了解基于图像的网络入侵检测系统的行为

IF 7.7 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Journal of Network and Computer Applications Pub Date : 2025-07-11 DOI:10.1016/j.jnca.2025.104254

Ayah Abdel-Ghani, Jezia Zakraoui, Abdulaziz Al-Ali, Abdelhak Belhi, Sandy Rahme, Abdelaziz Bouras

{"title":"了解基于图像的网络入侵检测系统的行为","authors":"Ayah Abdel-Ghani, Jezia Zakraoui, Abdulaziz Al-Ali, Abdelhak Belhi, Sandy Rahme, Abdelaziz Bouras","doi":"10.1016/j.jnca.2025.104254","DOIUrl":null,"url":null,"abstract":"Network Intrusion Detection Systems play a pivotal role in preventing cyber attacks by identifying threats within computer networks. Recent advancements in deep learning techniques positioned them as highly effective methods in detecting a diverse range of cyber attacks. However, the ”Black-Box” nature of deep models makes understanding their decisions very challenging, and renders them susceptible to adversarial attacks. In this paper, we propose the use of Explainable AI (XAI) approaches in deep-learning-based network traffic classifiers to validate their decisions’ rationale and soundness. In particular, we combine the popular Grad-CAM technique with a reverse lookup algorithm to explain models trained using image-transformed raw network traffic sessions, encompassing general, malware, and encrypted traffic data. Model behaviors were analyzed by mapping the highly impacting pixels to their corresponding raw features, to facilitate investigating the meaningfulness of the features learned by the model. Experimental results indicate cases of consistent highlighting of pixels associated with network layers across specific traffic types. However, models occasionally used unexpected features during the classification process, raising security vulnerability concerns that merit serious investigation. The proposed approach serves as a valid method to explain the behavior of general black-box image-based network traffic classification models and assess their robustness.","PeriodicalId":54784,"journal":{"name":"Journal of Network and Computer Applications","volume":"4 1","pages":""},"PeriodicalIF":7.7000,"publicationDate":"2025-07-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Towards understanding the behavior of image-based network intrusion detection systems\",\"authors\":\"Ayah Abdel-Ghani, Jezia Zakraoui, Abdulaziz Al-Ali, Abdelhak Belhi, Sandy Rahme, Abdelaziz Bouras\",\"doi\":\"10.1016/j.jnca.2025.104254\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Network Intrusion Detection Systems play a pivotal role in preventing cyber attacks by identifying threats within computer networks. Recent advancements in deep learning techniques positioned them as highly effective methods in detecting a diverse range of cyber attacks. However, the ”Black-Box” nature of deep models makes understanding their decisions very challenging, and renders them susceptible to adversarial attacks. In this paper, we propose the use of Explainable AI (XAI) approaches in deep-learning-based network traffic classifiers to validate their decisions’ rationale and soundness. In particular, we combine the popular Grad-CAM technique with a reverse lookup algorithm to explain models trained using image-transformed raw network traffic sessions, encompassing general, malware, and encrypted traffic data. Model behaviors were analyzed by mapping the highly impacting pixels to their corresponding raw features, to facilitate investigating the meaningfulness of the features learned by the model. Experimental results indicate cases of consistent highlighting of pixels associated with network layers across specific traffic types. However, models occasionally used unexpected features during the classification process, raising security vulnerability concerns that merit serious investigation. The proposed approach serves as a valid method to explain the behavior of general black-box image-based network traffic classification models and assess their robustness.\",\"PeriodicalId\":54784,\"journal\":{\"name\":\"Journal of Network and Computer Applications\",\"volume\":\"4 1\",\"pages\":\"\"},\"PeriodicalIF\":7.7000,\"publicationDate\":\"2025-07-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Network and Computer Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1016/j.jnca.2025.104254\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Network and Computer Applications","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1016/j.jnca.2025.104254","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

摘要

网络入侵检测系统通过识别计算机网络中的威胁，在防止网络攻击方面发挥着关键作用。深度学习技术的最新进展使其成为检测各种网络攻击的高效方法。然而，深度模型的“黑盒”特性使得理解它们的决策非常具有挑战性，并使它们容易受到对抗性攻击。在本文中，我们建议在基于深度学习的网络流量分类器中使用可解释的AI （XAI）方法来验证其决策的合理性和合理性。特别是，我们将流行的Grad-CAM技术与反向查找算法相结合，以解释使用图像转换的原始网络流量会话训练的模型，包括一般，恶意软件和加密的流量数据。通过将高影响像素映射到相应的原始特征来分析模型行为，以方便研究模型学习到的特征的意义。实验结果表明，在特定流量类型中，与网络层相关的像素一致高亮。然而，在分类过程中，模型偶尔会使用意想不到的特征，这引起了值得认真调查的安全漏洞问题。该方法是一种有效的方法来解释一般的基于黑盒图像的网络流量分类模型的行为，并评估其鲁棒性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Towards understanding the behavior of image-based network intrusion detection systems

Network Intrusion Detection Systems play a pivotal role in preventing cyber attacks by identifying threats within computer networks. Recent advancements in deep learning techniques positioned them as highly effective methods in detecting a diverse range of cyber attacks. However, the ”Black-Box” nature of deep models makes understanding their decisions very challenging, and renders them susceptible to adversarial attacks. In this paper, we propose the use of Explainable AI (XAI) approaches in deep-learning-based network traffic classifiers to validate their decisions’ rationale and soundness. In particular, we combine the popular Grad-CAM technique with a reverse lookup algorithm to explain models trained using image-transformed raw network traffic sessions, encompassing general, malware, and encrypted traffic data. Model behaviors were analyzed by mapping the highly impacting pixels to their corresponding raw features, to facilitate investigating the meaningfulness of the features learned by the model. Experimental results indicate cases of consistent highlighting of pixels associated with network layers across specific traffic types. However, models occasionally used unexpected features during the classification process, raising security vulnerability concerns that merit serious investigation. The proposed approach serves as a valid method to explain the behavior of general black-box image-based network traffic classification models and assess their robustness.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Network and Computer Applications 工程技术-计算机：跨学科应用

CiteScore

21.50

自引率

3.40%

发文量

142

审稿时长

37 days

期刊介绍： The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as WWW; emerging standards for internet protocols; Wireless networks; Mobile Computing; emerging computing models such as cloud computing, grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.