The current state of the art systems in Artificial Intelligence (AI) enabled intrusion detection use a variety of black box methods. These black box methods are generally trained using Error Based Learning (EBL) techniques with a focus on creating accurate models. These models have high performative costs and are not easily explainable. A white box Competitive Learning (CL) based eXplainable Intrusion Detection System (X-IDS) offers a potential solution to these problem. CL models utilize an entirely different learning paradigm than EBL approaches. This different learning process makes the CL family of algorithms innately explainable and less resource intensive. In this paper, we create an X-IDS architecture that is based on DARPA's recommendation for explainable systems. In our architecture we leverage CL algorithms like, Self Organizing Maps (SOM), Growing Self Organizing Maps (GSOM), and Growing Hierarchical Self Organizing Map (GHSOM). The resulting models can be data-mined to create statistical and visual explanations. Our architecture is tested using NSL-KDD and CIC-IDS-2017 benchmark datasets, and produces accuracies that are 1% - 3% less than EBL models. However, CL models are much more explainable than EBL models. Additionally, we use a pruning process that is able to significantly reduce the size of these CL based models. By pruning our models, we are able to increase prediction speeds. Lastly, we analyze the statistical and visual explanations generated by our architecture, and we give a strategy that users could use to help navigate the set of explanations. These explanations will help users build trust with an Intrusion Detection System (IDS), and allow users to discover ways to increase the IDS's potency.

翻译：当前基于人工智能的入侵检测系统通常采用多种黑箱方法。这些黑箱方法主要基于误差学习技术进行训练，侧重于构建高精度模型。然而，这类模型不仅计算成本高昂，且难以实现可解释性。基于白箱竞争学习的可解释入侵检测系统为这些问题提供了潜在解决方案。竞争学习模型采用与误差学习方法完全不同的学习范式，其独特的训练机制使竞争学习算法家族天然具备可解释性且资源消耗更低。本文基于DARPA对可解释系统的建议，构建了X-IDS架构。在该架构中，我们采用了自组织映射（SOM）、生长型自组织映射（GSOM）及层次化生长型自组织映射（GHSOM）等竞争学习算法。通过数据挖掘技术，可从生成的模型中提取统计与可视化解释。基于NSL-KDD和CIC-IDS-2017基准数据集的测试表明，虽然本模型准确率比误差学习模型低1%-3%，但其可解释性显著优于后者。此外，我们引入剪枝技术大幅缩减竞争学习模型的规模，从而提升预测速度。最后，通过分析架构生成的统计与可视化解释，我们提出了帮助用户导航解释集的策略。这些解释将增强用户对入侵检测系统的信任，并为其发现提升系统效能的方法提供支持。