Zhang Mengdi,Sun Jun,Wang Jingyi

DOI: https://doi.org/10.1007/s10515-022-00338-w

IF: 1.677

2022-01-01

Automated Software Engineering

Abstract:Neural networks are getting increasingly popular thanks to their exceptional performance in solving many real-world problems. At the same time, they are shown to be vulnerable to attacks, difficult to debug and subject to fairness issues. To improve people’s trust in the technology, it is often necessary to provide some human-understandable explanation of neural networks’ decisions, e.g., why is that my loan application is rejected whereas hers is approved? That is, the stakeholder would be interested to minimize the chances of not being able to explain the decision consistently and would like to know how often and how easy it is to explain the decisions of a neural network before it is deployed. In this work, we provide two measurements on the decision explainability of neural networks. Afterwards, we develop algorithms for evaluating the measurements of user-provided neural networks automatically. We evaluate our approach on multiple neural network models trained on benchmark datasets. The results show that existing neural networks’ decisions often have low explainability according to our measurements. This is in line with the observation that adversarial samples can be easily generated through adversarial perturbation, which are often hard to explain. Our further experiments show that the decisions of the models trained with robust training are not necessarily easier to explain, whereas decisions of the models retrained with samples generated by our algorithms are easier to explain.

Ayush Kumar,Vrizlynn L.L. Thing

2024-11-07

Abstract:Network Intrusion Detection Systems (NIDSs) which use machine learning (ML) models achieve high detection performance and accuracy while avoiding dependence on fixed signatures extracted from attack artifacts. However, there is a noticeable hesitance among network security experts and practitioners when it comes to deploying ML-based NIDSs in real-world production environments due to their black-box nature, i.e., how and why the underlying models make their decisions. In this work, we analyze state-of-the-art ML-based online NIDS models using explainable AI (xAI) techniques (e.g., TRUSTEE, SHAP). Using the explanations generated for the models' decisions, the most prominent features used by each NIDS model considered are presented. We compare the explanations generated across xAI methods for a given NIDS model as well as the explanations generated across the NIDS models for a given xAI method. Finally, we evaluate the vulnerability of each NIDS model to inductive bias (artifacts learnt from training data). The results show that: (1) some ML-based NIDS models can be better explained than other models, (2) xAI explanations are in conflict for most of the NIDS models considered in this work and (3) some NIDS models are more vulnerable to inductive bias than other models.

Cryptography and Security

Himabindu Lakkaraju,Osbert Bastani

DOI: https://doi.org/10.48550/arXiv.1911.06473

2019-11-15

Abstract:As machine learning black boxes are increasingly being deployed in critical domains such as healthcare and criminal justice, there has been a growing emphasis on developing techniques for explaining these black boxes in a human interpretable manner. It has recently become apparent that a high-fidelity explanation of a black box ML model may not accurately reflect the biases in the black box. As a consequence, explanations have the potential to mislead human users into trusting a problematic black box. In this work, we rigorously explore the notion of misleading explanations and how they influence user trust in black-box models. More specifically, we propose a novel theoretical framework for understanding and generating misleading explanations, and carry out a user study with domain experts to demonstrate how these explanations can be used to mislead users. Our work is the first to empirically establish how user trust in black box models can be manipulated via misleading explanations.

