The detection of malicious URLs is a critical task in cybersecurity, as they are often used to distribute malware, steal sensitive information, and conduct phishing attacks. Traditional machine learning models for malicious URL detection, while effective, often lack interpretability, making it difficult to justify decisions in legal or investigative contexts. In this study, we propose a complementary framework that integrates Explainable AI (XAI) techniques to enhance trust, transparency, and interpretability in malicious URL detection, thereby facilitating audits and adherence to standards in cybersecurity practices. We employ convex optimization, valued for its global interpretability, to classify URLs based on lexical features such as URL length, special character count, and domain information. This approach not only improves the comprehensibility of the model’s decisions but also aligns with industry standards for accountability in AI systems. To supplement this global interpretability, we apply Local Interpretable Model-agnostic Explanations (LIME) to provide local, instance-specific explanations for individual predictions. This dual-layered interpretability ensures that stakeholders can confidently assess model outputs, thus meeting regulatory requirements and enhancing the overall robustness of malicious URL detection processes. Contrary to our initial hypothesis, our findings reveal that local explanations provided by LIME do not always align with the global feature importance derived from convex optimization. Instead, the two methods offer distinct yet complementary insights. This highlights the need for a two-stage framework, where convex optimization provides global trends, and LIME offers granular, instance-specific explanations. This parallel approach addresses both global and local interpretability requirements, enhancing the overall transparency and reliability of malicious URL detection systems. The models are evaluated using standard metrics such as accuracy, precision, recall, and F1-score. Our results demonstrate the effectiveness of the proposed framework in balancing global and local explainability, making it a robust and interpretable solution for cybersecurity applications. This work contributes to the field of explainable AI in cybersecurity by offering a transparent and accountable approach to detecting malicious URLs and integrating global and local perspectives on interpretability.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Beyond Classification: Understanding Why URLs Are Malicious with Transparent Convex Optimization and Interpretable XAI

  • Yi Anson Lam,
  • Kam-Pui Chow,
  • Siu-Ming Yiu

摘要

The detection of malicious URLs is a critical task in cybersecurity, as they are often used to distribute malware, steal sensitive information, and conduct phishing attacks. Traditional machine learning models for malicious URL detection, while effective, often lack interpretability, making it difficult to justify decisions in legal or investigative contexts. In this study, we propose a complementary framework that integrates Explainable AI (XAI) techniques to enhance trust, transparency, and interpretability in malicious URL detection, thereby facilitating audits and adherence to standards in cybersecurity practices. We employ convex optimization, valued for its global interpretability, to classify URLs based on lexical features such as URL length, special character count, and domain information. This approach not only improves the comprehensibility of the model’s decisions but also aligns with industry standards for accountability in AI systems. To supplement this global interpretability, we apply Local Interpretable Model-agnostic Explanations (LIME) to provide local, instance-specific explanations for individual predictions. This dual-layered interpretability ensures that stakeholders can confidently assess model outputs, thus meeting regulatory requirements and enhancing the overall robustness of malicious URL detection processes. Contrary to our initial hypothesis, our findings reveal that local explanations provided by LIME do not always align with the global feature importance derived from convex optimization. Instead, the two methods offer distinct yet complementary insights. This highlights the need for a two-stage framework, where convex optimization provides global trends, and LIME offers granular, instance-specific explanations. This parallel approach addresses both global and local interpretability requirements, enhancing the overall transparency and reliability of malicious URL detection systems. The models are evaluated using standard metrics such as accuracy, precision, recall, and F1-score. Our results demonstrate the effectiveness of the proposed framework in balancing global and local explainability, making it a robust and interpretable solution for cybersecurity applications. This work contributes to the field of explainable AI in cybersecurity by offering a transparent and accountable approach to detecting malicious URLs and integrating global and local perspectives on interpretability.