DDoS attacks involve overwhelming a target system with a large number of requests or traffic from multiple sources, disrupting the normal traffic of a targeted server, service, or network. Distinguishing between legitimate traffic and malicious traffic is a challenging task. Machine learning and deep learning techniques can be used to classify legitimate and malicious traffic and to analyze network traffic. However, an inter-model explanation of how a traffic flow is classified as benign or malicious is an important investigation of the model's inner workings, and it increases the trustworthiness of the model. Explainable Artificial Intelligence (XAI) can explain the decision-making of the machine learning models that classify and identify DDoS traffic. In this context, we propose a framework that not only classifies legitimate and malicious traffic of DDoS attacks but also uses SHAP to explain the decision-making of the classifier model. To address this concern, we first adopt feature selection techniques to select the top 20 important features based on feature importance techniques (e.g., XGB-based SHAP feature importance). Following that, the Multi-layer Perceptron Network (MLP) part of our proposed model uses the optimized features of the DDoS attack dataset as inputs to classify legitimate and malicious traffic. We perform extensive experiments with all features and with the selected features. The evaluation results show that the model with selected features achieves above 99% accuracy. Finally, to provide interpretability, XAI can be adopted to explain the relationship between the prediction results and the features, based on global and local explanations by SHAP, which can better explain the results achieved by our proposed framework.