http://dx.doi.org/10.13089/JKIISC.2021.31.6.1193

A Study on Evaluation Methods for Interpreting AI Results in Malware Analysis  

Kim, Jin-gang (Hoseo University)
Hwang, Chan-woong (Hoseo University)
Lee, Tae-jin (Hoseo University)
Abstract
In information security, AI technology is used to detect unknown malware. Although AI technology guarantees high accuracy, it inevitably entails false positives, so we are considering introducing XAI to interpret the results predicted by AI. However, existing XAI work only provides simple interpretation results, and studies that evaluate or verify those interpretations are lacking. XAI evaluation is essential for safety, because it establishes which technique is more accurate. In this paper, we interpret AI results in the field of malware as the features that contributed significantly to the AI prediction, and present an evaluation method for that interpretation. Results are interpreted using two XAI techniques on a tree-based AI model with an accuracy of about 94%, and the interpretation is evaluated by analyzing descriptive accuracy and sparsity. The experiment confirmed that the interpretation of the AI results was properly calculated. In the future, it is expected that the adoption and utilization of XAI will gradually increase due to XAI evaluation, and that the reliability and transparency of AI will be greatly improved.
Keywords
Malware; XAI; AI; Explanation; XAI Evaluation;