Evaluating explainable AI for deep learning-based network intrusion detection system alert classification
Rajesh Kalakoti, Risto Vaarandi, Hayretdin Bahsi, and Sven Nõmm

TL;DR
This paper evaluates the effectiveness of various explainable AI methods in interpreting deep learning models for network intrusion detection alert classification, demonstrating DeepLIFT's superior performance and aligning explanations with SOC analysts' insights.
Contribution
It introduces a comprehensive framework for assessing XAI methods in NIDS alert classification and validates DeepLIFT as the most effective approach in this context.
Findings
DeepLIFT outperforms other XAI methods in faithfulness and robustness.
The explanations align well with SOC analysts' key features.
The framework effectively evaluates XAI methods for NIDS applications.
Abstract
A Network Intrusion Detection System (NIDS) monitors networks for cyber attacks and other unwanted activities. However, NIDS solutions often generate an overwhelming number of alerts daily, making it challenging for analysts to prioritize high-priority threats. While deep learning models promise to automate the prioritization of NIDS alerts, the lack of transparency in these models can undermine trust in their decision-making. This study highlights the critical need for explainable artificial intelligence (XAI) in NIDS alert classification to improve trust and interpretability. We employed a real-world NIDS alert dataset from the Security Operations Center (SOC) of TalTech (Tallinn University of Technology) in Estonia, developing a Long Short-Term Memory (LSTM) model to prioritize alerts. To explain the LSTM model's alert prioritization decisions, we implemented and compared four XAI…
