DeNNeS: deep embedded neural network expert system for detecting cyber attacks
Neural Computing and Applications (IF 4.5), Pub Date: 2020-03-28, DOI: 10.1007/s00521-020-04830-w
Samaneh Mahdavifar, Ali A. Ghorbani

Abstract

With advances in computing power and increasing volumes of data, the emergence of deep learning has helped revitalize artificial intelligence research. There is a growing trend of applying deep learning techniques to image processing, speech recognition, self-driving cars, and even health care. Recently, several deep learning models have been employed to detect cyber threats such as network attacks, malware infiltration, or phishing websites; nevertheless, they suffer from not being explainable to security experts. Security experts need not only to detect the incoming threat but also to know the contributing features that cause that particular security incident. To address this issue, in this paper, we propose a deep embedded neural network expert system (DeNNeS) that extracts refined rules from a trained deep neural network (DNN) architecture to substitute for the knowledge base of an expert system. The knowledge base is later used to classify an unseen security incident and inform the end user of the corresponding rule that made that inference. We consider different rule extraction scenarios, and to prove the robustness of DeNNeS, we evaluate it on two cybersecurity datasets: the UCI phishing websites dataset and an Android malware dataset comprising more than 4000 Android APKs from several sources. The comparison of DeNNeS with standalone DNN, JRip, and common machine learning algorithms shows that DeNNeS with the retraining-uncovered-samples scenario outperforms the other algorithms on both datasets. Furthermore, the extracted rules approximately reproduce the accuracy of the neural network from which they are derived. DeNNeS achieves an outstanding accuracy of \(97.5\%\) and a negligible false positive rate of \(1.8\%\), about \(2.4\%\) higher and \(3.5\%\) lower, respectively, than the rule learner JRip on the phishing dataset. Moreover, DeNNeS outperforms random forest (RF), which produces the highest results among decision tree (DT), support vector machine, k-nearest neighbor, and Gaussian naive Bayes. Despite smaller training data in the malware dataset, DeNNeS achieves an accuracy of \(95.8\%\) and an \(F_{1}\) score of \(91.1\%\), much higher than JRip and RF.




Updated: 2020-03-28