Adversarial Black-Box Attacks in the Domain of Device Fingerprints

Abstract

Network security products incorporate many different tools in order to secure large networks. State-of-the-artproductsoftenutilizemachinelearninginordertoclassify devices connected to a network to assign them different levels of trust without the need for authentication. These zero-configuration security mechanisms work similarly to image classifying Deep Neural Networks and are of interest for big organizations where large amounts of devices come and go every day. However, solutions leveraging the power of machine learning also inherit its vulnerability to adversarial samples. Previous work has shown that even in query-limited blackbox scenarios, which is the most limiting for an attacker, image classifiers are vulnerable to adversarial attacks that make use of specially crafted input vectors [24]. This study shows that known attack techniques against image classifiers can be successfully reapplied to classifiers in the domain of device fingerprints in computer networks. We provide proof of concept that previously discovered adversarial sampling techniques are applicable in the domain of device fingerprints by attacking a well known commercial classifier. We show that across ten different devices on average 9.9% of the adversarial samples were successfully misclassified by the classifier. The most prominent of those devices had 36% of its adversarial samplesmisclassified. Theseresultspointtotheneedformoresophisticatedtraining algorithmsaswellastheimportanceofnotbuildingsolutionsthatbuildsontrusting device- or user-supplied data.