xIIRS: Industrial Internet Intrusion Response Based on Explainable Deep Learning

Abstract

The extensive interconnection and intelligent collaboration of multi-source heterogeneous devices in the industrial Internet environment have significantly improved the efficiency of industrial production and resource utilization. However, at the same time, the deployment characteristics of open-network architecture and the promotion of the concept of deep integration of OT/IT have led to an exponential growth of attacks on the industrial Internet. At present, most of the detection methods for industrial internet attacks use deep learning. However, due to the black-box characteristics caused by the complex structure of deep learning models, the explainability of industrial internet detection results generated based on deep learning is low. Therefore, we proposed an industrial internet intrusion response method xIIRS based on explainable deep learning. Firstly, an explanation method was improved to enhance the explanation by approximating and sampling the historical input and calculating the dynamic weighting for the sparse group lasso based on the evaluation criteria for the importance of features between and within feature groups. Then, we determined the defense rule scope based on the obtained explanation results and generated more fine-grained defense rules to implement intrusion response in combination with security constraints. The proposed method was experimented on two public datasets, TON_IoT and Gas Pipeline. The experimental results show that the explanation effect of xIIRS is better than the baseline method while achieving an average malicious traffic blocking rate of about 95% and an average normal traffic passing rate of about 99%.

1. Introduction

1.1. Research Background

With the degree of industrial informatization deepening, the industrial Internet security problem is becoming increasingly serious [1]. At present, the protection of the industrial Internet mainly focuses on the detection and identification of attacks, namely the industrial intrusion detection system (IDS), but it is also necessary to respond to the attacks, namely the industrial intrusion response system (IRS). Among them, as an important line of defense in the industrial Internet, intrusion detection systems maintain the security of the industrial Internet by monitoring the entire network to detect attacks [2,3]. Current deep learning-based industrial internet intrusion detection systems (DL-IIDS) [4,5,6] show excellent detection performance due to their strong ability to detect and capture complex patterns and small deviations, but at the same time, their black-box characteristics due to their complex structure make it difficult to explain the model-detection results, which leads to low explainability [7,8,9,10]. Therefore, the decisions made based on the deep learning model lack trustworthiness and are difficult to use as the basis for a series of subsequent complex operations. The emergence of Explainable Artificial Intelligence (XAI) provides ideas to solve the above problems [11,12,13], and offers the possibility of implementing industrial intrusion response based on XAI.

In recent years, many methods have been focused on explaining security-related decisions. For example, the Natural Language Generation (NLG)-based security decision explanation method [14] can help users understand the security threats in automated rules by generating easy-to-understand natural language security risk explanations, thereby improving users’ decision-making trust. However, the explanation of deep learning models, especially in the context of time-series and interdependent network traffic, the existing explanation methods for deep learning models [15,16,17,18,19] provide local explanations for specific input samples and their decisions by highlighting important features. However, none of these methods can explain DL-IIDS well. Specifically, the input to industrial internet intrusion detection is a time series and interdependent, and the majority of the existing explanation methods do not take into account the complex dependencies between historical input samples and features. Although xNIDS [20] proposed a solution for the above problem, this method did not fully consider the differences in features between and within feature groups when capturing feature dependencies of industrial traffic data, which weakened the explanation effect and further reduced the effect of industrial intrusion response.

1.2. Contribution and Organization

To address the problems of the existing explanation method xNIDS, we noted that the study in [21] improved the effectiveness of obtaining genes related to cancer diagnosis by introducing between and within gene groups importance-evaluation metrics in the traditional sparse group lasso. With this inspiration, in this study, we improved an explanation method by approximating and sampling the historical input and calculating the sparse group lasso dynamic weighting according to the between and within feature groups importance-evaluation criteria, which improves the ability of sparse group lasso to capture key features and implements fine-grained explanation. Finally, we determined the defense rule scope based on the obtained explanation results and generated more fine-grained defense rules to implement intrusion response in combination with security constraints. The main contributions of this paper are as follows:

• We improved an explanation method by approximating and sampling the historical input and calculating the sparse group lasso dynamic weighting according to the between and within feature groups importance-evaluation criteria, which improves the ability of sparse group lasso to capture key features and implements fine-grained explanation. When calculating the weights between feature groups, the symmetric uncertainty was calculated to determine the contribution of different feature groups to the classification, and the importance weights of different features within a feature group were calculated by considering the group-affiliation trustworthiness and comprehensive evaluation criteria.
• We proposed an industrial internet intrusion defense rule generation method that determines the defense rule scope based on explanation results and generates fine-grained defense rules combined with security constraints to effectively respond to industrial internet intrusions.

The rest of this paper is organized as follows: In Section 2, we review the research studies related to this paper. In Section 3, we present the detailed design of the xIIRS. In Section 4, we evaluate and analyze the proposed xIIRS in this paper through experiments. In Section 5, we describe the advantages and practical implications of xIIRS. Finally, in Section 6, we conclude this work and provide a vision for future work.

2. Related Work

In this section, we review existing methods for explaining deep learning and related research on active intrusion response methods, as explanation methods are needed to implement industrial intrusion response.

