Unsupervised Anomaly Detection and Explanation in Network Traffic with Transformers

Abstract

Deep learning-based autoencoders represent a promising technology for use in network-based attack detection systems. They offer significant benefits in managing unknown network traces or novel attack signatures. Specifically, in the context of critical infrastructures, such as power supply systems, AI-based intrusion detection systems must meet stringent requirements concerning model accuracy and trustworthiness. For the intrusion response, the activation of suitable countermeasures can greatly benefit from additional transparency information (e.g., attack causes). Transformers represent the state of the art for learning from sequential data and provide important model insights through the widespread use of attention mechanisms. This paper introduces a two-stage transformer-based autoencoder for learning meaningful information from network traffic at the packet and sequence level. Based on this, we present a sequential attention weight perturbation method to explain benign and malicious network packets. We evaluate our method against benchmark models and expert-based explanations using the CIC-IDS-2017 benchmark dataset. The results show promising results in terms of detecting and explaining FTP and SSH brute-force attacks, highly outperforming the results of the benchmark model.

1. Introduction

1.1. Motivation

Network intrusion detection systems (NIDSs) play a vital role in detecting cyber-attacks and are an important component in today’s security operation centers. Machine learning techniques, especially deep learning models, can learn the behavior in network traces from large network infrastructures. This enables the detection of complex cyber-attacks from flow-based or packet-based network features. Transformers represent the state of the art in the processing of sequential data and are applied in various application domains [1,2,3,4]. Thus, they are a promising approach with which to process and analyze the heterogenous information in long network packet sequences.

The limited availability of attack examples as well as the constant emergence of new attack patterns [5,6,7,8] requires unsupervised model training to efficiently distinguish between benign and malicious network packet sequences. Additional transparency information about the model’s decisions (e.g., attack causes) can support subsequent decision-making tasks for intrusion prevention or forensic analysis. This increases the reliability and trustworthiness of the model’s decisions and improves the further deployment of data-driven NIDS applications in the industry.

1.2. Related Work

The application of deep learning models to detect network anomalies or to classify attack traces has been investigated for many years [7,8,9,10]. Most of the research focuses on solutions that detect cyber-attacks in a classification setting (e.g., using transformers [11], CNNs [12], or CNN-LSTMs [13]). Anomaly-based cyber-attack detection is significantly more challenging since it has no prior knowledge of attack examples in the training phase. Classical machine learning approaches apply statistical analysis, outlier detection models, or clustering methods to preprocessed and attributed network traffic records. In [14], the authors introduce an empirical anomaly score learning method with regularized self-representations on network flows using the Bot-IoT [15] and USNW-NB15 [16] datasets. An intrusion detection and prevention framework is presented in [17] that uses deep autoencoders, OC-SVM, and DBSCAN clustering on network flow features from the CSE-CIC-IDS2018 [18] dataset. A multi-dimensional anomaly detection method that uses Poisson canonical polyadic decomposition (CPD) is evaluated in [19] via its application to host authentication events, network flow records, and banking transaction logs. The authors of [20] combine an ensemble clustering approach with a neural network classifier to detect cyber-attacks in the NSL-KDD [21] and TON-IoT [22] datasets. Lastly, [23] tested six classical anomaly detection algorithms (e.g., Isolation Forest) on the NSL-KDD and ISCX-2012 [24] datasets.

Deep learning-based approaches use traditional multi-layer perceptron (MLP)-based autoencoders (AEs) on the statistical features of preprocessed and benign network traffic records. This is performed in [25] to detect probing or denial-of-service attacks in the NSL-KDD dataset and employed in [26] to detect botnet attacks in IoT networks. An ensemble of AEs is presented in [27] to detect flooding or man-in-the-middle attacks on video surveillance networks. Similar work is performed in [28] to detect cyber-attacks on an experimental smart home network. Additionally, extensive hyperparameter research related to MLP-based AEs is performed in [29] on various benchmark datasets (e.g., NSL-KDD or IoTID20 [30]).

Similar to our approach, in [31], a transformer model with which to forecast network packet sequences is presented. This uses the vanilla encoder–decoder architecture introduced in [1]. They process categorical, binary, and numerical features from network packet sequences to detect flooding and scanning attacks in ICS networks. As a downside, this approach does not incorporate explainability aspects and compresses the individual packet information through linear transformation, making it difficult to identify its relevance to benign or malicious network behavior. Our approach processes discrete and continuous network packet information through individual transformations and calculates a common feature representation with an interpretable attention mechanism.

