Zhang Mengdi,Sun Jun,Wang Jingyi

DOI: https://doi.org/10.1007/s10515-022-00338-w

IF: 1.677

2022-01-01

Automated Software Engineering

Abstract:Neural networks are getting increasingly popular thanks to their exceptional performance in solving many real-world problems. At the same time, they are shown to be vulnerable to attacks, difficult to debug and subject to fairness issues. To improve people’s trust in the technology, it is often necessary to provide some human-understandable explanation of neural networks’ decisions, e.g., why is that my loan application is rejected whereas hers is approved? That is, the stakeholder would be interested to minimize the chances of not being able to explain the decision consistently and would like to know how often and how easy it is to explain the decisions of a neural network before it is deployed. In this work, we provide two measurements on the decision explainability of neural networks. Afterwards, we develop algorithms for evaluating the measurements of user-provided neural networks automatically. We evaluate our approach on multiple neural network models trained on benchmark datasets. The results show that existing neural networks’ decisions often have low explainability according to our measurements. This is in line with the observation that adversarial samples can be easily generated through adversarial perturbation, which are often hard to explain. Our further experiments show that the decisions of the models trained with robust training are not necessarily easier to explain, whereas decisions of the models retrained with samples generated by our algorithms are easier to explain.

Yiwen Wang,Lei Xu,Wanli Liu,Rongzhen Li,Junjie Gu

DOI: https://doi.org/10.1007/s11277-023-10472-7

IF: 2.017

2023-01-01

Wireless Personal Communications

Abstract:People often use similar methods to invade network traffic, such as flood attacks and Ddos attacks. Early detection of malicious traffic usually uses manual filtering to establish a whitelist, and then uses some artificial intelligence to simply measure some characteristic parameters. The high predictive performance of artificial intelligence will inevitably introduce unknowable decision process into network intrusion detection. When it is applied to the extremely important network environment, human’s doubt on its black box effect will hinder its advancement. Here, we make a propose to come up with a network traffic intrusion detection method (XAI-IDS) on account of interpretable artificial intelligence to detect malicious traffic intrusion in networks. XAI-IDS analyzes network traffic data to predict whether the traffic is malicious intrusion.

Maonan Wang,Kangfeng Zheng,Yanqing Yang,Xiujuan Wang

DOI: https://doi.org/10.1109/access.2020.2988359

IF: 3.9

2020-01-01

IEEE Access

Abstract:In recent years, machine learning-based intrusion detection systems (IDSs) have proven to be effective; especially, deep neural networks improve the detection rates of intrusion detection models. However, as models become more and more complex, people can hardly get the explanations behind their decisions. At the same time, most of the works about model interpretation focuses on other fields like computer vision, natural language processing, and biology. This leads to the fact that in practical use, cybersecurity experts can hardly optimize their decisions according to the judgments of the model. To solve these issues, a framework is proposed in this paper to give an explanation for IDSs. This framework uses SHapley Additive exPlanations (SHAP), and combines local and global explanations to improve the interpretation of IDSs. The local explanations give the reasons why the model makes certain decisions on the specific input. The global explanations give the important features extracted from IDSs, present the relationships between the feature values and different types of attacks. At the same time, the interpretations between two different classifiers, one-vs-all classifier and multiclass classifier, are compared. NSL-KDD dataset is used to test the feasibility of the framework. The framework proposed in this paper leads to improve the transparency of any IDS, and helps the cybersecurity staff have a better understanding of IDSs' judgments. Furthermore, the different interpretations between different kinds of classifiers can also help security experts better design the structures of the IDSs. More importantly, this work is unique in the intrusion detection field, presenting the first use of the SHAP method to give explanations for IDSs.

computer science, information systems,telecommunications,engineering, electrical & electronic

