. 3. Unlike authentic adversarial training (star), which hurts model accuracy, PANTS (cross) can robustify the classifier without sacrificing its accuracy.

    Figure 3: The accuracy and ASR for the vanilla and robustified models using different ways of robustification. PANTS-robustified models are robust against both PANTS and Amoeba without sacrificing model accuracy.

    PANTS can improve the robustness of classifiers even against threat models outside those used during robustification. Fig. 4 shows the ASR for two classifiers against various threat models before and after robustification. The notation w (b) refers to the white-box (black-box) attacker, while (α, β, γ, δ) represents an attacker who can delay packets by at most α%, append payload to at most β% of packets, inject at most γ packets, and split at most δ% of packets. The threat model used during robustification is (20, 20, 20, 0). PANTS is able to improve the robustness of models even against strictly stronger attackers (e.g., w(40, 40, 40, 40)).
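To make the refinement step and the (α, β) part of the threat-model budget concrete, here is an added example that is not PANTS code: a greedy clipping projection stands in for the SMT solver, and a checker lists the constraints a candidate flow breaks before it is used for augmentation. Assumptions: α bounds the total added delay as a percentage of the original flow duration, β bounds the share of padded packets, packets may not exceed a 1500-byte MTU, and injection and splitting are left out; the flows are constructed sample data.

```python
MTU = 1500  # assumed maximum packet size in bytes (not from the page)
# Constructed sample flow: (inter_arrival_ms, size_bytes) per packet
ORIG = [(0.0, 60), (10.0, 1400), (20.0, 200), (5.0, 60), (15.0, 900)]
# Constructed stand-in for an unconstrained AML perturbation of ORIG
AML_OUT = [(3.0, 40.2), (25.0, 1600.0), (18.0, 950.7), (9.0, 60.0), (15.0, 900.0)]

def project(orig, proposed, alpha, beta):
    """Clip a perturbation to the assumed (alpha, beta) budget, staying near it."""
    n = len(orig)
    # Delay: a packet can only be held back, never sent earlier.
    extra = [max(0.0, p[0] - o[0]) for o, p in zip(orig, proposed)]
    budget = alpha / 100 * sum(o[0] for o in orig)
    if sum(extra) > budget:
        scale = budget / sum(extra)
        extra = [e * scale for e in extra]
    # Padding: payload can only be appended, and only up to the MTU.
    pad = [max(0, min(MTU, round(p[1])) - o[1]) for o, p in zip(orig, proposed)]
    # Keep the largest pads, on at most beta% of the packets.
    keep = set(sorted(range(n), key=lambda i: -pad[i])[: int(n * beta / 100)])
    return [(o[0] + extra[i], o[1] + (pad[i] if i in keep else 0))
            for i, o in enumerate(orig)]

def violations(orig, adv, alpha, beta):
    """Return the constraints that adv breaks relative to orig."""
    if len(adv) != len(orig):
        return ["packet count changed (inject/split not modelled here)"]
    out = []
    extra = [a[0] - o[0] for o, a in zip(orig, adv)]
    if any(e < -1e-9 for e in extra):
        out.append("packet sent earlier than original")
    if sum(extra) > alpha / 100 * sum(o[0] for o in orig) + 1e-9:
        out.append("delay budget exceeded")
    if any(a[1] < o[1] for o, a in zip(orig, adv)):
        out.append("payload shrunk")
    if any(a[1] > MTU for a in adv):
        out.append("packet larger than MTU")
    if sum(a[1] > o[1] for o, a in zip(orig, adv)) > int(len(orig) * beta / 100):
        out.append("too many packets padded")
    return out
```

With α = β = 20, the raw perturbation breaks all five constraints, while the projected flow breaks none and keeps only the single largest pad.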

    Conclusion

    We developed PANTS to assist network operators in debugging and enhancing their ML-powered network classifiers. This work brings us one step closer to our broader vision of making ML-powered networking applications more trustworthy, ultimately enabling the networking field to fully leverage the benefits of machine learning. 

    This work has been accepted at USENIX Security '25. Please read the paper (https://arxiv.org/abs/2409.04691) and check out the code (https://github.com/jinminhao/PANTS/). We look forward to your feedback!