Abstract
With advances in computing power and increasing volumes of data, the emergence of deep learning has helped revitalize artificial intelligence research. There is a growing trend of applying deep learning techniques to image processing, speech recognition, self-driving cars, and even health care. Recently, several deep learning models have been employed to detect cyber threats such as network attacks, malware infiltration, or phishing websites; nevertheless, they suffer from not being explainable to security experts. Security experts need not only to detect the incoming threat but also to know the features that contribute to that particular security incident. To address this issue, in this paper, we propose a deep embedded neural network expert system (DeNNeS) that extracts refined rules from a trained deep neural network (DNN) architecture to substitute for the knowledge base of an expert system. The knowledge base is later used to classify an unseen security incident and inform the final user of the corresponding rule that made that inference. We consider different rule extraction scenarios, and to prove the robustness of DeNNeS, we evaluate it on two cybersecurity datasets: the UCI phishing websites dataset and an Android malware dataset comprising more than 4000 Android APKs from several sources. The comparison of DeNNeS with a standalone DNN, JRip, and common machine learning algorithms shows that DeNNeS with the retraining uncovered samples scenario outperforms the other algorithms on both datasets. Furthermore, the extracted rules approximately reproduce the accuracy of the neural network from which they are derived. DeNNeS achieves an outstanding accuracy of \(97.5\%\) and a negligible false positive rate of \(1.8\%\), which are about \(2.4\%\) higher and \(3.5\%\) lower, respectively, than those of the rule learner JRip on the phishing dataset.
Moreover, DeNNeS outperforms random forest (RF), which produces the highest results among decision tree (DT), support vector machine, k-nearest neighbor, and Gaussian naive Bayes. Despite the smaller training data in the malware dataset, DeNNeS achieves an accuracy of \(95.8\%\) and an \(F_{1}\) score of \(91.1\%\), much higher than JRip and RF.
Acknowledgements
The authors acknowledge the generous funding from the Atlantic Canada Opportunities Agency (ACOA) (Grant No: #201212) through the Atlantic Innovation Fund (AIF) and through a Grant from the Natural Sciences and Engineering Research Council of Canada (NSERC) (Grant No: #232074) to Dr. Ghorbani.
Ethics declarations
Conflict of interest
Author B has received research grants from Atlantic Canada Opportunities Agency (ACOA) (Grant No: 201212) through the Atlantic Innovation Fund (AIF) and from the Natural Sciences and Engineering Research Council of Canada (NSERC) (Grant No: 232074).
Cite this article
Mahdavifar, S., Ghorbani, A.A. DeNNeS: deep embedded neural network expert system for detecting cyber attacks. Neural Comput & Applic 32, 14753–14780 (2020). https://doi.org/10.1007/s00521-020-04830-w
DOI: https://doi.org/10.1007/s00521-020-04830-w