A Comparative Analysis of DNN-based White-Box Explainable AI Methods in Network Security

TL;DR

This paper evaluates white-box XAI methods like LRP, IG, and DeepLift for neural network-based network intrusion detection, comparing their effectiveness and robustness against black-box methods across multiple datasets.

Contribution

It introduces an end-to-end framework for applying and assessing white-box XAI techniques in NIDS, providing comparative analysis and open-source tools.

Findings

White-box XAI methods show high robustness and completeness.

White-box methods outperform black-box in key security metrics.

Framework and source code are publicly available.

Abstract

New research focuses on creating artificial intelligence (AI) solutions for network intrusion detection systems (NIDS), drawing its inspiration from the ever-growing number of intrusions on networked systems, increasing its complexity and intelligibility. Hence, the use of explainable AI (XAI) techniques in real-world intrusion detection systems comes from the requirement to comprehend and elucidate black-box AI models to security analysts. In an effort to meet such requirements, this paper focuses on applying and evaluating White-Box XAI techniques (particularly LRP, IG, and DeepLift) for NIDS via an end-to-end framework for neural network models, using three widely used network intrusion datasets (NSL-KDD, CICIDS-2017, and RoEduNet-SIMARGL2021), assessing its global and local scopes, and examining six distinct assessment measures (descriptive accuracy, sparsity, stability, robustness, efficiency, and completeness). We also compare the performance of white-box XAI methods with black-box XAI methods. The results show that using White-box XAI techniques scores high in robustness and completeness, which are crucial metrics for IDS. Moreover, the source codes for the programs developed for our XAI evaluation framework are available to be improved and used by the research community.