基于稀疏自动编码器的可解释性异常流量检测

Explainable Anomaly Traffic Detection Based on Sparse Autoencoders

目前许多深度学习检测模型在各项指标上达到较好的效果,但是由于安全管理者不理解深度学习模型的决策依据,导致一方面无法信任模型的判别结果,另一方面不能很好地诊断和追踪模型的错误,这极大地限制了深度学习模型在该领域的实际应用。面对这样的问题,文章提出了一个基于稀疏自动编码器的可解释性异常流量检测模型(Sparse Autoencoder Based Anomaly Traffic Detection,SAE-ATD)。该模型利用稀疏自动编码器学习正常流量特征,并在此基础上引入了阈值迭代选取最佳阈值,以提高模型的检测率。模型预测完毕后,将预测结果的异常值送入解释器中,通过解释器对参考值进行迭代更新后,返回每个特征参考值和异常值的差值,并结合原始数据进行可解释性分析。文章在CICIDS2017数据集和CIRA-CIC-DoHBrw-2020数据集上进行实验,实验结果表明SAE-ATD在两个数据集上对大部分攻击检测的精确率和召回率达到99%,且能给模型提供可解释性。

Although many deep learning detection models achieve good results in various indicators,security managers do not understand the decision-making basis of deep models,on the one hand,they cannot trust the discrimination results of the model,and on the other hand,they cannot diagnose and track the errors of the model well,which greatly limit the practical application of deep learning models in this field.Faced with such a problem,this paper proposed a Sparse Autoencoder Based Anomaly Traffic Detection(SAE-ATD).The model used the sparse autoencoder to learn the normal traffic characteristics,and on this basis,a threshold was introduced to iteratively select the best threshold to improve the detection rate of the model.After the model was predicted,the outliers in the prediction results were fed into the explainer,and after iteratively updating the reference values through the explainer,the difference between each feature reference value and the outlier was returned,and interpretability analysis was carried out in combination with the original data.In this paper,experiments are carried out on the CICIDS2017 dataset and the CIRA-CICDoHBrw-2020 dataset,and the experimental results show that SAE-ATD has 99%accuracy and recall for most attacks detection on the two datasets,and can also provide explainability for the model.