Most of the recent advancements in Artificial Intelligence (AI), and more specifically Machine Learning (ML), have come from complex non-linear models such as Deep Neural Networks, Ensemble Methods, and Support Vector Machines. These models are also known as “black box” models as they are complex to interpret and explain, which arises from their inherent non-linear capabilities, multiple parameters, and very complex transformations. In addition, some algorithms require a very large number of samples (i.e., large training sets) to work efficiently, where it is very difficult to figure out what the model learned from the dataset and which portion of the data set has more influence on the output (Kabul 2018).

Due to these challenges, the black box models lacks explainability and interpretability, ultimately resulting in a lack of trust in the model and prediction, as well as possibly leading to a delayed human response/decision. This limitation also involves ethical issues in a few sensitive domains like finance (e.g., credit approval), health care (e.g., disease diagnosis), and security (e.g., identifying target). For instance, AI and ML are becoming an integral part of security solutions and defense. To mitigate the unethical use of AI as well as to promote the responsible use of AI systems, various governments have started taking different precautionary initiatives. Recently, the European Union implemented the rule of “right of explanation”, where a user can ask an explanation of algorithmic decision (Goodman and Flaxman 2017). In addition, more recently the US government introduced a new bill, the “Algorithmic Accountability Act”, which would require companies to assess their machine learning systems for bias and discrimination, with a need to take corrective measures (Wyden 2019) . The U.S. Department of Defense (DoD) has identified explainability as a key stumbling block in the adoption of AI-based solutions in many of their projects. Their DARPA division has invested $2 billion on an Explainable Artificial Intelligence (XAI) program (Turek 2019; Rankin 2019 ).

Network intrusions are a common cyber-crime activity, estimated to cost around $6 trillion annually in damages by 2021 (Doyle 2019) . In order to combat these attacks, an Intrusion Detection System (IDS) is a security system to monitor network and computer systems (Hodo et al. 2016). Research in AI-based IDS has shown promising results (Hodo et al. 2016), (Shone et al. 2018) , (Kim et al. 2016), (Javaid et al. 2016), (Li, Sun, and Wang 2012), and has become an integral part of security solutions due to its capability of learning complex, nonlinear functions and analyzing large data streams from numerous connected devices. A recent survey by (Dong and Wang 2016) suggests that deep learning-based methods are accurate and robust to a wide range of attacks and sample sizes. However, there are concerns regarding the sustainability of current approaches (e.g., intrusion detection/prevention systems) when faced with the demands of modern networks and the increasing level of human interaction (Shone et al. 2018) . In the age of IoT and Big Data, an increasing number of connected devices and associated streams of network traffic have exacerbated the problem. In addition, the delay in detection/response increases the chance of zero day exploitation, whereby a previously unknown vulnerability is just discovered by the attacker, and the attacker immediately initiates an attack. However, improved explainability of an AI model could quicken interpretation, making it more feasible to accelerate the response.

Explainability is the extent to which the internal working mechanism of the machine or AI system can be explained in human terms. And interpretability is the extent to which a cause and effect (i.e., understanding of what’s happening) can be observed within a system. In other words, interpretability is a form of abstract knowledge about what’s happening and explainability is about the detailed step-bystep knowledge of what is happening (Montavon, Samek, and Mu¨ller 2018) , (Turek 2019). However, while some literature treat interpretability and explainability as the same, they are actually two different traits of a model. Just because a model can be interpreted does not mean that it can be explained, and explainability needs to go beyond the algorithm (Lipton 2016).

Explainability and interpretability of a model could be achieved before, during, and after modeling. From the literature, we find that interpretability in pre-modeling (i.e., before modeling) is under-focused. (Miller 2018) argue that explainability should incorporate knowledge from a different domain such as philosophy, psychology, and cognitive science, so that the explanation is not just based on the researcher’s intuition of what constitutes a good explanation. However, we also find that the use of domain knowledge for explainability is under-focused. In this work, we introduce a novel approach for an AI-based explainable intrusion detection and response system, and demonstrate its effectiveness by infusing a popular network security principle (CIA principle) into the model for better explainability and interpretability of the decision.

