TY - GEN
T1 - Everybody's Got ML, Tell Me What Else You Have
T2 - 44th IEEE Symposium on Security and Privacy, SP 2023
AU - Mink, Jaron
AU - Benkraouda, Hadjer
AU - Yang, Limin
AU - Ciptadi, Arridhana
AU - Ahmadzadeh, Ali
AU - Votipka, Daniel
AU - Wang, Gang
N1 - This work was supported in part by NSF grants CNS-2030521, CNS-2055233, CNS-1955719, an Amazon Research Award, C3.AI Research, IBM-Illinois Discovery Accelerator Institute, and the Graduate Research Fellowship Program (DGE-1746047).
PY - 2023
Y1 - 2023
N2 - Significant efforts have been investigated to develop machine learning (ML) based tools to support security operations. However, they still face key challenges in practice. A generally perceived weakness of machine learning is the lack of explanation, which motivates researchers to develop machine learning explanation techniques. However, it is not yet well understood how security practitioners perceive the benefits and pain points of machine learning and corresponding explanation methods in the context of security operations. To fill this gap and understand "what is needed", we conducted semi-structured interviews with 18 security practitioners with diverse roles, duties, and expertise. We find practitioners generally believe that ML tools should be used in conjunction with (instead of replacing) traditional rule-based methods. While ML's output is perceived as difficult to reason, surprisingly, rule-based methods are not strictly easier to interpret. We also find that only few practitioners considered security (robustness to adversarial attacks) as a key factor for the choice of tools. Regarding ML explanations, while recognizing their values in model verification and understanding security events, practitioners also identify gaps between existing explanation methods and the needs of their downstream tasks. We collect and synthesize the suggestions from practitioners regarding explanation scheme designs, and discuss how future work can help to address these needs.
UR - http://www.scopus.com/inward/record.url?scp=85166468517&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85166468517&partnerID=8YFLogxK
U2 - 10.1109/SP46215.2023.10179321
DO - 10.1109/SP46215.2023.10179321
M3 - Conference contribution
AN - SCOPUS:85166468517
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 2068
EP - 2085
BT - Proceedings - 44th IEEE Symposium on Security and Privacy, SP 2023
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 22 May 2023 through 25 May 2023
ER -