2.1. Explanation Methods

In industrial scenarios, XAI can help humans make trusted decisions for critical applications that require information fusion. XAI is essential to explain the decisions made by AI, support trustworthiness, and guarantee compliance. XAI articulates the clear reasoning behind the decisions made, helping to understand the AI recommendations that are critical to making safety decisions. Feature importance is one of the most popular types of explanations returned by local explanation methods. For feature importance-based explanation methods, the explainer assigns an importance value to each feature, which indicates the importance of that particular feature for the analyzed prediction [22]. The methods considered in this paper for explaining the results of deep learning are mainly by calculating feature importance, and the specific explanation methods are described as follows: IG [15] calculates the importance score ${\beta }_i$ of feature Xi by accumulating the path gradient of feature Xi from the benchmark input to the actual input. This method maintains the sensitivity of feature importance to input changes so that the importance score of each feature can accurately reflect its influence on model prediction. LRP [16] calculates the importance score ${\beta }_i$ of feature Xi by tracing its contribution to detection layer by layer. Specifically, LRP starts from the output layer of the model and gradually propagates to the input layer along the hierarchical structure of the model to calculate the contribution of each layer’s features to the final prediction result. In this process, each layer of the model passes a correlation to the previous layer features based on how much it contributes to the final prediction, which allows LRP to visually show how each input feature affects the final classification or regression result. LIME [17] and SHAP [18] both compute feature-importance scores ${\beta }_i$ by lasso regression and assume that the selection of features is independent. However, LIME uses cosine similarity to measure the relationship between features and prediction results, while SHAP is based on Shapely values and assigns a fair importance score to each feature through cooperative game theory. LEMNA [19] calculates feature-importance scores ${\beta }_i$ by constructing a unique hybrid regression model, which first generates a set of artificial data samples in the local region of the input sample and fits a hybrid regression model consisting of K linear regression models through these samples. In the process of model fitting, LEMNA introduces fused lasso as a regularization term to force adjacent features to have similar importance scores so as to effectively capture the dependencies between features, which can approximate the local nonlinear decision boundary of the deep learning model and extract the explanation of key features from the hybrid regression model. xNIDS [20] focuses on the time-series characteristics of traffic by approximating and sampling historical input traffic and uses the sparse group lasso method to capture the dependencies between features. This method allows predefined groups of features to be either all selected or all excluded, ensuring that all features in the same group are either all included or completely excluded. This approach has desirable group-level and feature-level sparsity effects, helping to identify the key features that are most explanatory to the prediction results. However, when performing sparsity interpretation, the importance of different feature groups and the importance of the features within the group may differ. Treating them as the same may lead to a reduction in the explanatory effect.

2.2. Active Intrusion Responses

For the protection of the industrial Internet, it is not enough to use IDS alone. IDS must be combined with IRS to dynamically deploy appropriate defense rules to mitigate the detected attacks and restore to the normal state [23]. Many scholars have tried to use feature-based or specification-based NIDS [24,25] to implement active intrusion response. For example, the study in [26] proposed a network-control framework based on the open-source Bro [24] network security monitor, which enables passive network monitoring systems to actively control network components (such as switches, firewalls, etc.), and finally used OpenFlow [27] for the evaluation of functionality and performance. The study in [28] proposed SnortFlow, an intrusion prevention system based on OpenFlow and Snort, which enables cloud-network environments to detect intrusions and deploy defenses through real-time reconfiguration of the cloud-network environment. In short, the proposed defense system utilizes Snort to analyze the network traffic and deploys defense rules on OpenFlow to defense. The study in [29] proposed Poseidon, a high-performance, low-cost, and agile DDoS defense system, which uses a modular policy abstraction to represent defense policies, divides them into programmable switches to run according to the attributes of the defense primitives, maps the high-level policies to defense resources through an optimized orchestration mechanism, and finally a runtime-management mechanism is designed to achieve dynamic defense without blocking legitimate traffic. The study in [30] proposed a method, FIRMA, to detect and respond to network intrusions using network characteristics and blacklists; however, the method is too strict and leads to excessive intrusion response, which not only blocks malicious traffic but also normal traffic, and fails to achieve fine-grained management of traffic. The study in [20] proposed xNIDS, an intrusion response framework based on the explanation method, which focuses on the time-series characteristics of the traffic by approximating and sampling the historical input traffic and then uses the sparse group lasso method to capture the dependencies between the characteristics. This method allows predefined groups of features to be either all selected or all excluded, ensuring that all features in the same group are either all included or completely excluded. This approach has desirable group-level and feature-level sparsity effects, helping to identify the key features that are most explanatory to the prediction results. However, when performing a sparsity explanation, the importance of different feature groups and the importance of the features within the group may differ. Treating them as the same may lead to a reduction in the explanatory effect.