Diogo Gaspar,Paulo Silva,Catarina Silva

DOI: https://doi.org/10.1109/access.2024.3368377

IF: 3.9

2024-03-02

IEEE Access

Abstract:Machine learning-based systems have presented increasing learning performance, in a wide variety of tasks. However, the problem with some state-of-the-art models is their lack of transparency, trustworthiness, and explainability. To address this problem, eXplainable Artificial Intelligence (XAI) appeared. It is a research field that aims to make black-box models more understandable to humans. The research on this topic has increased in recent years, and many methods, such as LIME (Local Interpretable Model-Agnostic Explanations) and SHAP (SHapley Additive exPlanations) have been proposed. Machine learning-based Intrusion Detection Systems (IDS) are one of the many application domains of XAI. However, most of the works about model interpretation focus on other fields, like computer vision, natural language processing, biology, healthcare, etc. This poses a challenge for cybersecurity professionals tasked with analyzing IDS results, thereby impeding their capacity to make informed decisions. In an attempt to address this problem, we have selected two XAI methods, LIME, and SHAP. Using the methods, we have retrieved explanations for the results of a black-box model, part of an IDS solution that performs intrusion detection on IoT devices, increasing its interpretability. In order to validate the explanations, we carried out a perturbation analysis where we tried to obtain a different classification based on the features present in the explanations. With the explanations and the perturbation analysis we were able to draw conclusions about the negative impact of particular features on the model results when present in the input data, making it easier for cybersecurity experts when analyzing the model results and it serves as an aid to the continuous improvement the model. The perturbations also serve as a comparison of performance between LIME and SHAP. To evaluate the degree of interpretability increase, and the explanations provided by each XAI method of the model and directly compare the XAI methods, we have performed a survey analysis.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shraddha Mane,Dattaraj Rao

DOI: https://doi.org/10.48550/arXiv.2103.07110

2021-03-12

Abstract:Cybersecurity is a domain where the data distribution is constantly changing with attackers exploring newer patterns to attack cyber infrastructure. Intrusion detection system is one of the important layers in cyber safety in today's world. Machine learning based network intrusion detection systems started showing effective results in recent years. With deep learning models, detection rates of network intrusion detection system are improved. More accurate the model, more the complexity and hence less the interpretability. Deep neural networks are complex and hard to interpret which makes difficult to use them in production as reasons behind their decisions are unknown. In this paper, we have used deep neural network for network intrusion detection and also proposed explainable AI framework to add transparency at every stage of machine learning pipeline. This is done by leveraging Explainable AI algorithms which focus on making ML models less of black boxes by providing explanations as to why a prediction is made. Explanations give us measurable factors as to what features influence the prediction of a cyberattack and to what degree. These explanations are generated from SHAP, LIME, Contrastive Explanations Method, ProtoDash and Boolean Decision Rules via Column Generation. We apply these approaches to NSL KDD dataset for intrusion detection system and demonstrate results.

Cryptography and Security,Artificial Intelligence

Pap M. Corea,Yongxin Liu,Jian Wang,Shuteng Niu,Houbing Song

2024-07-03

Abstract:Explainable Artificial Intelligence (XAI) has become a widely discussed topic, the related technologies facilitate better understanding of conventional black-box models like Random Forest, Neural Networks and etc. However, domain-specific applications of XAI are still insufficient. To fill this gap, this research analyzes various machine learning models to the tasks of binary and multi-class classification for intrusion detection from network traffic on the same dataset using occlusion sensitivity. The models evaluated include Linear Regression, Logistic Regression, Linear Support Vector Machine (SVM), K-Nearest Neighbors (KNN), Random Forest, Decision Trees, and Multi-Layer Perceptrons (MLP). We trained all models to the accuracy of 90\% on the UNSW-NB15 Dataset. We found that most classifiers leverage only less than three critical features to achieve such accuracies, indicating that effective feature engineering could actually be far more important for intrusion detection than applying complicated models. We also discover that Random Forest provides the best performance in terms of accuracy, time efficiency and robustness. Data and code available at <a class="link-external link-https" href="https://github.com/pcwhy/XML-IntrusionDetection.git" rel="external noopener nofollow">this https URL</a>

