{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,5]],"date-time":"2026-02-05T09:28:15Z","timestamp":1770283695959,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":77,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Key R&D Program of China","award":["2022YFB3102902"],"award-info":[{"award-number":["2022YFB3102902"]}]},{"DOI":"10.13039\/501100006374","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62172251"],"award-info":[{"award-number":["62172251"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Cybersecurity R&D Programme","award":["NCRP25-P04-TAICeN"],"award-info":[{"award-number":["NCRP25-P04-TAICeN"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3670375","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"4509-4523","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Rules Refine the Riddle: Global Explanation for Deep Learning-Based Anomaly Detection in Security Applications"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0807-5934","authenticated-orcid":false,"given":"Dongqi","family":"Han","sequence":"first","affiliation":[{"name":"Tsinghua University &amp; Zhongguancun Laboratory, Beijing, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6587-820X","authenticated-orcid":false,"given":"Zhiliang","family":"Wang","sequence":"additional","affiliation":[{"name":"Tsinghua University &amp; Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9080-6865","authenticated-orcid":false,"given":"Ruitao","family":"Feng","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7198-2687","authenticated-orcid":false,"given":"Minghui","family":"Jin","sequence":"additional","affiliation":[{"name":"State Grid Shanghai Municipal Electric Power Company, Shanghai, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2326-8766","authenticated-orcid":false,"given":"Wenqi","family":"Chen","sequence":"additional","affiliation":[{"name":"Tsinghua University &amp; Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-7516-9534","authenticated-orcid":false,"given":"Kai","family":"Wang","sequence":"additional","affiliation":[{"name":"Tsinghua University &amp; Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7094-8890","authenticated-orcid":false,"given":"Su","family":"Wang","sequence":"additional","affiliation":[{"name":"Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6109-6737","authenticated-orcid":false,"given":"Jiahai","family":"Yang","sequence":"additional","affiliation":[{"name":"Tsinghua University &amp; Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6487-9526","authenticated-orcid":false,"given":"Xingang","family":"Shi","sequence":"additional","affiliation":[{"name":"Tsinghua University &amp; Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3374-544X","authenticated-orcid":false,"given":"Xia","family":"Yin","sequence":"additional","affiliation":[{"name":"Tsinghua University 
&amp; Zhongguancun Laboratory, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7300-9215","authenticated-orcid":false,"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2023. Snort IDS. https:\/\/www.snort.org\/."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2015.11.016"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3474369.3486864"},{"key":"e_1_3_2_1_4_1","volume-title":"Bracha Shapira, and Lior Rokach.","author":"Antwarg Liat","year":"2021","unstructured":"Liat Antwarg, Ronnie Mindlin Miller, Bracha Shapira, and Lior Rokach. 2021. Explaining anomalies detected by autoencoders using Shapley Additive Explanations. Expert systems with applications 186 (2021), 115736."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1111\/rssb.12377"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2021.116100"},{"key":"e_1_3_2_1_7_1","volume-title":"Detecting Lateral Movement in Enterprise Computer Networks with Unsupervised Graph AI. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 257--268","author":"Bowman Benjamin","year":"2020","unstructured":"Benjamin Bowman, Craig Laprade, Yuede Ji, and H Howie Huang. 2020. Detecting Lateral Movement in Enterprise Computer Networks with Unsupervised Graph AI. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID). 
257--268."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2783258.2788613"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1038\/538020a"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1541880.1541882"},{"key":"e_1_3_2_1_11_1","unstructured":"Chun-Hao Chang, Elliot Creager, Anna Goldenberg, and David Duvenaud. 2019. Explaining Image Classifiers by Counterfactual Generation. In ICLR. OpenReview.net."},{"key":"e_1_3_2_1_12_1","volume-title":"Beyond Fidelity: Explaining Vulnerability Localization of Learning-based Detectors. arXiv preprint arXiv:2401.02686","author":"Cheng Baijun","year":"2024","unstructured":"Baijun Cheng, Shengming Zhao, Kailong Wang, Meizhen Wang, Guangdong Bai, Ruitao Feng, Yao Guo, Lei Ma, and Haoyu Wang. 2024. Beyond Fidelity: Explaining Vulnerability Localization of Learning-based Detectors. arXiv preprint arXiv:2401.02686 (2024)."},{"key":"e_1_3_2_1_13_1","volume-title":"Real time image saliency for black box classifiers. Advances in neural information processing systems 30","author":"Dabkowski Piotr","year":"2017","unstructured":"Piotr Dabkowski and Yarin Gal. 2017. Real time image saliency for black box classifiers. Advances in neural information processing systems 30 (2017)."},{"key":"e_1_3_2_1_14_1","volume-title":"AnoShift: A Distribution Shift Benchmark for Unsupervised Anomaly Detection. Neural Information Processing Systems NeurIPS, Datasets and Benchmarks Track","author":"Dragoi Marius","year":"2022","unstructured":"Marius Dragoi, Elena Burceanu, Emanuela Haller, Andrei Manolache, and Florin Brad. 2022. AnoShift: A Distribution Shift Benchmark for Unsupervised Anomaly Detection. 
