Show simple item record

dc.contributor.author: Zhou, Q
dc.contributor.author: Li, R
dc.contributor.author: Xu, L
dc.contributor.author: Nallanathan, A
dc.contributor.author: Yang, J
dc.contributor.author: Fu, A
dc.date.accessioned: 2024-07-12T08:51:57Z
dc.date.available: 2024-07-12T08:51:57Z
dc.date.issued: 2023-12-18
dc.identifier.citation: Zhou, Q., Li, R., Xu, L. et al. Towards Interpretable Machine-Learning-Based DDoS Detection. SN COMPUT. SCI. 5, 115 (2024). https://doi.org/10.1007/s42979-023-02383-y [en_US]
dc.identifier.issn: 2662-995X
dc.identifier.uri: https://qmro.qmul.ac.uk/xmlui/handle/123456789/98060
dc.description.abstract: The Internet is the most complex machine humankind has ever built, and thus, it is difficult to defend it from attacks. The most common attacks on the Internet are DDoS attacks. With the growing popularity of the QUIC protocol, DDoS detection tasks increasingly rely on machine learning (ML), which is based on black-box models and cannot explain its decisions. An interpretable and transparent ML model is the foundation of trustworthy ML-based DDoS attack detection. Current ML interpretation methodologies in cyber intrusion detection are heuristic, which is neither accurate nor sufficient. This paper proposed a rigorous interpretable ML-driven omnipotent DDoS detection approach, based on knowledge compilation technologies. Details of the rigorous interpretation calculation process for the ML model are presented, which include an accelerated prime implicant calculation method driven by knowledge compilation for the DDoS detection ML model, and a map, combine, and merge (M&M) algorithm to discretize continuous features into Boolean expressions. The proposed prime implicant reasons calculation algorithm has been tested on a DDoS LOIC and HOIC attack detection ML model with 100% accuracy, trained with real-life DDoS data. An exhaustive list of explanations is given in detail as rules for the omnipotent DDoS intrusion detection learnt by the ML model used. As the ML interpretation method is an SAT problem-solving process, the explanations are rigorous and sufficient reasons for the ML model for DDoS attack detection, and are believed to shed light on DDoS detection research work in the cybersecurity community. [en_US]
dc.publisher: Springer Nature [en_US]
dc.relation.ispartof: SN Computer Science
dc.title: Towards Interpretable Machine-Learning-Based DDoS Detection [en_US]
dc.type: Article [en_US]
dc.rights.holder: © 2023, The Author(s), under exclusive licence to Springer Nature Singapore Pte Ltd
dc.identifier.doi: 10.1007/s42979-023-02383-y
pubs.issue: 1 [en_US]
pubs.notes: Not known [en_US]
pubs.publication-status: Published [en_US]
pubs.volume: 5 [en_US]
rioxxterms.funder: Default funder [en_US]
rioxxterms.identifier.project: Default project [en_US]
rioxxterms.funder.project: b215eee3-195d-4c4f-a85d-169a4331c138 [en_US]

