multiple samples produced in the same situation. Hence, an accurate ensemble system may be produced through During the last decade, the cybersecurity literature has the fusion of base models that perform decisions which conferred a high-level role in deep learning as a pow- give more importance to diferent sub-areas of the inerful learning paradigm to detect ever-evolving cyber- put feature space. For this purpose, we use the XAI threats in modern security systems. In particular, recent DALEX framework [ 5 ] to explain the global feature imcybersecurity studies have shown that deep learning per- portance in neural models. Specifically, we adopt a comformance can be further strengthened with ensemble bination of XAI and clustering to select ensemble base learning systems [ 1 ] that are able to obtain better gen- models that achieve high explanation diversity. Finally, eralization by reducing the dispersion of predictions of we use a multi-headed neural network architecture that single models and gaining model accuracy. However, se- fine-tunes simultaneously base neural models selected lecting the ensemble member models based on the local through DALEX-based clustering, by taking advantage of model accuracy may lead to the issue of excessive en- a back-propagation strategy to share knowledge among semble because the performance of the ensemble system multiple base models incorporated as sub-network blocks may not be significantly improved by some of the se- in the ensemble system. lected models. Therefore, several scholars encourage the Motivations for adopting this neural ensemble method diversity among individual models of deep ensembles, in in cybersecurity problems can be mainly founded in the addition to the accuracy of individual models, to learn peculiarities of the network intrusion detection problems, diverse aspects of training data [ 2 ]. where samples of diferent attack families commonly

In [ 3, 4 ], we have recently proposed a new XAI-based have signatures involving diferent features. For exammethod, named PANACEA, that is mainly founded on the ple, as illustrated by [ 6 ], “the time between the SYN ACK idea that diferent sub-areas of the input feature space and the ACK response” is relevant for detecting shellcan be equally relevant to achieve a correct decision for code intrusions, while it becomes less important when detecting other types of attacks. Shellcode, in fact, is an Ital-IA 2024: 4th National Conference on Artificial Intelligence, orga- exploiting attack in which the attacker penetrates a piece *nCizoedrrebsypCoInNdIi,nMg aayut2h9o-3r.0, 2024, Naples, Italy of code from a shell to control a target machine using the † These authors contributed equally. standard TCP/IP socket connections. $ malik.alessa@uniba.it (M. Al-Essa); Based upon these considerations, our point of view giuseppina.andresini@uniba.it (G. Andresini); is that being able to fuse deep neural models that give annalisa.appice@uniba.it (A. Appice); donato.malerba@uniba.it relevance to diefrent network trafic feature signatures (D. Malerba) (and, consequently, input feature sub-spaces) may help (G.0A00n0d-r0e0s0in2i-)0;809020-09-7050X01(-M9 8.4A0l--8E4s4sXa)(;A00.0A0p-0p0ic0e2)-;5272-644X in improving the accuracy of a multi-class deep neural 0000-0001-8432-4608 (D. Malerba) ensemble trained to recognize diferent cyber-attack pat© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License terns such as various categories of network trafic intruAttribution 4.0 International (CC BY 4.0). sions. Our argument is mainly supported by experiments performed with three benchmark network intrusion detection datasets, namely NSL-KDD, UNSW- NB15 and CICIDS17, that comprise multiple real categories of network trafic intrusions (comprising rare attacks). In addition, to explore the adaptability of the proposed method to other cyber-threat detection problems, we also evaluated the efectiveness proposed method in a benchmark malware detection problem, namely CICMalDroid20, since we expect that, similarly to network trafic intrusions, diferent malware categories may have diverse feature signatures.

This paper summarises some of the main results published in [ 3, 4 ]. The PANACEA method is presented in Section 2. Section 3 illustrates the main results achieved in the evaluation of the proposed method. Finally, Section 4 draws conclusions and sketches future research directions.

Let us consider a dataset = {(x, )}=1 of training samples, where x ∈ R is a -dimensional vector of input features that describe cyber-data samples, and ∈ {1, . . . , } is the label variable with classes (benign class and several categories of cyber-threats), according to labels of samples historically collected.

