Intrusion detection is only the initial part of the security system for an industrial control system. Because of the criticality of the industrial control system, professionals still make the most important security decisions. Therefore, a simple intrusion alarm has a very limited role in the security system, and intrusion detection models based on deep learning struggle to provide more information because of the lack of explanation. This limits the application of deep learning methods to industrial control network intrusion detection. We analyzed the deep neural network (DNN) model and the interpretable classification model from the perspective of information, and clarified the correlation between the calculation process of the DNN model and the classification process. By comparing the normal samples with the abnormal samples, the abnormalities that occur during the calculation of the DNN model compared to the normal samples could be found. Based on this, a layer-wise relevance propagation method was designed to map the abnormalities in the calculation process to the abnormalities of attributes. At the same time, considering that the data set may already contain some useful information, we designed filtering rules for a kind of data set that can be obtained at a low cost, so that the calculation result is presented in a more accurate manner, which should help professionals lock and address intrusion threats more quickly.

中文翻译：

---

解释基于深度学习的工业控制网络入侵检测系统的属性。

入侵检测只是工业控制系统安全系统的初始部分。由于工业控制系统的重要性，专业人员仍然做出最重要的安全决策。因此，简单的入侵警报在安全系统中的作用非常有限，并且由于缺乏解释，基于深度学习的入侵检测模型难以提供更多信息。这限制了深度学习方法在工业控制网络入侵检测中的应用。我们从信息的角度分析了深层神经网络（DNN）模型和可解释的分类模型，并阐明了DNN模型的计算过程与分类过程之间的相关性。通过比较正常样品和异常样品，与正常样本相比，可以发现在DNN模型的计算过程中发生的异常。在此基础上，设计了一种层次相关传播方法，将计算过程中的异常映射到属性的异常。同时，考虑到数据集可能已经包含一些有用的信息，我们针对可以低成本获得的一种数据集设计了过滤规则，从而以更准确的方式呈现计算结果，从而应该可以帮助专业人员更快地锁定并应对入侵威胁。