# Adversarial Attack Generator

Based on: https://github.com/Trusted-AI/adversarial-robustness-toolbox/wiki/Get-Started#setup </p>
- Docs: https://adversarial-robustness-toolbox.readthedocs.io/en/latest/index.html


---

## Import Data

In [18]:
# # load data
# import pandas as pd

# # load dataset
# df = pd.read_csv('../data/preprocessed/binary_min_max_combined.csv')
# df.shape
# df.head()

Unnamed: 0,Destination Port,Flow Duration,Total Fwd Packets,Total Backward Packets,Total Length of Fwd Packets,Total Length of Bwd Packets,Fwd Packet Length Max,Fwd Packet Length Min,Fwd Packet Length Mean,Fwd Packet Length Std,...,min_seg_size_forward,Active Mean,Active Std,Active Max,Active Min,Idle Mean,Idle Std,Idle Max,Idle Min,Label
0,0.837186,1.333333e-07,5e-06,0.0,9.302326e-07,0.0,0.000242,0.002581,0.00101,0.0,...,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0
1,0.84007,1.016667e-06,0.0,3e-06,4.651163e-07,9.153974e-09,0.000242,0.002581,0.00101,0.0,...,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0
2,0.840085,5.416666e-07,0.0,3e-06,4.651163e-07,9.153974e-09,0.000242,0.002581,0.00101,0.0,...,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0
3,0.705516,3.916666e-07,0.0,3e-06,4.651163e-07,9.153974e-09,0.000242,0.002581,0.00101,0.0,...,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0
4,0.837156,1.333333e-07,5e-06,0.0,9.302326e-07,0.0,0.000242,0.002581,0.00101,0.0,...,1.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0


In [24]:
# # create smaller dataset
# small_df = df.sample(frac=0.0003, random_state=10)
# small_df.shape

(848, 71)

In [26]:
# # split data
# from sklearn.model_selection import train_test_split

# X = small_df.drop(columns=[' Label'])
# y = small_df[' Label']

# y = pd.get_dummies(y)
# y.columns = ["BENIGN", "MALICIOUS"]
# print(y[:2])

# X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.25, random_state=42)
# print(X_train.shape, X_test.shape)

         BENIGN  MALICIOUS
468003    False       True
1239319    True      False
(636, 70) (212, 70)


---

## Load Data Split

In [20]:
import pandas as pd

X_train = pd.read_csv("../CICIDS2017/train_test_split/X_train_proto.csv")
X_test = pd.read_csv("../CICIDS2017/train_test_split/X_test_proto.csv")
y_train = pd.read_csv("../CICIDS2017/train_test_split/y_train_proto.csv")
y_test = pd.read_csv("../CICIDS2017/train_test_split/y_test_proto.csv")

print(X_train.shape, X_test.shape, y_train.shape, y_test.shape)

(8000, 70) (2000, 70) (8000, 2) (2000, 2)


## Import Model

In [21]:
# load model
from tensorflow import keras

model = keras.models.load_model('../CICIDS2017/models/ids_dnn.keras')
model.summary()

## Convert Model

In [22]:
# convert model to ART -> needed for adversarial attacks
from art.estimators.classification import TensorFlowV2Classifier
import tensorflow as tf

# Define loss function
loss_object = keras.losses.BinaryCrossentropy()
optimizer = keras.optimizers.Adam(learning_rate=0.001)
input_dim = X_train.shape[1] 

@tf.function
def custom_train_step(model, x_batch, y_batch):
    with tf.GradientTape() as tape:
        predictions = model(x_batch, training=True)
        loss = loss_object(y_batch, predictions)
    
