| The development of the Internet has brought profound impacts on various aspects of modern life.While providing convenience for production and life,it has also brought many problems and challenges,making network security of great importance.Intrusion detection systems,as an important line of defense behind firewalls,have been vigorously developed.Deep neural networks have played an important role in anomaly detection tasks such as graph topology and sequence flow data.However,deep neural networks have a black box property,and their learning process is difficult for humans to understand.It is difficult to determine whether the knowledge learned by the model conforms to human cognition,which is not conducive to the continued development of the model and the trust of important practitioners in the field.This article proposes an interpretability method for black box intrusion detection systems based on graph neural networks and sequence models,in order to determine the important information that the model focuses on during the learning process and to improve the model’s transparency,thereby guiding the design of the model structure.The main research contents are as follows:For the lack of interpretability in the graph convolution-based zombie network detection model,this article proposes a lightweight interpretability method called GNN-Explainer,which identifies important edges in the topology graph structure to reflect the model’s focus information.The interpretability method can determine the model’s ability to recognize attacking edges in the botnet through subgraph decomposition of the input topology graph.Experimental results show that the proposed method can effectively reflect the model’s information focus,and the quantifiable interpretability indicators can guide the design of the model structure.For the black box property of sequence model-based intrusion detection systems,this article proposes an interpretability method for sequence models and conducts interpretability analysis on commonly used deep learning networks for sequence flow classification tasks.The interpretability method determines the important input byte positions through the activation values of the hidden layers.The experiments cover classification and interpretability tasks and compare the relationship between the model’s accuracy and interpretability ability.The results show that the current models cannot balance the classification task and the interpretability ability.In response to the current phenomenon that sequence models cannot balance the ability of classification tasks and interpretability,this paper proposes an abnormal traffic detection algorithm,called P-Trans,which enhances interpretability.The algorithm improves the model’s interpretability by learning the important position information of the teacher network without the need for manually annotated prior knowledge.Through qualitative and quantitative analysis,the experiment confirms that the proposed model performs better in both classification and interpretability tasks. |