Explainable artificial intelligence (XAI) is a well-studied topic, especially regarding deep learning models [32,33,34,35]. For the transparent detection of cyber-attacks, only a little research has been carried out. This includes an approach specific to variational autoencoders, outlined in [36], and the anomaly contribution explainer (ACE) outlined in [37], which assumes a vectorized input and a scalar output (anomaly score). The field of transparent anomaly detection and anomaly explanation [38] offers alternatives with which to compute transparency information after detecting cyber-attacks. In [39], layer-wise relevance propagation is used to explain anomalies detected by a binary MLP-based classifier. The work in [40] extends the well-known Shapley additive explanations (SHAP) approach to explain anomalies from the reconstruction errors of deep autoencoders, but requires vectorized model inputs and outputs, as in the case of ACE. The DAEMON approach outlined in [41] uses adversarial training for a CNN autoencoder with known prior distribution of the latent space. In [42], proximate counterfactuals are generated to explain anomalies detected by deep autoencoders. These previously used explanation techniques are not appropriate for our study as they have excessively strict limitations in terms of the anomaly detection model. Attention-based explanation methods are more related to our modeling approach. Here, the ATON (attention-guided triplet deviation network) [43] calculates anomaly scores with an attention coefficient vector and determines the contribution of each embedding dimension to the model decision. This approach requires a specific neural network architecture and a specific loss formulation. In contrast to that, the attention manipulation (AtMan) approach of [44] is more model-agnostic and perturbs the attention scores of a transformer model to compute their contribution to the model’s decision. We adapt their approach to implement a sequential explanation procedure for our combined autoencoder and detection model.

1.3. Paper’s Contribution and Organization

To detect and explain malicious network packets, we propose using a transformer-based autoencoder to learn the benign network behavior in an unsupervised manner by efficiently reconstructing the discrete and continuous packet information in network traffic sequences. In analogy to natural language processing, we treat the sequential network packet information like words in a sentence using vector representations. The inherent use of multiple attention mechanisms and their analysis allows for the provision of additional transparency information at the sequence and packet level. The contribution of this paper can be summarized as follows:

• We outline a transformer-based autoencoder with feature- and self-attention mechanisms to reconstruct discrete and continuous information from network packet sequences;
• We perform unsupervised detection of malicious network packets with transformer-based autoencoders in network packet sequences;
• We offer sequential attention perturbation method for explaining the detection of benign and malicious network packets;
• We perform the evaluation of the explanation results by comparison with benchmark methods and expert-based true explanations.

The paper is organized as follows. Section 2 explains the model structure and training objective of the proposed transformer-based network traffic autoencoder. Based on this, the cyber-attack detection and explanation methods are given in Section 3. A comprehensive description of the experimental results using the CIC-IDS-2017 [45] benchmark dataset is provided in Section 4. Section 5 summarizes the research findings and gives an overview about future work.

2. T-NAE: Transformer-Based Network Traffic Autoencoder

The general structure of the proposed transformer-based network traffic autoencoder (T-NAE) is given in Figure 1 and Figure 2 and is based on previous work in [46,47]. Section 2.1 describes the input data and the preprocessing steps. A detailed description of the different encoder and decoder components of the model is given in Section 2.2. Section 2.3 explains the training objective of the model.

2.1. Preprocessing of Discrete and Continuous Network Packet Information

The efficient processing of network packet information in the T-NAE model requires some transformation steps. The discrete packet information (see

Table 1. Overview of discrete input features.

Input Feature	Encoding Type
Packet structure (trimmed)	[1…N]
MAC source address MAC destination address	[1…N]
IP source address IP destination address	0: no address 1: equals previous source address 2: equals previous destination address 3: new address
TCP source port TCP destination port	0: no port 1: system port 2: register port 3: dynamic port
TCP flag	[1…N]

) is tokenized using a fixed vocabulary with $V$ entries.

To limit the size of the vocabulary and to improve the model’s generalization capability, the following preprocessing steps are applied:

• We reduce the extracted packet structures to a combination of common network layers (e.g., Ethernet, IP, TCP, HTTP);
• We transform the IP addresses and the TCP ports into a 4-tuplet (see Table 1).

This allows the model to handle the dynamic assignment of IP addresses (e.g., via DHCP services) as well as the dynamic usage of TCP ports from the network clients. Only the MAC address and TCP flag information are taken as raw inputs. Missing packet information (e.g., IP address of UDP packets) is treated as a special token. The continuous packet information is listed in

Table 2. Overview of continuous input features.

Input Feature (Unit)	Encoding Type
Packet time difference (ms) Packet length (bytes) IP checksum IP length (bytes) TCP checksum TCP payload size (bytes) TCP stream number TCP time delay (ms) TCP window size	Numeric

. The packet time difference is extracted from the ethernet layer timestamps of the current and previous network packets. The raw inputs are normalized before being passed into the neural network, whereas missing packet information is treated as zero. In total, the T-NAE model processes $D$ discrete and $C$ continuous input features from each network packet.

