Creating an Explainable Intrusion Detection System Using Self Organizing Maps

TL;DR

This paper develops an explainable intrusion detection system using Self Organizing Maps that provides visual explanations for predictions, aiding security analysts in understanding AI-based alerts.

Contribution

It introduces a SOM-based X-IDS that offers both global and local explanations, enhancing interpretability of intrusion detection models.

Findings

Effective global explanations for IDS predictions.

Local explanations clarify individual data point decisions.

Comparable accuracy to traditional IDS models.

Abstract

Modern Artificial Intelligence (AI) enabled Intrusion Detection Systems (IDS) are complex black boxes. This means that a security analyst will have little to no explanation or clarification on why an IDS model made a particular prediction. A potential solution to this problem is to research and develop Explainable Intrusion Detection Systems (X-IDS) based on current capabilities in Explainable Artificial Intelligence (XAI). In this paper, we create a Self Organizing Maps (SOMs) based X-IDS system that is capable of producing explanatory visualizations. We leverage SOM's explainability to create both global and local explanations. An analyst can use global explanations to get a general idea of how a particular IDS model computes predictions. Local explanations are generated for individual datapoints to explain why a certain prediction value was computed. Furthermore, our SOM based X-IDS was evaluated on both explanation generation and traditional accuracy tests using the NSL-KDD and the CIC-IDS-2017 datasets.