Mehrdad Hajizadeh and Pegah Golchin, Technische Universität Chemnitz; Ehsan Nowroozi, Centre for Sustainable Cyber Security (CS2), University of Greenwich; Maria Rigaki, Veronica Valeros, and Sebastian García, Czech Technical University in Prague; Mauro Conti, University of Padua; Thomas Bauschert, Technische Universität Chemnitz
Emerging studies demonstrate that machine learning (ML) has the potential to improve the detection capabilities of network intrusion detection systems (NIDS) against evolving cyber threats. However, recent adversarial ML (AML) studies have revealed critical ML vulnerabilities. This paper presents innovative multistage red-teaming techniques to evaluate the robustness of ML-NIDS in real-world adversarial settings. Although extensive research has been conducted in this area, existing studies have critical shortcomings: (1) relying on unrealistic threat models, (2) focusing on traffic flow perturbation for evasion while neglecting that malicious activity occurs at the packet level, and (3) failing to preserve attack functionality after perturbation.
Guided by offensive security principles, we present DeepRed, an ML-powered Command and Control (C2) framework designed to evade targeted ML-NIDS while maintaining a stealthy post-exploitation communication channel. DeepRed leverages Generative Adversarial Networks (GANs) to generate adversarial examples that comply with TCP/IP constraints and are realizable as packet-level perturbations. We further propose two novel attack strategies, Single-Packet Single-Feature (SPSF) and Single-Feature Perturbation (SFP), to achieve evasion under highly constrained conditions with minimal perturbation. To enable robust evaluation, we built a comprehensive ML-NIDS benchmarking dataset containing benign and malicious traffic from our red-team exercises. Additionally, we introduce pipeline-independent adversarial testing to evaluate state-of-the-art models, such as FlowTransformer and SSCL-IDS, across varying features, training data, and preprocessing pipelines—while preserving attack functionality. Results demonstrate that DeepRed can reduce detection rates by up to 20%, highlighting the framework’s ability to bypass ML-NIDS while maintaining operational integrity.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Mehrdad Hajizadeh and Pegah Golchin and Ehsan Nowroozi and Maria Rigaki and Veronica Valeros and Sebastian Garc{\'\i}a and Mauro Conti and Thomas Bauschert},
title = {{DeepRed}: A Deep {Learning{\textendash}Powered} Command and Control Framework for {Multi-Stage} Red Teaming Against {ML-based} Network Intrusion Detection Systems},
booktitle = {19th USENIX WOOT Conference on Offensive Technologies (WOOT 25)},
year = {2025},
isbn = {978-1-939133-50-2},
address = {Seattle, WA},
pages = {103--127},
url = {https://www.usenix.org/conference/woot25/presentation/hajizadeh},
publisher = {USENIX Association},
month = aug
}