In summary, the existing explanation methods and active intrusion response methods still have the following problems: Firstly, IIDS needs to make a decision based on the current sample and several historical inputs when making predictions, and it needs to consider the complex dependencies between features. However, the explanation methods LEMNA, LIME, and SHAP only consider the current sample and ignore the historical input samples. Second, explanation methods cannot capture the complex dependencies between features. For example, IG, LIME, and SHAP assume that features in the input sample are independent, and LEMNA assumes that adjacent features have the same contribution, which cannot capture the dependencies between features. Although there have been related studies such as xNIDS to solve the above problems, they do not fully consider the differences between feature groups and features within feature groups, resulting in poor explanation effects. Finally, most of the existing intrusion response methods, such as SnortFlow, Poseidon, and FIRMA, mainly rely on predefined feature matching or rule specification to respond, which lack dynamic adaptability and cannot achieve fine-grained management of network traffic. However, in actual industrial scenarios, defense rules often need to be dynamically adjusted and deployed according to real-time industrial network traffic to adapt to the complex and changing network environment, and defense rules also need to implement fine-grained management of industrial network traffic. Considering the problems existing in current research, this paper proposes an intrusion response method for the industrial Internet based on explainable deep learning to realize active protection for the industrial Internet.

3. System Design

In this section, we introduce two important parts of this work: explaining industrial intrusion detection results and generating industrial intrusion defense rules, where the part of explaining industrial intrusion detection results describes the improved explanation method in detail, and the part of generating defense rules describes the method of determining the scope of the defense rules based on the explanation results and generating the industrial intrusion defense rules in combination with the security constraints.

The industrial internet intrusion response system considered in this paper is shown in Figure 1, which includes two important parts: the explanation of industrial intrusion detection results and the generation of industrial intrusion response rules. Specifically, first of all, the traffic in the industrial Internet is collected and uploaded to the industrial intrusion detection model based on deep learning, and the results will be output when the detection is finished. The trained industrial intrusion detection model based on deep learning, the traffic to be explained, and the detection results will be uploaded to the improved explanation method of this paper. After the explanation, the output is the feature-importance score. Based on the explanation results to determine the defense rule scope and combined with the security constraints to generate unified defense rules, in order to verify the effectiveness of the defense rules, the unified defense rules will be specific and then deployed to different defense tools to achieve a more fine-grained blocking and passing of industrial traffic.

3.1. Explaining Industrial Intrusion Detection Results

The explanation of industrial intrusion detection results consists of two key steps: approximating historical inputs and sampling and capturing feature dependencies. Firstly, in order to fully consider the influence of historical inputs of industrial internet traffic, we approximate the historical inputs and synthesize the samples using Weighted Random Sampling (WRS) [31]. We then take into account the importance of features between and within feature groups and use a dynamically weighted sparse group lasso to obtain a more fine-grained explanation of the results.

3.1.1. Approximating History Inputs and Sampling

Due to the strong time-series characteristics of industrial internet traffic, although the existing explanation methods LEMNA, LIME, and SHAP can highlight the features that have important contributions to the detection results to explain the detection results, they are not sufficient to explain the detection results about historical inputs. Aiming at this problem, some studies have begun to consider historical inputs to obtain a better explanation. However, in industrial internet intrusion detection, the explanation results obtained only from the current input or a fixed number of historical inputs are insufficient, which will lead to low explanation fidelity. In addition, it is also unreasonable to consider all historical inputs, which will produce redundancy, so it is necessary to effectively find a small number of inputs to approximate the relevant historical inputs [20]. This involves approximating the historical input and synthesizing samples by weighted random sampling around the historical input.

When approximating the historical input, we first need to find a length L, such that the approximate historical input of length L and the approximation result containing K actual historical inputs meet a specific accuracy, if not, we will double L, otherwise we will cut L in half, until the approximate accuracy is satisfied or the maximum number of updates is reached. Secondly, some weakly correlated historical inputs were deleted from the obtained historical inputs of length L to ensure that the detection results still meet the requirements of approximate accuracy, and then the most relevant inputs were selected.

When sampling the historical input, considering that the latest input may have more influence on the result than the old input when DL-IIDS make decisions, the sampling is not uniform near the historical input. Firstly, we assign weights according to the arrival order of historical inputs and assign greater weights to the latest historical inputs. Then, we synthesize samples closer to the latest historical inputs by Weighted Random Sampling (WRS). Specifically, the probability of each sample being selected at WRS is determined by its relative weight. Weights are assigned to each historical input according to its arrival order, and features of the latest historical input have a higher probability to be selected, while features of the same input have the same probability to be selected.

3.1.2. Capturing Feature Dependencies

To achieve sparse explanation, the most relevant features from the input are selected as the result of the explanation, while ignoring those features that have less contribution to the detection result. The traditional sparse group lasso (SGL) is a regression method that supports selection on the basis of feature groups, which allows predefined groups of features to be included in the model as a whole or excluded as a whole. This method has shown desirable results in terms of sparsity of both feature groups and individual features [32]. However, the traditional sparse group lasso does not consider the differences between and within groups. To address this problem, we integrate the importance-evaluation criteria of features between and within feature groups on the basis of the traditional sparse group lasso, which is used to measure the importance of different features between and within feature groups, so as to implement the dynamically weighted sparse group lasso to further enhance the explanation effect. The specific calculation formulas are as follows:

