Explaining Tree Model Decisions in Natural Language for Network Intrusion Detection

TL;DR

This paper explores using large language models to generate explanations for decision tree-based network intrusion detection systems, improving interpretability and understanding of decision boundaries.

Contribution

It introduces a novel LLM-based explanation method for decision trees in NID and a human evaluation framework using quiz questions to assess explanation quality.

Findings

LLM explanations correlate highly with human ratings of readability and quality

LLM explanations enhance understanding of decision boundaries

Proposed evaluation framework effectively measures explanation interpretability

Abstract

Network intrusion detection (NID) systems which leverage machine learning have been shown to have strong performance in practice when used to detect malicious network traffic. Decision trees in particular offer a strong balance between performance and simplicity, but require users of NID systems to have background knowledge in machine learning to interpret. In addition, they are unable to provide additional outside information as to why certain features may be important for classification. In this work, we explore the use of large language models (LLMs) to provide explanations and additional background knowledge for decision tree NID systems. Further, we introduce a new human evaluation framework for decision tree explanations, which leverages automatically generated quiz questions that measure human evaluators' understanding of decision tree inference. Finally, we show LLM generated decision tree explanations correlate highly with human ratings of readability, quality, and use of background knowledge while simultaneously providing better understanding of decision boundaries.