ACE -- An Anomaly Contribution Explainer for Cyber-Security Applications
This work addresses the need for interpretability in cybersecurity anomaly detection for analysts, though it is incremental as it builds on existing explanation methods.
The authors tackled the problem of explaining security anomaly detection models by introducing ACE and ACE-KL, which use a regression framework to identify features contributing to anomalies, and demonstrated their effectiveness on synthetic and real datasets, including CERT insider threat and Android malware, with results showing correct feature identification in synthetic data and practical insights like uncovering network scanning activity.
In this paper, we introduce Anomaly Contribution Explainer or ACE, a tool to explain security anomaly detection models in terms of the model features through a regression framework, and its variant, ACE-KL, which highlights the important anomaly contributors. ACE and ACE-KL provide insights in diagnosing which attributes significantly contribute to an anomaly by building a specialized linear model to locally approximate the anomaly score that a black-box model generates. We conducted experiments with these anomaly detection models to detect security anomalies on both synthetic data and real data. In particular, we evaluate performance on three public data sets: CERT insider threat, netflow logs, and Android malware. The experimental results are encouraging: our methods consistently identify the correct contributing feature in the synthetic data where ground truth is available; similarly, for real data sets, our methods point a security analyst in the direction of the underlying causes of an anomaly, including in one case leading to the discovery of previously overlooked network scanning activity. We have made our source code publicly available.