The evaluation of the importance of feature groups requires measuring the relationship between the module feature vector and the classification label Y, specifically calculating the contribution of the g-th feature group to the classification, as shown in Equation (1):

$$s{g}^{\left(g\right)}={\displaystyle \frac{\mathrm{SU}\left(m{e}_g,Y\right)}{\sqrt{p_g}}}$$

(1)

where $p_g$ is the number of features in group g, which reduces the impact of the number of features on the detection results, and meg denotes the representative features of feature group g obtained by Principal Component Analysis (PCA), Equation (2) measures the degree of correlation between the representative feature meg and the categorical label Y through an information theoretic perspective:

$$\mathrm{SU}\left(m{e}_g,Y\right)=2·{\displaystyle \frac{IG\left(m{e}_g,Y\right)}{H\left(m{e}_g\right)+H\left(Y\right)}}$$

(2)

According to the feature group importance evaluation shown in Equation (1), we construct the g-th feature group weight, as shown in Equation (3):

$$w_{grp}^{\left(g\right)}={\displaystyle \frac{1}{s{g}^{\left(g\right)}}}$$

(3)

The symbol $m_t^{\left(g\right)}$ denotes the group-affiliation trustworthiness of the t-th feature of the g-th group, and the group-affiliation trustworthiness indicates the degree of trustworthiness that the feature belongs to the feature group, specifically calculating the similarity between the current feature and the representative features of the group, as shown in Equation (4):

$${\mathrm{m}}_{\mathrm{t}}^{\left(\mathrm{g}\right)}=\mathrm{SU}\left({\mathrm{S}}_{\mathrm{t}}^{\left(\mathrm{g}\right)},{\mathrm{me}}_{\mathrm{g}}\right)$$

(4)

The symbol $s_t^{\left(g\right)}$ denotes the comprehensive evaluation criterion for the t-th feature in the g-th feature group, and the definitions of each parameter and other representations are described in detail in [21], as shown in Equation (5):

$$\begin{array}{c}{s}_t^{\left(g\right)}={\displaystyle \frac{{\delta }_2}{{\delta }_1+{\delta }_2}}s{1}_t^{\left(g\right)}+{\displaystyle \frac{{\delta }_1}{{\delta }_1+{\delta }_2}}s{2}_t^{\left(g\right)}\\ s{1}_t^{\left(g\right)}={\displaystyle \frac{1}{{\left(p_g-1\right)}^2}}{\sum }_{\begin{array}{c}i=1\\ i\ne t\end{array}}^{p_g}\sum _{\begin{array}{c}j=1\\ j\ne t\end{array}}^{p_g}I\left({\widehat{D}}_i^{\left(g\right)};{\widehat{D}}_j^{\left(g\right)}\mid {\widehat{D}}_t^{\left(g\right)}\right)\\ s{2}_t^{\left(g\right)}={\displaystyle \frac{1}{{\left(p_g-1\right)}^2}}\sum _{\begin{array}{c}i=1\\ i\ne t\end{array}}^{p_g}\sum _{\begin{array}{c}j=1\\ j\ne t\end{array}}^{p_g}{\left[I\left({\widehat{D}}_i^{\left(g\right)};{\widehat{D}}_j^{\left(g\right)}\mid {\widehat{D}}_t^{\left(g\right)}\right)-I\left({\widehat{D}}_i^{\left(g\right)};{\widehat{D}}_j^{\left(g\right)}\right)\right]}_{+}\end{array}$$

(5)

The within-group feature importance of the t-th feature of the g-th feature group is the product of the group-affiliation trustworthiness of the feature and the comprehensive evaluation criterion, as shown in Equation (6):

$$s{i}_t^{\left(g\right)}=s_t^{\left(g\right)}·m_t^{\left(g\right)}$$

(6)

Based on the within-group feature-importance shown in Equation (6), we construct the weight matrix of the features within the g-th feature group, as shown in Equation (7):

$$w_{ind}^{\left(g\right)}=diag\left\{{\displaystyle \frac{1}{s{i}_1^{\left(g\right)}}},{\displaystyle \frac{1}{s{i}_2^{\left(g\right)}}},\dots ,{\displaystyle \frac{1}{s{i}_{p_g}^{\left(g\right)}}}\right\}$$

(7)

We proposed an improved dynamic weighted sparse group lasso. Compared with the fixed coefficient of the traditional sparse group lasso, we refine the penalty strength for the feature group and the features within the group. Through the importance calculation Equations (3) and (7), the calculated weighted coefficient is introduced for dynamic weighting, such as Equation (8):

$$\underset{\beta }{argmin}{\{\parallel f-g\parallel }_2^2+\underset{\mathrm{Group}\mathrm{Sparsity}}{\underbrace{(1-\alpha )\lambda \sum _{q=1}^Q{w}_{grp}^{\left(q\right)}{\parallel {\beta }_q\parallel }_2}}+\underset{\mathrm{Feature}\mathrm{Sparsity}}{\underbrace{\alpha \lambda \sum _{q=1}^Q{\parallel w_{ind}^{\left(q\right)}\beta \parallel }_1}}\}$$

(8)

3.2. Generating Industrial Intrusion Defense Rules

After extracting the important features used by DL-IIDS for decision making, xIIRS generates defense rules based on these features. Figure 2 gives a detailed example of how xIIRS generates defense rules. It comprises the following three steps: (1) determine the defense rule scope according to the explanation results. (2) create a unified defense rule entity by filling the important feature matching values into the corresponding fields according to the defense rule scope and security constraints. (3) specify the unified defense rules in different defense tools to generate their own defense rules.

