TY - JOUR
T1 - DEV-ETA
T2 - An Interpretable Detection Framework for Encrypted Malicious Traffic
AU - Yang, Luming
AU - Fu, Shaojing
AU - Wang, Yongjun
AU - Liang, Kaitai
AU - Mo, Fan
AU - Liu, Bo
PY - 2023
Y1 - 2023
N2 - Traffic encryption technology enables Internet users to protect their data secrecy, but it also brings a challenge to malicious package detection. To tackle this issue, researchers have investigated encrypted traffic analysis (ETA) in recent years. Existing works, however, only focus on the accuracy of malicious flow identification. Using ETA as a technical black box, they pay little attention to the internal details and explanation of models. In this paper, we, for the first time, introduce interpretable machine learning into ETA. We aim to provide a reasonable explanation for detection results, so as to enable one to understand and further trust network security analysts. We develop a complete analysis framework, named DEV-ETA (detection, explanation and verification of ETA). DEV-ETA applies post hoc interpretation methods to explain the detection results and verify the explanation using the joint distribution of support features on the dataset. We run thorough experiments to explain the detection result using three popular explanation approaches, namely SHAP, LIME and MSS, and we verify the explanation via the feature distribution plot. The experimental results show that our design can interpret the detection result of the ETA model instead of simply treating the model as a black box.
AB - Traffic encryption technology enables Internet users to protect their data secrecy, but it also brings a challenge to malicious package detection. To tackle this issue, researchers have investigated encrypted traffic analysis (ETA) in recent years. Existing works, however, only focus on the accuracy of malicious flow identification. Using ETA as a technical black box, they pay little attention to the internal details and explanation of models. In this paper, we, for the first time, introduce interpretable machine learning into ETA. We aim to provide a reasonable explanation for detection results, so as to enable one to understand and further trust network security analysts. We develop a complete analysis framework, named DEV-ETA (detection, explanation and verification of ETA). DEV-ETA applies post hoc interpretation methods to explain the detection results and verify the explanation using the joint distribution of support features on the dataset. We run thorough experiments to explain the detection result using three popular explanation approaches, namely SHAP, LIME and MSS, and we verify the explanation via the feature distribution plot. The experimental results show that our design can interpret the detection result of the ETA model instead of simply treating the model as a black box.
KW - encrypted traffic analysis
KW - interpretable machine learning
KW - malicious traffic detection
KW - support feature
UR - http://www.scopus.com/inward/record.url?scp=85165959755&partnerID=8YFLogxK
U2 - 10.1093/comjnl/bxac008
DO - 10.1093/comjnl/bxac008
M3 - Article
AN - SCOPUS:85165959755
SN - 0010-4620
VL - 66
SP - 1213
EP - 1227
JO - Computer Journal
JF - Computer Journal
IS - 5
ER -