Deriving Interpretable Rules for IoT Discovery Through Attention

Abstract

Due to their high vulnerability, IoT has become a primary target for cybercriminals (e.g., botnets, network infiltration). As a result, many solutions have been developed to help users and administrators identify IoT devices. While solutions based on deep learning have been shown to outperform traditional approaches in other domains, their lack of explanation and their inference latency present major obstacles for their adoption in network traffic analysis, where throughputs of Gbps are typically expected. Extracting rules from a trained neural network presents a compelling solution, but existing methods are limited to feedforward networks, and RNN/LSTM. In contrast, attention-based models are a more recent architecture, and are replacing RNN/LSTM due to their higher performance. In this paper, we therefore propose a novel efficient algorithm to extract rules from a trained attention-based model. Evaluations on actual packet traces of more than 100 IoT devices demonstrate that the proposed algorithm reduces the storage requirements and inference latency by 4 orders of magnitude while still achieving an average f1-score of 0.995 and a fidelity score of 98.94%. Further evaluation on an independent dataset also shows improved generalization performance: The extracted rules achieve better performance, especially thanks to their inherent capability to identify unknown devices.