Unsupervised Deep Learning (DL) techniques have been widely used in various security-related anomaly detection applications, owing to the great promise of being able to detect unforeseen threats and the superior performance provided by Deep Neural Networks (DNN). However, the lack of interpretability creates key barriers to the adoption of DL models in practice. Unfortunately, existing interpretation approaches are proposed for supervised learning models and/or non-security domains, so they cannot be adapted to unsupervised DL models and fail to satisfy the special requirements of security domains. In this paper, we propose DeepAID, a general framework aiming to (1) interpret DL-based anomaly detection systems in security domains, and (2) improve the practicality of these systems based on the interpretations. We first propose a novel interpretation method for unsupervised DNNs by formulating and solving well-designed optimization problems with special constraints for security domains. Then, we provide several applications based on our Interpreter as well as a model-based extension, Distiller, to improve security systems by solving domain-specific problems. We apply DeepAID to three types of security-related anomaly detection systems and extensively evaluate our Interpreter against representative prior works. Experimental results show that DeepAID can provide high-quality interpretations for unsupervised DL models while meeting the special requirements of security domains. We also provide several use cases to show that DeepAID can help security operators understand model decisions, diagnose system mistakes, give feedback to models, and reduce false positives.
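The following is an added illustration, not code from the DeepAID paper or its authors, of the kind of constrained optimization the abstract describes: given an anomaly flagged by an unsupervised detector, search for a nearby "reference" point that the detector scores as normal while changing as few features as possible, and report the changed features as the interpretation an operator can act on. The detector here is a simple z-score scorer standing in for a DNN, the training records are constructed, and the greedy "snap one feature to its training mean" search is a deliberate simplification of a gradient-based solver.

```python
# Added illustration (not DeepAID's own code): sparse reference search as an
# interpretation for an unsupervised anomaly detector.
import math

# Constructed "normal" training data: one record = [packets, bytes, distinct ports].
NORMAL = [[10, 1200, 2], [12, 1400, 3], [9, 1100, 2], [11, 1300, 2], [10, 1250, 3]]

def fit(rows):
    """Stand-in for model training: per-feature mean and standard deviation."""
    n, dim = len(rows), len(rows[0])
    mean = [sum(r[i] for r in rows) / n for i in range(dim)]
    std = [max(1e-6, math.sqrt(sum((r[i] - mean[i]) ** 2 for r in rows) / n))
           for i in range(dim)]
    return mean, std

def score(model, x):
    """Anomaly score: RMS of per-feature z-scores (stand-in for DNN reconstruction error)."""
    mean, std = model
    return math.sqrt(sum(((x[i] - mean[i]) / std[i]) ** 2 for i in range(len(x))) / len(x))

def interpret(model, x_anom, threshold, max_features=2):
    """Greedy sparse reference search. Starting from the anomaly, change one feature at a
    time (snapping it to the training mean, the feature whose change lowers the score most
    first) until the detector scores the point below `threshold`. Returns
    (changed_feature_indices, reference_point), or None if no reference is found within
    the sparsity budget `max_features` (the interpretation would not be concise enough)."""
    ref, changed = list(x_anom), []
    mean = model[0]
    for _ in range(max_features):
        if score(model, ref) < threshold:
            break
        best = None
        for i in range(len(ref)):
            if i in changed:
                continue
            cand = list(ref)
            cand[i] = mean[i]
            s = score(model, cand)
            if best is None or s < best[0]:
                best = (s, i, cand)
        if best is None:  # every feature already changed
            break
        _, i, ref = best
        changed.append(i)
    return (changed, ref) if score(model, ref) < threshold else None

if __name__ == "__main__":
    m = fit(NORMAL)
    print(interpret(m, [10, 9000, 2], threshold=3.0))  # bytes is the sole explaining feature
```

In a real deployment the detector's reconstruction error or likelihood replaces `score`, and the reference search is what gives the operator a small set of features to check rather than an opaque alarm.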