The PANACEA method, illustrated in Figure 1, is based on the following steps:

Notice that the performance of PANACEA may depend on the input parameters:(1) that represents the amount of data perturbation considered to generate adversarial samples; (2) that defines the number of adversarial samples randomly selected for learning each neural model candidate with the adversarial training strategy; (3) • The training of an initial neural model that is the number of distinct neural model candidates : R ↦→ with parameter learned from . learned with the adversarial training strategy. In general, • The generation of an adversarial set produced by with data perturbation threshold by using . The adversarial samples are produced using the FGSM algorithm. • The training of neural model candidates learned from , augmented with subsets of adversarial samples randomly selected from . • The use of a post-hoc global XAI technique, namely DALEX, to explain the decisions of neural model candidates and generate a feature-vector explanation of each neural model candidate. • A clustering stage (-medoids method) to group neural model candidates with similar feature explanation vectors in the same clusters, and neural model candidates with dissimilar feature explanation vectors in separate clusters. Since each cluster medoid is a neural model candidate that acts as the cluster’s prototype, medoids (chosen using the Elbow method) are selected as the base neural models for the ensemble fusion. • A multi-headed neural network that fuses together base neural models selected through clustering. the perturbation is selected as a small value in the range BASELINE also in this configuration. In addition, there is between 0 and 0.1 [ 7 ], to scale the noise and ensure that at least one tested configuration of PANACEA that outperperturbations are small enough to remain undetected to forms BASELINE in NSL-KDD. Finally, also in NSL-KDD the human eye, but large enough to fool the attacked the gain in accuracy is observed along WeightedF1 and neural model. In PANACEA the value of is automati- OA, but not along MacroF1. This is due to the presence cally selected based on the characteristics of adversarial of minority classes in both NSL-KDD and UNSW-NB15. samples. This is based on the idea that the value at which In fact, in both datasets, the ensemble strategy allows us a lower stops perturbing training samples, by dimin- to gain accuracy by better classifying samples of majorishing the number of misclassified adversarial training ity classes, while we may lose accuracy by classifying samples, may correspond to an adequate value of for samples of minority classes. This intuition is confirmed gaining accuracy with the adversarial training strategy. by the analysis of detailed F1 per class, reported [ 4 ]. NoBased on this idea, for each in the range [0, 0.1], the tably [ 4 ] also reports an extensive analysis of the accuracy adversarial set , produced from the original training performance of PANACEA compared to several, recent set with initial neural model as target model, is con- state-of-the-art competitors, as well as the analysis of the sidered. The Overall Accuracy (OA) of is computed accuracy performance achieved by PANACEA by using on each and the Elbow method is used to pick the PGD, DeepFool and LowProFool in place of FGSM. knee of the OA( ) curve as the value of . Notably, this To examine in-depth diversity, Figure 2 depicts the topprocedure for the automatic selection of is independent 15 relevant features on the global decisions of the base of both and that remain user-defined parameters neural models selected in NSL-KDD. Feature ranking maps show how diverse input features play prominent roles in explaining the decisions of the base neural mod3. Evaluation study els selected for the ensemble fusion in PANACEA. For example, the input feature “serror_rate", that is ranked Four benchmark multi-class datasets, i.e., NSL-KDD, in third place for the neural model medoids of clusters UNSW-NB15, CICIDS17 (network security datasets) and 2, 3 and 7 of NSL-KDD, is not even in the top-15 for CICMalDroid20 (malware security dataset) were consid- the medoid of cluster 6. Notably, humans may inspect ered to evaluate the performance of PANACEA. Exper- this explanation result to confirm the selection of neural iments were conducted by dividing each dataset into model candidates automatically selected by PANACEA or training set and testing set. The detailed description of perform a manual update of the automatic selection (with the experimental set-up is reported in [ 4 ]. model deletions or additions) according to background

The most of experiments were conducted with = 5% knowledge. and 10% of the training set size, considering the values We complete this article by illustrating an example of elbow automatically selected with the Elbow method that shows how the ensemble model of PANACEA gains and fixing = 100 for all datasets. However, further accuracy in a cyber-threat detection task compared to experiments exploring the sensitivity of the performance the single model of BASELINE. For this purpose, we conof PANACEA to the number of models are illustrated sider an R2L sample of the test set of NSL-KDD that in [ 4 ]. was wrongly classified by BASELINE in the class Nor

