Explaining Tree Model Decisions in Natural Language for Network Intrusion Detection
This work addresses the need for more interpretable machine learning in network security, making intrusion detection systems accessible to users without ML expertise, though it is incremental in applying LLMs to an existing domain.
The paper tackled the problem of interpreting decision tree models in network intrusion detection by using large language models to generate natural language explanations, and introduced a human evaluation framework with quiz questions to measure understanding. They found that LLM-generated explanations correlated highly with human ratings for readability and quality while improving comprehension of decision boundaries.
Network intrusion detection (NID) systems which leverage machine learning have been shown to have strong performance in practice when used to detect malicious network traffic. Decision trees in particular offer a strong balance between performance and simplicity, but require users of NID systems to have background knowledge in machine learning to interpret. In addition, they are unable to provide additional outside information as to why certain features may be important for classification. In this work, we explore the use of large language models (LLMs) to provide explanations and additional background knowledge for decision tree NID systems. Further, we introduce a new human evaluation framework for decision tree explanations, which leverages automatically generated quiz questions that measure human evaluators' understanding of decision tree inference. Finally, we show LLM generated decision tree explanations correlate highly with human ratings of readability, quality, and use of background knowledge while simultaneously providing better understanding of decision boundaries.