Artificial Intelligence

Omer Subasi,Johnathan Cree,Joseph Manzano,Elena Peterson

2024-07-04

Abstract:There has been a large number of studies in interpretable and explainable ML for cybersecurity, in particular, for intrusion detection. Many of these studies have significant amount of overlapping and repeated evaluations and analysis. At the same time, these studies overlook crucial model, data, learning process, and utility related issues and many times completely disregard them. These issues include the use of overly complex and opaque ML models, unaccounted data imbalances and correlated features, inconsistent influential features across different explanation methods, the inconsistencies stemming from the constituents of a learning process, and the implausible utility of explanations. In this work, we empirically demonstrate these issues, analyze them and propose practical solutions in the context of feature-based model explanations. Specifically, we advise avoiding complex opaque models such as Deep Neural Networks and instead using interpretable ML models such as Decision Trees as the available intrusion datasets are not difficult for such interpretable models to classify successfully. Then, we bring attention to the binary classification metrics such as Matthews Correlation Coefficient (which are well-suited for imbalanced datasets. Moreover, we find that feature-based model explanations are most often inconsistent across different settings. In this respect, to further gauge the extent of inconsistencies, we introduce the notion of cross explanations which corroborates that the features that are determined to be impactful by one explanation method most often differ from those by another method. Furthermore, we show that strongly correlated data features and the constituents of a learning process, such as hyper-parameters and the optimization routine, become yet another source of inconsistent explanations. Finally, we discuss the utility of feature-based explanations.

Cryptography and Security,Machine Learning

Basim Mahbooba,Mohan Timilsina,Radhya Sahal,Martin Serrano

DOI: https://doi.org/10.1155/2021/6634811

IF: 2.3

2021-01-28

Complexity

Abstract:Despite the growing popularity of machine learning models in the cyber-security applications (e.g., an intrusion detection system (IDS)), most of these models are perceived as a black-box. The eXplainable Artificial Intelligence (XAI) has become increasingly important to interpret the machine learning models to enhance trust management by allowing human experts to understand the underlying data evidence and causal reasoning. According to IDS, the critical role of trust management is to understand the impact of the malicious data to detect any intrusion in the system. The previous studies focused more on the accuracy of the various classification algorithms for trust in IDS. They do not often provide insights into their behavior and reasoning provided by the sophisticated algorithm. Therefore, in this paper, we have addressed XAI concept to enhance trust management by exploring the decision tree model in the area of IDS. We use simple decision tree algorithms that can be easily read and even resemble a human approach to decision-making by splitting the choice into many small subchoices for IDS. We experimented with this approach by extracting rules in a widely used KDD benchmark dataset. We also compared the accuracy of the decision tree approach with the other state-of-the-art algorithms.

mathematics, interdisciplinary applications,multidisciplinary sciences

Noah Ziems,Gang Liu,John Flanagan,Meng Jiang

2023-10-30

Abstract:Network intrusion detection (NID) systems which leverage machine learning have been shown to have strong performance in practice when used to detect malicious network traffic. Decision trees in particular offer a strong balance between performance and simplicity, but require users of NID systems to have background knowledge in machine learning to interpret. In addition, they are unable to provide additional outside information as to why certain features may be important for classification. In this work, we explore the use of large language models (LLMs) to provide explanations and additional background knowledge for decision tree NID systems. Further, we introduce a new human evaluation framework for decision tree explanations, which leverages automatically generated quiz questions that measure human evaluators' understanding of decision tree inference. Finally, we show LLM generated decision tree explanations correlate highly with human ratings of readability, quality, and use of background knowledge while simultaneously providing better understanding of decision boundaries.

Computation and Language,Artificial Intelligence

Mohanad Sarhan,Siamak Layeghy,Marius Portmann

DOI: https://doi.org/10.1016/j.bdr.2022.100359

2021-08-29

Abstract:Machine Learning (ML)-based network intrusion detection systems bring many benefits for enhancing the cybersecurity posture of an organisation. Many systems have been designed and developed in the research community, often achieving a close to perfect detection rate when evaluated using synthetic datasets. However, the high number of academic research has not often translated into practical deployments. There are several causes contributing towards the wide gap between research and production, such as the limited ability of comprehensive evaluation of ML models and lack of understanding of internal ML operations. This paper tightens the gap by evaluating the generalisability of a common feature set to different network environments and attack scenarios. Therefore, two feature sets (NetFlow and CICFlowMeter) have been evaluated in terms of detection accuracy across three key datasets, i.e., CSE-CIC-IDS2018, BoT-IoT, and ToN-IoT. The results show the superiority of the NetFlow feature set in enhancing the ML models detection accuracy of various network attacks. In addition, due to the complexity of the learning models, SHapley Additive exPlanations (SHAP), an explainable AI methodology, has been adopted to explain and interpret the classification decisions of ML models. The Shapley values of two common feature sets have been analysed across multiple datasets to determine the influence contributed by each feature towards the final ML prediction.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Shraddha Mane,Dattaraj Rao