2.2. Two-Stage Encoder and Decoder Structure

From the encoder–decoder architecture shown in Figure 1 and Figure 2, we distinguish between a packet level (packet-wise encoder/decoder) and a sequence level (temporal encoder/decoder) by learning from network packets. At the packet level, the discrete and continuous inputs are transformed so that there is a single feature vector per network packet. At the sequence level, we compute a compact latent representation based on the learned temporal dependencies existing between the packet feature vectors.

The encoder learns a latent representation $\mathit{Z}$ from a given sequence of $T$ network packets, including the discrete information ${\mathit{X}}_{\mathrm{D}}$ and the continuous information ${\mathit{X}}_{\mathrm{C}}$, such that

$${\mathit{X}}_{\mathrm{D}}=\left[{\underset{\_}{x}}_{\mathrm{D}}^{t=1}\dots {\underset{\_}{x}}_{\mathrm{D}}^{t=\mathrm{T}}\right]\mathrm{with} {\mathit{X}}_{\mathrm{D}}\in {\mathbb{R}}^{\mathrm{T}\times \mathrm{D}}$$

(1)

$${\mathit{X}}_{\mathrm{C}}=\left[{\underset{\_}{x}}_{\mathrm{C}}^{t=1}\dots {\underset{\_}{x}}_{\mathrm{C}}^{t=\mathrm{T}}\right]\mathrm{with} {\mathit{X}}_{\mathrm{C}}\in {\mathbb{R}}^{\mathrm{T}\times \mathrm{C}}$$

(2)

The packet-wise encoder $f_{\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{P}}\left(·\right)$ includes a feature-attention layer (derived from [48]) and a linear layer with $Q$ hidden units (see Figure 1). The computation of the feature vector ${\underset{\_}{x}}_{\mathrm{P}}\in {\mathbb{R}}^{\mathrm{Q}}$ for each network packet in the sequence is given by

$${\underset{\_}{x}}_{\mathrm{P}}=f_{\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{P}}\left(\left[{\underset{\_}{x}}_{\mathrm{D}},{\underset{\_}{x}}_{\mathrm{C}}\right],{\theta }_{\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{P}}\right)$$

(3)

Hence, the weights and biases ${\theta }_{\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{P}}$ are shared across all network packets. For this, each piece of discrete packet information is mapped via vector embedding using the vocabulary with $V$ entries. The feature-attention layer combines discrete and continuous packet information vectors as a weighted sum into a single vector representation ${\underset{\_}{x}}_{\mathrm{A}}$ with

$${\underset{\_}{x}}_{\mathrm{A}}={\sum }_{i=1}^{i=\mathrm{D}+\mathrm{C}}{\alpha }_i{\underset{\_}{x}}_i$$

(4)

Therefore, the continuous inputs are vectorized to match the dimensions of the discrete inputs (size of the vocabulary $V$). The attention weights ${\alpha }_i$ are computed for each piece of discrete and continuous packet information ${\underset{\_}{x}}_i$ as follows:

$$s_i=\tanh \left({\mathit{W}}_S{\underset{\_}{x}}_i+{\underset{\_}{b}}_S\right)$$

(5)

$${\alpha }_i={\displaystyle \frac{exp\left(s_i\right)}{\sum _{i}exp\left(s_i\right)}}$$

(6)

More detailed information is provided in [48]. The temporal encoder $f_{\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{T}}\left(·\right)$ includes a transformer block with a self-attention mechanism followed by a linear layer with $P$ hidden units and a 1D average pooling operation. A more detailed overview of the transformer block used is given in Figure 3.

The temporal encoder computes the latent representation $\mathit{Z}\in {\mathbb{R}}^{\mathrm{M}\times \mathrm{P}}$ from the sequence of packet feature vectors ${\mathit{X}}_{\mathrm{P}}$ such that

$$\mathit{Z}=f_{\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{T}}\left({\mathit{X}}_{\mathrm{P}},{\theta }_{\mathrm{E}\mathrm{n}\mathrm{c},\mathrm{T}}\right)$$

(7)

The 1D average pooling (see Figure 1) further enhances the compression of the latent space by reducing the sequence length to $M$ steps.

