Poisoning Attacks on Federated Le Learning-based In Intrusion - - PowerPoint PPT Presentation

▶

Jan 07, 2023 163 likes •511 views

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

SLIDE 1 Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System

SLIDE 2

Typical IoT Devices

SLIDE 3

IoT

The S stands for Security

SLIDE 4 Source: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Mirai: Largest Disruptive Cyberattack in History

4 More than 145,000 infected devices Peak bandwidth

f 1156 Gbps

SLIDE 5 Source: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Mirai: Largest Disruptive Cyberattack in History

4 More than 145,000 infected devices Peak bandwidth

f 1156 Gbps

SLIDE 6 Client 5

Federated Learning

Aggregator Client Client

SLIDE 7 Client 5

Federated Learning

Aggregator Client Client

SLIDE 8 Client 5

Federated Learning

Aggregator Client Client

SLIDE 9 Client 5

Federated Learning

Aggregator Client Client

SLIDE 10

Advantages of Federated Learning

Allows all participants to profit from all data
Privacy Preserving

▪ E.g.: Don’t reveal network traffic

Distributing computation load to clients

SLIDE 11 SGW 7

IoT NIDS

Nguyen et.al., ICDCS 2019 SGW SGW Aggregator SGW: Security Gateway (e.g., Local WiFi router)

SLIDE 12 SGW 7

IoT NIDS

Nguyen et.al., ICDCS 2019 SGW SGW Aggregator SGW: Security Gateway (e.g., Local WiFi router)

SLIDE 13 SGW 7

IoT NIDS

Nguyen et.al., ICDCS 2019 SGW SGW Aggregator SGW: Security Gateway (e.g., Local WiFi router)

SLIDE 14 SGW 7

IoT NIDS

Nguyen et.al., ICDCS 2019 SGW SGW Aggregator SGW: Security Gateway (e.g., Local WiFi router)

SLIDE 15

Examples of Backdoor Attacks: Adversary Chosen Label

IoT malware detection Inject malicious traffic, e.g., use compromised IoT devices Word prediction Select end words, e.g., ”buy phone from Google” Image classification Change labels, e.g.,

Speed limit signs from

30kph to 80kph Our new Attack 8

SLIDE 16 Client 9

Backdoor Attacks on FL

Nguyen et.al., ICDCS 2019 Aggregator Client Client

1. Manipulate training data
2. Manipulate local models

SLIDE 17 Client 9 Nguyen et.al., ICDCS 2019 Aggregator Client Client Attack Strategies:

1. Manipulate training data
2. Manipulate local models

Backdoor Attacks on FL

SLIDE 18

Our Threat Model

10 Attack Goal:

Inject Backdoor

Attacker’s Capabilities:

Full knowledge about the targeted system
Fully control some IoT devices

Attacker cannot:

Control Security Gateways
Control devices in < 50% of all networks

SLIDE 19

Our Approach – High Level Idea

Challenge: Prevent detection of data poisoning
Only few attack data

→ Gateway will not detect it → Still include malware traffic in training data → Neural Network learns to predict malware behavior

Use compromised IoT devices

SLIDE 20 Aggregator 12

Our Approach

1. SGW SGW SGW: Security Gateway (e.g., Local WiFi router) SGW 2.

1. Compromise IoT Devices
2. Inject Malicious Data

SLIDE 21 Aggregator 12

Our Approach

1. SGW SGW SGW: Security Gateway (e.g., Local WiFi router) SGW 2.

1. Compromise IoT Devices
2. Inject Malicious Data

SLIDE 22 Aggregator 12

Our Approach

1. SGW SGW SGW: Security Gateway (e.g., Local WiFi router) SGW 2.

1. Compromise IoT Devices
2. Inject Malicious Data

SLIDE 23 Aggregator 12

Our Approach

1. SGW SGW SGW: Security Gateway (e.g., Local WiFi router) SGW 2.

1. Compromise IoT Devices
2. Inject Malicious Data

SLIDE 24

Experimental Setup

3 Real – World Datasets [1, 2]
Consisting of traffic from 46 IoT devices
Different stages of Mirai: infection, scanning, different DDoS attacks
Distributed data to 100 clients

▪

Approx. 2h of traffic

13 [1] Nguyen et.al., ICDCS 2019 [2] Sivanathan et.al., IEEE Transactions on Mobile Computing 2018

SLIDE 25

Attack Parameters

Poisoned Model Rate (PMR)

▪ Indicates percentage of poisoned local models

E.g., ratio of networks, containing compromised IoT devices
Poisoned Data Rate (PDR)

▪ Indicates ratio between poisoned and benign data

E.g., ratio between malware and benign network traffic

SLIDE 26

Evaluation Metrics

Backdoor Accuracy (BA)

▪ E.g., alerts, raised on malware traffic ▪ 100 % BA → No Alert for malware traffic

Main task Accuracy (MA)

▪ E.g., accuracy on benign network traffic ▪ 100 % MA → No alert for benign traffic

SLIDE 27

Experimental Results

Malware traffic not detected for PDR of

36.7% ( ± 6.5%) PDR: Poisoned Data Rate

SLIDE 28

Experimental Results

Malware traffic not detected for PDR of

36.7% ( ± 6.5%)

Attack successful for low number of

compromised networks ▪ BA 100% for PMR 25% and PDR 20% ▪ Higher PMRs are successful for lower PDRS ▪ Lower PMRs require higher PDRs ▪ PMR 5% is too low PDR: Poisoned Data Rate PMR: Poisoned Model Rate

SLIDE 29 Illustration for PDR = 30%

Experimental Results – Clustering Defense

Calculates pairwise Euclidean Distances
Apply Clustering on them

Mechanism: Experimental Results

BA 100%
Attack effective for PDR ≤ 20%

SLIDE 30 Illustration for PDR = 20%

Experimental Results – Clustering Defense

Calculates pairwise Euclidean Distances
Apply Clustering on them

Mechanism: Experimental Results

BA 100%
Attack effective for PDR ≤ 20%

SLIDE 31

Experimental Results – Differential Privacy Defense

Not effective for PDR >= 15%
BA 100%
MA reduced significantly
Restricts Euclidean distance of local models
Adds gaussian noise

Mechanism: Experimental Results

SLIDE 32

➢ Introduced novel backdoor attack vector

➢ Requires only control of few IoT devices ➢ Inject Malware Traffic Stealthily

➢ Evaluated on 3 real – world datasets ➢ Bypasses current defenses

Conclusion

SLIDE 33

Improve IDS
Filter poisoned data on clients
Defense against these poisoning attacks

Future Research Direction