Abstract
Malware detection is a constant challenge in cybersecurity due to the rapid development of new attack techniques. Traditional signature-based approaches struggle to keep pace with the sheer volume of malware samples. Machine learning offers a promising solution, but faces issues of generalization to unseen samples and a lack of explanation for the instances identified as malware. However, human-understandable explanations are especially important in security-critical fields, where understanding model decisions is crucial for trust and legal compliance. While deep learning models excel at malware detection, their black-box nature hinders explainability. Conversely, interpretable models often fall short in performance. To bridge this gap in this application domain, we propose the use of Logic Explained Networks (LENs), which are a recently proposed class of interpretable neural networks providing explanations in the form of First-Order Logic (FOL) rules. This paper extends the application of LENs to the complex domain of malware detection, specifically using the large-scale EMBER dataset. In the experimental results we show that LENs achieve robustness that exceeds traditional interpretable methods and that are rivaling black-box models. Moreover, we introduce a tailored version of LENs that is shown to generate logic explanations with higher fidelity with respect to the model's predictions.
Abstract (translated)
恶意检测是网络安全领域的一个持续挑战,因为新型攻击技术的快速发展。传统的基于签名的方法很难跟上恶意软件样品的数量。机器学习提供了一个有前景的解决方案,但面临着对未见过的样本的泛化问题和确认恶意实例的缺乏解释。然而,在安全关键领域,人类可解释的解释尤为重要,理解模型决策对于信任和法律合规至关重要。虽然深度学习模型在恶意检测方面表现出色,但它们的黑盒性质阻碍了可解释性。相反,可解释的模型通常在性能上不足。为了在应用领域中弥合这一差距,我们提出了使用可解释神经网络(LENs)的方法,这是一种最近提出的类可解释神经网络,以First-Order Logic(FOL)规则的形式提供解释。本文将LENs的应用扩展到了恶意检测的复杂领域,特别是使用大型EMBER数据集。在实验结果中,我们证明了LENs实现了比传统可解释方法更稳健的性能,并与黑盒模型相媲美。此外,我们引入了一种专用的LEN版本,该版本在模型预测的逻辑解释方面具有更高的精确性。
URL
https://arxiv.org/abs/2405.03009