    # Compute and apply gradients
    gradients = tape.gradient(loss, model.trainable_variables)
    optimizer.apply_gradients(zip(gradients, model.trainable_variables))
    
    return loss

# KerasClassifier uses tf.keras.backend.placeholder, which has been removed in TensorFlow 2.10+.so we need to use TensorFlowV2Classifier
classifier = TensorFlowV2Classifier(
    model=model,
    nb_classes=2,  # Binary classification (0 or 1)
    input_shape=(input_dim,),  # Input shape
    clip_values=(0, 1), # because of the min-max normalization
    optimizer=optimizer, 
    loss_object=loss_object,
    train_step=custom_train_step  # Use default training function
)

# print accuracy
from sklearn.metrics import classification_report, accuracy_score

y_pred = classifier.predict(X_test)
y_pred = (y_pred > 0.5)

print(classification_report(y_test, y_pred, target_names=['BENIGN', 'ATTACK']))
print(f"Accuracy : {accuracy_score(y_test, y_pred)*100:.2f}%")

              precision    recall  f1-score   support

      BENIGN       0.99      0.99      0.99      1619
      ATTACK       0.94      0.97      0.95       381

   micro avg       0.98      0.98      0.98      2000
   macro avg       0.97      0.98      0.97      2000
weighted avg       0.98      0.98      0.98      2000
 samples avg       0.98      0.98      0.98      2000

Accuracy : 98.20%


## Generate Attacks

In [23]:
# convert to numpy -> needed for adversarial attacks
X_test_np = X_test.to_numpy()

### Carlini & Wagner Attack - White Box

In [9]:
# from art.attacks.evasion import CarliniL2Method

# # Create the C&W attack (non-targeted)
# attack_cw = CarliniL2Method(classifier=classifier, confidence=0.0, targeted=False)

# # Generate adversarial examples on the test set
# X_test_adv_cw = attack_cw.generate(x=X_test_np)
# print(f'Adversarial C&W examples generated. Shape: {X_test_adv_cw.shape}')

C&W L_2:   0%|          | 0/500 [00:00<?, ?it/s]

Adversarial examples generated. Shape: (500, 70)


### FGSM Attack - White Box

In [24]:
from art.attacks.evasion import FastGradientMethod

# Create FGSM attack
attack_fgsm = FastGradientMethod(estimator=classifier, eps=0.5)  # ε tune this for stronger/weaker attacks: 0.01 weak, 0.1 balanced, 0.3-0.5 strong, 1 very strong
# the higher the epsilon, the easier it will be detected

# Generate adversarial examples
X_test_adv_fgsm = attack_fgsm.generate(x=X_test_np)
print(f'Adversarial FGSM examples generated. Shape: {X_test_adv_fgsm.shape}')

Adversarial FGSM examples generated. Shape: (2000, 70)


### HopSkipJumpAttack - Black Box

In [25]:
from art.attacks.evasion import HopSkipJump
import numpy as np

# Create HopSkipJump attack
attack_hop_skip_jump = HopSkipJump(classifier=classifier, targeted=False, norm=2)

# create target labels: [1, 0]
target_labels = np.ones((X_test_np.shape[0], 2))
target_labels[:, 0] = 1
target_labels[:, 1] = 0
print(target_labels[:2])


# Generate adversarial examples
X_test_adv_hop_skip_jump = attack_hop_skip_jump.generate(x=X_test_np)
print(f'Adversarial HopSkipJump examples generated. Shape: {X_test_adv_hop_skip_jump.shape}')

[[1. 0.]
 [1. 0.]]


HopSkipJump:   0%|          | 0/2000 [00:00<?, ?it/s]

Adversarial HopSkipJump examples generated. Shape: (2000, 70)


## Evaluate Attacks

In [8]:
# check for negative values in attacks
print(np.any(X_test_adv_fgsm < 0))
print(np.any(X_test_adv_hop_skip_jump < 0))

False
False


In [26]:
# Evaluate the model on adversarial examples
loss, accuracy = model.evaluate(X_test_np, y_test)
print(f'Accuracy on clean examples: {accuracy * 100:.2f}%')