Machine Learning,Artificial Intelligence,Cryptography and Security

Wei,Sijin Chen,Cen Chen,Heshi Wang,Jing Liu,Zhongyao Cheng,Xiaofeng Zou

DOI: https://doi.org/10.1007/s11432-023-4067-x

2024-01-01

Abstract:With the rapid development of network technology and the automation process for 5G, cyberattacks have become increasingly complex and threatening. In response to these threats, researchers have developed various network intrusion detection systems(NIDS) to monitor network traffic. However, the incessant emergence of new attack techniques and the lack of system interpretability pose challenges to improving the detection performance of NIDS. To address these issues, this paper proposes a hybrid explainable neural network-based framework that improves both the interpretability of our model and the performance in detecting new attacks through the innovative application of the explainable artificial intelligence(XAI)method. We effectively introduce the Shapley additive explanations(SHAP) method to explain a light gradient boosting machine(Light GBM) model. Additionally, we propose an autoencoder long-term short-term memory(AE-LSTM) network to reconstruct SHAP values previously generated. Furthermore, we define a threshold based on reconstruction errors observed during the training phase. Any network flow that surpasses the specified threshold is classified as an attack flow. This approach enhances the framework's ability to accurately identify attacks. We achieve an accuracy of 92.65%, a recall of 95.26%, a precision of 92.57%,and an F1-score of 93.90% on the dataset NSL-KDD. Experimental results demonstrate that our approach generates detection performance on par with state-of-the-art methods.

Osvaldo Arreche,Tanish R. Guntur,Jack W. Roberts,Mustafa Abdallah

DOI: https://doi.org/10.1109/access.2024.3365140

IF: 3.9

2024-02-20

IEEE Access

Abstract:The exponential growth of intrusions on networked systems inspires new research directions on developing artificial intelligence (AI) techniques for intrusion detection systems (IDS). In particular, the need to understand and explain these AI models to security analysts (managing these IDS to safeguard their networks) motivates the usage of explainable AI (XAI) methods in real-world IDS. In this work, we propose an end-to-end framework to evaluate black-box XAI methods for network IDS. We evaluate both global and local scopes for these black-box XAI methods for network intrusion detection. We analyze six different evaluation metrics for two popular black-box XAI techniques, namely SHAP and LIME. These metrics are descriptive accuracy, sparsity, stability, efficiency, robustness, and completeness. They cover main metrics from network security and AI domains. We evaluate our XAI evaluation framework using three popular network intrusion datasets and seven AI methods with different characteristics. We release our codes for the network security community to access it as a baseline XAI framework for network IDS. Our framework shows the limitations and strengths of current black-box XAI methods when applied to network IDS.

computer science, information systems,telecommunications,engineering, electrical & electronic

Thi-Thu-Huong Le,Haeyoung Kim,Hyoeun Kang,Howon Kim

DOI: https://doi.org/10.3390/s22031154

IF: 3.9

2022-02-03

Sensors

Abstract:In recent years, many methods for intrusion detection systems (IDS) have been designed and developed in the research community, which have achieved a perfect detection rate using IDS datasets. Deep neural networks (DNNs) are representative examples applied widely in IDS. However, DNN models are becoming increasingly complex in model architectures with high resource computing in hardware requirements. In addition, it is difficult for humans to obtain explanations behind the decisions made by these DNN models using large IoT-based IDS datasets. Many proposed IDS methods have not been applied in practical deployments, because of the lack of explanation given to cybersecurity experts, to support them in terms of optimizing their decisions according to the judgments of the IDS models. This paper aims to enhance the attack detection performance of IDS with big IoT-based IDS datasets as well as provide explanations of machine learning (ML) model predictions. The proposed ML-based IDS method is based on the ensemble trees approach, including decision tree (DT) and random forest (RF) classifiers which do not require high computing resources for training models. In addition, two big datasets are used for the experimental evaluation of the proposed method, NF-BoT-IoT-v2, and NF-ToN-IoT-v2 (new versions of the original BoT-IoT and ToN-IoT datasets), through the feature set of the net flow meter. In addition, the IoTDS20 dataset is used for experiments. Furthermore, the SHapley additive exPlanations (SHAP) is applied to the eXplainable AI (XAI) methodology to explain and interpret the classification decisions of DT and RF models; this is not only effective in interpreting the final decision of the ensemble tree approach but also supports cybersecurity experts in quickly optimizing and evaluating the correctness of their judgments based on the explanations of the results.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Thulitha Senevirathna,Bartlomiej Siniarski,Madhusanka Liyanage,Shen Wang

