DeepAID
Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications (CCS'21)
DeepAID is the first Deep Learning Interpretation method dedicated to Anomaly Detection models in Security Domains. DeepAID interpretations have three advantages:
- Unsupervised. DeepAID is dedicated to interpreting anomaly detection models, which are usually built with only normal data. In DeepAID, no knowledge of anomaly data is necessary for the interpretation.
- High Quality. DeepAID is dedicated to interpreting DL models in security-related domains, where the tolerance for errors is low. In DeepAID, the interpretation results are high-quality and satisfy several elegant properties, including fidelity, robustness, stability, conciseness, and efficiency.
- Versatile. DeepAID provides not only the implementation for certain DL models and anomaly detection systems, but also a general interpretation framework for various types of DL models and security domains.
Implementation Notes
- The current implementation of DeepAID only supports interpreting DL models built with PyTorch. We'll consider extending the DeepAID Interpreter to other DL frameworks such as TensorFlow. We also provide instructions for building a customized interpreter if your DL model is not yet supported by our implementation.
- Environmental Setup:
  pip install -r requirement.txt
  - For Tabular Interpreter only:
    pip install -r requirement_tab.txt
  - For Univariate Time-Series Interpreter only:
    pip install -r requirement_units.txt
  - For Multivariate Time-Series Interpreter only:
    pip install -r requirement_multits.txt
Examples
We provide several cases to show how to interpret your own anomaly detection models, including:
- Tabular Data, Auto-Encoder, Synthetic Data
- Tabular Data, Kitsune (NDSS'18), Network Intrusion Detection
- Time Series (Univariate), DeepLog (CCS'17), Log Anomaly Detection
- Time Series (Multivariate), LSTM, Network Anomaly Detection
- Graph Data (Link Prediction, Embedding), GL-GV (RAID'20), APT Lateral Movement Detection
Customizing Interpreters
DeepAID follows a general interpretation framework for various types of DL models and security domains. The core idea of interpreting anomalies in DeepAID is to search for a reference and interpret the anomaly through the difference between the reference and the anomaly. The search is limited by several considerations (i.e., constraints) to generate high-quality results. Here is an illustration:

See our paper for more technical details and for instructions on building Interpreters for your own models.
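The reference-search idea described above, as an added sketch that is not DeepAID's code or API: starting from an anomaly, it descends the reconstruction error until the model scores the point as normal, changes at most k features, and reports the difference. The fixed linear autoencoder, feature names, threshold, sample vector and the top-k/early-stop rule are constructed assumptions standing in for a trained PyTorch model and the paper's actual objective.

```python
import math

# Constructed stand-in for a trained model: a tied-weight linear autoencoder
# whose two latent units encode "packet counts move together" and
# "SYN / SYN-ACK / ACK counts move together" (orthonormal rows).
FEATURES = ["pkts_out", "pkts_in", "syn", "synack", "ack"]
W = [[1 / math.sqrt(2)] * 2 + [0.0] * 3,
     [0.0] * 2 + [1 / math.sqrt(3)] * 3]

def recon_error(x):
    """Squared reconstruction error, used as the anomaly score."""
    z = [sum(w * v for w, v in zip(row, x)) for row in W]           # encode
    xhat = [sum(z[j] * W[j][i] for j in range(len(W))) for i in range(len(x))]
    return sum((a - b) ** 2 for a, b in zip(x, xhat))

def gradient(f, x, h=1e-5):
    """Central-difference gradient; with PyTorch, autograd would supply this."""
    g = []
    for i in range(len(x)):
        hi, lo = list(x), list(x)
        hi[i] += h
        lo[i] -= h
        g.append((f(hi) - f(lo)) / (2 * h))
    return g

def find_reference(x, threshold, k=1, lr=0.1, steps=500):
    """Search for a reference near x that the model scores as normal."""
    ref = list(x)
    for _ in range(steps):
        if recon_error(ref) <= threshold:      # fidelity: reference is normal
            break
        g = gradient(recon_error, ref)
        cand = [r - lr * gi for r, gi in zip(ref, g)]
        # conciseness: keep only the k largest changes, reset the rest to x
        keep = sorted(range(len(x)), key=lambda i: -abs(cand[i] - x[i]))[:k]
        ref = [cand[i] if i in keep else x[i] for i in range(len(x))]
    return ref

def interpret(x, ref, tol=1e-9):
    """Report the features where the anomaly differs from its reference."""
    return {FEATURES[i]: (x[i], round(ref[i], 3))
            for i in range(len(x)) if abs(x[i] - ref[i]) > tol}

THRESHOLD = 0.5                                # constructed detection threshold
anomaly = [2.0, 2.0, 6.0, 1.0, 1.0]            # constructed: SYN far above SYN-ACK/ACK
reference = find_reference(anomaly, THRESHOLD)
print(interpret(anomaly, reference))
```

The output names only the feature that had to change for the sample to be scored as normal, together with its anomalous and reference values, which is what an analyst reads as the explanation.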
Citation & Paper
This source code is part of our work accepted by CCS'21:
DeepAID: Interpreting and Improving Deep Learning-based Anomaly Detection in Security Applications
Its pre-print version is available here.
You can find more details in this paper, and if you use the source code, please cite the paper.
(Here is the BibTeX:)
@inproceedings{10.1145/3460120.3484589,
  author = {Han, Dongqi and Wang, Zhiliang and Chen, Wenqi and Zhong, Ying and Wang, Su and Zhang, Han and Yang, Jiahai and Shi, Xingang and Yin, Xia},
  title = {DeepAID: Interpreting and Improving Deep Learning-Based Anomaly Detection in Security Applications},
  year = {2021},
  isbn = {9781450384544},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3460120.3484589},
  doi = {10.1145/3460120.3484589},
  booktitle = {Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {3197–3217},
  numpages = {21},
  location = {Virtual Event, Republic of Korea},
  series = {CCS '21}
}

