AttackNet V2.2: Detection & Evasion
- The paper presents AttackNet V2.2 as a composite system integrating SDN-based volumetric attack detection with adversarial machine-learning evaluation.
- It employs per-flow telemetry, K-Means clustering, and thresholding to identify and isolate distributed high-volume IPv4 attacks.
- The framework combines simulation via Mininet and GAN-augmented intrusion detection to assess and mitigate evolving network threats.
Searching arXiv for the specified papers to ground the article in published sources. AttackNet V2.2 denotes a synthesized technical concept for network-attack detection, simulation, and adversarial evaluation that is strongly guided by two distinct lines of work on SDN-based Layer 3 volumetric attack detection in simulated networks and adversarial attacks against machine-learning intrusion detectors (Rutishauser, 2018, Piplai et al., 2020). In this framing, AttackNet V2.2 is not a standalone canonical system described in a single paper; rather, it is a composite design perspective centered on two complementary capabilities: first, detecting and mitigating distributed high-volume IPv4 attacks from per-flow OpenFlow statistics, and second, constructing adversarial feature-space attacks against learned intrusion classifiers. The resulting concept spans traffic telemetry, streaming analytics, clustering, thresholding, GAN-augmented classification, and gradient-based evasion.
1. Conceptual scope and threat models
AttackNet V2.2 can be defined, in the narrowest sense supported by the source material, as a system for detecting and/or simulating L3 volumetric network attacks while also serving as a framework for adversarial stress-testing machine-learning-based intrusion detection (Rutishauser, 2018, Piplai et al., 2020). The two source papers operate at different layers of abstraction. “Simulation for L3 Volumetric Attack Detection” focuses on Layer 3 denial-of-service and distributed denial-of-service scenarios in which many sources send high-volume IPv4 traffic toward a target server, and detection is performed from per-flow packet and byte counts gathered via an SDN controller (Rutishauser, 2018). “NAttack! Adversarial Attacks to bypass a GAN based classifier trained to detect Network intrusion” addresses a different problem: whether a neural intrusion detector trained with GAN-generated adversarial data can still be bypassed by gradient-based perturbations in normalized feature space (Piplai et al., 2020).
The volumetric-attack threat model is explicit. Attacks are modeled as high-volume IPv4 flows directed at a server, with distributed sources and rates that can be varied so as to push aggregate target traffic above a configured threshold (Rutishauser, 2018). The adversary is therefore assumed to possess the ability to generate sufficient aggregate traffic and to do so from many sources. The paper also delineates attacks that are not addressed in the prototype. TCP flood attacks would require TCP flag analysis, and amplification attacks based on spoofing are only discussed as a possible edge-validation extension rather than implemented functionality (Rutishauser, 2018).
The adversarial-machine-learning threat model is effectively white-box. The attack mechanism uses gradients of classifier loss with respect to input features, and its objective is to transform samples labeled as attack into samples predicted as non-attack (Piplai et al., 2020). Perturbations are bounded and small in normalized feature space, but the attack remains highly effective: with all features available for modification, the reported attack success rate is 96%, and it remains 41% even when the top three most significant features are not perturbed (Piplai et al., 2020). This suggests that AttackNet V2.2, construed as a combined architecture, encompasses both operational traffic-side threats and model-space evasive threats.
2. SDN simulation architecture and network environment
The SDN-side architecture is implemented as a prototype module for the Floodlight controller and tested on Mininet using Open vSwitch and a remote controller on a single physical machine running Ubuntu 14.04 with an i5 CPU and 16 GB RAM (Rutishauser, 2018). The simulated network contains a connected graph of core switches arranged in an orthogonal grid, edge switches attached to the perimeter, and server and user hosts connected to the edge layer. One host is designated as the server and runs a simple HTTP service via python -m SimpleHTTPServer 80 &, while user and attacker hosts generate traffic through curl-loader (Rutishauser, 2018).
