FINER: Enhancing State-of-the-art Classifiers with Feature Attribution to Facilitate Security Analysis

Yiling He, Jian Lou, Zhan Qin, Kui Ren

TL;DR

FINER addresses the opacity of state-of-the-art risk detectors by introducing an explainable risk detection system that couples a high-fidelity, task-aware explanatory framework with data-driven classifiers. It achieves this through explanation-guided model updating (multi-task learning with explanation-driven data augmentation) and task-aware explanation generation (domain-adjusted FA methods with IC-based ensemble), guided by a formal IC abstraction layer. Extensive evaluations across Android malware, Windows malware, and vulnerability detection tasks show that FINER improves explanation fidelity substantially without harming accuracy, and enables function-level malware localization that outperforms a state-of-the-art tool. The framework’s staged architecture and open-source availability make it practical for real-world security analysis and adaptable to additional risk domains.

Abstract

Deep learning classifiers achieve state-of-the-art performance in various risk detection applications. They explore rich semantic representations and are supposed to automatically discover risk behaviors. However, due to the lack of transparency, the behavioral semantics cannot be conveyed to downstream security experts to reduce their heavy workload in security analysis. Although feature attribution (FA) methods can be used to explain deep learning, the underlying classifier is still blind to what behavior is suspicious, and the generated explanation cannot adapt to downstream tasks, incurring poor explanation fidelity and intelligibility. In this paper, we propose FINER, the first framework for risk detection classifiers to generate high-fidelity and high-intelligibility explanations. The high-level idea is to gather explanation efforts from the model developer, the FA designer, and security experts. To improve fidelity, we fine-tune the classifier with an explanation-guided multi-task learning strategy. To improve intelligibility, we engage task knowledge to adjust and ensemble FA methods. Extensive evaluations show that FINER improves explanation quality for risk detection. Moreover, we demonstrate that FINER outperforms a state-of-the-art tool in facilitating malware analysis.

Paper Structure (35 sections, 4 equations, 13 figures, 13 tables, 2 algorithms)

Figures (13)

  • Figure 1: Workflow of the explainable risk detection system (ERDS). The formalized notations are listed in the paper's notation table.
  • Figure 2: A showcase of the failure of current ERDS: explaining DAMD with the text explainer in the LIME toolbox. The selected sample is predicted as malware with 100% confidence by the classifier. For the visualized explanation, the left panel shows the top 10 opcodes that make the sample malicious, and the right panel shows the feature-space opcode sequence with the explanation highlighted. Since the original sequence has a length of 28,245, we display part of the results on the right panel, yet it is representative enough as the explanation is sparse throughout the sequence.
  • Figure 3: Different stakeholders involved in building ERDS.
  • Figure 4: Insights for minimizing the approximation error.
  • Figure 5: The overall architecture of FINER.
  • ...and 8 more figures

Theorems & Definitions (3)

  • Definition 1: ERDS
  • Definition 2: Classifier
  • Definition 3: Explainer