Algorithm for Improving the Interpretability of Support Vector Machine Models for Anomaly Detection in Network Traffic
Saved in:

| Date: | 2025 |
|---|---|
| Authors: | , , |
| Format: | Article |
| Language: | English |
| Published: | V.M. Glushkov Institute of Cybernetics of NAS of Ukraine, 2025 |
| Topics: | |
| Online access: | https://jais.net.ua/index.php/files/article/view/521 |
| Journal title: | Problems of Control and Informatics |
Summary:

This paper is devoted to the development of an algorithm for improving the interpretability of machine learning models used to detect anomalies in network traffic, a task that is critical for modern cybersecurity systems. The focus is on one-class support vector machine (SVM) models, which are widely used for their high accuracy in anomaly detection but suffer from a lack of transparency, often being referred to as "black box" models. This opacity limits their practical applicability, especially in high-stakes environments such as cybersecurity, where understanding the reasoning behind decisions is crucial.

To address this limitation, we present an interpretable system that integrates two popular model-agnostic explanation techniques: SHAP (SHapley Additive exPlanations) for global interpretability and LIME (Local Interpretable Model-Agnostic Explanations) for local interpretability. The system is designed not only to detect anomalous behavior in network traffic but also to explain the model's reasoning in both general and specific contexts. The one-class SVM is trained on normal network traffic to learn the boundary of normal behavior; any traffic falling outside this boundary is classified as anomalous. The SHAP module provides insight into the overall importance of traffic attributes (e.g., sbytes, dbytes, dpkts, rate) across the entire dataset, while the LIME module reveals which attributes and which specific values contributed to the classification of a particular anomaly. This dual approach allows analysts to understand both the general behavior of the model and the specific causes of individual detections.

The results show a marked improvement in model interpretability, helping analysts identify potential threats more effectively and respond appropriately. Although explanation methods introduce additional computational overhead and only approximate the model's internal logic, the benefits in transparency and usability outweigh these drawbacks. This research contributes to the broader goal of building trustworthy AI systems and lays the foundation for future work on specialized interpretability techniques tailored to one-class models.
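The summary describes a three-part pipeline: a one-class SVM learns the boundary of normal traffic, SHAP ranks attribute importance globally, and LIME explains individual detections. The sketch below illustrates that pipeline under explicit assumptions: it combines scikit-learn's OneClassSVM with the generic shap.KernelExplainer and lime.lime_tabular.LimeTabularExplainer on synthetic data carrying the attribute names quoted in the summary (sbytes, dbytes, dpkts, rate). It is not the authors' implementation; the data, model parameters, and the anomaly_score helper are illustrative choices.

```python
# Minimal sketch (not the authors' code): one-class SVM anomaly detection
# explained globally with SHAP and locally with LIME.
# Assumed dependencies: numpy, scikit-learn, shap, lime.
import numpy as np
import shap
from lime.lime_tabular import LimeTabularExplainer
from sklearn.preprocessing import StandardScaler
from sklearn.svm import OneClassSVM

rng = np.random.default_rng(0)
feature_names = ["sbytes", "dbytes", "dpkts", "rate"]  # attributes named in the summary

# Synthetic stand-in for normal training traffic and a mixed test set.
X_normal = rng.normal(loc=[500, 400, 20, 1.0], scale=[50, 40, 3, 0.2], size=(500, 4))
X_test = np.vstack([
    rng.normal(loc=[500, 400, 20, 1.0], scale=[50, 40, 3, 0.2], size=(95, 4)),
    rng.normal(loc=[5000, 50, 200, 10.0], scale=[500, 10, 20, 1.0], size=(5, 4)),  # injected anomalies
])

# Train the one-class SVM on normal traffic only, so it learns the boundary
# of normal behavior; anything outside that boundary is flagged as anomalous.
scaler = StandardScaler().fit(X_normal)
ocsvm = OneClassSVM(kernel="rbf", nu=0.05, gamma="scale").fit(scaler.transform(X_normal))

def anomaly_score(X):
    # Signed distance to the learned boundary; negative values are anomalous.
    return ocsvm.decision_function(scaler.transform(np.asarray(X)))

preds = ocsvm.predict(scaler.transform(X_test))  # +1 = normal, -1 = anomalous
anomaly_idx = np.where(preds == -1)[0]

# Global view (SHAP): model-agnostic KernelExplainer over the anomaly score.
shap_explainer = shap.KernelExplainer(anomaly_score, X_normal[:50])
shap_values = shap_explainer.shap_values(X_test[:50], nsamples=200)
global_importance = np.abs(shap_values).mean(axis=0)
for name, imp in sorted(zip(feature_names, global_importance), key=lambda t: -t[1]):
    print(f"{name}: mean |SHAP| = {imp:.3f}")

# Local view (LIME): explain one flagged record through the same score function.
lime_explainer = LimeTabularExplainer(
    X_normal, feature_names=feature_names, mode="regression", random_state=0
)
if len(anomaly_idx) > 0:
    exp = lime_explainer.explain_instance(
        X_test[anomaly_idx[0]], anomaly_score, num_features=len(feature_names)
    )
    print(exp.as_list())  # (attribute condition, contribution to the anomaly score)
```

On real flow records the structure would stay the same: fit the scaler and the one-class SVM only on traffic known to be normal, rank attributes by mean |SHAP| value for the global view, and run LIME on each flagged record to see which attribute values pushed it outside the learned boundary. The summary does not name the dataset used in the paper, so the synthetic records above are purely illustrative.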