We use a recent and comprehensive IDS dataset (CICIDS2017) which covers necessary criteria with common updated attacks such as DDoS, Brute Force, XSS, SQL Injection, Infiltration, Portscan, and Botnet. We infuse CIA principle in the model that provides a concise and interpretable set of important features. Computer security rest on CIA principles, C stands for confidentiality—concealment of information or resources, I stands for integrity—trustworthiness of data or resources, and A stands for availability—ability to use the information or resource desired (Matt and others 2006) . For instance, security compromise in confidentiality could happen through eavesdropping unencrypted data, compromise in integrity could happen through an unauthorized attempt to change data, and the compromise in availability could happen through the deliberate arrangement of denial to access data or service.

We also convert the domain knowledge infused features into three features C, I, and A by quantitatively computing compromises associated with each of those for each record. Output expressed as these generalized and newly constructed set of features provides better explainability with negligible compromises in performance. We also found that generalization provides more resiliency against unknown attacks.

In summary, our contributions in this work are as follows: (1) we demonstrate a method for the collection and use of domain knowledge in an intrusion detection/response system; (2) we introduce a way to bring popular security principles (e.g., CIA principles) to aid in interpretability and explainability; (3) our experimental results show that infusing domain knowledge into “black box” models can make them better explainable with little or no compromise in performance ; and (4) domain knowledge infusion increases generalizability, which leads to better resiliency against unknown attack.

We start with a background of related work (Section 2) followed by a description of our proposed approach, an intuitive description of standard supervised algorithms, and an overview of the dataset (Section 3) used in this work. In Section 4, we describe our experiments, followed by Section 5 which contains discussion on results from the experiments. We conclude with limitations and future work in Section 6.

Research in Explainable Artificial Intelligence (XAI) is a reemerging field, after the earlier work of (Chandrasekaran, Tanner, and Josephson 1989), (Swartout and Moore 1993), and (Swartout 1985). Previous work focused on primarily explaining the decision process of knowledge-based systems and expert systems. The classical learning paradigm Explanation-Based Learning (EBL), introduced in the early ’80s, can also be regarded as a precursor of explainability. EBL involves learning a problem-solving technique by observing and analyzing solutions to a specific problem (DeJong 1981) , (Mitchell, Keller, and Kedar-Cabelli 1986). The main reason for the renewed interest in XAI research has stemmed from recent advancements in AI and ML and their application to a wide range of areas, as well as concerns over unethical use and undesired biases in the models. In addition, recent concerns and laws by different governments are necessitating more research in XAI.

(Yang and Shafto 2017) , use Bayesian Teaching, where a smaller subset of examples is used to train the model instead of the whole dataset. The subset of examples is chosen by domain experts as the examples are most relevant to the problem of interest. However, for this purpose, choosing the right subset of examples in the real-world is challenging.

(Lei, Barzilay, and Jaakkola 2016) propose an approach for sentiment analysis where a subset of text from the whole text is selected as the rationale for the prediction. In addition, the selected subset of text is concise and sufficient enough to act as a substitute for the original text, and still capable of making the correct prediction. Although their approach outperforms available attention-based models (from deep learning) with variable-length input (e.g., a model for document summarization) , it is limited to only text analysis.

When the explanation is based on feature importance, it is necessary to keep in mind that features that are globally important may not be important in the local context, and vice versa (Ribeiro, Singh, and Guestrin 2016) . (Ribeiro, Singh, and Guestrin 2016) propose a novel explanation technique capable of explaining the prediction of any classifier (i.e., in the model agnostic way) with a locally interpretable model (i.e., in the vicinity of the instance being predicted) around the prediction. Their concern is on two issues: (1) whether the user should trust the prediction of the model and act on that, and (2) whether the user should trust a model to behave reasonably-well when deployed. In addition, they involve human judgment in their experiment (i.e., human in the loop) to decide whether to trust the model or not.

(Kim et al. 2017) propose a concept attribution-based approach (i.e., sensitivity to concept) that provides an interpretation of the neural network’s internal state in terms of human-friendly concepts. Their approach, Testing with CAV (TCAV), quantifies the prediction’s sensitivity to the high dimensional concept. For example, a user-defined set of examples that defines the concept “striped”, TCAV can quantify the influence of “striped” in the prediction of “zebra” as a single number. To learn the high dimensional concepts they use a Concept Activation Vector (CAV) —CAVs are learned from training a linear classifier that can distinguish between the activations produced by a particular concept’s examples and examples in any layer.

