Machine learning offers significant potential for enhancing cybersecurity defenses against evolving threats. A major obstacle is the scarcity of realistic cyberattack datasets. Privacy and security concerns limit the sharing of real-world organizational data, resulting in datasets often based on limited simulations or red-blue team exercises. These simulations lack the diversity and realism required to effectively train machine learning models for comprehensive threat detection. To address this, generative models, particularly GANs, are proposed as a method for automatically generating diverse and realistic attack data without compromising operational environments. GANs have shown success in various domains, including image and text generation, raising interest in their application to cybersecurity. However, questions remain about the realism of GAN-generated cyberattack data and the accuracy of deep learning models trained on this synthetic data in detecting real-world attacks. This paper aims to provide a comprehensive review of GANs in generating cyberattack data, comparing generative and discriminative models, detailing GAN architecture and training, reviewing methods for generating synthetic cyberattack data using GANs, and analyzing the value of synthetic attack data through experiments with the NSL-KDD dataset.

The paper begins by differentiating between generative and discriminative models. Generative models learn the underlying data distribution, allowing them to generate new data samples. Discriminative models focus on learning the decision boundary between classes, making them suitable for classification tasks but incapable of data generation. The paper then provides an overview of GANs, highlighting their architecture (generator and discriminator networks) and training process (a minimax game where the generator aims to fool the discriminator into classifying generated data as real). Different techniques and frameworks for data generation using GANs are discussed, including DCGAN for image generation, CGANs (conditional GANs) for improving data quality by incorporating labels, LAPGAN (Laplacian pyramid GAN) for high-resolution image generation, PGGAN (progressive growing GAN) for improved training stability, StackGAN for text-to-image synthesis, and InfoGAN for interpretable representation learning. The review also covers methods for generating tabular data, such as the use of Cramer GANs for airline passenger name record generation and Table-GANs for synthesizing fake tables.

The paper's methodology involves a comprehensive literature review of existing works on GANs and their applications in cybersecurity. This review covers various GAN architectures and their suitability for different data types (images, tabular data). A key part of the methodology is the experimental analysis using the NSL-KDD dataset. This dataset is used to assess the quality of GAN-generated DoS attack data. The authors identify features characteristic of DoS attacks within the NSL-KDD dataset and perform a statistical analysis to establish baseline distributions and correlations. A conditional GAN model is trained to generate synthetic DoS attack data. The quality of this synthetic data is evaluated using multiple approaches: (1) a white-box model (feedforward neural network) trained on the NSL-KDD dataset is used to classify the GAN-generated data; (2) an anomaly detector model, trained only on normal data, is used to identify deviations from normal behavior in the GAN-generated data; and (3) a statistical comparison is made between the distributions and correlations of features in the GAN-generated data and the original NSL-KDD data. The authors also analyze the performance of classifiers trained on the original NSL-KDD data when tested against a mixture of real and GAN-generated data.

The literature review reveals a wide range of GAN-based techniques for synthetic data generation across various domains. The application of GANs to cybersecurity, particularly for generating synthetic attack data, is extensively discussed. The experimental analysis using the NSL-KDD dataset and a conditional GAN model to generate synthetic DoS attack data reveals that while the GAN can generate data that deviates from normal traffic, it doesn't accurately reproduce the characteristics of real DoS attacks. The GAN-generated data, though classified as non-normal by trained models, lacks the essential feature correlations of genuine DoS attacks, suggesting it primarily represents noise rather than a novel or unseen attack. The white-box model, trained on real data, correctly identifies the synthetic data as not belonging to the normal class, but it doesn't classify them as DoS attacks. The anomaly detector also correctly identifies the deviations from normal behavior in the synthetic data. The quantitative analysis of feature distributions and correlations shows significant discrepancies between the generated and real DoS data.

The findings suggest that while GANs show promise in augmenting cybersecurity datasets, their ability to accurately capture the complex characteristics of real-world cyberattacks remains limited. The generated DoS attack data, although different from normal traffic, didn't match the expected characteristics of real DoS attacks, highlighting a potential limitation of current GAN architectures in modeling complex attack behaviors. The study underscores the importance of not solely relying on the 'not normal' classification of synthetic data as a measure of its quality. Future research should focus on improving the fidelity of GAN-generated data by incorporating more sophisticated models capable of capturing intricate temporal and spatial dependencies within attack sequences, and by using more comprehensive cybersecurity datasets with a wider variety of attack vectors. The use of LLMs to generate attack scenarios in conjunction with GANs could also be a promising avenue for future research.

This review demonstrates GANs' potential for generating synthetic attack data in cybersecurity, addressing data scarcity issues. However, the accuracy and realism of GAN-generated data need improvement, especially for complex attacks. The study highlights the need for more sophisticated models and datasets to accurately capture real-world attack dynamics. Future research should focus on integrating LLMs and GANs, exploring novel architectures, and addressing the ethical and privacy considerations related to synthetic data usage in cybersecurity.

The study focuses primarily on DoS attacks using the NSL-KDD dataset, which might not fully represent the diversity of real-world cyberattacks. The analysis is limited to specific GAN models and evaluation metrics, and other models might yield different results. The NSL-KDD dataset, while widely used, has known limitations and might not perfectly capture the characteristics of modern cyberattacks.