GEAD
This repository contains artifacts for the paper "Rules Refine the Riddle: Global Explanation for Deep Learning-Based Anomaly Detection in Security Applications" accepted by ACM CCS 2024.
Install / Use
/learn @dongtsi/GEADREADME
Rules Refine the Riddle: Global Explanation for Deep Learning-Based Anomaly Detection in Security Applications. Accepted by CCS'24. Please download the released code from here if you want to reproduce the results in our paper. <span style="color:blue">【中文README】</span>
Introduction
This artifact is the implementation and experiment results of GEAD proposed in CCS'24.
In short, GEAD is a method for extracting rules in deep learning-based anomaly detection models. As shown in the figure below, it contains several core steps:
- Root regression tree generation: leveraging black-box knowledge distillation methods to extract a raw rule tree
- Low-confidence Region Identification: Find regions that cause inconsistencies between the original model and the tree-based explainable model
- Low-confidence augmentation: augmenting data that can lead to inconsistent decisions between the two models
- Low-confidence rule generation: using augmented data to expand original rules
- Tree merging and discretization: simplifying the rules to increase the readability for operators
- Rule generation (optional): Convert the rule tree into readable a rule set
Code Structure
The following is a brief introduction to the directory structure of this artifact:
- baseline/ ; code of baselines
- code/
- gead.py ; code of GEAD
- gead_seq/py ; code of GEAD (for RNN)
- ...
- demo/
- demo.ipynb ; demo to show how to use GEAD
- ...
- experiment/
- results/ ;reproduced experient results
- Fidelity_Evaluation.ipynb ; experiment 1
- Usage 2.ipynb ; experiment 2
- setup/ ;environment setup files
- doc/ ; images used in README
- README.md ; instructions of this artifact
Environment Setup
This implementation has been successfully tested in Ubuntu 16.04 server with Python 3.7.16. To ensure compatibility, this artifact (pytorch-based parts) can be fully run with CPU (GPU/CUDA is not required).
To ensure the proper functioning of this artifact, please follow the commands below:
- Ensure that you have
condainstalled on your system. If you do not haveconda, you can install it as part of the Anaconda distribution or Miniconda. - Open a terminal or command prompt.
- Create a new conda environment with the name of your choice (e.g.,
GEAD) and specify the version of python to configure it:conda create -n GEAD python=3.7.16 - Once the environment is created, activate it by running:
This will switch your command line environment to use the newly created conda environment with all the necessary packages.conda activate GEAD - Run the following command to install all the required packages:
This command tellspip install -r setup/requirements.txtpipto install all the packages listed in therequirements.txtfile.
Below, the experiments or demos in this artifact mainly use jupyter notebook. So make sure you can view and execute the notebook (.ipynb) files.
How to use jupyter notebook can be found on the official website.
In short, select the right kernel (namely, the above GEAD) and then execute all cells (except markdown cells) in sequence. All cells in this artifact have been pre-executed with output shown. If all goes well, you should get consistent output in your environment.
Demo
We provide a step-by-step demo of explaining an autoencoder-based anomaly detection model with GEAD, which is also the result in Section 4.3.1 of our paper.
