Journal article

Validating network attack concepts: A TCAV-driven approach

Abstract

Nowadays, there is extensive research being conducted on the transparency and interpretability of AI algorithms. The explanations of why and how these black-box algorithms make decisions are also important from a legal perspective. The possibility of explaining decisions using human-understandable concepts is intuitive but less explored in the field of cybersecurity. Furthermore, within the realm of cybersecurity, concepts exhibit a discrete nature. This study delves into the prospect of formulating concepts to elucidate the identification of attacks. These concepts are articulated concerning the merger of features. In this paper, a novel method for uncovering concepts by combining features obtained from explainable AI techniques, specifically SHAP and CIU, has been proposed. A method for validating the concepts using TCAV is also proposed. This is used to prove that the concepts are valid to explain the identification of specific attacks. Various sets of experiments conducted on the KDD Cup 1999 dataset yield consistent results. It is feasible to depict attacks using diverse concepts, and there are concepts that accurately portray the specified attacks. The examination of the TCAV outcomes indicates that representing attacks is achievable through concepts comprising various feature combinations.

Authors

Rejimol Robinson RR; Prasad RR; Thomas C; Balakrishnan N

Journal

Journal of Computer Virology and Hacking Techniques, Vol. 20, No. 4, pp. 841–855

Publisher

Springer Nature

Publication Date

November 1, 2024

DOI

10.1007/s11416-024-00535-z

ISSN

1772-9890