Most of these approaches try to find out how the prediction deviates from the base/average scenario. Lime (Ribeiro, Singh, and Guestrin 2016) tries to generate an explanation by locally (i.e., using local behavior) approximating the model with an interpretable model (e.g., decision trees, linear model). However, it is limited by the use of the only linear model to approximate the local behavior. (Lundberg and Lee 2017) propose “SHAP” which unifies seven previous approaches: LIME (Ribeiro, Singh, and Guestrin 2016) , DeepLIFT (Shrikumar, Greenside, and Kundaje 2017) , Tree Interpreter (Ando 2019) , QII (Datta, Sen, and Zick 2016) , Shapley sampling values (Sˇ trumbelj and Kononenko 2014), Shapley regression values (Lipovetsky and Conklin 2001), and Layer-wise relevance propagation (Bach et al. 2015) to make the explanation of prediction for any machine learning model. While SHAP comes with theoretical guarantees about consistency and local accuracy from game theory, it needs to run many evaluations of the original model to estimate a single vector of feature importance (Lundberg 2019). ELI5 also uses the LIME algorithm internally for explanations. In addition, ELI5 is not truly model agnostic, mostly limited to tree-based and other parametric or linear models. Furthermore, Tree Interpreter is limited to only tree-based approaches (e.g., Random Forest, Decision Trees).

AI-based IDSs have continued to show promising performance (Hodo et al. 2016), (Shone et al. 2018) ,(Kim et al. 2016),(Javaid et al. 2016),(Li, Sun, and Wang 2012). (Shone et al. 2018) propose an approach in combination of both shallow (Random Forest) and deep learning (Auto Encoder), capable of analyzing a wide range of network traffic, outperforming mainstream Deep Belief Networks (DBN). In a literature survey on traditional IDS vs deep learning IDS by (Dong and Wang 2016) , they suggest deep learning-based methods provide better accuracy for a wide range of samples sizes and a variety of network traffic or attacks (Dong and Wang 2016) . However, in all of the previous work, there are still long training times and a reliance on a human operator (Shone et al. 2018) .

However, incorporating domain knowledge for explainability has garnered little attention. Previously, we introduced the concept of infusing domain knowledge (Islam et al. 2019), albeit for bankruptcy prediction with a limited focus. (Miller 2018) have argued that incorporating knowledge from different domains will provide better explainability. In addition, (Kim et al. 2017) use the prediction’s sensitivity to high dimensional concepts (e.g., the concept “striped” to “Zebra”) for explaining the prediction. Furthermore, both LIME (Ribeiro, Singh, and Guestrin 2016) and SHAP (Lundberg and Lee 2017) use a simplified input mapping—mapping the original input to a simplified set of input. To the best of our knowledge, none of the models incorporate domain knowledge with a focus towards better explainability and interpretability. Although our proposed conceptual model comes with a negligible compromise in accuracy, it comes with better explainability and interpretibility, and scalability to big data problems.

3

The proposed approach consists of two components: a feature generalizer, which gives a generalized feature set with the help of domain knowledge in two different ways; and an evaluator that produces and compares the results from the “black box” model for multiple configurations of features: domain knowledge infused features, newly constructed features from domain knowledge infused features, selected features, and all features. The feature generalizer (Figure 1, top portion), takes original features of the dataset (X1, X2, .... Xn 2 X where X is the set of all features) and infuse domain knowledge to produce/re-construct a concise and better interpretable feature set (X1’, X2’, ..... Xk’ 2 X’ where X’ is the universal set of original/transformed/constructed features, but here k is much smaller than n) in two different ways: Feature Mapping As stated earlier, we use CIA principles as domain knowledge, which stands for confidentiality, integrity, and availability. We analyze all types of attacks for associated compromises in each component of CIA principles (see Table 1). The Heartbleed vulnerability is related to a compromise in confidentiality as an attacker could gain access to the memory of the systems protected by the vulnerable version of the OpenSSL. A Web attack (e.g., Sql injection) is related to a compromise in confidentiality and integrity (e.g., read/write data using injected query), and availability (e.g., flooding the database server with injected complex queries like a cross join). Infiltration attack is related to a compromise in confidentiality as it normally exploits software vulnerability (e.g., Adobe Acrobat Reader) to create a backdoor and reveal information (e.g., IP’s). Port scan attack is related to a compromise in confidentiality as the attacker sends packets with varying destination ports to learn the services and operating systems from the reply. All DoS and DDoS attacks are related to a compromise in availability as it aims to hamper the availability of service or data. Furthermore, SSH patator and FTP patator are brute force attacks and are usually responsible for a compromise in confidentiality. Botnet (i.e., robot network—a network of malwareinfected computers) could provide a remote shell, file upload/download option, screenshot capture option, and key logging options which has potential for all of the confidentiality, integrity, and availability related compromises.

