| Autor: |
Mukherjee, Kunal, Wiedemeier, Joshua, Wang, Tianhao, Kim, Muhyun, Chen, Feng, Kantarcioglu, Murat, Jee, Kangkook |
| Rok vydání: |
2023 |
| Předmět: |
|
| Druh dokumentu: |
Working Paper |
| Popis: |
The opaqueness of ML-based security models hinders their broad adoption and consequently restricts transparent security operations due to their limited verifiability and explainability. To enhance the explainability of ML-based security models, we introduce PROVEXPLAINER, a framework offering security-aware explanations by translating an ML model's decision boundary onto the interpretable feature space of a surrogate DT. Our PROVEXPLAINER framework primarily focuses on explaining security models that are built using GNNs since recent studies employ GNNs to comprehensively digest system provenance graphs for security critical tasks. PROVEXPLAINER uses graph structural features based on security domain knowledge gained from extensive data analysis, utilizing public and private system provenance datasets. PROVEXPLAINER's interpretable feature space can be directly mapped to the system provenance problem space, making the explanations human understandable. Because the security landscape is constantly changing, PROVEXPLAINER can be easily extended with new explanatory features as they are identified in the wild. By considering prominent GNN architectures (e.g., GAT and GraphSAGE) for program classification and anomaly detection tasks, we show how PROVEXPLAINER synergizes with current SOTA GNN explainers to deliver domain-specific explanations. On malware and APT datasets, PROVEXPLAINER achieves up to 9.14% and 6.97% higher precision and recall, respectively, compared to SOTA GNN explainers. When combined with a general-purpose SOTA GNN explainer, PROVEXPLAINER shows a further improvement of 7.22% and 4.86% precision and recall over the best individual explainer. |
| Databáze: |
arXiv |
| Externí odkaz: |
|