3.2.1. Defense Rule Scope

In order to balance accuracy and generalization, we use the defense rule scopes defined in the study in [20] to determine the scope of application of the rules, where the per-flow scope can only affect network traffic for a specific flow, the per-host scope blocks multiple flows from the same host, and the multi-host scope blocks multiple flows from multiple hosts.

Specifically, the defense rule scope is determined by analyzing the corresponding explanations. As shown in

Table 1. Details of statistical information.

Field	Description
IP_pool	The IPs involved in inputs
IP_n	The largest number of packets from the same IP
MAC_n	The largest number of packets from the same MAC
Port_n	The largest number of packets from the same Port
Protocol_n	The largest number of packets from the same Protocol

, the statistics are defined as S and contain the following five fields: IP_pool, IP_n, MAC_n, Port_n, and Protocol_n. We determine the defense rule scope (scope of action) by examining the values of the fields in the statistics. For example, a large value of Protocol_n or Port_n indicates that the abnormal traffic shares the same protocol or port, and there is a high probability that multiple hosts are sending traffic together, focusing on a certain protocol or port, which indicates that multiple hosts may be involved in the attack. Therefore, the scope of the defense rule should be multi-host. Otherwise, if the abnormal traffic comes from the same host, the corresponding defense rule scope should be set to per-host scope or per-flow scope. In this case, if multiple protocols or ports are included in the important features, which means that the host uses multiple protocols to launch the attack, the defense rule scope is per-host scope; otherwise, it is per-flow scope.

3.2.2. Security Constraints

The industrial network environment is complex and dynamic, which needs to be flexibly adjusted according to different network environments and possible changes. To this end, security constraints that can be dynamically configured by industrial network managers are introduced. These constraints include whitelisting and blocking strategies to ensure the availability of industrial networks and maintain an appropriate blocking rate. Among them, the whitelist ensures that the industrial network traffic of critical services is not affected by the defense rules, and the blocking strategy chooses the assertive block strategy with better malicious traffic blocking effect and normal traffic passing effect in [20], specifically, the industrial network managers are more inclined to trust the rules automatically generated by the corresponding DL-IIDS and xIIRS.

3.2.3. Generating Unified Defense Rules

To support defense tools that use different rule syntaxes, we adopt the unified defense rule representation in [20], where each unified defense rule consists of 4 tuples: ⟨Entity, Action, Priority, Timeout⟩. Entity is the target of application defense actions (network flow, connection, IP address, etc.). Action is the specific defense action to be performed for all network flows of the entity. Priority is the order of operations to resolve potential conflicts by applying the rule with the highest priority when a single instance of network traffic matches multiple unified defense rules. Timeout indicates the effective time of the defense rule.

To generate defense rules, we create defense rule entities by filling the corresponding fields with values matching important features related to the scope and security constraints of the defense rule. Two basic operations, drop_flow and drop_host, are defined, and for per-flow, the drop_flow operation is used to block malicious traffic. For per-host, the drop_host operation is used to block malicious hosts. For multi-host, the drop_flow operation is used to recursively block malicious flows.

4. Experimental Evaluation

This section verifies the proposed xIIRS scheme from three aspects: experimental settings, explanation method evaluation experiment, and industrial intrusion response evaluation experiment. Firstly, Section 4.1 mainly introduces the experimental environment, comprising three parts: the dataset description, the evaluation metrics, and the target system performance. Secondly, Section 4.2 systematically evaluates the explanation effect of the improved explanation method from four aspects of fidelity, sparsity, completeness, and stability. Finally, Section 4.3 implements the evaluation of industrial intrusion response through response latency evaluation experiment and response effectiveness evaluation experiment.

4.1. Experiment Settings

Method Implementation. The experiment is carried out on the Ubuntu 22.04.3 LTS platform with Intel Xeon Gold 5118 CPU (128 G) and two 10 G network cards. The Python package asgl [33] was used to implement xIIRS and grid search was used to adjust parameters to improve performance. Finally, OpenFlow was selected from multiple defense tools to verify the effectiveness of the generated defense rules.

Target DL-IIDS. We use widely used deep learning models as the target DL-IIDS, specifically employing the AutoEncoder and the commonly used LSTM model in RNNs for the DL-IIDS.

Comparison Baselines. The baseline methods we compare are LIME, SHAP, LEMNA, IG, LRP, and xNIDS.

4.1.1. Dataset Description

The experiments were conducted on two datasets: TON_IoT dataset [34] and natural gas pipeline dataset [35].

