Visually Analyze SHAP Plots to Diagnose Misclassifications in ML-based Intrusion Detection

TL;DR

This paper introduces a visual analysis method using overlapping SHAP plots to help security analysts diagnose false positives and negatives in ML-based intrusion detection systems, improving decision-making accuracy.

Contribution

It presents a novel explainable AI approach with visual SHAP plot analysis to identify misclassifications in intrusion detection, aiding analyst decision-making.

Findings

Effective identification of false positives and negatives using SHAP plots

Guidance for analysts on interpreting visual explanations

Validated on multiple network traffic datasets

Abstract

Intrusion detection has been a commonly adopted detective security measures to safeguard systems and networks from various threats. A robust intrusion detection system (IDS) can essentially mitigate threats by providing alerts. In networks based IDS, typically we deal with cyber threats like distributed denial of service (DDoS), spoofing, reconnaissance, brute-force, botnets, and so on. In order to detect these threats various machine learning (ML) and deep learning (DL) models have been proposed. However, one of the key challenges with these predictive approaches is the presence of false positive (FP) and false negative (FN) instances. This FPs and FNs within any black-box intrusion detection system (IDS) make the decision-making task of an analyst further complicated. In this paper, we propose an explainable artificial intelligence (XAI) based visual analysis approach using overlapping SHAP plots that presents the feature explanation to identify potential false positive and false negatives in IDS. Our approach can further provide guidance to security analysts for effective decision-making. We present case study with multiple publicly available network traffic datasets to showcase the efficacy of our approach for identifying false positive and false negative instances. Our use-case scenarios provide clear guidance for analysts on how to use the visual analysis approach for reliable course-of-actions against such threats.