DOI: https://doi.org/10.48550/arXiv.2103.07110

2021-03-12

Abstract:Cybersecurity is a domain where the data distribution is constantly changing with attackers exploring newer patterns to attack cyber infrastructure. Intrusion detection system is one of the important layers in cyber safety in today's world. Machine learning based network intrusion detection systems started showing effective results in recent years. With deep learning models, detection rates of network intrusion detection system are improved. More accurate the model, more the complexity and hence less the interpretability. Deep neural networks are complex and hard to interpret which makes difficult to use them in production as reasons behind their decisions are unknown. In this paper, we have used deep neural network for network intrusion detection and also proposed explainable AI framework to add transparency at every stage of machine learning pipeline. This is done by leveraging Explainable AI algorithms which focus on making ML models less of black boxes by providing explanations as to why a prediction is made. Explanations give us measurable factors as to what features influence the prediction of a cyberattack and to what degree. These explanations are generated from SHAP, LIME, Contrastive Explanations Method, ProtoDash and Boolean Decision Rules via Column Generation. We apply these approaches to NSL KDD dataset for intrusion detection system and demonstrate results.

Cryptography and Security,Artificial Intelligence

Ana Rosa Cavalli,Manh-Dung Nguyen,Edgardo Montes de Oca,Valeria Valdés,Anis Bouaziz,Wissam Mallouli

DOI: https://doi.org/10.1145/3600160.3605052

2023-08-29

Abstract:The prevalence of encrypted Internet traffic has resulted in a pressing need for advanced analysis techniques for traffic analysis and classification. Traditional rule-based and signature-based approaches have been hindered by the introduction of network encryption methods. With the emergence of machine learning (ML) and deep learning (DL), several preliminary works have been developed for anomaly detection in encrypted network traffic. However, complex Artificial Intelligence (AI) models like neural networks lack explainability, limiting the understanding of their predictions. To address this limitation, eXplainable Artificial Intelligence (XAI) has emerged, aiming to provide users with a rationale for understanding AI system outputs and fostering trust. However, existing explainable frameworks still lack comprehensive support for adversarial attacks and defenses. In this paper, we present Montimage AI Platform (MAIP), a new GUI-based deep learning framework for malicious traffic detection and classification combined with its ability of explaining the decision of the model. We employ popular XAI methods to interpret the prediction of the developed deep learning model. Furthermore, we perform adversarial attacks to assess the accountability and robustness of our model via different quantifiable metrics. We perform extensive experiments with both public and private network traffic. The experimental results demonstrate that our model achieves high performance and robustness, and its outcomes align closely with the domain knowledge.

Computer Science

Boyang Zhang,Zheng Li,Ziqing Yang,Xinlei He,Michael Backes,Mario Fritz,Yang Zhang

2023-10-19

Abstract:While advanced machine learning (ML) models are deployed in numerous real-world applications, previous works demonstrate these models have security and privacy vulnerabilities. Various empirical research has been done in this field. However, most of the experiments are performed on target ML models trained by the security researchers themselves. Due to the high computational resource requirement for training advanced models with complex architectures, researchers generally choose to train a few target models using relatively simple architectures on typical experiment datasets. We argue that to understand ML models' vulnerabilities comprehensively, experiments should be performed on a large set of models trained with various purposes (not just the purpose of evaluating ML attacks and defenses). To this end, we propose using publicly available models with weights from the Internet (public models) for evaluating attacks and defenses on ML models. We establish a database, namely SecurityNet, containing 910 annotated image classification models. We then analyze the effectiveness of several representative attacks/defenses, including model stealing attacks, membership inference attacks, and backdoor detection on these public models. Our evaluation empirically shows the performance of these attacks/defenses can vary significantly on public models compared to self-trained models. We share SecurityNet with the research community. and advocate researchers to perform experiments on public models to better demonstrate their proposed methods' effectiveness in the future.