DOI: https://doi.org/10.1109/ccnc51664.2024.10454633

2024-01-01

Abstract:Artificial Intelligence used in future networks is vulnerable to biases, misclassifications, and security threats, which seeds constant scrutiny in accountability. Explainable AI (XAI) methods bridge this gap in identifying unaccounted biases in black-box AI/ML models. However, scaffolding attacks can hide the internal biases of the model from XAI methods, jeopardizing any auditory or monitoring processes, service provisions, security systems, regulators, auditors, and end-users in future networking paradigms, including Intent-Based Networking (IBN). For the first time ever, we formalize and demonstrate a framework on how an attacker would adopt scaffoldings to deceive the security auditors in Network Intrusion Detection Systems (NIDS). Furthermore, we propose a detection method that auditors can use to detect the attack efficiently. We rigorously test the attack and detection methods using the NSL-KDD. We then simulate the attack on 5G network data. Our simulation illustrates that the attack adoption method is successful, and the detection method can identify an affected model with extremely high confidence.

Peixin Liao,Xvxin Huang,Qiangbo Huang,Yanming Liang,Zhongxiao Wang,Denghui Zhang

DOI: https://doi.org/10.1109/cloudnet59005.2023.10490021

2023-01-01

Abstract:The rapid expansion of the Internet has boosted the widespread adoption of cloud technology across data-center fabrics and generated massive traffic. The emerging intrusion traffic brings new challenges to network security. Despite the remarkable advancements made by deep learning (DL) in fields including computer vision (CV) and natural language processing (NLP), its effectiveness in handling discrete time-series data, particularly in anomaly traffic, remains poor. It also fails to offer interpretability for prediction results, impeding its practicability to guide subsequent steps such as intrusion detection and prevention. This paper presents an interpretable intrusion detection system (IDS) based on feature importance. The approach first extracts significant features by methods including the Principal Component Analysis (PCA) and decision tree (DT). Then it converts important features into 2D feature images so that integrating with existing convolutional neural networks (CNNs) for predictions. Comparative experiments with more than 10 existing methods demonstrate this proposed method enhances detection capabilities and enable the intuitive interpretability of the analysis procedure.

Ayush Kumar,Vrizlynn L.L. Thing

2024-11-07

Abstract:Network Intrusion Detection Systems (NIDSs) which use machine learning (ML) models achieve high detection performance and accuracy while avoiding dependence on fixed signatures extracted from attack artifacts. However, there is a noticeable hesitance among network security experts and practitioners when it comes to deploying ML-based NIDSs in real-world production environments due to their black-box nature, i.e., how and why the underlying models make their decisions. In this work, we analyze state-of-the-art ML-based online NIDS models using explainable AI (xAI) techniques (e.g., TRUSTEE, SHAP). Using the explanations generated for the models' decisions, the most prominent features used by each NIDS model considered are presented. We compare the explanations generated across xAI methods for a given NIDS model as well as the explanations generated across the NIDS models for a given xAI method. Finally, we evaluate the vulnerability of each NIDS model to inductive bias (artifacts learnt from training data). The results show that: (1) some ML-based NIDS models can be better explained than other models, (2) xAI explanations are in conflict for most of the NIDS models considered in this work and (3) some NIDS models are more vulnerable to inductive bias than other models.

