One of the most common causes of loss of availability in online systems is the widespread cyber attack known as Distributed Denial of Service (DDoS), in which a network of infected devices (a botnet) is exploited, on an attacker's command, to flood the computational capacity of a service. Such attacks are carried out by leveraging the Domain Name System (DNS) through Domain Generation Algorithms (DGAs), a stealthy connection strategy that nevertheless leaves suspicious data patterns. To detect these threats, progress has been made in analysing those patterns, and most approaches adopt Machine Learning (ML), which is highly effective at analysing and classifying massive amounts of data. Although they perform strongly, ML models carry a certain degree of opacity in their decision-making process. To cope with this problem, a branch of ML known as Explainable ML tries to break down the black-box nature of classifiers and make their decisions interpretable and human-readable. This work addresses Explainable ML in the context of botnet and DGA detection and, to the best of our knowledge, is the first to concretely break down the decisions of ML classifiers devised for botnet/DGA detection, providing both global and local explanations.
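As an added illustration of the "suspicious data patterns" a DGA leaves in DNS names and of what global and local explanations look like for such a classifier, the following Python example (not code from the paper) extracts interpretable lexical features from a domain's second-level label, trains a small logistic-regression model on a constructed, labelled set of benign and DGA-like names, and then reports a global explanation (ranked feature weights) and a local explanation (per-feature contribution to one decision). All domain samples, feature names and the `ExplainableLogReg` class are assumptions made for this example; the DGA-like strings are constructed and are not real botnet indicators.

```python
"""Lexical DGA-domain classifier with global and local explanations.
Added example, not the paper's code; the dataset below is constructed."""
import math
from collections import Counter

VOWELS = set("aeiou")
FEATURE_NAMES = ["length", "entropy", "vowel_ratio", "digit_ratio", "max_consonant_run"]


def second_level(domain):
    """Naively take the label left of the last dot (no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(domain):
    """Human-readable lexical features of the second-level label."""
    label = second_level(domain)
    n = len(label)
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    vowels = sum(ch in VOWELS for ch in label) / n
    digits = sum(ch.isdigit() for ch in label) / n
    run = best = 0
    for ch in label:  # longest run of consonants, a typical DGA trait
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        best = max(best, run)
    return [float(n), entropy, vowels, digits, float(best)]


def sigmoid(x):
    x = max(min(x, 500.0), -500.0)  # guard against exp overflow
    return 1.0 / (1.0 + math.exp(-x))


class ExplainableLogReg:
    """Logistic regression on z-scored features; the weights are the explanation."""

    def __init__(self, names):
        self.names, self.w, self.b = names, [0.0] * len(names), 0.0
        self.mean = self.std = None

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def fit(self, X, y, lr=0.1, epochs=3000):
        cols = list(zip(*X))
        self.mean = [sum(c) / len(X) for c in cols]
        self.std = [max(math.sqrt(sum((v - m) ** 2 for v in c) / len(X)), 1e-9)
                    for c, m in zip(cols, self.mean)]
        Z = [self._scale(x) for x in X]
        d = len(self.names)
        for _ in range(epochs):  # batch gradient descent on log-loss
            gw, gb = [0.0] * d, 0.0
            for z, t in zip(Z, y):
                err = sigmoid(self.b + sum(wi * zi for wi, zi in zip(self.w, z))) - t
                for i in range(d):
                    gw[i] += err * z[i]
                gb += err
            for i in range(d):
                self.w[i] -= lr * gw[i] / len(X)
            self.b -= lr * gb / len(X)

    def predict_proba(self, domain):
        z = self._scale(features(domain))
        return sigmoid(self.b + sum(wi * zi for wi, zi in zip(self.w, z)))

    def explain_global(self):
        """Features ranked by absolute weight: what the model relies on overall."""
        return sorted(zip(self.names, self.w), key=lambda kv: -abs(kv[1]))

    def explain_local(self, domain):
        """Per-feature contribution (w_i * z_i) to this one decision's logit."""
        z = self._scale(features(domain))
        contrib = {n: wi * zi for n, wi, zi in zip(self.names, self.w, z)}
        contrib["bias"] = self.b
        return contrib


# Constructed training set: label 0 = benign-looking, 1 = DGA-like (made up).
BENIGN = ["google.com", "facebook.com", "wikipedia.org", "amazon.com", "youtube.com",
          "twitter.com", "github.com", "microsoft.com", "netflix.com", "reddit.com",
          "linkedin.com", "stackoverflow.com"]
DGA_LIKE = ["xq7zvkwpt2m.net", "q9mtbvxzlwq.com", "zk4pwrtxvb.org", "vb8xqzmtkp.info",
            "tx3wqzkpvrm.net", "pzx9kvtwqb.com", "wqk6zxpvtm.biz", "mzt7qxvkwp.org",
            "kxw2zpqvtb.net", "bvz5xtqwkm.com", "qtp4zxwvkb.info", "xmv3qzptwk.net"]


def build_model():
    model = ExplainableLogReg(FEATURE_NAMES)
    X = [features(d) for d in BENIGN + DGA_LIKE]
    y = [0.0] * len(BENIGN) + [1.0] * len(DGA_LIKE)
    model.fit(X, y)
    return model


if __name__ == "__main__":
    m = build_model()
    print("global:", m.explain_global())
    for d in ["google.com", "xq7zvkwpt2m.net"]:
        print(d, round(m.predict_proba(d), 3), m.explain_local(d))
```

The global view tells an analyst which lexical traits the model leans on across all domains, while the local view shows, for a single flagged name, which feature pushed the logit over the threshold; that per-decision breakdown is what lets a SOC reviewer check a DGA alert instead of trusting an opaque score.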