2025
Conference Paper
Title
FASER-IN: Evasion of Network Intrusion Detection Systems in Industrial Networks
Abstract
Industrial Control Systems (ICS) are critical to infrastructure sectors such as energy, manufacturing, and transportation. Network Intrusion Detection Systems (NIDS) are one of the primary security measures used in ICS. Commercial NIDS for ICS use proprietary methods to detect attacks, and little research has been performed so far on their efficacy and resilience against manipulation.
In this work, we systematically analyze a common NIDS product for ICS. We identify how attacks and anomalies are detected by the NIDS, and systematically investigate whether an attacker could avoid detection via evasion attacks. We design and implement a Framework for Adversarial Spoofing and Evasion of Rule-based ICS-NIDS (FASER-IN), which allows us to conduct evasion attacks, and test this against the NIDS. FASER-IN includes four main stages: dataset generation, surrogate model generation, adversarial example generation, and evasion attack execution. We execute the evasion attack by sending the adversarial examples crafted using our novel algorithm, AutoSpoofing, to both the surrogate model and the NIDS. We observe the Attack Success Rate for the surrogate model and the NIDS to be 69.57% and 56.52%, respectively, highlighting the efficacy of the AutoSpoofing attack. Our work emphasizes the need for more robust intrusion detection mechanisms in ICS network security.
Author(s)