FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis

TL;DR

FINER is a framework that enhances deep learning classifiers for risk detection by generating high-quality explanations, improving transparency, and aiding security analysis through multi-task learning and ensemble feature attribution methods.

Contribution

It introduces a novel explanation-guided multi-task learning approach and ensemble FA techniques to improve explanation fidelity and intelligibility in risk detection classifiers.

Findings

FINER improves explanation quality for risk detection.

FINER outperforms existing tools in malware analysis.

Enhanced transparency aids security experts in analysis.

Abstract

Deep learning classifiers achieve state-of-the-art performance in various risk detection applications. They explore rich semantic representations and are supposed to automatically discover risk behaviors. However, due to the lack of transparency, the behavioral semantics cannot be conveyed to downstream security experts to reduce their heavy workload in security analysis. Although feature attribution (FA) methods can be used to explain deep learning, the underlying classifier is still blind to what behavior is suspicious, and the generated explanation cannot adapt to downstream tasks, incurring poor explanation fidelity and intelligibility. In this paper, we propose FINER, the first framework for risk detection classifiers to generate high-fidelity and high-intelligibility explanations. The high-level idea is to gather explanation efforts from model developer, FA designer, and security experts. To improve fidelity, we fine-tune the classifier with an explanation-guided multi-task learning strategy. To improve intelligibility, we engage task knowledge to adjust and ensemble FA methods. Extensive evaluations show that FINER improves explanation quality for risk detection. Moreover, we demonstrate that FINER outperforms a state-of-the-art tool in facilitating malware analysis.