A novel approach to the use of explainability to mine network intrusion detection rules [preprint]

In the realm of the growing number of cyber-threats and the following expansion of the cybersecurity market, the demand for more effective and efficient intrusion detection methods is on the rise. This circumstance has become critical as organizations around the globe continue to confront emerging and evolving threats. Availability attacks such as Distributed Denial of Service constitute a continuous hazard as they can have disastrous consequences. To address these concerns, this paper presents an innovative approach to explore the potential of Explainable Artificial Intelligence in enhancing the performance of traditional Security Information and Event Management detection rules. This study applies these cutting- edge technologies to mine applicable rules from a fully trained Random Forest (RF) used to classify network traffic, specifically focusing on distinguishing Distributed Denial of Service attacks from benign traffic. The experiments conducted show that Security Information and Event Management (SIEM) rules derived from RF through xAI can significantly outperform traditional, manually set SIEM detection rules.

---

Disclaimer:

This is a preprint version of the article.

The content here is for view-only purposes. This is not the final published version and may differ from the version of record.

Please refer to the official version for citation and authoritative use.