With the rise of fifth-generation (5G) networks in critical applications, it is urgent to move from mere detection of malicious activity to systems capable of providing a reliable verdict suitable for mitigation. In this regard, understanding and interpreting the security alerts raised by machine learning (ML) models is crucial for enabling actionable incident response orchestration. Explainable Artificial Intelligence (XAI) techniques are expected to enhance trust by providing insight into why an alert is raised. Under the umbrella of XAI, the interpretability of an outcome depends crucially on understanding the influence of specific inputs, referred to as feature attribution. A dominant approach to feature attribution statistically associates a set of features with a given alert. This paper investigates the merits of that approach, against the backdrop of criticism in recent literature, in comparison with feature attribution based on logic. We extensively study two methods, SHAP and VoTE-XAI, as representatives of each attribution approach, by analyzing their interpretations of alerts generated by an XGBoost model across three 5G-relevant datasets (5G-NIDD, MSA, and PFCP) covering multiple attack scenarios. We identify three metrics for assessing explanations: sparsity, how concise an explanation is; stability, how consistent explanations are across samples of the same attack type; and efficiency, how fast an explanation is generated. Our results reveal that logic-based attributions are consistently sparser and more stable across alerts. More importantly, we find a significant divergence between the features selected by SHAP and those selected by VoTE-XAI; however, none of the top-ranked features selected by SHAP were missed by VoTE-XAI. Finally, we analyze the efficiency of both methods and discuss their suitability for real-time security monitoring, even in high-dimensional 5G environments (478 features).
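As an added illustration (not code from the paper), the block below implements toy versions of the three explanation-quality metrics named in the abstract and of the overlap check between two attribution methods. The metric definitions are assumptions: sparsity as the fraction of the feature space an explanation uses, stability as the mean pairwise Jaccard similarity between explanations of the same attack type, and efficiency as wall-clock time per explanation. The two explainers are stand-ins with the same output shape as the paper's methods (a per-sample feature ranking, and the features tested by a rule that fires), not SHAP or VoTE-XAI themselves, and the five-feature baseline and alert records are constructed.

```python
"""Toy implementation of sparsity, stability and efficiency for alert
explanations, plus a top-k overlap check between two attribution methods.
Added example; metric definitions, explainers and data are assumptions."""
import time
from itertools import combinations
from typing import Callable, Dict, List, Sequence, Set

Alert = Dict[str, float]
Explanation = Set[str]

# Constructed benign baseline (mean, std) per feature; stands in for
# training-set statistics.  Five features, not the 478 of the 5G datasets.
BASELINE: Dict[str, tuple] = {
    "pkt_rate": (200.0, 100.0),
    "syn_ratio": (0.1, 0.05),
    "payload_len": (500.0, 200.0),
    "ttl": (64.0, 2.0),
    "dst_port_entropy": (0.5, 0.2),
}
N_FEATURES = len(BASELINE)

# Constructed alerts of one attack type (a SYN-flood-like pattern).
ALERTS: List[Alert] = [
    {"pkt_rate": 9800, "syn_ratio": 0.97, "payload_len": 0, "ttl": 64, "dst_port_entropy": 0.1},
    {"pkt_rate": 7100, "syn_ratio": 0.95, "payload_len": 40, "ttl": 63, "dst_port_entropy": 0.9},
    {"pkt_rate": 12000, "syn_ratio": 0.99, "payload_len": 600, "ttl": 58, "dst_port_entropy": 0.05},
]


def rank_by_deviation(alert: Alert) -> List[str]:
    """Stand-in for a statistical attribution (not SHAP): rank features by
    |z-score| against the benign baseline, most deviant first."""
    z = {f: abs((alert[f] - mu) / sd) for f, (mu, sd) in BASELINE.items()}
    return sorted(z, key=z.get, reverse=True)


def top_k(ranked: Sequence[str], k: int) -> Explanation:
    """Turn a ranking into a set-valued explanation of its k strongest features."""
    return set(ranked[:k])


def rule_explain(alert: Alert) -> Explanation:
    """Stand-in for a logic-based attribution (not VoTE-XAI): the features
    tested by the fixed conjunctive rule that fires for this alert, or the
    empty set when the rule does not fire."""
    rule: Dict[str, Callable[[float], bool]] = {
        "pkt_rate": lambda v: v > 5000,
        "syn_ratio": lambda v: v > 0.9,
    }
    fired = {f for f, test in rule.items() if test(alert[f])}
    return fired if len(fired) == len(rule) else set()


def sparsity(expl: Explanation, n_features: int = N_FEATURES) -> float:
    """Fraction of the feature space an explanation uses; lower is more concise."""
    return len(expl) / n_features


def jaccard(a: Explanation, b: Explanation) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def stability(expls: Sequence[Explanation]) -> float:
    """Mean pairwise Jaccard similarity over explanations of one attack type."""
    pairs = list(combinations(expls, 2))
    return 1.0 if not pairs else sum(jaccard(a, b) for a, b in pairs) / len(pairs)


def efficiency(explain: Callable[[Alert], Explanation], alerts: Sequence[Alert]) -> float:
    """Mean wall-clock seconds per explanation."""
    t0 = time.perf_counter()
    for a in alerts:
        explain(a)
    return (time.perf_counter() - t0) / len(alerts)


def top_k_missed(ranked_a: Sequence[str], k: int, expl_b: Explanation) -> Set[str]:
    """Top-k features of a ranking method that the other method's explanation omits."""
    return set(ranked_a[:k]) - expl_b


def evaluate(k: int = 3) -> Dict[str, Dict[str, float]]:
    """Score both stand-in explainers on the constructed alerts."""
    stat = [top_k(rank_by_deviation(a), k) for a in ALERTS]
    logic = [rule_explain(a) for a in ALERTS]
    return {
        "statistical": {
            "sparsity": sum(map(sparsity, stat)) / len(stat),
            "stability": stability(stat),
            "sec_per_alert": efficiency(lambda a: top_k(rank_by_deviation(a), k), ALERTS),
        },
        "logic": {
            "sparsity": sum(map(sparsity, logic)) / len(logic),
            "stability": stability(logic),
            "sec_per_alert": efficiency(rule_explain, ALERTS),
        },
    }


if __name__ == "__main__":
    for name, metrics in evaluate().items():
        print(name, metrics)
    first = ALERTS[0]
    print("top-2 of ranking missed by rule:",
          top_k_missed(rank_by_deviation(first), 2, rule_explain(first)))
```

On these constructed alerts the rule-based explanation is identical for every sample (stability 1.0, two of five features), while the top-3 of the deviation ranking changes between samples because weakly deviating features swap places near the cut-off. The `top_k_missed` check is the abstract's overlap question in miniature: the ranking method's two strongest features are both covered by the rule, but its third is not.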