DeNNeS: deep embedded neural network expert system for detecting cyber attacks

With advances in computing power and increasing volumes of data, the emergence of deep learning has helped revitalize artificial intelligence research. There is a growing trend of applying deep learning techniques to image processing, speech recognition, self-driving cars, and even health care. Recently, several deep learning models have been employed to detect cyber threats such as network attacks, malware infiltration, or phishing websites; nevertheless, they suffer from not being explainable to security experts. Security experts need not only to detect the incoming threat but also to know the features that cause that particular security incident. To address this issue, in this paper, we propose a deep embedded neural network expert system (DeNNeS) that extracts refined rules from a trained deep neural network (DNN) architecture to substitute the knowledge base of an expert system. The knowledge base is later used to classify an unseen security incident and inform the final user of the corresponding rule that made that inference. We consider different rule extraction scenarios, and to prove the robustness of DeNNeS, we evaluate it on two cybersecurity datasets: the UCI phishing websites dataset and an Android malware dataset comprising more than 4000 Android APKs from several sources. The comparison of DeNNeS with a standalone DNN, JRip, and common machine learning algorithms shows that DeNNeS with the retraining-uncovered-samples scenario outperforms the other algorithms on both datasets. Furthermore, the extracted rules approximately reproduce the accuracy of the neural network from which they are derived. DeNNeS achieves an outstanding accuracy of 97.5% and a negligible false positive rate of 1.8%, about 2.4% higher and 3.5% lower, respectively, than the rule learner JRip on the phishing dataset. Moreover, DeNNeS outperforms random forest (RF), which produces the highest results among decision tree (DT), support vector machine, k-nearest neighbor, and Gaussian naive Bayes. Despite the smaller training data in the malware dataset, DeNNeS achieves an accuracy of 95.8% and an $F_1$ score of 91.1%, much higher than JRip and RF.