The decoder reconstructs the discrete information $\widehat{\mathit{P}}$ and the continuous information ${\widehat{\mathit{X}}}_{\mathrm{C}}$ using the input from $\mathit{Z}$. Here, the temporal decoder $f_{\mathrm{D}\mathrm{e}\mathrm{c},\mathrm{T}}\left(·\right)$ uses an upsampling operation, followed by a dense layer and a transformer block, to compute the reconstructed sequence of packet feature vectors ${\widehat{\mathit{X}}}_{\mathrm{P}}\in {\mathbb{R}}^{\mathrm{T}\times \mathrm{Q}}$ as follows:

$${\widehat{\mathit{X}}}_{\mathrm{P}}=f_{\mathrm{D}\mathrm{e}\mathrm{c},\mathrm{T}}\left(\mathit{Z},{\theta }_{\mathrm{D}\mathrm{e}\mathrm{c},\mathrm{T}}\right)$$

(8)

The packet-wise decoder $f_{\mathrm{D}\mathrm{e}\mathrm{c},\mathrm{P}}\left(·\right)$ includes a dense and softmax layer with which to compute a probability vector for each piece of discrete packet information (e.g., ${\underset{\_}{\widehat{p}}}_{\mathrm{M}\mathrm{A}\mathrm{C},\mathrm{s}\mathrm{r}\mathrm{c}}\in {\mathbb{R}}^{\mathrm{V}}$) from a given reconstructed packet feature vector ${\widehat{\underset{\_}{x}}}_{\mathrm{P}}$. This results in a probability matrix ${\widehat{\mathit{P}}}_{\mathrm{D}}\in {\mathbb{R}}^{\mathrm{D}\times \mathrm{V}}$ for a single network packet. We use another dense layer to compute the reconstructed continuous packet information ${\widehat{\underset{\_}{x}}}_{\mathrm{C}}$ from the same feature vector ${\widehat{\underset{\_}{x}}}_{\mathrm{P}}$ such that

$$\left[{\widehat{\mathit{P}}}_{\mathrm{D}},{\widehat{\underset{\_}{x}}}_{\mathrm{C}}\right]=f_{\mathrm{D}\mathrm{e}\mathrm{c},\mathrm{P}}\left({\widehat{\underset{\_}{x}}}_{\mathrm{P}},{\theta }_{\mathrm{D}\mathrm{e}\mathrm{c},\mathrm{P}}\right)$$

(9)

As in case of the packet-wise encoder, we apply the packet-wise decoder for each network packet within the sequence with shared weights ${\theta }_{\mathrm{D}\mathrm{e}\mathrm{c},\mathrm{P}}$. This results in a probability tensor $\widehat{\mathit{P}}\in {\mathbb{R}}^{\mathrm{T}\times \mathrm{D}\times \mathrm{V}}$ for the reconstructed discrete packet information with

$$\widehat{\mathit{P}}=\left[{\widehat{\mathit{P}}}_{\mathrm{D}}^{t=1}\dots {\widehat{\mathit{P}}}_{\mathrm{D}}^{t=\mathrm{T}}\right]$$

(10)

2.3. Model Training and Hyperparameter Optimization

The T-NAE model is trained by minimizing the reconstruction errors between the estimated ($\widehat{p}$) and true ($p$) discrete packet information with a cross-entropy loss $L_{\mathrm{C}\mathrm{E}}$ and by minimizing the reconstruction errors between the estimated (${\widehat{x}}_{\mathrm{C}}$) and true ($x_{\mathrm{C}}$) continuous packet information with a mean squared error loss $L_{\mathrm{M}\mathrm{S}\mathrm{E}}$. This results in a combined loss formulation as a weighted sum of cross-entropy and mean squared error loss over all $T$ packets in the sequence such that

$$L_{\mathrm{C}\mathrm{E}}=-\sum _T\sum _D\sum _{V}p\log \widehat{p}$$

(11)

$$L_{\mathrm{M}\mathrm{S}\mathrm{E}}=\sum _T\sum _C{\left({\widehat{x}}_{\mathrm{C}}-x_{\mathrm{C}}\right)}^2$$

(12)

$$L=w_{\mathrm{C}\mathrm{E}}{L}_{\mathrm{C}\mathrm{E}}+w_{\mathrm{M}\mathrm{S}\mathrm{E}}{L}_{\mathrm{M}\mathrm{S}\mathrm{E}}$$

(13)

The optimal hyperparameters of the model are estimated by Bayesian optimization using Gaussian processes with 100 trials. The total loss $L$ is used as an objective function. We choose early stopping as a regularization technique.

3. Cyber-Attack Detection and Explanation

3.1. Histogram-Based Threshold Computation

To differentiate between normal and abnormal network packets, we derive the threshold value $\tau$ as the maximum allowed reconstruction error from the training results. In the case of discrete values, the detection result ${\widehat{y}}_{\mathrm{D}}$ is calculated from the categorical accuracy ${\eta }_{\mathrm{A}\mathrm{C}\mathrm{C}}$ between the estimated ($\underset{\_}{\widehat{p}})$ and true ($\underset{\_}{p}$) packet information probability vectors as follows:

$${\widehat{y}}_{\mathrm{D}}=\left\{\begin{array}{cc}\mathrm{A}\mathrm{t}\mathrm{t}\mathrm{a}\mathrm{c}\mathrm{k}:& {\eta }_{\mathrm{A}\mathrm{C}\mathrm{C}}\left(\underset{\_}{\widehat{p}},\underset{\_}{p}\right)<{\tau }_{\mathrm{D}}\\ \mathrm{N}\mathrm{o}\mathrm{r}\mathrm{m}\mathrm{a}\mathrm{l}:& \mathrm{e}\mathrm{l}\mathrm{s}\mathrm{e}\end{array}\right.$$