Cryptography and Security,Machine Learning

Irfan Siddavatam,Ashwini Dalvi,Viraj Thakkar,Aditya Vedpathak,Smit Moradiya,Apoorva Jain

DOI: https://doi.org/10.2139/ssrn.3868707

2021-01-01

SSRN Electronic Journal

Abstract:The prominence of AI algorithms has reached new heights in todays world. Algorithms are implemented in each and every aspect of our life with the primary intention of improving it. However, the working of most of these AIs is not entirely understood, this causes the problem. Since the models are not understood, the researchers do not know how to manually improve on it, creating an artificial ceiling. Understanding these algorithms is the key to realize how these machines think and not only learn from them but also teach it to understand better. The primary idea put forward in this paper is to explain a black-box model using a mimicking simulation, rather than the usual calculative approaches. The primary idea put forward is to understand how an AI works using a decision tree that will be designed to mimic the AI. It proposes the use of a Decision Tree based approach along with randomization using Monte Carlo simulations for a more precise simulation of the black-box.

Rajesh Kalakoti,Hayretdin Bahsi,Sven Nõmm

DOI: https://doi.org/10.1109/jiot.2024.3360626

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Detecting botnets is an essential task to ensure the security of IoT systems. Machine learning-based approaches have been widely used for this purpose, but the lack of interpretability and transparency of the models often limits their effectiveness. In this research paper, our aim is to improve the transparency and interpretability of high-performance machine learning models for IoT botnet detection by selecting higher-quality explanations using explainable artificial intelligence (XAI) techniques. We used three datasets to induce binary and multiclass classification models for IoT botnet detection, with Sequential Backward Selection employed as the feature selection technique. We then use two post hoc XAI techniques such as LIME and SHAP, to explain the behaviour of the models. To evaluate the quality of explanations generated by XAI methods, we employed faithfulness, monotonicity, complexity, and sensitivity metrics. ML models employed in this work achieve very high detection rates with a limited number of features. Our findings demonstrate the effectiveness of XAI methods in improving the interpretability and transparency of machine learning-based IoT botnet detection models. Specifically, explanations generated by applying LIME and SHAP to the XGBoost model yield high faithfulness, high Consistency, low complexity, and low sensitivity. Furthermore, SHAP outperforms LIME by achieving better results in these metrics.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sebastian Ordyniak,Giacomo Paesani,Mateusz Rychlicki,Stefan Szeider

2024-07-23

Abstract:This paper presents a comprehensive theoretical investigation into the parameterized complexity of explanation problems in various machine learning (ML) models. Contrary to the prevalent black-box perception, our study focuses on models with transparent internal mechanisms. We address two principal types of explanation problems: abductive and contrastive, both in their local and global variants. Our analysis encompasses diverse ML models, including Decision Trees, Decision Sets, Decision Lists, Ordered Binary Decision Diagrams, Random Forests, and Boolean Circuits, and ensembles thereof, each offering unique explanatory challenges. This research fills a significant gap in explainable AI (XAI) by providing a foundational understanding of the complexities of generating explanations for these models. This work provides insights vital for further research in the domain of XAI, contributing to the broader discourse on the necessity of transparency and accountability in AI systems.

