XAI For Intrusion Detection System Comparing Explanations Based On Global and Local Scope
https://doi.org/10.1007/s11416-022-00441-2
ORIGINAL PAPER
Received: 6 January 2022 / Accepted: 14 June 2022 / Published online: 31 July 2022
© The Author(s), under exclusive licence to Springer-Verlag France SAS, part of Springer Nature 2022
Abstract

Intrusion Detection System is a device or software in the field of cybersecurity that has become an essential tool in computer networks to provide a secured network environment. Machine Learning based IDS offers a self-learning solution and provides better performance when compared to traditional IDS. As the predictive performance of IDS is based on conflicting criteria, the underlying algorithms are becoming more complex and hence, less transparent. Explainable Artificial Intelligence is a set of frameworks that help to develop interpretable and inclusive machine learning models. In this paper, we use Permutation Importance, SHapley Additive exPlanation, Local Interpretable Model-Agnostic Explanation algorithms, Contextual Importance and Utility algorithms, covering both global and local scope of explanation to IDSs on Random Forest, eXtreme Gradient Boosting and Light Gradient Boosting machine learning models along with a comparison of explanations in terms of accuracy, consistency and stability. This comparison can help cyber security personnel to have a better understanding of the predictions of cyber-attacks in the network traffic. A case study focusing on DoS attack variants shows some useful insights on the impact of features in prediction performance.

Keywords Intrusion detection system · RF · XGBoost · LightGBM · XAI · SHAP · LIME · Permutation importance · Contextual importance and utility
1 Introduction
123
218 S. Hariharan et al.
The rest of the paper is organized as follows. Section 2 provides the literature review; Sect. 3 provides an exploratory analysis of the dataset, Sect. 4 describes the explanation methods used, Sect. 5 provides the details of the experiments and discussion of results, Sect. 6 is a case study on NSL-KDD DoS attack variants and Sect. 7 is the discussion of results obtained. Sect. 8 concludes the paper.

2 Literature review

In this section, a background study on the research progress in IDS-based security using artificial intelligence and machine learning is undertaken. The other area covered in this literature review is the Explainable AI of models built for anomaly-based IDSs, which is vital for improving the practical deployment of AI-based solutions.

2.1 AI and machine learning for IDS

supporting these black box models have become a necessity because of certain reasons. Explainable results ensure data-driven decision-making and explainable reports facilitate improving the robustness of the model. Interpretability can guarantee that only contextually correct variables infer the output. The need for transparency in the new technology, like AI in health care, is discussed in the work of Sharma et al. [9]. In machine learning, these black box models are created directly from data by an algorithm. Hence, it is very difficult to understand how variables are being combined to make predictions, even if one has a list of the input variables [10].

Focus is on the dependency of accuracy on selecting different attack grouping options and the influence of initial preprocessing on accuracy by using Decision trees, Naive Bayes and Rule-Based classifiers with the NSL-KDD dataset [11]. Deshmukh and Padiya [12] describe a set of data preprocessing activities including feature selection and discretization by using Naive Bayes, NBTree and Hidden Naive Bayes on the NSL-KDD dataset.
3 Exploratory data analysis

Two data sets, namely the public network intrusion dataset available on the Kaggle site [25] and the NSL-KDD [26] dataset, are used for experimentation. The Kaggle IDS dataset provides a wide variety of intrusions simulated in a military network environment. It creates an environment by simulating a US Air Force LAN and acquiring raw TCP/IP dump data. The LAN was blasted with multiple attacks. A connection consists of TCP packets with starting and ending time duration, source IP address and target IP address under some well-defined protocol. Each connection is classified and named either as normal or attack. The NSL-KDD dataset is the benchmark for modern-day Internet traffic. Both the Kaggle IDS and NSL-KDD data sets contain 42 features per record, with 41 of the features referring to the traffic input, and the last one being the label.

The 41 features are classified as: 3 Symbolic features, 6 Binary features, and 32 Continuous features.

• Symbolic features: One hot encoder is used to convert categorical values to binary.
• Binary features: The binary values remain unchanged.
• Continuous features: Min-Max normalization was used to scale the continuous values in the [0-1] range.

Table 1 represents the splitting of the Kaggle and NSL-KDD datasets. The NSL-KDD dataset is used as a binary classification as well as a multi classification problem. After preprocessing the input features increased from 41 to 122 features [24] for multiclass recognition and the details are given in Table 2.

We have used google facets [27], an open-source visualization tool, to understand and analyse datasets. Facets consist of two visualization techniques:

• Facets Dive – allows exploring a set of observations in the dataset
• Facets Overview – provides an overview and understanding of the distribution of the various values across the features of the dataset.

Facets helps in identifying common data issues such as unexpected feature values, features with high percentages of missing values, and features with unbalanced distribution. Table 3 shows the facets overview visualization of 7 continuous features. The number highlighted in bold indicates possible trouble with the values; in this case, a numeric feature with a high percentage of values set to ‘0’ is highlighted.

Table 4 shows the percent of attack distribution in both training and test dataset. The training dataset is made up of 21 different attacks out of the 37 present in the test dataset. The attacks in the training dataset belonging to different attack families are:

• DOS: back, land, Neptune, pod, smurf, teardrop
• Probe: ipsweep, nmap, portsweep, satan
• R2L: Spy, warezclient, ftp-write, guesspasswd, imap, multihop, phf, warezmaster
• U2R: bufferflow, loadmodule, perl, rootkit

The attacks in the test dataset belonging to different attack families are:
• DOS: apache2, back, land, Mailbomb, Neptune, pod, processtable, smurf, teardrop, udpstorm
• Probe: ipsweep, mscan, nmap, portsweep, saint, satan
• R2L: Spy, ftp-write, guesspasswd, httptunnel, imap, multihop, named, phf, sendmail, snmpgetattack, warezmaster, xlock, xsnoop
• U2R: bufferflow, loadmodule, perl, ps, rootkit, snmpguess, sqlattack, worm, xterm

Table 4 NSL-KDD attack distribution on dataset

Training dataset              Testing dataset
Class    Distribution         Class    Distribution
Normal   67343                Normal   9711
DOS      45927                DOS      7458
Probe    11656                Probe    2421
R2L      995                  R2L      2754
U2R      52                   U2R      200
Total    125973               Total    22544

Correctly prepared data for processing guarantees precise and reliable results of data analysis.

Algorithm 1: Compute Permutation Importance of feature k
Require: Input: m - Trained Model, y - Target Vector, X - Feature Matrix
Ensure: Estimate the original model error Ori = E(y, m(X))
a. Generate the feature matrix X_perm by permuting feature k in the data X. This breaks the association between feature k and the true outcome y.
b. Estimate the error Perm = E(y, m(X_perm)) based on the predictions of the permuted data.
c. Calculate the permutation feature importance PI_k = Perm / Ori. Alternatively, the difference can be used: PI_k = Perm − Ori. We are using PI_k = Perm / Ori.
Sort features by descending PI.

It is based on the concept that randomly shuffling a single column should cause a loss of accurate predictions since the resulting data no longer corresponds to the original observed target value. Model accuracy especially suffers if we shuffle a column that the model depended on heavily for predictions. For stability of the results, any number from 50 to 100 permutations is recommended [16].
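As an added example (not code from the paper), Algorithm 1 above in plain Python, with the ratio form PI_k = Perm / Ori repeated several times so that a mean and a standard deviation can be reported per feature, the "weight ± std" shape of Tables 5 and 6. The model, the feature names and the data are constructed: the "trained model" is a fixed threshold rule, so nothing beyond the standard library is needed. The example also covers the case Algorithm 1 leaves implicit: a model with zero original error makes the ratio undefined, and the difference form is the way out.

```python
# Added example, not from the paper: Algorithm 1 (permutation importance with
# PI_k = Perm / Ori) implemented in plain Python. The model, feature names and
# data are constructed: the "trained model" is a fixed threshold rule so the
# example runs without scikit-learn or eli5.
import random
import statistics
from typing import Callable, Dict, List, Sequence

FEATURES = ["src_bytes", "dst_bytes", "noise"]  # constructed feature names
Model = Callable[[Sequence[Sequence[float]]], List[int]]


def rule_model(rows: Sequence[Sequence[float]]) -> List[int]:
    """Stand-in for a trained classifier: predicts 1 (attack) when src_bytes > 0.5.
    It never looks at dst_bytes or noise, so permuting those must not change Perm."""
    return [1 if r[0] > 0.5 else 0 for r in rows]


def error_rate(y_true: Sequence[int], y_pred: Sequence[int]) -> float:
    """E(y, m(X)) of Algorithm 1, here the misclassification rate."""
    return sum(a != b for a, b in zip(y_true, y_pred)) / len(y_true)


def make_dataset(n: int = 400, seed: int = 1):
    """Constructed data: the label follows the src_bytes rule with 10% label
    noise, so the original error Ori is small but not zero."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        row = [rng.random() for _ in FEATURES]
        label = 1 if row[0] > 0.5 else 0
        if rng.random() < 0.1:
            label = 1 - label
        X.append(row)
        y.append(label)
    return X, y


def permutation_importance(model: Model, X, y, n_repeats: int = 50,
                           seed: int = 0, mode: str = "ratio") -> Dict[str, Dict[str, float]]:
    """Steps a-c of Algorithm 1 for every feature, repeated n_repeats times;
    returns mean and std of PI_k per feature (the 'weight +/- std' eli5 prints)."""
    rng = random.Random(seed)
    ori = error_rate(y, model(X))                    # Ori = E(y, m(X))
    if mode == "ratio" and ori == 0.0:
        # A model with zero error makes Perm/Ori undefined; the paper's
        # alternative, the difference Perm - Ori, still works in that case.
        raise ValueError("Ori = 0, the ratio form is undefined; use mode='difference'")
    result = {}
    for k, name in enumerate(FEATURES):
        column = [r[k] for r in X]
        scores = []
        for _ in range(n_repeats):
            shuffled = column[:]
            rng.shuffle(shuffled)                    # step a: permute feature k only
            X_perm = [list(r[:k]) + [v] + list(r[k + 1:]) for r, v in zip(X, shuffled)]
            perm = error_rate(y, model(X_perm))      # step b: Perm = E(y, m(X_perm))
            scores.append(perm / ori if mode == "ratio" else perm - ori)  # step c
        result[name] = {"mean": statistics.mean(scores),
                        "std": statistics.pstdev(scores)}
    return result


def ranked(result: Dict[str, Dict[str, float]]) -> List[str]:
    """Features sorted by descending PI, as the last line of Algorithm 1 asks."""
    return sorted(result, key=lambda n: result[n]["mean"], reverse=True)


if __name__ == "__main__":
    X, y = make_dataset()
    pi = permutation_importance(rule_model, X, y)
    for name in ranked(pi):
        print(f"{pi[name]['mean']:.4f} ± {pi[name]['std']:.4f}  {name}")
```

A feature the model ignores yields exactly the same predictions after shuffling, so its ratio is exactly 1.0 with zero spread; that is the baseline against which the scores in Tables 5 and 6 should be read, since a ratio close to 1 means the model does not rely on that column.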
Algorithm 2: Compute Shapley value of feature j [30]
Result: $\phi_j$, Shapley value for the value of the j-th feature
Input: number of iterations K, instance of interest x, feature index j, number of features p, data matrix X, and machine learning model g;
for k = 1, ..., K do
    Draw a random instance t from the data matrix X;
    Choose a random permutation λ of the feature values;
    Order instance x: $x_\lambda = (x_{(1)}, \ldots, x_{(j)}, \ldots, x_{(p)})$, i.e. order the feature values of instance x according to the random permutation λ;
    Order instance t: $t_\lambda = (t_{(1)}, \ldots, t_{(j)}, \ldots, t_{(p)})$, i.e. order the feature values of the random instance t according to the random permutation λ;
    Construct two new instances:
    With feature j: $x_{+j} = (x_{(1)}, \ldots, x_{(j-1)}, x_{(j)}, t_{(j+1)}, \ldots, t_{(p)})$; the new instance contains the feature values of x up to the j-th feature and the remaining feature values from instance t, while keeping the order of the permutation;
    Without feature j: $x_{-j} = (x_{(1)}, \ldots, x_{(j-1)}, t_{(j)}, t_{(j+1)}, \ldots, t_{(p)})$; the new instance contains the feature values of x up to the (j−1)-th feature and, from the j-th feature on, the values of instance t, while keeping the order of the permutation;
    Compute the marginal contribution $\phi_j^k = \hat{g}(x_{+j}) - \hat{g}(x_{-j})$, where $\hat{g}(\cdot)$ is the output of the machine learning model;
end
Compute the Shapley value as the average: $\phi_j(x) = \frac{1}{K} \sum_{k=1}^{K} \phi_j^k$

Two new feature vectors are created by combining values of the instance of interest x and the random instance t. The instance $x_{+j}$ is the instance of interest, but all feature values in the order after the j-th feature are replaced by feature values from the sample t. The instance $x_{-j}$ is the same as $x_{+j}$, but feature j and the other features in order are replaced by the value for feature j and the values of the other features in order from the sample t. The difference in the prediction from the black box is computed and all the differences are averaged. This process is repeated for each and every feature, to find out its Shapley value.

4.3 Local interpretable model-agnostic explanations (LIME)

LIME, proposed by Ribeiro et al. [17], uses a surrogate model to provide local explanations. LIME explains a model by inspecting the changes that happen to the predictions when the model is given variations of the data. It generates a new dataset having perturbed samples and the corresponding predictions of the black box model. This perturbed dataset is used for training the interpretable model, which is weighted by the proximity of the sampled instances to the instance of interest. The interpretability of local surrogate models with constraints can be represented as given in Eq. 1.

$E_p(x) = \arg\min_{g \in G} L(f, g, \pi_x) + \Omega(g)$ (1)

$E_p(x)$ is the function representing the explanation of our sample of interest x and it tries to minimise the loss L due to mean squared error. In other words, it measures how close the explanation model g is to the prediction of the original model f, while maintaining the model complexity $\Omega(g)$ low. $\pi_x$ is the proximity measure, representing how large the neighborhood around instance x is.

4.4 Contextual importance and utility (CIU)

The Contextual Importance and Utility (CIU) algorithm comprises two algorithms to explain the model predictions, and its working is based on decision-making theory [30], [31]. This algorithm is based on the fact that the significance of a feature and its utility change with respect to other feature values. So, the Contextual Importance (CI) approximates the overall importance of a feature in the current context, and the Contextual Utility (CU) provides an estimation of how favorable or not the current feature value is for a given output class. A Context C defines the input values x that describe the current situation or instance to be explained. CI and CU are defined as follows:

$CI = \frac{\max_x(C_i) - \min_x(C_i)}{ABS\max_x - ABS\min_x}$ (2)

$CU = \frac{y_i - \min_x(C_i)}{\max_x(C_i) - \min_x(C_i)}$ (3)

• $\max_x(C_i)$ and $\min_x(C_i)$ are the highest and the lowest prediction values observed by varying the value of the features x
• $ABS\max_x$ and $ABS\min_x$ specify the value range over all predictions,
• $C_i$ is the context such as the feature or set of features being studied, where i is the prediction value.
• $y_i$ is the instance-specific prediction value.

The CIU algorithm is given as Algorithm 3:
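Before Algorithm 3, an added example (not code from the paper) of the sampling procedure in Algorithm 2 above, in plain Python. The black box g, the background data matrix X and the instance of interest x are constructed; g is made additive so that the Monte-Carlo estimate can be checked against the closed form $w_j (x_j - \bar{t}_j)$, and against the efficiency property that the values add up to $g(x)$ minus the mean prediction over the background.

```python
# Added example, not from the paper: Algorithm 2 (Monte-Carlo Shapley sampling)
# in plain Python. The black box g, the background data matrix X and the
# instance of interest x are constructed; g is additive so the estimate can be
# checked against the closed form w_j * (x_j - mean_t t_j).
import random
from typing import Callable, List, Sequence

Vector = Sequence[float]


def additive_model(v: Vector) -> float:
    """Constructed black box g(x) = 2*x0 + 3*x1 + 0*x2; feature 2 is ignored."""
    return 2.0 * v[0] + 3.0 * v[1] + 0.0 * v[2]


def shapley_sampling(g: Callable[[Vector], float], x: Vector, X: Sequence[Vector],
                     j: int, K: int = 4000, seed: int = 0) -> float:
    """phi_j(x) = (1/K) * sum_k [ g(x_{+j}) - g(x_{-j}) ].
    Each iteration draws a background instance t and a random permutation lambda.
    Features placed before j in lambda take x's values; feature j takes x_j in
    x_{+j} and t_j in x_{-j}; features after j take t's values in both. The
    vectors are kept in the original index order: g only cares about which
    features come from x, not about the order lambda imposes."""
    rng = random.Random(seed)
    p = len(x)
    total = 0.0
    for _ in range(K):
        t = rng.choice(X)
        lam = list(range(p))
        rng.shuffle(lam)
        before_j = lam[: lam.index(j)]
        x_plus = list(t)
        x_minus = list(t)
        for idx in before_j:
            x_plus[idx] = x[idx]
            x_minus[idx] = x[idx]
        x_plus[j] = x[j]                     # with feature j
        total += g(x_plus) - g(x_minus)      # marginal contribution phi_j^k
    return total / K


def explain(g, x, X, K=4000, seed=0) -> List[float]:
    """Shapley value of every feature of x (one independent sampling run each)."""
    return [shapley_sampling(g, x, X, j, K, seed + j) for j in range(len(x))]


# Constructed background data (rows of X) and instance to explain.
BACKGROUND = [[0.0, 0.0, 0.0], [1.0, 1.0, 1.0], [0.5, 0.2, 0.9], [0.2, 0.8, 0.4]]
INSTANCE = [1.0, 1.0, 1.0]

if __name__ == "__main__":
    phi = explain(additive_model, INSTANCE, BACKGROUND)
    for j, value in enumerate(phi):
        print(f"feature {j}: phi = {value:.3f}")
    # Efficiency check: the values should add up to g(x) minus the mean g(t).
    mean_t = sum(additive_model(t) for t in BACKGROUND) / len(BACKGROUND)
    print(f"sum phi = {sum(phi):.3f}, g(x) - mean g(t) = {additive_model(INSTANCE) - mean_t:.3f}")
```

The ignored feature gets a value of exactly zero because $x_{+j}$ and $x_{-j}$ differ only in that feature; for the other two the estimate fluctuates around 1.15 and 1.5 with K = 4000 draws, which is the kind of sampling noise that makes the paper's "stability" comparison of local explanations necessary in the first place.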
Algorithm 3: Compute Contextual Importance and Utility [27]
Result: CI, CU (Contextual Importance and Utility)
Initialization: C is the context of the input values x, prediction value i, data matrix K, and machine learning model g
for k = 1, ..., K do
    compute the prediction $g_k(x)$;
    compute $\max_x(C_i)$;
    compute $\min_x(C_i)$;
    compute $ABS\max_x$;
    compute $ABS\min_x$;
    $CI = \frac{\max_x(C_i) - \min_x(C_i)}{ABS\max_x - ABS\min_x}$;
    $CU = \frac{y_i - \min_x(C_i)}{\max_x(C_i) - \min_x(C_i)}$;
end

4.5 Methodology to compare explanations

Both the global explanation methods, PI and SHAP, provide the feature importance of all the input features. We have considered the top 15 features from the list, and compared the accuracy by applying them to the RF model and the XGBoost model.

Both the local explanation methods, SHAP and LIME, provide instance-based feature importance. For the comparison of local explanations, we are using Lipschitz continuity [32], a robustness measure for a local explanation, by considering not just the single point, but also its neighbourhood. The method to obtain the Lipschitz constant is given in equations 4 and 5. We quantify the explanation model f in terms of its Lipschitz constant L, on the test data set X, for every point $x_i$ of interest as an optimization problem. $X = \{x_i\}_{i=1}^{n}$ denotes a sample of input.

$N_\varepsilon(x_i) = \{ x_j \in X \mid \|x_i - x_j\| \le \varepsilon \}$ (4)

where $N_\varepsilon(x_i)$ is a ball of radius $\varepsilon$ centered at $x_i$, for every $x_i \in X$.

$\hat{L}(x_i) = \operatorname{argmax}_{x_j \in N_\varepsilon(x_i)} \frac{\|f(x_i) - f(x_j)\|}{\|x_i - x_j\|}$ (5)

Table 5 Permutation importance score using RF model on NSL-KDD Binary classification dataset

Weight            Feature
0.0192 ± 0.0014   src_bytes
0.0153 ± 0.0007   Protocal_type_icmp
0.0092 ± 0.0014   logged_in
0.0081 ± 0.0006   Protocal_type_tcp
0.0079 ± 0.0005   hot
0.0071 ± 0.0008   dst_host_same_src_port_rate
0.0061 ± 0.0007   srv_serror_rate
0.0053 ± 0.0009   dst_bytes
0.0051 ± 0.0006   dst_host_srv_serror_rate
0.0041 ± 0.0002   serror_rate
0.0039 ± 0.0006   dst_host_serror_rate
0.0038 ± 0.0015   dst_host_same_srv_rate
0.0037 ± 0.0006   srv_count
0.0027 ± 0.0010   count
0.0023 ± 0.0011   dst_host_srv_rerror_rate

The list of libraries used in the ML algorithms and XAI methods is included here:

Machine Learning Algorithm:

• Random Forest classifier - Scikit learn
• XGBoost - Scikit learn
• Light Gradient Boosting - Scikit learn

XAI methods:

• Permutation Importance - eli5 library
• SHapley Additive exPlanations - shap python package
• Local Interpretable Model Agnostic Explanations - lime python package
• Contextual Importance and Utility - Py-CIU python library
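The following is an added example (not code from the paper, nor the lime or shap packages) that ties Eq. 1 to Eqs. 4 and 5: it fits a LIME-style local linear surrogate around an instance with a proximity kernel $\pi_x$, then treats the surrogate's weight vector as the explanation $f(x_i)$ of Eq. 5 and estimates $\hat{L}(x_i)$ over the $\varepsilon$-ball of Eq. 4. The black box, the test points, the perturbation scale, the kernel width and $\varepsilon$ are all constructed.

```python
# Added example, not from the paper: a LIME-style local surrogate as in Eq. 1
# (G = linear models, pi_x = exponential kernel on distance) and the Lipschitz
# stability estimate of Eqs. 4-5 applied to that surrogate. The black box f,
# the test points X, sigma, kernel width and epsilon are all constructed.
import math
import random
from typing import Callable, List, Optional, Sequence

Vector = List[float]


def black_box(v: Sequence[float]) -> float:
    """Constructed black box f: logistic score over two scaled features."""
    z = 4.0 * v[0] - 3.0 * v[1] + 0.5
    return 1.0 / (1.0 + math.exp(-z))


def solve(A: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan solve of the small dense system A w = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        pivot = M[c][c]
        if abs(pivot) < 1e-12:
            raise ValueError("singular normal equations: too few or degenerate samples")
        M[c] = [v / pivot for v in M[c]]
        for r in range(n):
            if r != c:
                factor = M[r][c]
                M[r] = [rv - factor * cv for rv, cv in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]


def lime_explain(f, x: Sequence[float], n_samples: int = 500, sigma: float = 0.3,
                 kernel_width: float = 0.5, seed: int = 0) -> List[float]:
    """Eq. 1 with a linear g: perturb x, label the perturbations with f, weight
    each by pi_x(z) = exp(-||x - z||^2 / width^2), and fit weighted least squares.
    Returns [intercept, w_0, ..., w_{p-1}]. The complexity term Omega(g) is held
    fixed by restricting g to a linear model, which is what keeps it readable."""
    rng = random.Random(seed)
    p = len(x)
    rows, targets, weights = [], [], []
    for _ in range(n_samples):
        z = [xi + rng.gauss(0.0, sigma) for xi in x]
        d = math.dist(x, z)
        rows.append([1.0] + z)
        targets.append(f(z))
        weights.append(math.exp(-(d * d) / (kernel_width ** 2)))
    n = p + 1
    A = [[sum(w * r[a] * r[b] for w, r in zip(weights, rows)) for b in range(n)]
         for a in range(n)]
    rhs = [sum(w * r[a] * t for w, r, t in zip(weights, rows, targets)) for a in range(n)]
    return solve(A, rhs)


def neighbourhood(X: Sequence[Vector], xi: Vector, eps: float) -> List[Vector]:
    """Eq. 4: N_eps(x_i) = {x_j in X : ||x_i - x_j|| <= eps}; x_i itself and exact
    duplicates (zero distance) are left out so Eq. 5 never divides by zero."""
    return [xj for xj in X if 0.0 < math.dist(xi, xj) <= eps]


def lipschitz_estimate(explain: Callable[[Vector], List[float]], X: Sequence[Vector],
                       xi: Vector, eps: float) -> Optional[float]:
    """Eq. 5: the largest ||e(x_i) - e(x_j)|| / ||x_i - x_j|| over the eps-ball.
    Returns None when the ball holds no other point: with eps too small the
    estimate carries no information and should not be reported as 0."""
    nbrs = neighbourhood(X, xi, eps)
    if not nbrs:
        return None
    ei = explain(xi)
    return max(math.dist(ei, explain(xj)) / math.dist(xi, xj) for xj in nbrs)


def coefficients(v: Vector) -> List[float]:
    """Explanation e(x): the surrogate's feature weights (intercept dropped)."""
    return lime_explain(black_box, v)[1:]


# Constructed test points (already min-max scaled, as in the paper's pipeline).
POINTS = [[0.0, 0.0], [0.1, 0.0], [0.0, 0.1], [1.0, 1.0]]

if __name__ == "__main__":
    print("local weights at (0,0):", [round(w, 3) for w in coefficients(POINTS[0])])
    print("L_hat at (0,0), eps=0.2:", lipschitz_estimate(coefficients, POINTS, POINTS[0], 0.2))
    print("L_hat at (0,0), eps=0.05:", lipschitz_estimate(coefficients, POINTS, POINTS[0], 0.05))
```

The surrogate's weights have the sign of the black box's local slope (positive for the first feature, negative for the second), and the Lipschitz estimate is a single non-negative number per point: the larger it is, the more the explanation changes between neighbouring instances, which is the instability the comparison in this section is after. The choice of $\varepsilon$ matters; an empty ball is reported as undefined rather than as zero.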
5.1 Global interpretability
Table 6 Permutation importance score using RF model on Kaggle Binary classification dataset

Weight            Feature
0.0058 ± 0.0008   dst_host_count
0.0040 ± 0.0012   dst_bytes
0.0032 ± 0.0010   dst_host_same_src_port_rate
0.0029 ± 0.0005   src_bytes
0.0026 ± 0.0011   service_private
0.0010 ± 0.0003   dst_host_diff_srv_rate
0.0008 ± 0.0002   hot
0.0008 ± 0.0006   dst_host_srv_count
0.0005 ± 0.0004   count
0.0005 ± 0.0006   dst_host_same_srv_rate
0.0005 ± 0.0004   srv_count
0.0004 ± 0.0001   service_ftp_data
0.0004 ± 0.0001   num_compromised
0.0004 ± 0.0001   Protocal_type_icmp
0.0003 ± 0.0003   dst_host_rerror_rate

reliable technique without the need to retrain the model at each modification of the dataset. However, it is more computationally expensive than the default feature importance and permutation importance, and is known to overestimate the importance of correlated predictors.

We have iterated the permutation ranging from 10 to 500, for the three datasets individually, to obtain a stabilized top 15 features, which will be used in the comparison.

Figures 2 and 3 are the SHAP summary plots on the NSL-KDD dataset with multiclass classification and binary classification respectively, where the X-axis is marked with the mean SHAP value and the Y-axis lists the features in ascending order of importance. The top 3 features for the binary classification dataset using the RF model are logged_in, dst_host_error_rate and dst_host_diff_srv_rate. The top 3 features for the multiclass classification dataset using the RF model are flag_S0, dst_host_rerror_rate and logged_in.

Figure 4 shows the SHAP summary plot on the Kaggle binary classification dataset. The top 3 features using the RF Model are src_bytes, dst_bytes and flag_s0.
5.2 Local interpretability

LIME and SHAP are used to provide a local scope of explanation for any specific instance. Figure 6 shows the SHAP explanation of a misclassified sample, where an attack is classified as normal.

Figure 5 shows the SHAP explanation of a misclassified sample, which is an anomaly. It is observed that the predicted SHAP value for an instance misclassified as anomaly in the validation dataset is 0.89. Figure 6 shows the SHAP explanation of a correctly classified sample, which is normal. It is observed that the predicted SHAP value for an instance classified as normal in the validation dataset is 0.89, whereas the base value is 0.568. Feature values that cause an increase in predictions are shown in black. Their visual size shows the magnitude of the feature’s effect. Feature values that cause a decrease in the prediction are in gray. The biggest impact is for the feature logged_in = 1. Also, the service_http value has a meaningful effect in decreasing the prediction. It can be noted that if we subtract the length of the black bars from the length of the gray bars, it equals the distance from the base value to the output.

The LIME explanation of a sample correctly classified as normal is shown in Figs. 7 and 8 for the NSL-KDD and Kaggle datasets respectively. The feature values that contribute to the prediction being normal are shown in black, while the features that contribute to predicting an anomaly are shown in gray. In Fig. 7 service_provider, logged_in and wrong_fragment contribute to the normal prediction and flag_S3, flag_SF and service_Idap contribute to the anomaly prediction. In Fig. 8 service_pop_2, logged_in and dst_bytes contribute to the normal prediction and service_printer and count contribute to the anomaly prediction.

5.2.1 Contextual importance and utility local explanation

This section provides explanations for a decision made by a Random forest model on the NSL-KDD dataset, for binary
classification. A specific instance or group of instances can be taken from the dataset to represent the current outcome of the model or a specific context. Figs. 9 and 10 explain the model based on the CIU algorithm. For this particular example we have selected the features src_bytes and dst_bytes to quantify the influence of the interaction between these two features. The two features are combined and represented as a new feature called new_impact. Both the figures show how differently both the instances change with the new_impact feature.

5.2.2 Comparison of SHAP and LIME based on consistency and stability

We define consistency by comparing explanations between similar instances for two different models. Figures 11
be better explored using global explanation based on binary and multiclass classification. The most important features selected using SHAP and Permutation Importance as global methods in turn reduce the complexity of the classification algorithms. Comparison of the detection of the same attack variant using two different models, namely Random forest and LightGBM, increases the trustworthiness of the system. Local explanations such as LIME and CIU contribute to the study of the feature importance of specific DoS attacks such as land and neptune. Security analysts can make use of the explanations to explore the relationship between the values of features and specific attack types. Furthermore, analysis of explanations regarding a particular DoS attack variant in terms of stability and consistency has been done to keep the trust of the end users of the Internet.

We have formed a subset of the training as well as the test data set from the NSL-KDD train and test data respectively by selecting the instances of normal and DoS attack variants only. Table 11 explains the information regarding the NSL-KDD DoS attack only dataset. In the training set, 67343 connections are labeled as ‘normal’ and the rest of 45927 connections are labeled as ‘DoS’ attack. In the test set, 9711 connections are ‘normal’ and 7460 connections are ‘DoS’. Experiments are done in three different phases based on the abstract diagram shown in Fig. 1. In the first phase, two-class and multi-class classifications are performed using the Random forest and LightGBM algorithms. The performance metrics such as accuracy, precision, recall and F-measure are evaluated. In the second phase global and local explanations are generated using PI, SHAP and LIME. Then these explanation methods are compared based on the aspect of global and local explanations generated. Global explanations mainly highlight the feature importance of predictions caused by the corresponding model. Hence, we use the important features recognised by these methods to retrain the model and the performance metrics are evaluated. It is done for both binary and multi-class classification using LightGBM and Random forest. Then the local explanations generated by LIME and SHAP are compared based on consistency and stability aspects. In the third phase, we have used CIU to generate explanations as justifications that can be produced before intended clients who wish to know the details of predictions of DoS attacks.
[Figure residue; only fragments are recoverable: "… for comparison and the figure lists the top twelve fea…", "SHAP", "… both the cases that positively and negatively impact the pre…", "ML model"]
Table 9 Comparison of NSL-KDD instances with SHAP and LIME Explainable method using RF Model (Case 2)

ML model: Random forest; XAI method: SHAP
  Same instance: Actual Classification: normal; Model Prediction: normal; Prediction Probability: 89%
  Number of features having positive effect: 46; negative effect: 12; no effect: 64
  Top 3 features with positive effect: logged_in, dst_host_srv_count, dst_host_serror_rate
  Top 3 features with negative effect: service_http, flag_RSTOS0, flag_SF

ML model: Random forest; XAI method: LIME
  Same instance: Actual Classification: normal; Model Prediction: normal; Prediction Probability: 89%
  Number of features having positive effect: 60; negative effect: 48; no effect: 14
  Top 3 features with positive effect: service_private, logged_in, service_IRC
  Top 3 features with negative effect: flag_SF, flag_S2, service_domain_u

Conclusion: The features that have a positive effect on the RF model using the LIME explanation for the prediction are 71% of those of the RF model using the SHAP explanation with a positive effect on the prediction. The features that have a negative effect on the RF model using the LIME explanation for the prediction are 75% of those of the RF model using the SHAP explanation with a negative effect on the prediction.
Table 10 Comparison of NSL-KDD instances with LIME Explainable method using RF Model and XGBoost (Case 3)

ML model: Random forest; XAI method: LIME
  Same instance: Actual Classification: normal; Model Prediction: normal; Prediction Probability: 89%
  Number of features having positive effect: 60; negative effect: 48; no effect: 14

Conclusion: The features that have a positive effect using the LIME explanation on the RF model for the prediction are 61% of those of the LIME explanation with a positive effect on the prediction using the XGBoost model. The features that have a negative effect using the LIME explanation on the RF model for the prediction are 50% of those of the LIME explanation with a negative effect on the prediction using the XGBoost model.
Table 11 Description of NSL-KDD DoS attack only dataset along with encoded label details

Type of classification   Train    Test    Total    Target
Binary                   113270   17171   130441   DoS: 0, normal: 1
Multi-class              113270   17171   130441   apache2: 0, back: 1, land: 2, mailbomb: 3, neptune: 4, normal: 5, pod: 6, processtable: 7, smurf: 8, teardrop: 9, udpstorm: 10, worm: 11
Table 12 PI of features on NSL-KDD DoS attack variants using LightGBM Binary classification

Weight            Feature
0.2220 ± 0.0038   src_bytes
0.0321 ± 0.0011   protocol
0.0088 ± 0.0005   serror_rate
0.0080 ± 0.0006   flag
0.0037 ± 0.0011   count
0.0034 ± 0.0009   dst_bytes
0.0028 ± 0.0010   same_srv_rate
0.0016 ± 0.0005   srv_count
0.0012 ± 0.0008   wrong_fragment
0.0005 ± 0.0002   dst_host_srv_rerror_rate
0.0004 ± 0.0003   dst_host_srv_serr_rate
0.0003 ± 0.0003   dst_host_rerror_rate
0.0002 ± 0.0005   dst_host_serror_rate
0.0002 ± 0.0002   dst_host_same_src_port_rate
0.0001 ± 0.0001   num_compromised

Table 13 PI of features on NSL-KDD DoS attack variants using LightGBM multi-class classification

Weight            Feature

Consistency of LIME and SHAP describes how much the explanations agree with each other regarding LightGBM and Random forest. Figures 18 and 19 represent the consistency in explanations for making predictions of similar instances labeled as normal. The scale here represents the model prediction. The output value is the calculated prediction for a particular instance. The base value is the value that would be predicted if we did not know any features for the current output [15]. This is the mean of the predictions of the test data. Features shown in gray push the prediction to higher values but the features shown in black push the prediction to lower values. The width of the coloured arrows shows how influential the feature is.

In Fig. 18 the base value of the prediction is around 0.6 and the actual prediction value is 1.19. The feature value diff_srv_rate=0.0 influences the prediction positively. However, the feature in black, i.e. serror_rate=0.0, pushes the prediction in the opposite direction. Fig. 19 explains the LightGBM model in predicting the same instance. The features that positively impact the predictions are almost the same in both cases. Figures 16 and 17 explain the consistency of LIME regarding Random forest and LightGBM respectively.
Table (caption and column headings missing): per row, the dataset and model, the feature set, and four metric values

NSL-KDD(DoS) Binary dataset on RF Model          All features               0.884   0.90   0.88   0.88
                                                 Top 15 features from PI    0.908   0.92   0.91   0.91
                                                 Top 15 features from SHAP  0.902   0.91   0.90   0.90
NSL-KDD(DoS) Binary dataset on LightGBM Model    All features               0.90    0.91   0.90   0.90
                                                 Top 15 features from PI    0.92    0.93   0.92   0.92
                                                 Top 15 features from SHAP  0.902   0.91   0.90   0.90
NSL-KDD(DoS) Multiclass dataset on RF Model      All features               0.886   0.81   0.89   0.85
                                                 Top 15 features from PI    0.894   0.81   0.89   0.85
                                                 Top 15 features from SHAP  0.893   0.81   0.89   0.85
NSL-KDD(DoS) Multiclass dataset on LightGBM Model All features              0.89    0.81   0.89   0.84
                                                 Top 15 features from PI    0.894   0.81   0.89   0.85
                                                 Top 15 features from SHAP  0.893   0.81   0.89   0.85

plots show the features with influence above 50%. A specific instance or group of instances can be taken from the dataset to represent the current outcome of the model or a specific context. CIU can assess the effects of feature interaction. For this particular example we have selected the features src_bytes and dst_bytes to quantify the influence of the interaction between these two features. The two features are combined and represented as a new feature called Feature_int1. Similarly the features wrong_fragment and num_failed_logins are selected for assessing the feature interaction and are represented as Feature_int2. This bar plot can answer “why is this sample categorised as normal?” or “Why is it not categorised as attack?”. Figure 20 shows that the interdependent effects of src_bytes and dst_bytes have greater importance on the prediction. The importance of the feature interaction between src_bytes and dst_bytes is around 54.72% and that of flag is 51.25% in the context of predicting a land attack as neptune. The feature dst_host_srv_serror_rate has an importance of 93.23% in the context of predicting a land attack as normal.

The contextual utility shows that the grouped features demonstrating the feature interactions, such as Feature_int1 and Feature_int2, are giving nearly 100% utility in the context of predicting a land attack as neptune. In predicting
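As an added example (not code from the paper, nor the Py-CIU library), Algorithm 3 and Eqs. 2 and 3 in plain Python, computed both for a single-feature context and for a grouped two-feature context of the kind the paper calls Feature_int1. The black box, the instance and the feature bounds are constructed; features are assumed to be min-max scaled to [0, 1] as in the paper's preprocessing, and $ABS\max_x$/$ABS\min_x$ are taken as the prediction range when every feature varies over its bounds, which is one reading of "the value range over all predictions".

```python
# Added example, not from the paper: Algorithm 3 and Eqs. 2-3 (CI and CU) in
# plain Python, for a single-feature context and for a grouped two-feature
# context of the kind the paper calls Feature_int1. The black box f, the
# instance x and the feature bounds are constructed; features are assumed to be
# min-max scaled to [0, 1] as in the paper's preprocessing.
import itertools
from typing import List, Optional, Sequence, Tuple

Bounds = Sequence[Tuple[float, float]]


def black_box(v: Sequence[float]) -> float:
    """Constructed black box: attack score with an x0*x1 interaction; feature 2
    is ignored, which is the degenerate case CU must handle."""
    return 0.7 * v[0] + 0.2 * v[1] + 0.1 * v[0] * v[1] + 0.0 * v[2]


def grid(lo: float, hi: float, steps: int) -> List[float]:
    return [lo + (hi - lo) * i / (steps - 1) for i in range(steps)]


def prediction_range(f, x: Sequence[float], context: Sequence[int],
                     bounds: Bounds, steps: int = 11) -> Tuple[float, float]:
    """(min_x(C_i), max_x(C_i)): vary only the context features C_i over a grid
    of their bounds, holding every other feature at the instance value."""
    axes = [grid(*bounds[k], steps) for k in context]
    preds = []
    for combo in itertools.product(*axes):
        v = list(x)
        for k, val in zip(context, combo):
            v[k] = val
        preds.append(f(v))
    return min(preds), max(preds)


def ciu(f, x: Sequence[float], context: Sequence[int], bounds: Bounds,
        steps: int = 11) -> Tuple[float, Optional[float]]:
    """Eqs. 2 and 3. ABSmax_x / ABSmin_x are taken as the range of predictions
    when all features vary (the context is every feature). CU is undefined when
    the context cannot move the prediction, so None is returned instead of a
    division by zero."""
    y_i = f(x)
    c_min, c_max = prediction_range(f, x, context, bounds, steps)
    abs_min, abs_max = prediction_range(f, x, list(range(len(x))), bounds, steps)
    ci = (c_max - c_min) / (abs_max - abs_min) if abs_max > abs_min else 0.0
    cu = (y_i - c_min) / (c_max - c_min) if c_max > c_min else None
    return ci, cu


FEATURES = ["src_bytes", "dst_bytes", "unused"]      # constructed names
BOUNDS = [(0.0, 1.0)] * 3
INSTANCE = [0.5, 0.5, 0.5]

if __name__ == "__main__":
    for name, ctx in [("src_bytes", [0]),
                      ("Feature_int1 = {src_bytes, dst_bytes}", [0, 1]),
                      ("unused", [2])]:
        ci, cu = ciu(black_box, INSTANCE, ctx, BOUNDS)
        cu_text = "undefined" if cu is None else f"{100 * cu:.2f}%"
        print(f"{name}: CI = {100 * ci:.2f}%, CU = {cu_text}")
```

For the constructed model the single feature src_bytes has CI = 75% and CU = 50% at the instance, while the grouped context {src_bytes, dst_bytes} reaches CI = 100%, because letting both vary spans the model's whole output range; this is the sense in which the paper reports a higher importance for the interaction feature than for either feature alone. A feature the model ignores has CI = 0 and no defined utility, which a report should show as such rather than as 0%.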
8 Conclusion
References
1. Hu, X., Li, T., Wu, Z., Gao, X., Wang, Z.: Research and application
of intelligent intrusion detection system with accuracy analysis
methodology. Infrared Phys. Technol. 88, 245–253 (2018)
2. Holzinger, A.: From machine learning to explainable AI. In:
World symposium on digital intelligence for systems and machines
(DISA), pp. 55–66 (2018)
3. National Academies of Sciences, Engineering, and Medicine et al.:
Implications of artificial intelligence for cybersecurity. In: Proceed-
ings of a Workshop. National Academies Press (2019)
Fig. 23 Contextual utility of land attack predicted as normal
4. Othman, S.M., Ba-Alwi, F.M., Alsohybe, N.T., Al-Hashida, A.Y.:
Intrusion detection model using machine learning algorithm on big
data environment. J. Big Data 5(1), 1–12 (2018)
• Case 2: Compare the same instance using the SHAP and LIME interpretability methods on the RF model:
We observed that there is a 71% match in the features that affect the prediction positively and a 75% match in the features that affect the prediction negatively.
• Case 3: Compare the same instance using the LIME interpretability method on the RF and XGBoost models:
We observed that there is a 61% match in the features that affect the prediction positively and a 50% match in the features that affect the prediction negatively.
Our future work focuses on assessing the robustness of explanations on models from different families and on inspiring further exploration in the same area.