(14)

A threshold value ${\tau }_{\mathrm{D}}$ is estimated as the upper bound for each of the $D=7$ discrete input features using a histogram analysis of the reconstruction error distribution (see Appendix A). For continuous values, the detection result ${\widehat{y}}_{\mathrm{C}}$ is calculated from the mean squared error ${\eta }_{\mathrm{M}\mathrm{S}\mathrm{E}}$ between the estimated ($\underset{\_}{\widehat{x}})$ and true ($\underset{\_}{x}$) packet information such that

$${\widehat{y}}_{\mathrm{C}}=\left\{\begin{array}{cc}\mathrm{A}\mathrm{t}\mathrm{t}\mathrm{a}\mathrm{c}\mathrm{k}:& {\eta }_{\mathrm{M}\mathrm{S}\mathrm{E}}\left(\underset{\_}{\widehat{x}},\underset{\_}{x}\right)>{\tau }_{\mathrm{C}}\\ \mathrm{N}\mathrm{o}\mathrm{r}\mathrm{m}\mathrm{a}\mathrm{l}:& \mathrm{e}\mathrm{l}\mathrm{s}\mathrm{e}\end{array}\right.$$

(15)

where a threshold value of ${\tau }_{\mathrm{C}}$ is estimated as the lower bound for each of the $C=9$ continuous inputs using the error histograms. The final detection result $\widehat{y}$ for a single network packet follows an OR combination of the detection results over all discrete and continuous information, such that

$$\widehat{y}=\left\{{\widehat{y}}_{\mathrm{D},1}\bigvee \dots \bigvee {\widehat{y}}_{\mathrm{D},7}\bigvee {\widehat{y}}_{\mathrm{C},1}\bigvee \dots \bigvee {\widehat{y}}_{\mathrm{C},9}\right\}$$

(16)

3.2. Explanation via Perturbation of Attention Weights

Our explanation method builds upon the attention perturbation approach described in [44]. Here, the attention weights are manipulated to assess their influence on the model’s results by comparing the model’s loss before and after the perturbation within a positional influence function. Our approach uses a manipulation signal $a=1-{\mathrm{f}}_a$ with the following features:

• A positive manipulation factor $1>{\mathrm{f}}_a>0$ (suppression) to decrease the influence of a specific attention weight;
• A negative manipulation factor ${\mathrm{f}}_a<0$ (amplification) to increase the influence of a specific attention weight.

We adapted this approach to account for the specific architecture of our T-NAE model (see Section 2) and modified the calculation of the influence values by incorporating the anomaly detection model from Section 3.1.

The explanation model is given in Figure 4. We manipulate the feature-attention weights by multiplying the attention scores (see Equation (5) in Section 2.2) with a manipulation vector ${\underset{\_}{a}}_{FA}\in {\mathbb{R}}^{\mathrm{D}+\mathrm{C}}$. Thus, the manipulated feature-attention weights ${\underset{\_}{\alpha }}^{*}$ are calculated by

$${\underset{\_}{\alpha }}^{*}=\mathrm{s}\mathrm{o}\mathrm{f}\mathrm{t}\mathrm{m}\mathrm{a}\mathrm{x}\left(\underset{\_}{s}\ast {\underset{\_}{a}}_{FA}\right)$$

(17)

The self-attention mechanism in the transformer block (Section 2.2) computes attention scores, $\mathit{S}\in {\mathbb{R}}^{\mathrm{T}\times \mathrm{T}},$ via scaled-dot products over the key $\underset{\_}{q}$ and value $\underset{\_}{k}$ representations as follows:

$$\mathit{S}=\left[s_{i,j}\right]\mathrm{with} s_{i,j}={\underset{\_}{q}}_i^T{\underset{\_}{k}}_{\mathit{j}}/\sqrt{d}\mathrm{and} i,j\in \left[1\dots \mathrm{T}\right]$$

(18)

Thus, we compute the manipulated self-attention weights ${\alpha }^{*}$ by multiplying the attention scores with a manipulation matrix ${\mathit{A}}_{SA}\in {\mathbb{R}}^{\mathrm{T}\times \mathrm{T}}$:

$${\alpha }^{*}=\mathrm{s}\mathrm{o}\mathrm{f}\mathrm{t}\mathrm{m}\mathrm{a}\mathrm{x}\left(\mathit{S} \ast {\mathit{A}}_{SA}\right)$$

(19)

It should be noted that a manipulation of the feature or self-attention scores leads to a change in both model outputs (discrete and continuous reconstructions). This has to be considered when calculating the influence values in the following section.