The TON_IoT dataset contains nine types of labeled IoT network traffic data aggregated from heterogeneous data sources, including Normal, Scanning attacks, Denial of Service (DoS) attacks, and distributed DoS (DDoS) attacks, Ransomware attacks, Backdoor attacks, Injection attacks, Cross-Site Scripting (XSS) attacks, Password Cracking attacks (PWA) and Man-In-The-Middle attacks (MITM). The data contains about 22 M log entries with 46 features and 9 devices. A sample of these data is used in this study, and the data are divided into two subsets: 80% of the data are used for training, and 20% are used for testing.

Another dataset used in this paper is the natural gas pipeline dataset, which was established by the Mississippi State University’s critical Infrastructure protection center, and the data source is the network layer data of the natural gas pipeline SCADA control system. Compared with traditional enterprise networks, SCADA network topology and services are relatively fixed. There are two categories of features in the dataset: network traffic features and payload content features. Network traffic features are used to describe normal traffic patterns to detect malicious activities, including device address, function code, length of packet, packet error checking information, and time intervals between packets. Payload content features describe the current state of the SCADA system, including sensor measurements, supervisory control inputs, and distributed control states, which are used to detect attacks that cause abnormal behavior of the device. This dataset collects network data of normal natural gas pipeline operation and network data of 7 types of network attacks. Each network data includes 26 features and 1 label. A total of 80% of the data are used for model training and 20% for testing.

4.1.2. Evaluation Metrics

In order to evaluate the explanation performance of the proposed xIIRS, this study used four common indicators in study [20] to evaluate the explanation effect of the detection method: Average Descriptive Accuracy (ADA), Mass Around Zero (MAZ), the proportion of abnormal samples that generate non-degenerate explanations (Anomaly) and the Average Stability Score (Stability). To measure the effectiveness of the defense rules, we used indicators such as latency and block rate.

1.

ADA: We use the evaluation metric below to evaluate the fidelity of the explanation methods.

$$ADA\left(\mathrm{D}\right)={\displaystyle \frac{1}{n}}\sum _{i=1}^n{f}_N{\left(x_i\mid x_{i1}=0,\dots ,x_{ik}=0\right)}_{c_i}$$

(9)

where D is the dataset, x is a sample in D, the size of the dataset D is n, $f_N$ is the prediction function, $x_{ik}$ denotes the k-th feature of the i-th sample, and $c_i$ denotes the class of the i-th sample is c. A steep decline in ADA indicates better fidelity of the explanation method.

2.

MAZ: We use the evaluation metric below to evaluate the sparsity of the explanation methods.

$$MAZ\left(\beta \right)={\int }_0^{1}h\left(x\right)dx$$

(10)

where $\beta$ is the importance score scaled to a range of [0,1]. The larger the slope of MAZ near 0 and the smaller the slope near 1, the better the sparsity of the explanation method.

3.

Anomaly: We use the evaluation metric below to evaluate the completeness of the explanation methods, measuring the completeness of the historical inputs by calculating the percentage of anomaly samples able to generate non-degenerate explanations.

$$\mathrm{Anomaly}={\displaystyle \frac{N_{\mathrm{valid}}}{N_{\mathrm{total}}}}$$

(11)

where $N_{valid}$ is the number of abnormal samples for generating non-degenerate explanations and $N_{total}$ is the total number of abnormal samples, and the larger the result of Anomaly indicates the better the completeness of the explanation method.

4.

Stability: We use the evaluation metric below to evaluate the stability of the explanation methods. To check the stability of the explanation, we calculated the size of the first K feature intersections of the explanation results concerning the same inputs from different tests.

$$\mathrm{Stability}={\displaystyle \frac{1}{K}}{∥\left\{top\left({\beta }^1\right)\cap top\left({\beta }^2\right)\dots \cap top\left({\beta }^n\right)\right\}∥}_1$$

(12)

where ${\beta }_n$ denotes the set of the first K important features obtained from the n-th explanation, and the closer the result of Stability is to 1 indicates the better the stability of the explanation method.

4.1.3. Target System Performance

Table 2. Target system intrusion detection model performance.

Dataset	System	Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)
TON_IoT	AE-IDS	92.15	94.11	96.57	95.32
	LSTM-IDS	98.43	98.87	99.24	99.05
Gas Pipeline	AE-IDS	95.86	96.09	92.40	94.21
	LSTM-IDS	98.05	96.70	98.00	97.34

is the target system where we need to conduct explanation method evaluation experiments and industrial intrusion response evaluation experiments. It shows the intrusion detection performance of different models under the two selected datasets.

4.2. Explanation Methods Evaluation Experiments

We conducted experiments on two widely used industrial network traffic datasets to perform an explanation evaluation of xIIRS, and the results are as follows.

4.2.1. Fidelity Evaluation Experiment

This experiment evaluates the degree of trustworthiness of the explanation method in capturing important features that contribute to a particular detection result. This fidelity evaluation experiment focuses on the effect on the ADA of the dataset after modifying the first k relevant features for normal and abnormal samples. There are two ways of modifying the k relevant features as described in [20]. For abnormal samples it is to set the k important features to 0, and for normal samples, it is to replace the first k relevant features of the benign samples with the corresponding features of the nearest abnormal samples.

For the abnormal traffic samples, as shown in Figure 3 and

Table 3. Area under the ADA curve.

