📝 SummarXiv

Abstract

State-of-the-art deep learning (DL)-based network intrusion detection systems (NIDSs) offer limited "explainability". For example, how do they make their decisions? Do they suffer from hidden correlations? Prior works have applied eXplainable AI (XAI) techniques to ML-based security systems such as conventional ML classifiers trained on public network intrusion datasets, Android malware detection and malicious PDF file detection. However, those works have not evaluated XAI methods on state-of-the-art DL-based NIDSs and do not use latest XAI tools. In this work, we analyze state-of-the-art DL-based NIDS models using conventional as well as recently proposed XAI techniques through extensive experiments with different attack datasets. Furthermore, we introduce a criteria to evaluate the level of agreement between global- and local-level explanations generated for an NIDS. Using this criteria in addition to other security-focused criteria, we compare the explanations generated across XAI methods. The results show that: (1) the decisions of some DL-based NIDS models can be better explained than other models, (2) XAI explanations generated using different tools are in conflict for most of the NIDS models considered in this work and (3) there are significant differences between XAI methods in terms of some security-focused criteria. Based on our results, we make recommendations on how to achieve a balance between explainability and model detection performance.