CapsRule: Explainable Deep Learning for Classifying Network Attacks

Despite the potential deep learning (DL) algorithms have shown, their lack of transparency hinders their widespread application. Extracting if-then rules from deep neural networks is a powerful explanation method to capture nonlinear local behaviors. However, existing rule extraction methods suffer from inefficiency, incomprehensibility, infidelity, and not scaling well. Concerning security applications, they are not optimized regarding the decision boundary, data types and ranges, classification tasks, and dataset size. In this article, we propose CapsRule, an effective and efficient rule-based DL explanation method dedicated to classifying network attacks. It extracts high-fidelity rules from the feed-forward capsule network that explains how an input sample is classified. Using precomputed coupling coefficients, the training phase overlaps the rule extraction process to increase efficiency. The activation vector of a capsule can represent semantic intelligence about the attributes of the input sample. The rules extracted from CapsRule address the major concerns of network attack detection. The rules: 1) approximate the nonlinear decision boundary of the underlying data; 2) reduce the number of false positives significantly; 3) increase transparency; and 4) help find errors and noise in the data. We evaluate CapsRule on the CICDDoS2019 dataset that contains over a million of the most advanced Distributed Denial-of-Service (DDoS) attacks. The extensive evaluation shows that it generates accurate, high-fidelity, and comprehensible rules. CapsRule achieves an average accuracy of 99.0% and a false positive rate of 0.70% for reflection-and exploitation-based attacks. We verify that the learned features from the rulesets match our domain-specific knowledge. They also help find flaws in the dataset generation process and erroneous patterns caused by attack simulators.