Dataset	System	LIME	SHAP	LEMNA	IG	LRP	xNIDS	xIIRS
TON_IoT	AE-IDS	0.399	0.410	0.433	0.420	0.376	0.338	0.320
	LSTM-IDS	0.348	0.334	0.324	0.336	0.319	0.302	0.290
Gas Pipeline	AE-IDS	0.494	0.501	0.517	0.509	0.462	0.449	0.431
	LSTM-IDS	0.358	0.337	0.328	0.344	0.314	0.305	0.293

, xIIRS has the largest decrease in ADA and the smallest area under the curve compared with the baseline method on both datasets, which shows that the features selected by xIIRS are highly correlated with the detection results. Similarly, to validate the fidelity of the explanation method in the case of the normal samples, as shown in

Table 4. Comparison of setting benign features to zero and replacing abnormal features.

Dataset	System	Setting to Zero	Replacement
TON_IoT	AE-IDS	0.070	0.207
	LSTM-IDS	0.075	0.242
Gas Pipeline	AE-IDS	0.062	0.194
	LSTM-IDS	0.064	0.218

, we observe that the replacement of normal features by abnormal features significantly increases the anomaly rate by at least 3 times on all datasets, which shows that the features selected by our explanation method still have a good fidelity effect in the case of the normal traffic samples.

4.2.2. Sparsity Evaluation Experiment

This experiment evaluates the sparsity of the explanation method. An ideal explanation method should select a limited number of features as the explanation result. We follow the experimental evaluation method in [20]. We first scale the feature-importance scores to the range [0,1], then fit $\beta$ to a semi-canonical histogram h, and then compute the MAZ. If the explanation method can be assigned to most of the features near 0 and achieve a sparse explanation, then the MAZ curve will have a steeper slope close to 0 and a larger area under the curve.

As shown in Figure 4 and

Table 5. Area under the MAZ curve.

Dataset	System	LIME	SHAP	LEMNA	IG	LRP	xNIDS	xIIRS
TON_IoT	AE-IDS	0.616	0.599	0.571	0.577	0.591	0.673	0.699
	LSTM-IDS	0.636	0.620	0.605	0.612	0.669	0.702	0.714
Gas Pipeline	AE-IDS	0.618	0.609	0.588	0.595	0.603	0.684	0.709
	LSTM-IDS	0.674	0.665	0.643	0.657	0.684	0.710	0.720

, xIIRS has the steepest slope and the largest area under the curve, which means that most of the feature-importance scores assigned by xIIRS are close to zero, and xIIRS is better than the baseline method in the sparsity criterion. Among them, LEMNA performs poorly in the sparsity criterion, which is due to the fact that LEMNA assumes that neighboring features contribute similarly to the detection results. In contrast, xIIRS takes into account the differences between the between- and within-group features and could achieve more accurate feature-level sparsity while guaranteeing group-level sparsity. Compared with the xNIDS method with traditional sparse group lasso, xIIRS reflects stronger sparsity.

4.2.3. Completeness Evaluation Experiment

This experiment evaluates the completeness of the explanation method, an ideal explanation method that creates suitable results for all possible input samples. We follow the experimental evaluation method in [20] and measure the completeness of the historical inputs by calculating the percentage of abnormal samples that are able to generate non-degenerate explanations.

As shown in

Table 6. Proportion of anomaly samples generating non-degenerate explanations.

Dataset	System	LIME	SHAP	LEMNA	IG	LRP	xNIDS	xIIRS
TON_IoT	AE-IDS	0.538	0.525	0.645	0.638	0.603	0.932	0.941
	LSTM-IDS	0.606	0.564	0.742	0.737	0.682	0.965	0.969
Gas Pipeline	AE-IDS	0.583	0.569	0.671	0.653	0.621	0.947	0.956
	LSTM-IDS	0.625	0.587	0.786	0.766	0.735	0.972	0.976

, at least about 22% of the anomaly samples of LIME, SHAP, LEMNA, IG, and LRP do not contain enough information to generate non-degenerate explanations because they ignore historical inputs. In contrast, only about 3% of the anomaly samples of our proposed xIIRS and xNIDS generate degenerate explanations due to considering the impact of historical inputs on the explanations and because our methods consider the differences between and within feature groups and optimize the selection of key features within groups, generating a higher proportion of non-degenerate explanations compared to xNIDS.

4.2.4. Stability Evaluation Experiment

This experiment evaluates the stability of the explanation method. An ideal explanation method should produce similar results for the same samples across many tests. We follow the experimental evaluation method in [20] and calculate the intersection size of the first K features in the explanation results for the same inputs under different test conditions. Since the explanation results of IG and LRP are deterministic, we focus on the stability of the perturbation-based methods LIME, SHAP, LEMNA, xNIDS, and xIIRS.

As shown in

Table 7. Average stability score for explanation methods.