We compute the loss for the positional influence function as the distance between the reconstruction error, averaged over the timesteps of the sample, and the threshold value with $L_{\mathrm{P}\mathrm{I}\mathrm{F},\mathrm{D}}={\eta }_{\mathrm{A}\mathrm{C}\mathrm{C}}-{\tau }_{\mathrm{D}}$ and $L_{\mathrm{P}\mathrm{I}\mathrm{F},\mathrm{C}}={\eta }_{\mathrm{M}\mathrm{S}\mathrm{E}}-{\tau }_{\mathrm{C}}$. The influence values $I$ are calculated from the difference in the losses attained with perturbation $L_{\mathrm{P}\mathrm{I}\mathrm{F}}^{*}$ and without perturbation $L_{\mathrm{P}\mathrm{I}\mathrm{F}}$. For consistency, we declare that positive influence values $I>0$ contribute to the detection of normal samples and that negative influence values $I<0$ contribute to the detection of attack samples. This gives the following calculations of the influence values for discrete and continuous reconstructions:

$$I_D=f\left(L_{\mathrm{P}\mathrm{I}\mathrm{F},\mathrm{D}}^{*}\right)-f\left(L_{\mathrm{P}\mathrm{I}\mathrm{F},\mathrm{D}}\right)$$

(20)

$$I_C=f\left(L_{\mathrm{P}\mathrm{I}\mathrm{F},\mathrm{C}}\right)-f\left(L_{\mathrm{P}\mathrm{I}\mathrm{F},\mathrm{C}}^{*}\right)$$

(21)

To improve the interpretation of the explanation results, we bound the influence values into the range of $\left[-1;1\right]$ by converting the loss values with a Sigmoid function as follows:

$$f_{\mathrm{S}\mathrm{i}\mathrm{g}}\left(L_{\mathrm{P}\mathrm{I}\mathrm{F}}\right)=1/\left(1+\mathrm{e}\mathrm{x}\mathrm{p}\left(-{\displaystyle \frac{L_{\mathrm{P}\mathrm{I}\mathrm{F}}}{\sigma }}\right)\right)$$

(22)

The bandwidth parameter $\sigma$ gives additional control over the explanation results by assigning high influence values to loss values that are close to the threshold regime. This will focus the explanation results on the input signals that contribute most to the decisions of the detection model. An exemplary illustration is given in Figure 5. To accommodate and aggregate the influence values related to the feature-attention and self-attention scores, we follow the sequential procedure shown in Figure 6. The corresponding steps I to IV of the procedure are explained in the following material.

Within each perturbation step (I.a and I.b), we perform multiple manipulation runs. In each run, we calculate influence values by applying a manipulation signal to only one specific attention score, whereas the rest of the attention scores remain unchanged with $a=0$. First, we perturb the self-attention scores and identify the top $k$ influential network packets (time steps) within the given sequence (I.a to III.a). This is performed by summing up the influence values over all $K$ manipulation runs with

$$\underset{k}{\mathrm{argmax}}\sum _{i=1}^{i=\mathrm{K}}{I}_{D/C}^i$$

(23)

We perform this separately for all positive influence values ($I_{D/C}>0$) and negative influence values ($I_{D/C}<0$), resulting in $2k$ most influential network packets or time steps being identified (III.a). In parallel, we perturb the feature-attention scores and compute the corresponding influence values for all network packets and their input features (I.b and II.b). Finally, we select the top $j$ most influential input features using the procedure from above for the top $k$ most influential network packets (III.b). This results in a $2k\times 2j$ matrix of influence values for the discrete ${\mathit{I}}_D$ and continuous ${\mathit{I}}_C$ reconstructions (IV).

4. Results and Discussion

4.1. CIC-IDS-2017 Dataset and Explanation Evaluation

For our evaluation, we use a network traffic excerpt from the CIC-IDS-2017 dataset. The training set contains only benign network traces, whereas the test set contains benign and malicious network traces from FTP and SSH brute-force attacks. Here, we assume that the benign network behavior does not change significantly between the training and test dataset. An overview of the two datasets is given in

Table 3. Overview training and test datasets.

Dataset	Characteristics
Training	Normal packets: 750,000 Attack packets: 0 Attack ratio: 0%
Test	Normal packets: 752,600 Attack packets: 97,400 Attack ratio: 13%

.

We evaluate the detection performance of our T-NAE model (see Section 3.1) by calculating the F₁ score, the binary accuracy (BA), and the false positive rate (FPR) using the test dataset.