#loss_adv, accuracy_adv = model.evaluate(X_test_adv_cw, y_test)
#print(f'Accuracy on c&w attack: {accuracy_adv * 100:.2f}%')

loss_adv_fgsm, accuracy_adv_fgsm = model.evaluate(X_test_adv_fgsm, y_test)
print(f'Accuracy on fgsm attack: {accuracy_adv_fgsm * 100:.2f}%')

loss_adv_hop_skip_jump, accuracy_adv_hop_skip_jump = model.evaluate(X_test_adv_hop_skip_jump, y_test)
print(f'Accuracy on hop skip jump attack: {accuracy_adv_hop_skip_jump * 100:.2f}%')

[1m63/63[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 1ms/step - accuracy: 0.9798 - loss: 0.0483 
Accuracy on clean examples: 98.20%
[1m63/63[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 1ms/step - accuracy: 0.7691 - loss: 377.8260  
Accuracy on fgsm attack: 76.55%
[1m63/63[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 1ms/step - accuracy: 0.8243 - loss: 0.8233
Accuracy on hop skip jump attack: 80.95%


In [27]:
from sklearn.metrics import classification_report

y_pred = model.predict(X_test)
y_pred = (y_pred > 0.5)
#y_pred_adv_cw = model.predict(X_test_adv_cw)
#y_pred_adv_cw = (y_pred_adv_cw > 0.5)
y_pred_adv_fgsm = model.predict(X_test_adv_fgsm)
y_pred_adv_fgsm = (y_pred_adv_fgsm > 0.5)
y_pred_adv_hop_skip_jump = model.predict(X_test_adv_hop_skip_jump)
y_pred_adv_hop_skip_jump = (y_pred_adv_hop_skip_jump > 0.5)

print("Normal Classification Report:")
print(classification_report(y_test, y_pred, target_names=['BENIGN', 'ATTACK']))
#print("C&W Classification Report:")
#print(classification_report(y_test, y_pred_adv_cw, target_names=['BENIGN', 'ATTACK']))
print("FGSM Classification Report:")
print(classification_report(y_test, y_pred_adv_fgsm, target_names=['BENIGN', 'ATTACK']))
print("Hop Skip Jump Classification Report:")
print(classification_report(y_test, y_pred_adv_hop_skip_jump, target_names=['BENIGN', 'ATTACK']))

[1m63/63[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 2ms/step
[1m63/63[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 910us/step
[1m63/63[0m [32m━━━━━━━━━━━━━━━━━━━━[0m[37m[0m [1m0s[0m 792us/step
Normal Classification Report:
              precision    recall  f1-score   support

      BENIGN       0.99      0.99      0.99      1619
      ATTACK       0.94      0.97      0.95       381

   micro avg       0.98      0.98      0.98      2000
   macro avg       0.97      0.98      0.97      2000
weighted avg       0.98      0.98      0.98      2000
 samples avg       0.98      0.98      0.98      2000

FGSM Classification Report:
              precision    recall  f1-score   support

      BENIGN       0.80      0.94      0.87      1619
      ATTACK       0.08      0.02      0.04       381

   micro avg       0.77      0.77      0.77      2000
   macro avg       0.44      0.48      0.45      2000
weighted avg       0.67      0.77      0.71      2000
 samples avg

  _warn_prf(average, modifier, f"{metric.capitalize()} is", len(result))


In [29]:
# show accuracy, precision, recall, f1-score
from sklearn.metrics import accuracy_score, precision_score, recall_score, f1_score
import numpy as np

