Research On Intrusion Detection System From A Multidimensional Interpretability Perspective

The network environment has become more complex in recent years,and how to effectively secure the data of critical facilities has become an urgent issue to be solved.The intrusion detection system based on machine learning,as the current defense means against network attacks,has had a lot of relevant research and has shown good detection performance.However,machine learning algorithms themselves act as a black-box model,and researchers cannot fully understand their internal decision-making mechanisms.The problem of opaque decision making also poses a higher challenge to the security of machine learning-based intrusion detection systems.There have been some relevant studies on interpretable intrusion detection systems,but different interpretation methods give different views and also deviate from expert knowledge.Therefore,how to better improve the transparency of intrusion detection systems is a problem that needs further optimization based on the current available research.To address the above issues,in this paper,we propose an intrusion detection algorithm that fuses multiple interpretable methods.We effectively fuse three posterior interpretation methods,SHAP,LIME and DICE,using three evaluation metrics for assessing the performance of the interpretation methods as weight values to give an intrusion detection method with better performance in terms of stability,fidelity and complexity,and the final prediction interpretation is closer to expert knowledge.We conducted experimental evaluations using the NSL-KDD and UNSW-NB15 datasets,respectively,and discussed the performance of the interpretation under the three models of Random Forest,XGBoost and DNN.The experimental results show that for the NSLKDD dataset,the explanations given by our method under the XGBoost model for all four attacks correspond to an expert knowledge overlap of more than 60%,outperforming the SHAP,LIME,and DICE explanations alone.For the UNSW-NB15 dataset,the expert knowledge coincidence of our method for the four attacks under the DNN model is also improved by 38%,34%,55%,and 39% on average,respectively,compared to the other explanatory methods.Overall,our method achieves better explanatory results on both datasets compared to other interpretable intrusion detection methods.We further propose a method to refine the granularity of interpretation.We give correlation ratings of the explanatory quality of the data sample in the three dimensions of fidelity,stability and complexity,and give a refined explanation of the feature contribution for one of the scores that deviates significantly from the normal range,in order to show researchers how each feature affects the explanatory performance of a data sample in the three dimensions of fidelity,stability and complexity.We conducted experimental validation using the NSL-KDD dataset on a DNN model and selected data samples for case studies.The experimental results show that our approach is effective in giving a more granular explanation of the feature contribution to the data sample,describing in detail how each important feature affects the explanation quality.We further propose a method to refine the granularity of interpretation.We give a correlation rating of the explanatory quality of the data sample in three dimensions:fidelity,stability and complexity,and a refined feature contribution explanation for one of the scores that deviates significantly from the normal range,to show researchers how each feature affects the explanatory performance of a data sample in three dimensions:fidelity,stability and complexity.We used the NSL-KDD dataset for experimental validation on Random Forest,DNN and XGBoost and selected data samples for case studies.The experimental results show that our approach is effective in giving a more granular interpretation of the feature contribution to the data sample,describing in detail how each important feature affects the interpretation quality.