Conference proceeding
Rules Refine the Riddle: Global Explanation for Deep Learning-Based Anomaly Detection in Security Applications
Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp.4509-4523
ACM Conferences
CCS '24: ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, Utah, United States, 14/10/2024–18/10/2024)
02/12/2024
Abstract
Deep learning (DL) based anomaly detection has shown great promise in the field of security due to its remarkable performance in various tasks. However, the issue of poor interpretability in DL models has significantly impeded their deployment in practical security applications. Despite the progress made in existing studies on DL explanations, the majority of them focus on providing local explanations for individual samples, neglecting the global understanding of the model knowledge. Furthermore, most explanations for supervised models fail to apply to anomaly detection due to their different learning mechanisms.
In this work, we address the gap in the existing research by proposing GEAD, a novel global explanation for DL-based anomaly detection, to extract high-fidelity rules from DL models. We apply GEAD to two security applications, network intrusion detection and system log anomaly detection, and demonstrate the efficacy with three usages: comparing model knowledge with expert knowledge, identifying knowledge discrepancies between models, and combining model and expert knowledge. We provide several case studies to showcase how GEAD can significantly enhance existing anomaly detection systems. Moreover, we provide a real-world deployment in a SCADA system to showcase the potential in practice. Some important insights are drawn to help the community understand and improve anomaly detection systems in security.
Details
- Title
- Rules Refine the Riddle: Global Explanation for Deep Learning-Based Anomaly Detection in Security Applications
- Creators
- Dongqi Han (Tsinghua University); Zhiliang Wang (Tsinghua University); Ruitao Feng (Singapore Management University); Minghui Jin (State Grid Shanghai Municipal Electric Power Company, Shanghai, China); Wenqi Chen (Tsinghua University); Kai Wang (Tsinghua University); Su Wang (Zhongguancun Laboratory, Beijing, China); Jiahai Yang (Tsinghua University); Xingang Shi (Tsinghua University); Xia Yin (Tsinghua University); Yang Liu (Nanyang Technological University)
- Publication Details
- Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp.4509-4523
- Conference
- CCS '24: ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, Utah, United States, 14/10/2024–18/10/2024)
- Series
- ACM Conferences
- Publisher
- Association for Computing Machinery (ACM); New York, NY, United States
- Number of pages
- 15
- Grant note
- National Key R&D Program of China: 2022YFB3102902; National Natural Science Foundation of China: 62172251; National Research Foundation, Singapore, and Cyber Security Agency under its National Cybersecurity R&D Programme: NCRP25-P04-TAICeN
We are grateful to all the reviewers for their great effort and all the members from NMGroup, CNPT-Lab, and CSL. This work is supported by the National Key R&D Program of China under Grant 2022YFB3102902, the National Natural Science Foundation of China under Grant 62172251. This work is also partially supported by the National Research Foundation, Singapore, and the Cyber Security Agency under its National Cybersecurity R&D Programme (NCRP25-P04-TAICeN). Any opinions, findings and conclusions, or recommendations expressed in this material are those of the author(s) and do not reflect the views of National Research Foundation, Singapore and Cyber Security Agency of Singapore. Zhiliang Wang is the corresponding author of this paper.
- Identifiers
- 991013245550902368
- Copyright
- © 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.
- Academic Unit
- Faculty of Science and Engineering
- Language
- English
- Resource Type
- Conference proceeding