Table 1 reports the number of neural models () that mal, while it was correctly recognised in the class R2L the clustering step of PANACEA selected for the ensem- by PANACEA. We analyse this sample by using SHAP ble fusion, as well as WeightedF1, MacroF1 and OA of that is a local algorithm to measure the efect of an input PANACEA in the considered experimental setting. All the feature on the assignment of a sample to a class with a accuracy metrics were measured on the testing set of each neural model. Figure 3 shows the five most important dataset. As BASELINE, we considered the deep neural net- input features identified by SHAP to see the sample in the work that was trained in the first step of PANACEA as the class R2L with the models learned by both BASELINE and initial neural model for the adversarial sample production. PANACEA. Let us consider that only PANACEA predicted We recall that the number of clusters was automatically this sample in the class R2L. identified during the clustering step of PANACEA. The Both BASELINE and PANACEA share the same results show that PANACEA outperforms BASELINE, independently of the number of adversarial samples pro- top-3 features, i.e., service_http, service_ftp_data and dst_host_srv_count. Notably, these three features are cessed in UNSW-NB15, CICIDS17 and CICMalDroid20. recognised as important to detect R2L attacks also in In these three datasets, the gain in accuracy is commonly [ 8 ]. The input feature in the fourth place of the feature observed equally along WeightedF1, MacroF1 and OA. ranking of PANACEA is protocol_type_tcp that does not The only exception is the MacroF1 of PANACEA with appear in the feature ranking of BASELINE. The authors = 5% in UNSW-NB15. However, both WeightedF1 of [ 9 ] report that the simultaneous use of the TCP protoand OA of PANACEA outperform WeightedF1 and OA of col and the FTP service is to be considered a symptom of described a deep learning method for multi-class classification of cyber-data. 1 The proposed method trains an ensemble of base neural models, whose weights are initialised with an adversarial training strategy. We use an XAI-based approach to increase the diversity of the neural models selected to be fused together through the ensemble system.

Notably, this article delves into one of the current research directions carried out by Laboratory KDDE (https://kdde.di.uniba.it/) at the University of Bari "Aldo Moro", which aims at exploring a Symbiotic AI approach to Cybersecurity. The team has recently published several papers in this field (e.g., [ 10, 11, 6, 12, 13 ]). In particular, the newest studies [ 3, 4 ] stay under the umbrella of Symbiotic AI, as they explore how Explainability of AI systems can be leveraged as a valuable means to allow deep neural models to gain accuracy under critical conditions commonly occurring in cybersecurity problems, e.g., class imbalance, attack signature diversity. They provide a mechanism that can explain to humans how the candidate models are selected for ensemble systems.

Figure 2: Top-15 feature ranking map of the base neural On the other side, these studies stay under the umbrella NmSoLd-eKlsDsDelected through the clustering step of PANACEA in of Cybersecurity, as XAI is used to improve the performance of a cyber-threat detection ensemble model on multiple attack categories by allowing us to identify and use the multiple input sub-space that can help in detecta possible Warez Master attack in network trafic. Warez ing attacks with diverse signature. In addition, the use Master is a subcategory of R2L attacks, where attackers of XAI tools allows us to perform a step forward to gain exploit a system bug associated with FTP to send packets the trust of stakeholders in AI decisions. In fact, it allows of illegal software to a target host [ 9 ]. We note that FTP us to disclose cyber-data patterns that are hidden in how is a service based on the TCP protocol. Therefore, this the AI models achieve a decision and explain why a black example shows how the ensemble model of PANACEA box model can actually achieve higher performance than manages to bring out the existence of feature patterns another one in cyber-threat detection. useful for the recognition of attack classes that are often By continuing along this research direction, the team ignored by the single model of BASELINE. These conclu- is working on the use of XAI to examine and explain sions are also supported by the study of [ 8 ], that identifies the evasion ability of state-of-the-art attack methods forboth service_ftp_data and protocol_type_tcp features as mulated for Windows PE malware detection problems. the most important features to detect R2L attacks. In ad- In addition, the team is investigating emerging learning dition, BASELINE, diferently from PANACEA, identifies frameworks (such as distillation) to leverage explanations serror_rate as one of the most relevant features for recog- disclosed through attention layers to improve the pernizing the sample as an R2L attack. However, neither [ 8 ] formance of deep neural models trained for cyber-threat nor [ 9 ] identify this feature as one of the most prominent detection. features for this type of attack.

In short, the emergence of protocol_type_tcp can be considered as an important input feature instead of ser- 5. Acknowledgments ror_rate motivates the ability of PANACEA in correctly recognising the considered R2L sample and, in general, the ability of outperforming BASELINE in the recognition of R2L attacks (that passes from F1(R2L)=0.55 for BASELINE to F1(R2L)=0.64 for PANACEA.