Detection, Explanation and Filtering of Cyber Attacks Combining Symbolic and Sub-Symbolic Methods
Anna Himmelhuber, Dominik Dold, Stephan Grimm, Sonja Zillner, Thomas Runkler

TL;DR
This paper explores combining symbolic and sub-symbolic methods to improve explainability and reduce false positives in graph neural network-based cybersecurity intrusion detection systems.
Contribution
It introduces a novel approach that integrates symbolic knowledge with GNNs to enhance explainability and trust in cybersecurity alerts.
Findings
Generated intuitive explanations for diverse scenarios.
Reduced false positive alerts by 66%.
Achieved a 93% reduction when including the fidelity metric.
Abstract
Machine learning (ML) on graph-structured data has recently received deepened interest in the context of intrusion detection in the cybersecurity domain. Due to the increasing amounts of data generated by monitoring tools as well as more and more sophisticated attacks, these ML methods are gaining traction. Knowledge graphs and their corresponding learning techniques such as Graph Neural Networks (GNNs), with their ability to seamlessly integrate data from multiple domains using human-understandable vocabularies, are finding application in the cybersecurity domain. However, similar to other connectionist models, GNNs lack transparency in their decision making. This is especially important as there tends to be a high number of false positive alerts in the cybersecurity domain, such that triage must be done by domain experts, requiring a lot of manpower. Therefore, we are…
Taxonomy
Topics: Advanced Graph Neural Networks · Explainable Artificial Intelligence (XAI) · Topic Modeling
