CR, LG, SE | Aug 10, 2023

FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis

arXiv:2308.05362v1 | 19 citations | h-index: 21
Originality: Incremental advance
AI Analysis

It addresses the problem of facilitating security analysis for experts by making classifiers more interpretable, though it is incremental as it builds on existing feature attribution methods.

The paper tackles the lack of transparency in deep learning classifiers for risk detection by proposing FINER, a framework that generates high-fidelity and high-intelligibility explanations through fine-tuning and feature attribution adjustments, resulting in improved explanation quality and outperforming a state-of-the-art tool in malware analysis.

Deep learning classifiers achieve state-of-the-art performance in various risk detection applications. They explore rich semantic representations and are supposed to automatically discover risk behaviors. However, due to the lack of transparency, the behavioral semantics cannot be conveyed to downstream security experts to reduce their heavy workload in security analysis. Although feature attribution (FA) methods can be used to explain deep learning, the underlying classifier is still blind to what behavior is suspicious, and the generated explanation cannot adapt to downstream tasks, incurring poor explanation fidelity and intelligibility. In this paper, we propose FINER, the first framework for risk detection classifiers to generate high-fidelity and high-intelligibility explanations. The high-level idea is to gather explanation efforts from model developer, FA designer, and security experts. To improve fidelity, we fine-tune the classifier with an explanation-guided multi-task learning strategy. To improve intelligibility, we engage task knowledge to adjust and ensemble FA methods. Extensive evaluations show that FINER improves explanation quality for risk detection. Moreover, we demonstrate that FINER outperforms a state-of-the-art tool in facilitating malware analysis.

Code Implementations: 1 repo