Intrusion detection has been a commonly adopted detective security measures to safeguard systems and networks from various threats. A robust intrusion detection system (IDS) can essentially mitigate threats by providing alerts. In networks based IDS, typically we deal with cyber threats like distributed denial of service (DDoS), spoofing, reconnaissance, brute-force, botnets, and so on. In order to detect these threats various machine learning (ML) and deep learning (DL) models have been proposed. However, one of the key challenges with these predictive approaches is the presence of false positive (FP) and false negative (FN) instances. This FPs and FNs within any black-box intrusion detection system (IDS) make the decision-making task of an analyst further complicated. In this paper, we propose an explainable artificial intelligence (XAI) based visual analysis approach using overlapping SHAP plots that presents the feature explanation to identify potential false positive and false negatives in IDS. Our approach can further provide guidance to security analysts for effective decision-making. We present case study with multiple publicly available network traffic datasets to showcase the efficacy of our approach for identifying false positive and false negative instances. Our use-case scenarios provide clear guidance for analysts on how to use the visual analysis approach for reliable course-of-actions against such threats.

翻译：入侵检测已成为广泛采用的检测性安全措施，用于保护系统和网络免受各类威胁。一个稳健的入侵检测系统（IDS）本质上可通过提供警报来缓解威胁。在网络型IDS中，我们通常需要处理分布式拒绝服务（DDoS）、欺骗、侦察、暴力破解、僵尸网络等网络威胁。为检测这些威胁，学界已提出多种机器学习（ML）与深度学习（DL）模型。然而，这些预测方法面临的关键挑战之一在于存在误报（FP）与漏报（FN）实例。任何黑盒入侵检测系统（IDS）中的误报与漏报都会使分析师的决策任务进一步复杂化。本文提出一种基于可解释人工智能（XAI）的可视化分析方法，通过重叠SHAP图呈现特征解释，以识别IDS中潜在的误报与漏报。该方法能进一步为安全分析师提供有效决策指导。我们通过多个公开网络流量数据集的案例研究，展示了该方法在识别误报与漏报实例方面的有效性。我们的应用场景为分析师提供了清晰指引，说明如何运用该可视化分析方法制定应对此类威胁的可靠行动方案。