Furthermore, from the feature ranking of the original dataset provider (Sharafaldin, Lashkari, and Ghorbani 2018) , for each type of attack, we take the top three features according to their importance (i.e., feature importance from Random Forest Regressor) and calculate the mapping (Table 2) with related compromises under CIA principles. For example, the feature Average Packet Size is renamed as Avg Packet Size - A where -A indicates that it is a key feature for the compromise of availability (see Table 2). To get this mapping between feature and associated compromises, we first find the mapping between an attack and related compromises (from Table 1, formulated as Equation 2). In other words, Formula 1 gives the name of the associated attack where the feature is in the top three feature to identify that particular attack and Formula 2 gives associated compromises in C, I, or A from the attack name. Thus, with the help of domain knowledge, we keep 22 features (see Table 2) out of a total of 78 features. We will refer to these features as the domain features. The feature descriptions in Table 2 are taken from the data processing software’s website (net 2019).

f (f eature) ! attack f (attack) ! C; I; orA (1) (2) Feature Construction We also construct three new features, C, I, and A, from the domain features by quantitatively calculating compromises associated with each of the domain features. For that purpose, we calculate the correlation coefficient vector of the dataset to understand whether the increase in the value of a feature has a positive or negative impact on the target variable. We then convert the correlation coefficient (a.k.a coeff ) vector V in to a 1 or -1 based on whether the correlation coefficient is positive or negative accordingly. We also group the domain features and corresponding coeff tuple into three groups. Using formula 3, 4, and 5, we aggregate each group (from C, I, and A) of domain features into the three new features C, I, and A. We also scale all feature values from 0 to 1 before starting the aggregation process. During the aggregation for a particular group (e.g., C), if the correlation coefficient vector (e.g., Vi) for a feature (e.g., Ci) of that group has a negative value, then the product of the feature value and the correlation coefficient for that feature is deducted, and vice-versa if positive. In addition, when a feature is liable for more than one compromise, the feature value is split between the associated elements of CIA principles.

n C = X I =

CiV i i=0 n X IiV i i=0 n A = X i=0

AiV i (3) (4) (5) 3.3

4.1

The following sections discuss results from the two categories of experiments previously described. 5.1

AI-based approaches have become an integral part of security solutions due to the potential for handling “Big Data” and handling diverse network traffic data. Cybercrimerelated damages continue to rise, and network intrusions are a key tactic. Although AI-based IDS provides accelerated speeds in intrusion detection, response is still at a human speed where there is human in the loop. The lack of explainability of an AI-based model is a key reason for this bottleneck. To mitigate this problem, we infuse the CIA principle (i.e., domain knowledge) in the AI-based black box model for better explainability and generalizability of the model. Our experimental results show realizable successes in better explainability with a comprehensive, up to date, and realworld network intrusion dataset. In addition, the infused domain knowledge helps in detecting an unknown attack as it generalizes the problem, which ultimately opens the door to accommodate big data.

Going forward, finding an optimal solution to segregate the contribution of each participating feature (sample wise) considering interactions (i.e., correlations among features complicate explanations) among features will aid in better explainability of an individual prediction (i.e., per sample). Besides, to ensure trust, estimating the level of uncertainty in the model will be another extension of this work. There are some open challenges surrounding explainability and interpretability such as an agreement of what an explanation is and to whom, a formalism for the explanation, and quantifying the human comprehensibility of the explanation.

Thanks to Tennessee Tech’s Cyber-security Education, Research and Outreach Center (CEROC) for supporting this research. forests. 2019. Ensemble methods. ble/modules/ensemble.html. https://scikit-learn.org /staFriedman, J. H. 2001. Greedy function approximation: a gradient boosting machine. Annals of statistics 1189–1232. Geurts, P.; Ernst, D.; and Wehenkel, L. 2006. Extremely randomized trees. Machine learning 63(1):3–42. Goodman, B., and Flaxman, S. 2017. European union regulations on algorithmic decision-making and a “right to explanation”. AI Magazine 38(3):50–57.

