Robustifying ML-Powered Network Classifiers with PANTS

This post from the Princeton Laboratory for Artificial Intelligence Research Blog details a novel method called PANTS, designed to enhance the robustness of Machine Learning (ML)-powered network classifiers against adversarial attacks. Machine learning is crucial for modern network management, enabling tasks like efficient resource allocation and threat detection by analyzing traffic patterns. However, these ML models are vulnerable to adversarial attacks, where malicious actors manipulate network traffic (e.g., packet sequences) to trick the classifier, potentially leading to network outages, performance degradation, or security breaches. The research highlights that research-grade network classifiers can be significantly vulnerable, with a reported 70.33% susceptibility to synthetically generated adversarial inputs. PANTS addresses this by leveraging network semantics to reduce the adversarial input space and combines Symbolic Reasoning with AML techniques, making robust training tractable.

What is Special About PANTS?

Traditional Adversarial Machine Learning (AML) methods face challenges in network environments due to the vastness of possible adversarial packet sequence spaces. PANTS overcomes this by incorporating network semantics to constrain the adversarial input space. It integrates an AML component (a white-box generator) with an SMT (Satisfiability Modulo Theories) solver. The AML component creates adversarial packet sequences, while the SMT solver refines them to be realizable and compliant with network rules and threat models. This process is embedded within an interactive training loop to strengthen the classifier.

Evaluation Highlights:

Superior Adversarial Sample Generation: PANTS outperforms baseline methods like Amoeba and BAP in generating adversarial samples, demonstrating a higher Attack Success Rate (ASR) and providing a more reliable assessment of classifier robustness.
Robustness Without Accuracy Loss: The iterative augmentation process using PANTS improves classifier robustness without negatively impacting its accuracy, unlike some other robustification methods.
Cross-Threat Model Robustness: PANTS enhances classifier robustness even against threat models not explicitly used during training, showing resilience against novel attack variations.

Conclusion:

PANTS is presented as a valuable tool for network operators to debug and enhance ML-powered network classifiers, contributing to more trustworthy AI-powered networking applications. The work has been accepted by Usenix Security '25, with paper and code available for review.