The topology is parameterized by an core grid. The number of edge switches is $2N + 2M - 4$, and if each edge switch attaches to hosts, the total number of hosts is (Rutishauser, 2018). The paper provides a concrete example with a core grid, 10 edge switches, and 30 hosts when (Rutishauser, 2018). The core is effectively a connected Manhattan-style grid with multiple shortest paths between many pairs of edge switches, an important property because routing is computed by shortest path rather than by load-sensitive optimization.
Legitimate traffic and malicious traffic are deliberately generated with different rate distributions. Legitimate client behavior is designed to approximate a triangular distribution of rates, with rates derived from host positions in a arrangement and inter-request delays controlled through TIMER_AFTER_URL_SLEEP in curl-loader configurations (Rutishauser, 2018). Malicious traffic is instead produced with a uniform distribution of rates, making attackers more homogeneous and therefore more distinguishable under the prototype’s clustering assumptions (Rutishauser, 2018). The attack scenario is therefore defined both by volume and by source similarity.
A practical constraint of the experimental platform is that commands issued from the Mininet Python script run only for approximately 60 seconds before the host stops, so all tests are limited to exactly 1 minute (Rutishauser, 2018). This limitation is central to interpreting the prototype: the paper presents an architectural demonstration rather than a long-horizon empirical evaluation.
3. Telemetry, feature extraction, and routing logic
The Floodlight module provides four coupled functions: flow-path computation, flow-rule installation, statistics collection, and analytics for clustering and detection (Rutishauser, 2018). The controller registers a PACKET_IN listener, handles IPv4 and ARP packets, computes routes, and installs OpenFlow rules. Routing is based on Dijkstra’s shortest-path algorithm over a graph whose vertices are switches and hosts and whose edges are the network links (Rutishauser, 2018). Edge weights are not parameterized by capacity or load; the effective objective is minimum hop count.
Flow rules are L3-based, matching on EtherType and IPv4 source and destination. At the source edge switch, rules direct packets toward the core uplink; at core switches, rules depend on destination IP and collectively form a routing tree per destination; at the destination edge switch, rules output traffic toward the destination host (Rutishauser, 2018). For each new pair, the controller installs both directions together along with ARP handling. The “best flow” in the paper therefore means the shortest path under this hop-count metric (Rutishauser, 2018).
The telemetry model is per-flow. Edge switches are periodically polled with FlowStatsRequest, and for each flow entry the collector extracts total packet count, total byte count, and matched source and destination IP addresses before invoking addRate(swid, src, dst, pcts, bytes) (Rutishauser, 2018). For a flow at poll time $2N + 2M - 4$0, the available statistics are the total number of packets $2N + 2M - 4$1 and total number of bytes $2N + 2M - 4$2 (Rutishauser, 2018). From successive polls at times $2N + 2M - 4$3 and $2N + 2M - 4$4, the analytics processor computes interval deltas and implicitly the corresponding per-second rates: $2N + 2M - 4$5
$2N + 2M - 4$6
$2N + 2M - 4$7
with $2N + 2M - 4$8 (Rutishauser, 2018).
The implemented feature vector is four-dimensional and directional. The code constructs 3 which corresponds to
$2N + 2M - 4$9
for a source 0 relative to server 1 at time 2 (Rutishauser, 2018). The upward direction denotes client-to-server traffic and the downward direction server-to-client traffic. Detection of distributed attacks is not done solely at the per-flow level; traffic is also aggregated by destination IP: 3 and this aggregate target rate is compared with a predefined threshold (Rutishauser, 2018).
The paper also discusses more elaborate session-oriented attributes such as start time, average idle time, last slope, average slope, maximal slope, average rate, and maximal rate, but these are explicitly future work and are not implemented in the prototype (Rutishauser, 2018). A plausible implication is that AttackNet V2.2, when interpreted as an extensible platform, would preserve the implemented four-dimensional rate features as a core telemetry layer while treating richer temporal descriptors as optional extensions rather than established components.
4. Detection methodology and mitigation workflow
The detection pipeline combines thresholding with unsupervised clustering (Rutishauser, 2018). On each polling interval, the controller updates per-flow and per-source statistics, builds a dataset of source feature vectors, runs K-Means clustering, and makes detection and mitigation decisions in near-real time (Rutishauser, 2018). The Java-ML library is used, and the prototype hard-codes 4 clusters: 4 (Rutishauser, 2018).