Artificial Intelligence,Computational Complexity

Abdullah Caglar Oksuz,Anisa Halimi,Erman Ayday

DOI: https://doi.org/10.56553/popets-2024-0137

2024-07-09

Abstract:Explainable Artificial Intelligence (XAI) aims to uncover the decision-making processes of AI models. However, the data used for such explanations can pose security and privacy risks. Existing literature identifies attacks on machine learning models, including membership inference, model inversion, and model extraction attacks. These attacks target either the model or the training data, depending on the settings and parties involved. XAI tools can increase the vulnerability of model extraction attacks, which is a concern when model owners prefer black-box access, thereby keeping model parameters and architecture private. To exploit this risk, we propose AUTOLYCUS, a novel retraining (learning) based model extraction attack framework against interpretable models under black-box settings. As XAI tools, we exploit Local Interpretable Model-Agnostic Explanations (LIME) and Shapley values (SHAP) to infer decision boundaries and create surrogate models that replicate the functionality of the target model. LIME and SHAP are mainly chosen for their realistic yet information-rich explanations, coupled with their extensive adoption, simplicity, and usability. We evaluate AUTOLYCUS on six machine learning datasets, measuring the accuracy and similarity of the surrogate model to the target model. The results show that AUTOLYCUS is highly effective, requiring significantly fewer queries compared to state-of-the-art attacks, while maintaining comparable accuracy and similarity. We validate its performance and transferability on multiple interpretable ML models, including decision trees, logistic regression, naive bayes, and k-nearest neighbor. Additionally, we show the resilience of AUTOLYCUS against proposed countermeasures.

Machine Learning,Cryptography and Security

Maede Zolanvari,Zebo Yang,Khaled Khan,Raj Jain,Nader Meskin

DOI: https://doi.org/10.48550/arXiv.2205.01232

2022-05-03

Abstract:Despite AI's significant growth, its "black box" nature creates challenges in generating adequate trust. Thus, it is seldom utilized as a standalone unit in IoT high-risk applications, such as critical industrial infrastructures, medical systems, and financial applications, etc. Explainable AI (XAI) has emerged to help with this problem. However, designing appropriately fast and accurate XAI is still challenging, especially in numerical applications. Here, we propose a universal XAI model named Transparency Relying Upon Statistical Theory (TRUST), which is model-agnostic, high-performing, and suitable for numerical applications. Simply put, TRUST XAI models the statistical behavior of the AI's outputs in an AI-based system. Factor analysis is used to transform the input features into a new set of latent variables. We use mutual information to rank these variables and pick only the most influential ones on the AI's outputs and call them "representatives" of the classes. Then we use multi-modal Gaussian distributions to determine the likelihood of any new sample belonging to each class. We demonstrate the effectiveness of TRUST in a case study on cybersecurity of the industrial Internet of things (IIoT) using three different cybersecurity datasets. As IIoT is a prominent application that deals with numerical data. The results show that TRUST XAI provides explanations for new random samples with an average success rate of 98%. Compared with LIME, a popular XAI model, TRUST is shown to be superior in the context of performance, speed, and the method of explainability. In the end, we also show how TRUST is explained to the user.

Artificial Intelligence,Information Theory

Hangsheng Zhang,Dongqi Han,Yinlong Liu,Zhiliang Wang,Jiyan Sun,Shangyuan Zhuang,Jiqiang Liu,Jinsong Dong

2024-01-19

Abstract:espite being widely used in network intrusion detection systems (NIDSs), machine learning (ML) has proven to be highly vulnerable to adversarial attacks. White-box and black-box adversarial attacks of NIDS have been explored in several studies. However, white-box attacks unrealistically assume that the attackers have full knowledge of the target NIDSs. Meanwhile, existing black-box attacks can not achieve high attack success rate due to the weak adversarial transferability between models (e.g., neural networks and tree models). Additionally, neither of them explains why adversarial examples exist and why they can transfer across models. To address these challenges, this paper introduces ETA, an Explainable Transfer-based Black-Box Adversarial Attack framework. ETA aims to achieve two primary objectives: 1) create transferable adversarial examples applicable to various ML models and 2) provide insights into the existence of adversarial examples and their transferability within NIDSs. Specifically, we first provide a general transfer-based adversarial attack method applicable across the entire ML space. Following that, we exploit a unique insight based on cooperative game theory and perturbation interpretations to explain adversarial examples and adversarial transferability. On this basis, we propose an Important-Sensitive Feature Selection (ISFS) method to guide the search for adversarial examples, achieving stronger transferability and ensuring traffic-space constraints.