# convert to binary 
y_test_binary = np.array(y_test).argmin(axis=1)
y_pred_binary = np.array(y_pred).argmin(axis=1)
y_pred_adv_fgsm_binary = np.array(y_pred_adv_fgsm).argmin(axis=1)
y_pred_adv_hop_skip_jump_binary = np.array(y_pred_adv_hop_skip_jump).argmin(axis=1)
y_pred_hop_skip_jump_binary = np.array(y_pred_adv_hop_skip_jump).argmin(axis=1)

print("Normal:")
print(f"Accuracy: {accuracy_score(y_test_binary, y_pred_binary)*100:.2f}%")
print(f"Precision: {precision_score(y_test_binary, y_pred_binary)*100:.2f}%")
print(f"Recall: {recall_score(y_test_binary, y_pred_binary)*100:.2f}%")
print(f"F1-Score: {f1_score(y_test_binary, y_pred_binary)*100:.2f}%")

print("FGSM:")
print(f"Accuracy: {accuracy_score(y_test_binary, y_pred_adv_fgsm_binary)*100:.2f}%")
print(f"Precision: {precision_score(y_test_binary, y_pred_adv_fgsm_binary)*100:.2f}%")
print(f"Recall: {recall_score(y_test_binary, y_pred_adv_fgsm_binary)*100:.2f}%")
print(f"F1-Score: {f1_score(y_test_binary, y_pred_adv_fgsm_binary)*100:.2f}%")

print("Hop Skip Jump:")
print(f"Accuracy: {accuracy_score(y_test_binary, y_pred_adv_hop_skip_jump_binary)*100:.2f}%")
print(f"Precision: {precision_score(y_test_binary, y_pred_adv_hop_skip_jump_binary)*100:.2f}%")
print(f"Recall: {recall_score(y_test_binary, y_pred_adv_hop_skip_jump_binary)*100:.2f}%")
print(f"F1-Score: {f1_score(y_test_binary, y_pred_adv_hop_skip_jump_binary)*100:.2f}%")

Normal:
Accuracy: 98.20%
Precision: 99.19%
Recall: 98.58%
F1-Score: 98.88%
FGSM:
Accuracy: 76.55%
Precision: 80.36%
Recall: 94.01%
F1-Score: 86.65%
Hop Skip Jump:
Accuracy: 80.95%
Precision: 80.95%
Recall: 100.00%
F1-Score: 89.47%


## Compare Data

In [30]:
#adv_cw_df = pd.DataFrame(X_test_adv_cw)
# set column names
#adv_cw_df.columns = X_test.columns
#print(adv_cw_df.head(2))

adv_fgsm_df = pd.DataFrame(X_test_adv_fgsm)
# set column names
adv_fgsm_df.columns = X_test.columns
print(adv_fgsm_df.head(2))

adv_hop_skip_jump_df = pd.DataFrame(X_test_adv_hop_skip_jump)
# set column names
adv_hop_skip_jump_df.columns = X_test.columns
print(adv_hop_skip_jump_df.head(2))

norm_df = pd.DataFrame(X_test_np)
print(norm_df.head(2))

    Destination Port   Flow Duration   Total Fwd Packets  \
0           0.085107             0.0                 0.0   
1           0.501221             0.0                 0.0   

    Total Backward Packets  Total Length of Fwd Packets  \
0                      0.0                          0.0   
1                      0.0                          0.5   

    Total Length of Bwd Packets   Fwd Packet Length Max  \
0                           0.0                0.500242   
1                           0.5                0.500000   

    Fwd Packet Length Min   Fwd Packet Length Mean   Fwd Packet Length Std  \
0                0.502581                  0.50101                     0.5   
1                0.500000                  0.50000                     0.5   

   ...   act_data_pkt_fwd   min_seg_size_forward  Active Mean   Active Std  \
0  ...                0.0                    1.0          0.0          0.0   
1  ...                0.0                    0.5          0.5          0

## Store Adversarial Instances

In [31]:
# store the adversarial examples
#adv_cw_df.to_csv("../CICIDS2017/adversarial_samples/X_test_small_adv_cw.csv", index=False)
adv_fgsm_df.to_csv("../CICIDS2017/adversarial_samples/X_test_adv_fgsm_proto.csv", index=False)
adv_hop_skip_jump_df.to_csv("../CICIDS2017/adversarial_samples/X_test_adv_hsj_proto.csv", index=False)