The operative assumption is that legitimate traffic is more dispersed, whereas malicious traffic generated by a relatively homogeneous group of attacking hosts forms tighter, lower-variance clusters (Rutishauser, 2018). This motivates a two-stage decision logic. First, aggregate traffic to a target is measured; if the volume exceeds a predefined target threshold, that destination is marked as under attack. Second, the clustered sources associated with that target are inspected for high mean traffic and low variance, and suspicious clusters are selected for mitigation (Rutishauser, 2018). The paper does not provide an explicit formal classifier, but it describes precisely this threshold-plus-clustering heuristic.
The mitigation pathway is implemented through topology modification and rule rewriting. When an attack is detected, the Floodlight module issues a mitigation request via MySQL, and a Mininet-side worker thread polling the database every 5 seconds adds a scrubber switch, creates links between the scrubber and the affected edge switch using TCLink with bw=0.1 and max_queue_size=1000, and restarts the Mininet network (Rutishauser, 2018). Floodlight listens for the appearance of the new switch and then rewrites flow rules so that suspicious traffic is detoured through the scrubber (Rutishauser, 2018). In the simulation, the scrubber acts by throttling or dropping malicious traffic through the constrained link characteristics.
This mitigation design is closely integrated with SDN control. Detection is not a passive reporting function but part of a control loop in which telemetry leads to clustering, clustering leads to suspicious-source identification, and the controller then changes forwarding behavior (Rutishauser, 2018). The paper emphasizes that in a real deployment statistics could be written to a database with fields timestamp, source IP, destination IP, number of packets, number of bytes, and aggregation by target IP could be performed through MapReduce or Spark (Rutishauser, 2018). This suggests an AttackNet V2.2 architecture in which telemetry collection, analytics, and actuation remain logically coupled even if physically distributed.
5. Adversarial machine-learning dimension
The second research line associated with AttackNet V2.2 concerns adversarial attacks against an intrusion detector trained with GAN-generated data (Piplai et al., 2020). The paper uses the IEEE BigData 2019 Cup “Suspicious Network Event Recognition” dataset. After merging primitive alert fields with localized alerts through alert_id, each event becomes a 26-dimensional feature vector,
5
with features normalized approximately to the range 6 (Piplai et al., 2020). The binary label is derived from the notified field: 0 corresponds to non-attack and 1 to attack (Piplai et al., 2020).
The GAN-based classifier comprises a generator and a discriminator-classifier. The generator is a 4-layer fully connected network with layer sizes 7, producing candidate forged attack samples in the 26-dimensional feature space (Piplai et al., 2020). The discriminator-classifier is a 5-layer fully connected network with layer sizes 8, trained with sigmoid cross-entropy and used as the final IDS classifier (Piplai et al., 2020). The generator is optimized to produce attack-class examples that the discriminator predicts as non-attack, while the discriminator is trained to classify real non-attack as class 0, real attack as class 1, and generated adversarial samples as class 1 (Piplai et al., 2020).
The source paper reports the following class-wise performance for the GAN-augmented classifier:
| Dataset setting | Class | Precision / Recall / F-1 |
|---|---|---|
| 500k splits | Non-Attack | 97 / 98 / 98 |
| 500k splits | Attack | 89 / 91 / 90 |
| Entire 6M dataset | Non-Attack | 98 / 96 / 97 |
| Entire 6M dataset | Attack | 85 / 92 / 88 |
These results indicate strong clean-data classification performance, especially given the class imbalance noted in the paper (Piplai et al., 2020). The same paper then demonstrates that such performance does not imply robustness.
The attack mechanism is iterative FGSM applied to attack samples with the target label set to non-attack. For input 9, the perturbation is
0
and the sample is updated as
1
with 2, repeated for 500 iterations (Piplai et al., 2020). The maximum per-feature change after 500 iterations is therefore approximately 0.0025 (Piplai et al., 2020). Attack success rate is defined as the fraction of attacked malicious samples whose predicted label changes from attack to non-attack (Piplai et al., 2020).