Neural Information Processing Systems NeurIPS, Datasets and Benchmarks Track (2022)."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363226"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134015"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW53761.2021.00009"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3021924"},{"key":"e_1_3_2_1_19_1","volume-title":"Understanding Deep Networks via Extremal Perturbations and Smooth Masks","author":"Fong Ruth","unstructured":"Ruth Fong, Mandela Patrick, and Andrea Vedaldi. 2019. Understanding Deep Networks via Extremal Perturbations and Smooth Masks. In ICCV. IEEE, 2950--2958."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2017.371"},{"key":"e_1_3_2_1_21_1","volume-title":"Greedy function approximation: a gradient boosting machine. Annals of statistics","author":"Friedman Jerome H","year":"2001","unstructured":"Jerome H Friedman. 2001. Greedy function approximation: a gradient boosting machine. Annals of statistics (2001), 1189--1232."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1093\/comjnl\/bxt044"},{"key":"e_1_3_2_1_23_1","volume-title":"30th ISOC Network and Distributed System Security Symposium (NDSS'23)","author":"Goyal Akul","year":"2023","unstructured":"Akul Goyal, Xueyuan Han, Gang Wang, and Adam Bates. 2023. Sometimes, You Aren't What You Do: Mimicry Attacks against Provenance Graph Host Intrusion Detection Systems. In 30th ISOC Network and Distributed System Security Symposium (NDSS'23), San Diego, CA, USA."},{"key":"e_1_3_2_1_24_1","volume-title":"A survey of methods for explaining black box models. ACM computing surveys (CSUR) 51, 5","author":"Guidotti Riccardo","year":"2018","unstructured":"Riccardo Guidotti, Anna Monreale, Salvatore Ruggieri, Franco Turini, Fosca Giannotti, and Dino Pedreschi. 2018. 
A survey of methods for explaining black box models. ACM computing surveys (CSUR) 51, 5 (2018), 1--42."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2016.06.021"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243792"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24830"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484589"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2020.01.036"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3306618.3314230"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1080\/10618600.2021.2007935"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560609"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2020.107198"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2013.08.066"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24107"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2020.113187"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3117075"},{"key":"e_1_3_2_1_38_1","volume-title":"Interpreting Unsupervised Anomaly Detection in Security via Rule Extraction. Advances in Neural Information Processing Systems 36","author":"Li Ruoyu","year":"2024","unstructured":"Ruoyu Li, Qing Li, Yu Zhang, Dan Zhao, Yong Jiang, and Yong Yang. 2024. Interpreting Unsupervised Anomaly Detection in Security via Rule Extraction. 
Advances in Neural Information Processing Systems 36 (2024)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CNS56114.2022.9947235"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2018\/341"},{"key":"e_1_3_2_1_41_1","volume-title":"Classification and regression trees","author":"Loh Wei-Yin","year":"2011","unstructured":"Wei-Yin Loh. 2011. Classification and regression trees. Wiley interdisciplinary reviews: data mining and knowledge discovery 1, 1 (2011), 14--23."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2021.3102637"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/658"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Zili Meng Minhu Wang Jiasong Bai Mingwei Xu Hongzi Mao and Hongxin Hu. 2020. Interpreting Deep Learning-Based Networking Systems. In Proceedings of the Annual conference of the ACM Special Interest Group on Data Communication on the applications technologies architectures and protocols for computer communication (SIGCOMM). 154--171.","DOI":"10.1145\/3387514.3405859"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23204"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/CICYBS.2013.6597201"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2016.11.008"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3359992.3366639"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140451"},{"key":"e_1_3_2_1_50_1","volume-title":"Model agnostic supervised local explanations. Advances in neural information processing systems 31","author":"Plumb Gregory","year":"2018","unstructured":"Gregory Plumb, Denali Molitor, and Ameet S Talwalkar. 2018. Model agnostic supervised local explanations. 
