An Explanation of the LSTM Model Used for DDoS Attacks Classification
With the rise of DDoS attacks, several machine learning-based attack detection models have been used to mitigate malicious behavioral attacks. Understanding how machine learning models work is not trivial. This is particularly true for complex and nonlinear models, such as deep learning models that...
Main Authors: | , , |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG, 2023-07-01 |
Series: | Applied Sciences |
Subjects: | |
Online Access: | https://www.mdpi.com/2076-3417/13/15/8820 |
_version_ | 1827731461162139648 |
---|---|
author | Abdulmuneem Bashaiwth; Hamad Binsalleeh; Basil AsSadhan |
author_facet | Abdulmuneem Bashaiwth; Hamad Binsalleeh; Basil AsSadhan |
author_sort | Abdulmuneem Bashaiwth |
collection | DOAJ |
description | With the rise of DDoS attacks, several machine learning-based attack detection models have been used to mitigate malicious behavioral attacks. Understanding how machine learning models work is not trivial. This is particularly true for complex and nonlinear models, such as deep learning models that have high accuracy. The struggle to explain these models creates a tension between accuracy and explanation. Recently, different methods have been used to explain deep learning models and address ambiguity issues. In this paper, we utilize the LSTM model to classify DDoS attacks. We then investigate the explanation of LSTM using LIME, SHAP, Anchor, and LORE methods. Predictions of 17 DDoS attacks are explained by these methods, where common explanations are obtained for each class. We also use the output of the explanation methods to extract intrinsic features needed to differentiate DDoS attacks. Our results demonstrate 51 intrinsic features to classify attacks. We finally compare the explanation methods and evaluate them using descriptive accuracy (DA) and descriptive sparsity (DS) metrics. The comparison and evaluation show that the explanation methods can explain the classification of DDoS attacks by capturing either the dominant contribution of input features in the prediction of the classifier or a set of features with high relevance. |
first_indexed | 2024-03-11T00:31:34Z |
format | Article |
id | doaj.art-aebf5f15763a414d8c618661e3b82135 |
institution | Directory Open Access Journal |
issn | 2076-3417 |
language | English |
last_indexed | 2024-03-11T00:31:34Z |
publishDate | 2023-07-01 |
publisher | MDPI AG |
record_format | Article |
series | Applied Sciences |
spelling | doaj.art-aebf5f15763a414d8c618661e3b82135; 2023-11-18T22:37:59Z; eng; MDPI AG; Applied Sciences; 2076-3417; 2023-07-01; 13; 15; 8820; 10.3390/app13158820; An Explanation of the LSTM Model Used for DDoS Attacks Classification; Abdulmuneem Bashaiwth 0; Hamad Binsalleeh 1; Basil AsSadhan 2; Department of Electronic Engineering and Communication, Hadhramout University, Mukalla 50512, Yemen; Department of Computer Science, Imam Mohammad Ibn Saud Islamic University, Riyadh 11432, Saudi Arabia; Department of Electrical Engineering, King Saud University, Riyadh 11421, Saudi Arabia; With the rise of DDoS attacks, several machine learning-based attack detection models have been used to mitigate malicious behavioral attacks. Understanding how machine learning models work is not trivial. This is particularly true for complex and nonlinear models, such as deep learning models that have high accuracy. The struggle to explain these models creates a tension between accuracy and explanation. Recently, different methods have been used to explain deep learning models and address ambiguity issues. In this paper, we utilize the LSTM model to classify DDoS attacks. We then investigate the explanation of LSTM using LIME, SHAP, Anchor, and LORE methods. Predictions of 17 DDoS attacks are explained by these methods, where common explanations are obtained for each class. We also use the output of the explanation methods to extract intrinsic features needed to differentiate DDoS attacks. Our results demonstrate 51 intrinsic features to classify attacks. We finally compare the explanation methods and evaluate them using descriptive accuracy (DA) and descriptive sparsity (DS) metrics. The comparison and evaluation show that the explanation methods can explain the classification of DDoS attacks by capturing either the dominant contribution of input features in the prediction of the classifier or a set of features with high relevance.; https://www.mdpi.com/2076-3417/13/15/8820; machine learning; DDoS attack classification; explanation methods; descriptive accuracy; descriptive sparsity |
title | An Explanation of the LSTM Model Used for DDoS Attacks Classification |
topic | machine learning; DDoS attack classification; explanation methods; descriptive accuracy; descriptive sparsity |
url | https://www.mdpi.com/2076-3417/13/15/8820 |