We compare our explanation results with those obtained when the integrated gradient (IG) method [49] is applied to our T-NAE model (see Section 2). The comparison of the explanation results is performed for selected samples from the test dataset, including

• Ten normal samples indicating web browsing and FTP file transfer activities;
• Eighteen attack samples indicating FTP and SSH brute-force attacks.

For these test samples, we estimate true explanations, using expert knowledge to better assess the explanation results. For this, we estimate the true influence values according to the following criteria:

• For normal samples, we assign influence values of $I=1$ for packets containing TCP, HTTP, or FTP protocol layers and specific MAC addresses;
• For attack samples, we assign influence values of $I=-1$ for packets containing TCP, SSH, or FTP protocol layers as well as the attacker’s MAC address.

The expert-based explanations are limited to the protocol type and MAC address information only. Since we do not know the relevance of the remaining packet information, we assign it influence values of zero with $I=0$. To compare the estimated and true influence values, we compute the F_β score between the predicted and true explanation values, which allows for additional control of the influence of the precision and the recall. For our evaluation, we choose a low $\beta$ value ($\beta =0.15$) to account for the high number of zero entries in the true explanations.

4.2. Reconstruction Accuracies and Detection Results

Figure 7 shows the performance of a T-NAE model over roughly 600 training epochs. The left chart shows the training and validation loss and the right chart shows the reconstruction results for discrete (accuracy) and continuous (mean squared error) model outputs. Good model convergence can be seen, with small differences between the training and validation loss curves. During the training, the accuracy values for the discrete reconstructions increase, whereas the squared error values for the continuous reconstructions decrease. Figure 8 shows the average reconstruction results over the different discrete and continuous model outputs for the normal and attack samples of the test dataset. In the case of the discrete features (left panel), the accuracy results of the attack samples are below the accuracy results of the normal samples. In particular, this holds for the MAC source and destination addresses, indicating a good separability between the normal and attack network packets. This is not the case for the continuous features (right panel). Here, only the features with high MSE values show good separability between normal and attack samples, whereas the other features show very low and similar reconstruction results. In the experiments, we observe the best detection results using the reconstruction errors of the discrete model outputs. This is considered in the evaluation of the explanation results in Section 4.3.

The detection performance is given in

Table 4. Detection results of applying different T-NAE models to the test dataset (values in %).

Pool Size	F1	BA	FPR
25	95.36	95.47	4.53
50	91.59	92.17	7.83
100	74.02	79.42	20.58

for T-NAE models with different pool sizes of the encoder (see Section 2.2). For all models, the hyperparameters are tuned as described in Section 2.3. The best T-NAE model gives an F₁ score of about 95% with a false positive rate of about 4.5%. This model is used for the subsequent explanation experiments in Section 4.3. The corresponding parameters of the T-NAE model and the detection model are given in Appendix B.

4.3. Explanation of Benign and Malicious Network Packet Sequences

Figure 9 and Figure 10 show the explanation results for two exemplary samples. Each sample consists of a sequence of $T=100$ network packets. The figures show the influence values at the feature level (top left and right panels) and at the sequence level (bottom panel). As already mentioned in Section 4.2, the influence values shown result from the discrete reconstructions, such that $I=I_D$. In Figure 9, most of the influence values are positive, indicating a benign network behavior. The influence values are quite small with $\left|I_D\right|<0.06$. The TCP flag and MAC address features contribute the most to the model’s predictions, whereas the continuous features show no importance or relevance. Negative influence values can only be seen for some network packets, but the positive influence values predominate along the entire sequence. In Figure 10, the number and size of the negative influence values are significantly larger, indicating malicious network behavior. In particular, the MAC and IP address features exhibit a strong impact on the detection results.

As in the previous case, the continuous features show very low influence values or influence values of zero. Negative influence values can be clearly observed for the network packets at specific time steps in the sequence. In particular, between $T=70$ and $T=90,$ there are relatively high positive and high negative influence values for the same network packets, with a slight predominance of the negative influence values. As in the previous case, the influence values are quite small, with $\left|I_D\right|<0.1$.

As introduced in Section 4.1, we compare the influence values for the expert-labeled normal and attack samples with the IG method’s results using the F_β score. Within the experiments, we vary the parameters of the explanation model (see Section 3.2), including the manipulation factor ${\mathrm{f}}_a$, the maximum number of most influential network packets $k$, the maximum number of most influential input features $j$, and the bandwidth of the positional influence function $\sigma$. As also stated in [44], we suppress the attention scores by applying positive manipulation factors throughout the perturbation experiments, which gives us better explanation results compared to those obtains from amplification.

For a better evaluation of the explanation results, we additionally group the normal and attack samples according to their average detection accuracy results.

Table 5. Best explanation results for samples with high detection accuracy (with $\beta =0.15$).

