TY - GEN
T1 - Towards Understanding Alerts raised by Unsupervised Network Intrusion Detection Systems
AU - Lanvin, Maxime
AU - Gimenez, Pierre François
AU - Han, Yufei
AU - Majorczyk, Frédéric
AU - Mé, Ludovic
AU - Totel, Eric
N1 - Publisher Copyright:
© 2023 Copyright held by the owner/author(s).
PY - 2023/10/16
Y1 - 2023/10/16
N2 - The use of Machine Learning for anomaly detection in cyber security-critical applications, such as intrusion detection systems, has been hindered by the lack of explainability. Without understanding the reason behind anomaly alerts, it is too expensive or impossible for human analysts to verify and identify cyber-attacks. Our research addresses this challenge and focuses on unsupervised network intrusion detection, where only benign network traffic is available for training the detection model. We propose a novel post-hoc explanation method, called AE-pvalues, which is based on the p-values of the reconstruction errors produced by an Auto-Encoder-based anomaly detection method. Our work identifies the most informative network traffic features associated with an anomaly alert, providing interpretations for the generated alerts. We conduct an empirical study using a large-scale network intrusion dataset, CICIDS2017, to compare the proposed AE-pvalues method with two state-of-the-art baselines applied in the unsupervised anomaly detection task. Our experimental results show that the AE-pvalues method accurately identifies abnormal influential network traffic features. Furthermore, our study demonstrates that the explanation outputs can help identify different types of network attacks in the detected anomalies, enabling human security analysts to understand the root cause of the anomalies and take prompt action to strengthen security measures.
AB - The use of Machine Learning for anomaly detection in cyber security-critical applications, such as intrusion detection systems, has been hindered by the lack of explainability. Without understanding the reason behind anomaly alerts, it is too expensive or impossible for human analysts to verify and identify cyber-attacks. Our research addresses this challenge and focuses on unsupervised network intrusion detection, where only benign network traffic is available for training the detection model. We propose a novel post-hoc explanation method, called AE-pvalues, which is based on the p-values of the reconstruction errors produced by an Auto-Encoder-based anomaly detection method. Our work identifies the most informative network traffic features associated with an anomaly alert, providing interpretations for the generated alerts. We conduct an empirical study using a large-scale network intrusion dataset, CICIDS2017, to compare the proposed AE-pvalues method with two state-of-the-art baselines applied in the unsupervised anomaly detection task. Our experimental results show that the AE-pvalues method accurately identifies abnormal influential network traffic features. Furthermore, our study demonstrates that the explanation outputs can help identify different types of network attacks in the detected anomalies, enabling human security analysts to understand the root cause of the anomalies and take prompt action to strengthen security measures.
KW - explainable AI (XAI)
KW - intrusion detection
KW - machine learning
U2 - 10.1145/3607199.3607247
DO - 10.1145/3607199.3607247
M3 - Conference contribution
AN - SCOPUS:85175697243
T3 - ACM International Conference Proceeding Series
SP - 135
EP - 150
BT - Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
PB - Association for Computing Machinery
T2 - 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
Y2 - 16 October 2023 through 18 October 2023
ER -
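The abstract describes the AE-pvalues idea only at a high level: an auto-encoder is trained on benign traffic, and the per-feature reconstruction errors of an alert are turned into p-values so that the features driving the alert can be ranked. The following Python script is an added illustration of that idea, not the authors' code and not their exact construction. It assumes a tied-weight linear auto-encoder (a stand-in for whatever architecture the paper uses), a constructed synthetic flow dataset whose column names merely mimic CICIDS2017 features, and an empirical one-sided p-value per feature computed against a held-out benign calibration set (my reading of "p-values of the reconstruction errors"; the paper may define it differently).

```python
"""AE-pvalues-style explanation of an anomaly alert, as an added illustration
(not the RAID 2023 authors' code). A tied-weight linear auto-encoder is trained
on constructed benign flows; an alert's per-feature reconstruction errors are
then converted into empirical p-values against held-out benign errors and the
features are ranked. Data and feature names are synthetic (not CICIDS2017)."""
import random

FEATURES = ["flow_duration", "fwd_packets", "bwd_packets", "bytes_per_packet"]
D, K = len(FEATURES), 2  # input width, bottleneck width (assumed for the demo)


def benign_flow(rng):
    """Constructed benign sample: two latent factors drive four correlated
    features (rank-2 structure plus small noise). Demo assumption only."""
    s1, s2 = rng.gauss(0, 1), rng.gauss(0, 1)
    base = [s1, 0.8 * s1 + 0.6 * s2, 0.6 * s1 - 0.8 * s2, s2]
    return [v + rng.gauss(0, 0.1) for v in base]


def fit_scaler(rows):
    """Per-feature mean/std from benign training rows (z-score scaling)."""
    n = len(rows)
    mean = [sum(r[j] for r in rows) / n for j in range(D)]
    std = [(sum((r[j] - mean[j]) ** 2 for r in rows) / n) ** 0.5 for j in range(D)]
    return mean, std


def scale(x, scaler):
    mean, std = scaler
    return [(x[j] - mean[j]) / std[j] for j in range(D)]


def train_autoencoder(rows, epochs=200, lr=0.02, seed=1):
    """Full-batch gradient descent on ||W^T W x - x||^2 (tied weights, K < D).
    Returns the K x D encoder matrix W; the decoder is its transpose."""
    rng = random.Random(seed)
    w = [[rng.uniform(-0.5, 0.5) for _ in range(D)] for _ in range(K)]
    n = len(rows)
    for _ in range(epochs):
        grad = [[0.0] * D for _ in range(K)]
        for x in rows:
            z = [sum(w[i][j] * x[j] for j in range(D)) for i in range(K)]
            r = [sum(w[i][j] * z[i] for i in range(K)) - x[j] for j in range(D)]
            wr = [sum(w[i][j] * r[j] for j in range(D)) for i in range(K)]
            for i in range(K):
                for j in range(D):
                    grad[i][j] += 2 * (z[i] * r[j] + wr[i] * x[j]) / n
        for i in range(K):
            for j in range(D):
                w[i][j] -= lr * grad[i][j]
    return w


def feature_errors(w, x):
    """Per-feature squared reconstruction error of one scaled sample."""
    z = [sum(w[i][j] * x[j] for j in range(D)) for i in range(K)]
    xh = [sum(w[i][j] * z[i] for i in range(K)) for j in range(D)]
    return [(xh[j] - x[j]) ** 2 for j in range(D)]


def feature_pvalues(err, calib_errs):
    """Empirical one-sided p-value per feature: share of held-out benign
    errors at least as large as the alert's error, with +1 smoothing so the
    floor is 1/(n+1) and no p-value is exactly zero."""
    n = len(calib_errs)
    return [(1 + sum(1 for c in calib_errs if c[j] >= err[j])) / (n + 1)
            for j in range(D)]


def explain_alert(flow, w, scaler, calib_errs):
    """Rank features by p-value; ties at the floor are broken by error size."""
    err = feature_errors(w, scale(flow, scaler))
    pv = feature_pvalues(err, calib_errs)
    order = sorted(range(D), key=lambda j: (pv[j], -err[j]))
    return [(FEATURES[j], pv[j], err[j]) for j in order]


def build_demo(seed=7):
    """Train on benign flows, calibrate on separate benign flows, craft an alert."""
    rng = random.Random(seed)
    train = [benign_flow(rng) for _ in range(200)]
    calib = [benign_flow(rng) for _ in range(200)]
    scaler = fit_scaler(train)
    w = train_autoencoder([scale(x, scaler) for x in train])
    calib_errs = [feature_errors(w, scale(x, scaler)) for x in calib]
    # Constructed alert: a benign-looking flow whose forward packet count is
    # far above what its other features predict (a flood-like shape).
    alert = benign_flow(rng)
    alert[1] += 5.0
    return alert, w, scaler, calib_errs


if __name__ == "__main__":
    alert, w, scaler, calib_errs = build_demo()
    for name, p, e in explain_alert(alert, w, scaler, calib_errs):
        print(f"{name:18s} p={p:.4f} sq_err={e:.3f}")
```

Two practitioner notes on what this toy run shows. First, the injected feature (`fwd_packets`) ranks first, but the correlated features `flow_duration` and `bytes_per_packet` also fall to the p-value floor: a reconstruction model spreads the residual of one corrupted input over every feature it is correlated with, so an analyst should read the top of the ranking as "the group of features that broke the benign pattern", not as a single root cause. Second, the calibration set must be benign traffic the auto-encoder never trained on; calibrating on the training rows underestimates benign error and inflates the apparent significance of every alert.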