Advanced cyber threats (e.g., Fileless Malware and Advanced Persistent Threat (APT)) have driven the adoption of provenance-based security solutions. These solutions employ Machine Learning (ML) models for behavioral modeling and critical security tasks such as malware and anomaly detection. However, the opacity of ML-based security models limits their broader adoption, as the lack of transparency in their decision-making processes restricts explainability and verifiability. We tailored our solution towards Graph Neural Network (GNN)-based security solutions since recent studies employ GNNs to comprehensively digest system provenance graphs for security-critical tasks. To enhance the explainability of GNN-based security models, we introduce PROVEXPLAINER, a framework offering instance-level security-aware explanations using an interpretable surrogate model. PROVEXPLAINER's interpretable feature space consists of discriminant subgraph patterns and graph structural features, which can be directly mapped to the system provenance problem space, making the explanations human interpretable. We show how PROVEXPLAINER synergizes with current state-of-the-art (SOTA) GNN explainers to deliver domain and instance-specific explanations. We measure the explanation quality using the Fidelity+/Fidelity- metric as used by traditional GNN explanation literature, we incorporate the precision/recall metric, where we consider the accuracy of the explanation against the ground truth, and we designed a human actionability metric based on graph traversal distance. On real-world Fileless and APT datasets, PROVEXPLAINER achieves up to 29%/27%/25%/1.4x higher Fidelity+, precision, recall, and actionability (where higher values are better), and 12% lower Fidelity- (where lower values are better) when compared against SOTA GNN explainers.

翻译：高级网络威胁（例如无文件恶意软件和高级持续性威胁（APT））推动了基于溯源的安全解决方案的采用。这些解决方案采用机器学习（ML）模型进行行为建模以及恶意软件和异常检测等关键安全任务。然而，基于ML的安全模型的不透明性限制了其更广泛的应用，因为其决策过程缺乏透明度，制约了可解释性和可验证性。我们将解决方案定制于基于图神经网络（GNN）的安全方案，因为近期研究采用GNN来全面分析系统溯源图以执行安全关键任务。为了增强基于GNN的安全模型的可解释性，我们提出了PROVEXPLAINER，这是一个利用可解释的替代模型提供实例级安全感知解释的框架。PROVEXPLAINER的可解释特征空间由判别性子图模式和图表征特征构成，这些特征可以直接映射到系统溯源问题空间，从而使解释易于人类理解。我们展示了PROVEXPLAINER如何与当前最先进的（SOTA）GNN解释器协同工作，以提供领域和实例特定的解释。我们使用传统GNN解释文献中采用的Fidelity+/Fidelity-指标来衡量解释质量，同时引入了精确率/召回率指标（其中我们考虑解释相对于真实情况的准确性），并设计了一种基于图遍历距离的人类可操作性指标。在真实世界的无文件恶意软件和APT数据集上，与SOTA GNN解释器相比，PROVEXPLAINER实现了高达29%/27%/25%/1.4倍的Fidelity+、精确率、召回率和可操作性提升（数值越高越好），以及12%更低的Fidelity-（数值越低越好）。