Dataset	System	LIME	SHAP	LEMNA	xNIDS	xIIRS
TON_IoT	AE-IDS	0.487	0.562	0.418	0.734	0.826
	LSTM-IDS	0.581	0.688	0.513	0.805	0.893
Gas Pipeline	AE-IDS	0.523	0.617	0.473	0.785	0.867
	LSTM-IDS	0.611	0.723	0.547	0.837	0.916

, the average stability scores of xIIRS are all higher than those of LEMNA, SHAP, LIME, and xNIDS, which is due to the fact that xIIRS takes into account the differences in features between and within feature groups, and the dynamic adjustment of the feature weights enables the model to keep the key features more stably and reduce the fluctuation of the unimportant or redundant features in different testing conditions and thus improves the stability of the intersection size of the top K features in the explanation results.

4.3. Industrial Intrusion Response Evaluation Experiment

In order to verify the effectiveness of the generated defense rules, we deploy them on the widely used defense tool OpenFlow and carry out experiments on industrial internet intrusion response latency and response-effect evaluation.

4.3.1. Response Latency Evaluation Experiment

This experiment evaluates the explanation method latency and the generation of defense rule latency. As shown in Figure 5, more than 90% of the explanation delays of our method on the TON_IoT dataset and Gas Pipeline dataset are less than 900 ms and 800 ms, respectively. As shown in Figure 6, the maximum delay of generating the defense rules on the TON_IoT dataset is 51 ms against the MITM attack, and the average delay is about 39 ms. The maximum delay for generating the defense rules on the Gas Pipeline dataset is 40 ms for the MFCI attack, and the average delay is about 32 ms.

4.3.2. Response Effectiveness Evaluation Experiment

In order to verify the defense effectiveness of the generated defense rules, we compare them with the baseline method xNIDS based on the blocking rate, we replay the traffic of the relevant dataset and verify the change in traffic blocking rate before and after deploying the defense rules on the defense tool OpenFlow to quantitatively analyze the effectiveness of the generated defense rules.

As shown in Figure 7, before the deployment of the defense rule, the direct blocking of the relevant hosts is used, and it could be seen that the blocking rate of the malicious traffic and the normal traffic are both high, which leads to many normal industrial traffic being blocked by mistake. As shown in Figure 8 and Figure 9, after the deployment of defense rules, the blocking rate of malicious traffic on the TON_IoT dataset decreases by about 1.08% and rises by about 0.37% on average compared with that of xNIDS and xIIRS before the deployment of the defense rules, respectively, and at the same time reduces the blocking rate of normal traffic by about 12.39% and 12.81% on average, respectively. The blocking rate of malicious traffic on the Gas Pipeline dataset has increased by about 1.99% and 2.24% on average compared to xNIDS and xIIRS before the deployment of defense rules, while the blocking rate of normal traffic has decreased by about 15.7% and 16.1% on average. Finally, our proposed method achieves an average blocking rate of 93.17% for malicious traffic and 1.34% for normal traffic in the TON_IoT dataset and an average blocking rate of 96.01% for malicious traffic and 1.36% for normal traffic in the Gas Pipeline dataset. The above experimental results demonstrate that our generated defense rules can achieve better blocking for malicious traffic and better passing for normal traffic.

5. Discussion

We consider the impact of feature differences between feature groups and feature differences within feature groups on the traditional sparse group lasso in capturing feature dependencies and introduce the calculated dynamic weights according to the proposed evaluation criteria to obtain a more fine-grained explanation. The experimental results show that the improved explanation method is superior to the existing baseline methods in fidelity, sparsity, completeness, and stability, which also strongly demonstrates the effectiveness of feature group and within-group feature differentiation consideration. The industrial intrusion response method implemented based on the above explanation method has a 90% explanation delay of less than 900 ms on the two datasets, and the maximum delay time of defense rule generation is less than 40 ms, which is acceptable in most industrial scenarios. In terms of response effect, the average blocking rates of malicious traffic in TON_IoT and Gas Pipeline datasets reached 93.17% and 96.01%, and the average blocking rates of normal traffic were 1.34% and 1.36%, respectively. The experimental results show that the defense rules generated by us can achieve better blocking for malicious traffic and better passing for normal traffic.

In the face of increasingly complex industrial internet attacks, our proposed intrusion response scheme xIIRS for industrial Internet based on explainable deep learning can block malicious traffic and release normal traffic in a relatively short time, which realizes fine-grained management of industrial internet traffic. When the industrial internet traffic environment changes, our method can also dynamically adjust the defense rules for response disposal.

6. Conclusions and Future Work

In this paper, we proposed an industrial internet intrusion response method xIIRS based on explainable deep learning. Firstly, we improved an explanation method by approximating and sampling the historical input and calculating the sparse group lasso dynamic weighting according to the between and within feature group importance-evaluation criteria, which improves the ability of sparse group lasso to capture key features and implements fine-grained explanation. Then, we determined the defense rule scope based on the obtained explanation results and generated more fine-grained defense rules to implement intrusion response in combination with security constraints. Finally, we conducted a large number of experiments on TON_IoT, natural gas pipeline dataset, and the experimental results show the effectiveness of xIIRS. In future work, we will consider further improving the generation of defense rules and the generalizability for new attacks, and at the same time, to carry out a large number of tests and verifications in actual industrial scenarios to adapt to the more complex and changing real industrial network environment.