Cryptography and Security

Anli Yan,Ruitao Hou,Xiaozhang Liu,Hongyang Yan,Teng Huang,Xianmin Wang

DOI: https://doi.org/10.1002/int.23022

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:One key factor able to boost the applications of artificial intelligence (AI) in security-sensitive domains is to leverage them responsibly, which is engaged in providing explanations for AI. To date, a plethora of explainable artificial intelligence (XAI) has been proposed to help users interpret model decisions. However, given its data-driven nature, the explanation itself is potentially susceptible to a high risk of exposing privacy. In this paper, we first show that the existing XAI is vulnerable to model extraction attacks and then present an XAI-aware dual-task model extraction attack (DTMEA). DTMEA can attack a target model with explanation services, that is, it can extract both the classification and explanation tasks of the target model. More specifically, the substitution model extracted by DTMEA is a multitask learning architecture, consisting of a sharing layer and two task-specific layers for classification and explanation. To reveal which explanation technologies are more vulnerable to expose privacy information, we conduct an empirical evaluation of four major explanation types in the benchmark data set. Experimental results show that the attack accuracy of DTMEA outperforms the predicted-only method with up to 1.25%, 1.53%, 9.25%, and 7.45% in MNIST, Fashion-MNIST, CIFAR-10, and CIFAR-100, respectively. By exposing the potential threats on explanation technologies, our research offers the insights to develop effective tools that are able to trade off security-sensitive relationships.

Usman Ahmed,Zheng Jiangbin,Ahmad Almogren,Muhammad Sadiq,Ateeq Ur Rehman,M. T. Sadiq,Jaeyoung Choi

DOI: https://doi.org/10.1038/s41598-024-81151-1

IF: 4.6

2024-12-19

Scientific Reports

Abstract:The novelty and growing sophistication of cyber threats mean that high accuracy and interpretable machine learning models are needed more than ever before for Intrusion Detection and Prevention Systems. This study aims to solve this challenge by applying Explainable AI techniques, including Shapley Additive explanations feature selection, to improve model performance, robustness, and transparency. The method systematically employs different classifiers and proposes a new hybrid method called Hybrid Bagging-Boosting and Boosting on Residuals. Then, performance is taken in four steps: the multistep evaluation of hybrid ensemble learning methods for binary classification and fine-tuning of performance; feature selection using Shapley Additive explanations values retraining the hybrid model for better performance and reducing overfitting; the generalization of the proposed model for multiclass classification; and the evaluation using standard information metrics such as accuracy, precision, recall, and F1-score. Key results indicate that the proposed methods outperform state-of-the-art algorithms, achieving a peak accuracy of 98.47% and an F1 score of 96.19%. These improvements stem from advanced feature selection and resampling techniques, enhancing model accuracy and balancing precision and recall. Integrating Shapley Additive explanations-based feature selection with hybrid ensemble methods significantly boosts the predictive and explanatory power of Intrusion Detection and Prevention Systems, addressing common pitfalls in traditional cybersecurity models. This study paves the way for further research on statistical innovations to enhance Intrusion Detection and Prevention Systems performance.

multidisciplinary sciences

Wanshuang Lin,Chunhe Xia,Tianbo Wang,Yuan Zhao,Liang Xi,Song Zhang

DOI: https://doi.org/10.1109/mnet.2024.3481045

IF: 10.294

2024-01-01

IEEE Network

Abstract:Deep learning-based models demonstrate a remarkable level of accuracy in network traffic identification. However, the black-box nature of neural networks often makes the identification results difficult to explain. Although some eXplainable Artificial Intelligence (XAI) methods have been applied to network traffic identification, most of them focus on model explainability and do not provide sufficient credibility. In emerging network systems that use proprietary protocols, low-credibility malicious traffic detection can result in severe consequences. Therefore, it is imperative to deeply understand network traffic features and trust the detection results. In this paper, we propose an explainable architecture for emerging network systems. This architecture enhances the explainability of malicious traffic detection from both input and output perspectives, aiming to understand network traffic data and improve the reliability of the results. The effectiveness of explaining inputs and outputs is verified through experimental analysis in case studies. Furthermore, we review the research on explainable models in the field of network traffic identification and summarize research opportunities.