Advances in neural information processing systems 31 (2018)."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939778"},{"key":"e_1_3_2_1_52_1","volume-title":"Neural network explanation using inversion. Neural networks 20, 1","author":"Saad Emad W","year":"2007","unstructured":"Emad W Saad and Donald C Wunsch II. 2007. Neural network explanation using inversion. Neural networks 20, 1 (2007), 78--93."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.5220\/0006639801080116"},{"key":"e_1_3_2_1_54_1","first-page":"108","article-title":"Toward generating a new intrusion detection dataset and intrusion traffic characterization","volume":"1","author":"Sharafaldin Iman","year":"2018","unstructured":"Iman Sharafaldin, Arash Habibi Lashkari, and Ali A Ghorbani. 2018. Toward generating a new intrusion detection dataset and intrusion traffic characterization. ICISSp 1 (2018), 108--116.","journal-title":"ICISSp"},{"key":"e_1_3_2_1_55_1","volume-title":"International Conference on Machine Learning (ICML). 3145--3153","author":"Shrikumar Avanti","year":"2017","unstructured":"Avanti Shrikumar, Peyton Greenside, and Anshul Kundaje. 2017. Learning important features through propagating activation differences. In International Conference on Machine Learning (ICML). 3145--3153."},{"key":"e_1_3_2_1_56_1","volume-title":"Smoothgrad: removing noise by adding noise. arXiv preprint arXiv:1706.03825","author":"Smilkov Daniel","year":"2017","unstructured":"Daniel Smilkov, Nikhil Thorat, Been Kim, Fernanda Vi\u00e9gas, and Martin Wattenberg. 2017. Smoothgrad: removing noise by adding noise. 
arXiv preprint arXiv:1706.03825 (2017)."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDMW.2018.00204"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/1978672.1978676"},{"key":"e_1_3_2_1_59_1","volume-title":"ICML (Proceedings of Machine Learning Research","volume":"3328","author":"Sundararajan Mukund","year":"2017","unstructured":"Mukund Sundararajan, Ankur Taly, and Qiqi Yan. 2017. Axiomatic attribution for deep networks. In ICML (Proceedings of Machine Learning Research, Vol. 70). PMLR, 3319--3328."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM41043.2020.9155278"},{"key":"e_1_3_2_1_61_1","volume-title":"Proceedings of the 13th International Conference on Web Search and Data Mining (WSDM). 894--896","author":"Nie Kexin","year":"2020","unstructured":"Ruoying Wang, Kexin Nie, Tie Wang, Yang Yang, and Bo Long. 2020. Deep Learning for Anomaly Detection. In Proceedings of the 13th International Conference on Web Search and Data Mining (WSDM). 894--896."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3208815"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP48549.2020.00018"},{"key":"e_1_3_2_1_64_1","volume-title":"XNIDS: Explaining Deep Learning-based Network Intrusion Detection Systems for Active Intrusion Responses. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Wei Feng","year":"2023","unstructured":"Feng Wei, Hongda Li, Ziming Zhao, and Hongxin Hu. 2023. XNIDS: Explaining Deep Learning-based Network Intrusion Detection Systems for Active Intrusion Responses. 
In 32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA, USA."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11501"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3178876.3185996"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3449868"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/1629575.1629587"},{"key":"e_1_3_2_1_69_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Yang Fan","year":"2023","unstructured":"Fan Yang, Jiacen Xu, Chunlin Xiong, Zhou Li, and Kehuan Zhang. 2023. {PROGRAPHER}: An Anomaly Detection System based on Provenance Graph Embedding. In 32nd USENIX Security Symposium (USENIX Security 23). 4355--4372."},{"key":"e_1_3_2_1_70_1","volume-title":"CADE: Detecting and Explaining Concept Drift Samples for Security Applications. In 30th USENIX Security Symposium (USENIX Security).","author":"Yang Limin","year":"2021","unstructured":"Limin Yang, Wenbo Guo, Qingying Hao, Arridhana Ciptadi, Ali Ahmadzadeh, Xinyu Xing, and Gang Wang. 2021. CADE: Detecting and Explaining Concept Drift Samples for Security Applications. In 30th USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.datak.2021.101946"},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3001350"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2018.00088"},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2006.7"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098052"},{"key":"e_1_3_2_1_77_1","unstructured":"Luisa M. Zintgraf Taco S. Cohen Tameem Adel and Max Welling. 2017. Visualizing Deep Neural Network Decisions: Prediction Difference Analysis. In ICLR. 
OpenReview.net."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670375","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3670375","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:11:05Z","timestamp":1755843065000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670375"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":77,"alternative-id":["10.1145\/3658644.3670375","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3670375","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}