The reported attack success rates are as follows:
| Candidate features | Attack success rate (%) |
|---|---|
| All features present | 96 |
| Most significant feature not used | 72 |
| Top 2 features not used | 60 |
| Top 3 features not used | 41 |
The paper also introduces feature masking based on gradient magnitude. The most significant features are identified from the 26-dimensional gradient vector, and perturbations on selected features are zeroed out to simulate operational constraints or defender monitoring of critical fields (Piplai et al., 2020). This is important for any AttackNet V2.2 interpretation because it shifts the discussion from unconstrained feature-space perturbation to partially constrained adversarial manipulation. The fact that substantial success remains under masking suggests that the classifier’s decision boundary depends on multiple manipulable directions rather than a single dominant feature.
6. Synthesis, limitations, and interpretive boundaries
Taken together, the two papers imply a bifurcated but coherent conception of AttackNet V2.2. One branch is an SDN-centric L3 volumetric attack detection and mitigation pipeline built on OpenFlow telemetry, Dijkstra routing, per-flow and per-target rate analysis, K-Means clustering, and scrubber-based mitigation (Rutishauser, 2018). The other branch is an adversarial-evaluation framework for learned IDS models, centered on 26-dimensional normalized feature vectors, GAN-augmented training, and iterative FGSM evasion (Piplai et al., 2020). The unifying theme is not a single implementation artifact but a shared emphasis on attack analytics, network telemetry or features, and closed-loop response or evaluation.
Several limitations are explicit and materially constrain what can be claimed. The SDN prototype does not provide full quantitative detection metrics such as precision, recall, false-positive rate, ROC curves, or latency benchmarks (Rutishauser, 2018). The authors state that “The prototype does not simulate and detect real DDoS attacks” and reserve creation of a dedicated lab implementation for future work (Rutishauser, 2018). The attack traffic model is stylized, legitimate traffic is approximately triangular while malicious traffic is uniform, and the runtime is restricted to one minute because of Mininet behavior (Rutishauser, 2018). Any inference that the system is production-grade would therefore exceed the evidence.
The adversarial-ML study also has clear scope limits. It assumes white-box access to gradients, operates in normalized feature space rather than directly on wire-level traffic, and does not fully enforce protocol semantics for perturbed samples (Piplai et al., 2020). Feature masking partially addresses manipulability, but the paper does not demonstrate a full inverse mapping from perturbed vectors to realizable packet streams (Piplai et al., 2020). Thus, the results establish vulnerability of the learned classifier under feature-space adversarial optimization, not guaranteed deployable end-to-end traffic crafting.
A common misconception would be to treat AttackNet V2.2 as a formally published unified framework. The source material does not support that characterization. A more precise statement is that AttackNet V2.2 is a convenient editorial label for a composite design space whose factual grounding lies in two separate studies with distinct objectives (Rutishauser, 2018, Piplai et al., 2020). Another misconception would be to assume that adversarially enriched training by itself guarantees robustness. The reported 96% attack success rate against the GAN-trained IDS directly contradicts that assumption (Piplai et al., 2020). Conversely, it would also be inaccurate to treat the SDN clustering prototype as a mature empirical benchmark; it is primarily architectural and exploratory (Rutishauser, 2018).
Within those bounds, the composite picture is technically clear. AttackNet V2.2 can be understood as an architecture in which SDN provides observability and traffic control, per-flow statistics provide low-level evidence, multidimensional rate features support unsupervised grouping of suspicious sources, thresholds identify overloaded targets, and mitigation is enacted through flow-rule changes and scrubber detours (Rutishauser, 2018). In parallel, machine-learning-based IDS components can be evaluated against GAN-generated and gradient-based adversarial inputs, with feature-importance masking used to examine constrained evasion pathways (Piplai et al., 2020). This suggests a broader research program in which detection, mitigation, and adversarial robustness are treated as coupled rather than isolated problems.