Samples	${\mathbf{f}}_{\mathit{a}}$	$\mathit{k}$	$\mathit{j}$	$\sigma$	Fβ (Ours) [%]	Fβ (IG) [%]
Normal	0.10	18	1	0.4	22.3	7.4
Attack	0.99	22	1	0.3	54.6	18.6

and

Table 6. Best explanation results for samples with low detection accuracy (with $\beta =0.15$).

Samples	${\mathbf{f}}_{\mathit{a}}$	$\mathit{k}$	$\mathit{j}$	$\sigma$	Fβ (Ours) [%]	Fβ (IG) [%]
Normal	0.8	28	1	0.4	24.3	6.0
Attack	0.2	26	1	0.4	69.5	19.4

show the explanation results for the best hyperparameters of the explanation model. The results for other configurations of the explanation model, including negative manipulation factors, are given in Appendix C. In the case of normal samples, the perturbation-based explanations yield F_β scores between 22% and 24% and significantly exceed the F_β scores of the IG-based explanations (which are between 6% and 7%). Nonetheless, the F_β scores of the normal samples are quite low for both methods. Unlike the case of the attack samples, we have no side information for the normal network traffic behavior. This makes the derivation of expert-based explanations for normal samples quite hard and may lead to incomplete or erroneous ground truths of the influence values. In the case of the attack samples, the F_β scores of both methods are greatly increased. Again, the perturbation-based explanation results (F_β scores between 54% and 69%) clearly surpass the IG-based explanation results (F_β scores between 18% and 19%). On average, the explanation results for the samples with low detection accuracy are slightly better than those for the samples with high detection accuracy.

Regarding the hyperparameters of our explanation model, we observe that, in general, high values of $k$ and low values of $j$ lead to the highest F_β scores. Low values of $j$ allow us to filter the most relevant input features for the explanations, which corresponds to the ground truth explanations. For attack samples with high detection accuracies, high manipulation factors up to ${\mathrm{f}}_a\approx 0.995$ improve the F_β scores on average. For normal samples or samples with low detection accuracies, no clear influence of the ${\mathrm{f}}_a$ values on the F_β scores can be observed. In contrast to that, the bandwidth parameter $\sigma$ exhibits a low influence on the explanation results and shows the best results in the range of $0.3 \mathrm{t}\mathrm{o} 0.4$. This is consistent with previous findings showing that the perturbation of the attention weights only slightly changes the model outputs, leading to small changes within the positional influence function and to low explanation values ($\left|I_D\right|<0.1$).

5. Summary and Outlook

In this study, we present a sequential attention weight perturbation method to explain benign and malicious packets from network traffic traces. For this purpose, we introduce a transformer-based autoencoder to learn the basic network traffic behavior and employ a histogram-based detection model using reconstruction error thresholds. The two-stage encoder–decoder architecture of the autoencoder incorporates different attention mechanisms at the packet and sequence levels. Our explanation approach manipulates the attention scores in a sequential manner to compute the input information making the largest contribution in order to explain normal or attack behavior in network packet sequences. In extensive experiments, performed using an excerpt from the CIC-IDS-2017 benchmark dataset, our explanation method shows superior results when applied to benign and malicious network traces (including FTP and SSH brute-force attacks) compared to the integrated gradients of benchmark methods. For the evaluation, we derived expert-based explanations for the network traces, considering the MAC address and protocol type information, and compared them with the predicted explanations (influence values) by calculating F_β scores. With an average binary detection accuracy of about 95% when applied to the test dataset, our explanation method achieves an F_β score of about 70% on attack samples, compared to the value of approximately 20% achieved by the IG method.

Still, these results are highly dependent on the chosen hyperparameters of the explanation model, and a method is required to automatically determine the hyperparameters and conduct further systematic investigations. There is also a need for other transparent cyber-attack detection benchmark models, for use on large datasets, with more reliable true explanations. In particular, this accounts for the labeling of benign network traces, where it is hard to derive the relevant explanatory factors. Here, representative datasets with already labeled explanations for normal and malicious network traces are necessary in order to systematically evaluate transparent cyber-attack detection methods at scale. Nevertheless, future experiments will be conducted to evaluate our method on a greater number of attack examples with manually derived explanations. Furthermore, the computational complexity of the explanation method should be reduced by minimizing the number of necessary perturbations. This could be achieved by grouping input features with similar influence behaviors (as already suggested in [44]) or by simultaneously perturbation at the feature and sequence levels. Alternatively, the computational time could be reduced by parallelizing the perturbation operations or by quantizing the weights of the T-NAE model. This would simplify the implementation in real-world scenarios, where a high throughput of large network traces would result in large autoencoder models. The detection model (see Section 3.1) is kept quite simple and this might lead to misclassifications in dynamic and high-noise environments. A more adaptive method should be considered in further research.