Cryptography and Security

Gabriel Deza,Adelin Travers,Colin Rowat,Nicolas Papernot

DOI: https://doi.org/10.48550/arXiv.2109.15112

2021-09-25

Abstract:Sophisticated machine learning (ML) models to inform trading in the financial sector create problems of interpretability and risk management. Seemingly robust forecasting models may behave erroneously in out of distribution settings. In 2020, some of the world's most sophisticated quant hedge funds suffered losses as their ML models were first underhedged, and then overcompensated. We implement a gradient-based approach for precisely stress-testing how a trading model's forecasts can be manipulated, and their effects on downstream tasks at the trading execution level. We construct inputs -- whether in changes to sentiment or market variables -- that efficiently affect changes in the return distribution. In an industry-standard trading pipeline, we perturb model inputs for eight S&P 500 stocks. We find our approach discovers seemingly in-sample input settings that result in large negative shifts in return distributions. We provide the financial community with mechanisms to interpret ML forecasts in trading systems. For the security community, we provide a compelling application where studying ML robustness necessitates that one capture an end-to-end system's performance rather than study a ML model in isolation. Indeed, we show in our evaluation that errors in the forecasting model's predictions alone are not sufficient for trading decisions made based on these forecasts to yield a negative return.

Machine Learning,Cryptography and Security

Nicolas Papernot,Patrick McDaniel,Arunesh Sinha,Michael Wellman

DOI: https://doi.org/10.48550/arXiv.1611.03814

2016-11-11

Cryptography and Security

Abstract:Advances in machine learning (ML) in recent years have enabled a dizzying array of applications such as data analytics, autonomous systems, and security diagnostics. ML is now pervasive---new systems and models are being deployed in every domain imaginable, leading to rapid and widespread deployment of software based inference and decision making. There is growing recognition that ML exposes new vulnerabilities in software systems, yet the technical community's understanding of the nature and extent of these vulnerabilities remains limited. We systematize recent findings on ML security and privacy, focusing on attacks identified on these systems and defenses crafted to date. We articulate a comprehensive threat model for ML, and categorize attacks and defenses within an adversarial framework. Key insights resulting from works both in the ML and security communities are identified and the effectiveness of approaches are related to structural elements of ML algorithms and the data used to train them. We conclude by formally exploring the opposing relationship between model accuracy and resilience to adversarial manipulation. Through these explorations, we show that there are (possibly unavoidable) tensions between model complexity, accuracy, and resilience that must be calibrated for the environments in which they will be used.

Yacine Izza,Xuanxiang Huang,Antonio Morgado,Jordi Planes,Alexey Ignatiev,Joao Marques-Silva

2024-05-14

Abstract:The uses of machine learning (ML) have snowballed in recent years. In many cases, ML models are highly complex, and their operation is beyond the understanding of human decision-makers. Nevertheless, some uses of ML models involve high-stakes and safety-critical applications. Explainable artificial intelligence (XAI) aims to help human decision-makers in understanding the operation of such complex ML models, thus eliciting trust in their operation. Unfortunately, the majority of past XAI work is based on informal approaches, that offer no guarantees of rigor. Unsurprisingly, there exists comprehensive experimental and theoretical evidence confirming that informal methods of XAI can provide human-decision makers with erroneous information. Logic-based XAI represents a rigorous approach to explainability; it is model-based and offers the strongest guarantees of rigor of computed explanations. However, a well-known drawback of logic-based XAI is the complexity of logic reasoning, especially for highly complex ML models. Recent work proposed distance-restricted explanations, i.e. explanations that are rigorous provided the distance to a given input is small enough. Distance-restricted explainability is tightly related with adversarial robustness, and it has been shown to scale for moderately complex ML models, but the number of inputs still represents a key limiting factor. This paper investigates novel algorithms for scaling up the performance of logic-based explainers when computing and enumerating ML model explanations with a large number of inputs.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition,Distributed, Parallel, and Cluster Computing