Khushnaseeb Roshan,Aasim Zafar

DOI: https://doi.org/10.5121/ijcnc.2021.13607

2021-09-30

Abstract:Machine learning (ML) and Deep Learning (DL) methods are being adopted rapidly, especially in computer network security, such as fraud detection, network anomaly detection, intrusion detection, and much more. However, the lack of transparency of ML and DL based models is a major obstacle to their implementation and criticized due to its black-box nature, even with such tremendous results. Explainable Artificial Intelligence (XAI) is a promising area that can improve the trustworthiness of these models by giving explanations and interpreting its output. If the internal working of the ML and DL based models is understandable, then it can further help to improve its performance. The objective of this paper is to show that how XAI can be used to interpret the results of the DL model, the autoencoder in this case. And, based on the interpretation, we improved its performance for computer network anomaly detection. The kernel SHAP method, which is based on the shapley values, is used as a novel feature selection technique. This method is used to identify only those features that are actually causing the anomalous behaviour of the set of attack/anomaly instances. Later, these feature sets are used to train and validate the autoencoderbut on benign data only. Finally, the built SHAP_Model outperformed the other two models proposed based on the feature selection method. This whole experiment is conducted on the subset of the latest CICIDS2017 network dataset. The overall accuracy and AUC of SHAP_Model is 94% and 0.969, respectively.

English Else

Feng Wei,Hongda Li,Ziming Zhao,Hongxin Hu

2023-01-01

Abstract:While Deep Learning-based Network Intrusion Detection Systems (DL-NIDS) have recently been significantly explored and shown superior performance, they are insufficient to actively respond to the detected intrusions due to the semantic gap between their detection results and actionable interpretations. Furthermore, their high error costs make network operators unwilling to respond solely based on their detection results. The root cause of these drawbacks can be traced to the lack of explainability of DL-NIDS. Although some methods have been developed to explain deep learning-based systems, they are incapable of handling the history inputs and complex feature dependencies of structured data and do not perform well in explaining DL-NIDS. In this paper, we present XNIDS, a novel framework that facilitates active intrusion responses by explaining DL-NIDS. Our explanation method is highlighted by: (1) approximating and sampling around history inputs; and (2) capturing feature dependencies of structured data to achieve a high-fidelity explanation. Based on the explanation results, XNIDS can further generate actionable defense rules. We evaluate XNIDS with four state-of-the-art DL-NIDS. Our evaluation results show that XNIDS outperforms previous explanation methods in terms of fidelity, sparsity, completeness, and stability, all of which are important to active intrusion responses. Moreover, we demonstrate that XNIDS can efficiently generate practical defense rules, help understand DL-NIDS behaviors, and troubleshoot detection errors.

Yuanyuan Wei,Julian Jang-Jaccard,Amardeep Singh,Fariza Sabrina,Seyit Camtepe

DOI: https://doi.org/10.48550/arXiv.2306.17190

2023-06-27

Abstract:DDoS attacks involve overwhelming a target system with a large number of requests or traffic from multiple sources, disrupting the normal traffic of a targeted server, service, or network. Distinguishing between legitimate traffic and malicious traffic is a challenging task. It is possible to classify legitimate traffic and malicious traffic and analysis the network traffic by using machine learning and deep learning techniques. However, an inter-model explanation implemented to classify a traffic flow whether is benign or malicious is an important investigation of the inner working theory of the model to increase the trustworthiness of the model. Explainable Artificial Intelligence (XAI) can explain the decision-making of the machine learning models that can be classified and identify DDoS traffic. In this context, we proposed a framework that can not only classify legitimate traffic and malicious traffic of DDoS attacks but also use SHAP to explain the decision-making of the classifier model. To address this concern, we first adopt feature selection techniques to select the top 20 important features based on feature importance techniques (e.g., XGB-based SHAP feature importance). Following that, the Multi-layer Perceptron Network (MLP) part of our proposed model uses the optimized features of the DDoS attack dataset as inputs to classify legitimate and malicious traffic. We perform extensive experiments with all features and selected features. The evaluation results show that the model performance with selected features achieves above 99\% accuracy. Finally, to provide interpretability, XAI can be adopted to explain the model performance between the prediction results and features based on global and local explanations by SHAP, which can better explain the results achieved by our proposed framework.

