Malicious Network Traffic Detection via Deep Learning: An Information Theoretic View

TL;DR

This paper investigates how deep learning models for malicious network traffic detection interpret data using an information theoretic approach, revealing invariances and the importance of feature engineering.

Contribution

It introduces an information plane analysis to understand neural network representations and invariances, providing insights into feature engineering and model efficiency.

Findings

Mutual information remains invariant under homeomorphism.

Neural network representations are functionally similar despite coordinate differences.

Feature engineering significantly impacts neural network performance.

Abstract

The attention that deep learning has garnered from the academic community and industry continues to grow year over year, and it has been said that we are in a new golden age of artificial intelligence research. However, neural networks are still often seen as a "black box" where learning occurs but cannot be understood in a human-interpretable way. Since these machine learning systems are increasingly being adopted in security contexts, it is important to explore these interpretations. We consider an Android malware traffic dataset for approaching this problem. Then, using the information plane, we explore how homeomorphism affects learned representation of the data and the invariance of the mutual information captured by the parameters on that data. We empirically validate these results, using accuracy as a second measure of similarity of learned representations. Our results suggest that although the details of learned representations and the specific coordinate system defined over the manifold of all parameters differ slightly, the functional approximations are the same. Furthermore, our results show that since mutual information remains invariant under homeomorphism, only feature engineering methods that alter the entropy of the dataset will change the outcome of the neural network. This means that for some datasets and tasks, neural networks require meaningful, human-driven feature engineering or changes in architecture to provide enough information for the neural network to generate a sufficient statistic. Applying our results can serve to guide analysis methods for machine learning engineers and suggests that neural networks that can exploit the convolution theorem are equally accurate as standard convolutional neural networks, and can be more computationally efficient.