Título
Federated Explainability for Network Anomaly CharacterizationAutor-a
Autor-a (de otra institución)
Otras instituciones
ttps://ror.org/03hp1m080Versión
Postprint
Derechos
© 2023 ACMAcceso
Acceso abiertoVersión del editor
https://doi.org/10.1145/3607199.3607234Publicado en
Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID '23) Pp. 346–365. Hong Kong (China), October 16-18Editor
ACMPalabras clave
Computing methodologiesSecurity and privacy
ODS 4 Educación de calidad
ODS 9 Industria, innovación e infraestructura
Resumen
Machine learning (ML) based systems have shown promising results for intrusion detection due to their ability to learn complex patterns. In particular, unsupervised anomaly detection approaches offer ... [+]
Machine learning (ML) based systems have shown promising results for intrusion detection due to their ability to learn complex patterns. In particular, unsupervised anomaly detection approaches offer practical advantages as does not require labeling the training data, which is costly and time-consuming. To further address practical concerns, there is a rising interest in adopting federated learning (FL) techniques as a recent ML model training paradigm for distributed settings (e.g., IoT), thereby addressing challenges such as data privacy, availability and communication cost concerns. However, output generated by unsupervised models provide limited contextual information to security analysts at SOCs, as they usually lack the means to know why a sample was classified as anomalous or cannot distinguish between different types of anomalies, difficulting the extraction of actionable information and correlation with other indicators. Moreover, ML explainability methods have received little attention in FL settings and present additional challenges due to the distributed nature and data locality requirements. This paper proposes a new methodology to characterize and explain the anomalies detected by unsupervised ML-based intrusion detection models in FL settings. We adapt and develop explainability, clustering and cluster validation algorithms to FL settings to mine patterns in the anomalous samples and identify different threats throughout the entire network, demonstrating the results on two network intrusion detection datasets containing real IoT malware, namely Gafgyt and Mirai, and various attack traces. The learned clustering results can be used to classify emerging anomalies, provide additional context that can be leveraged to gain more insight and enable the correlation of the anomalies with alerts triggered by other security solutions. [-]
Sponsorship
Comisión EuropeaFinanciador
European CommissionEusko Jaurlaritza = Gobierno Vasco
Eusko Jaurlaritza = Gobierno Vasco
Programa
H2020Elkartek 2023
Ikertalde Convocatoria 2022-2025
Número
101021911KK-2023-00085
IT1676-22
URI de la ayuda
https://doi.org/10.3030/101021911Sin información
Sin información
Proyecto
A Cognitive Detection System for Cybersecure Operational (IDUNN)cyBErsecure industriAl Computing cONtinuum (BEACON)
Grupo de sistemas inteligentes para sistemas industriales
Colecciones
- Congresos - Ingeniería [378]