Cryptography and Security,Machine Learning

Chathuranga Sampath Kalutharage,Xiaodong Liu,Christos Chrysoulas

DOI: https://doi.org/10.1007/978-3-031-21311-3_8

2022-01-01

Abstract:Over the past few decades, Machine Learning (ML)-based intrusion detection systems (IDS) have become increasingly popular and continue to show remarkable performance in detecting attacks. However, the lack of transparency in their decision-making process and the scarcity of attack data for training purposes pose a major challenge for the development of ML-based IDS systems for Internet of Things (IoT). Therefore, employing anomaly detection methods and interpreting predicted results in terms of feature contribution or performing feature-based impact analysis can increase stakeholders confidence. To this end, this paper presents a novel framework for IoT security monitoring, combining deep autoencoder models with Explainable Artificial Intelligence (XAI), to verify the credibility and certainty of attack detection by ML-based IDSs. Our proposed approach reduces the number of black boxes in the ML decision-making process in IoT security monitoring by explaining why a prediction is made, providing quantifiable data on which features influence the prediction and to what extent, which are generated from SHaply Adaptive values exPlanations (SHAP) linking optimal credit allocation to local explanations. This was tested using the USB-IDS benchmark dataset and a detection accuracy of 84% (benign) and 100% (attack) was achieved. Our experimental results show that integrating XAI with the autoencoder model obviates the need of malicious data for training purposes, but can provide attack certainty for detected anomalies, proving the validity of the proposed methodology.

Zakaria Abou El Houda,Bouziane Brik,Lyes Khoukhi

DOI: https://doi.org/10.1109/ojcoms.2022.3188750

2022-01-01

IEEE Open Journal of the Communications Society

Abstract:Internet of Things (IoT) is an emerging paradigm that is turning and revolutionizing worldwide cities into smart cities. However, this emergence is accompanied with several cybersecurity concerns due mainly to the data sharing and constant connectivity of IoT networks. To address this problem, multiple Intrusion Detection Systems (IDSs) have been designed as security mechanisms, which showed their efficiency in mitigating several IoT-related attacks, especially when using deep learning (DL) algorithms. Indeed, Deep Neural Networks (DNNs) significantly improve the detection rate of IoT-related intrusions. However, DL-based models are becoming more and more complex, and their decisions are hardly interpreted by users, especially companies’ executive staff and cybersecurity experts. Hence, the corresponding users cannot neither understand and trust DL models decisions, nor optimize their decisions (users) based on DL models outputs. To overcome these limits, Explainable Artificial Intelligence (XAI) is an emerging paradigm of Artificial Intelligence (AI), that provides a set of techniques to help interpreting and understanding predictions made by DL models. Thus, XAI enables to explain the decisions of DL-based IDSs to make them interpretable by cybersecurity experts. In this paper, we design a new XAI-based framework to give explanations to any critical DL-based decisions for IoT-related IDSs. Our framework relies on a novel IDS for IoT networks, that we also develop by leveraging deep neural network, to detect IoT-related intrusions. In addition, our framework uses three main XAI techniques ($i.e.$ , RuleFit, Local Interpretable Model-Agnostic Explanations (LIME), and SHapley Additive exPlanations (SHAP)), on top of our DNN-based model. Our framework can provide both local and global explanations to optimize the interpretation of DL-based decisions. The local explanations target a single/particular DL output, while global explanations focus on deducing the most important features that have conducted to each made decision (e.g., intrusion detection). Thus, our proposed framework introduces more transparency and trust between the decisions made by our DL-based IDS model and cybersecurity experts. Both NSL-KDD and UNSW-NB15 datasets are used to validate the feasibility of our XAI framework. The experimental results show the efficiency of our framework to improve the interpretability of the IoT IDS against well-known IoT attacks, and help the cybersecurity experts get a better understanding of IDS decisions.