Hodo, E.; Bellekens, X.; Hamilton, A.; Dubouilh, P.-L.; Iorkyase, E.; Tachtatzis, C.; and Atkinson, R. 2016. Threat analysis of iot networks using artificial neural network intrusion detection system. In 2016 International Symposium on Networks, Computers and Communications (ISNCC), 1–6. IEEE.

Hooman, A.; Marthandan, G.; Yusoff, W. F. W.; Omid, M.; and Karamizadeh, S. 2016. Statistical and data mining methods in credit scoring. The Journal of Developing Areas 50(5):371–381.

Islam, S. R.; Eberle, W.; Bundy, S.; and Ghafoor, S. K. 2019. Infusing domain knowledge in ai-based” black box” models for better explainability with application in bankruptcy prediction. arXiv preprint arXiv:1905.11474.

Islam, S. R.; Eberle, W.; and Ghafoor, S. K. 2018. Credit default mining using combined machine learning and heuristic approach. arXiv preprint arXiv:1807.01176.

Islam, S. R.; Ghafoor, S. K.; and Eberle, W. 2018. Mining illegal insider trading of stocks: A proactive approach. In 2018 IEEE International Conference on Big Data (Big Data), 1397–1406. IEEE.

Islam, S. R. 2018. An efficient technique for mining bad credit accounts from both olap and oltp. Ph.D. Dissertation, Tennessee Technological University.

Javaid, A.; Niyaz, Q.; Sun, W.; and Alam, M. 2016. A deep learning approach for network intrusion detection system. In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), 21–26. ICST (Institute for Computer Sciences, Social-Informatics and . . . .

Kabul, I. K. 2018. Explainable ai. https://www.kdnuggets. com/2018/11/interpretability-trust-ai-machinelearning.html.

Kim, J.; Kim, J.; Thu, H. L. T.; and Kim, H. 2016. Long short term memory recurrent neural network classifier for intrusion detection. In 2016 International Conference on Platform Technology and Service (PlatCon), 1–5. IEEE. Kim, B.; Wattenberg, M.; Gilmer, J.; Cai, C.; Wexler, J.; Viegas, F.; and Sayres, R. 2017. Interpretability beyond feature attribution: Quantitative testing with concept activation vectors (tcav). arXiv preprint arXiv:1711.11279.

Lashkari, A. H.; Draper-Gil, G.; Mamun, M. S. I.; and Ghorbani, A. A. 2017. Characterization of tor traffic using time based features. In ICISSP, 253–262.

Lei, T.; Barzilay, R.; and Jaakkola, T. 2016. Rationalizing neural predictions. arXiv preprint arXiv:1606.04155. Li, Z.; Sun, W.; and Wang, L. 2012. A neural network based distributed intrusion detection system on cloud platform. In 2012 IEEE 2nd international conference on Cloud Computing and Intelligence Systems, volume 1, 75–79. IEEE. Lipovetsky, S., and Conklin, M. 2001. Analysis of regression in game theory approach. Applied Stochastic Models in Business and Industry 17(4):319–330.

Lipton, Z. C. 2016. The mythos of model interpretability. arXiv preprint arXiv:1606.03490.

Lundberg, S. M., and Lee, S.-I. 2017. A unified approach to interpreting model predictions. In Advances in Neural Information Processing Systems, 4765–4774.

Lundberg, S. 2019. Shap vs lime. https://github.com /slundberg/shap/issues/19.

Manning, C.; Raghavan, P.; and , H. 2010. Introduction to information retrieval. Natural Language Engineering 16(1):100–103. Sˇ trumbelj, E., and Kononenko, I. 2014. Explaining prediction models and individual predictions with feature contributions. Knowledge and information systems 41(3):647–665. Swartout, W. R., and Moore, J. D. 1993. Explanation in second generation expert systems. In Second generation expert systems. Springer. 543–585.

Swartout, W. R. 1985. Rule-based expert systems: The mycin experiments of the stanford heuristic programming project: Bg buchanan and eh shortliffe,(addison-wesley, reading, ma, 1984); 702 pages. 2019. Tensorflow. https://www.tensorflow.org/.

Turek, M. 2019. Explainable ai. https://www.darpa.mil/ program/explainable-artificial-intelligence.