Explaining Tree Model Decisions in Natural Language for Network Intrusion Detection Article Swipe
Noah Ziems
,
Gang Liu
,
John A. Flanagan
,
Meng Jiang
·
YOU?
·
· 2023
· Open Access
·
· DOI: https://doi.org/10.48550/arxiv.2310.19658
YOU?
·
· 2023
· Open Access
·
· DOI: https://doi.org/10.48550/arxiv.2310.19658
Network intrusion detection (NID) systems which leverage machine learning have been shown to have strong performance in practice when used to detect malicious network traffic. Decision trees in particular offer a strong balance between performance and simplicity, but require users of NID systems to have background knowledge in machine learning to interpret. In addition, they are unable to provide additional outside information as to why certain features may be important for classification. In this work, we explore the use of large language models (LLMs) to provide explanations and additional background knowledge for decision tree NID systems. Further, we introduce a new human evaluation framework for decision tree explanations, which leverages automatically generated quiz questions that measure human evaluators' understanding of decision tree inference. Finally, we show LLM generated decision tree explanations correlate highly with human ratings of readability, quality, and use of background knowledge while simultaneously providing better understanding of decision boundaries.
Related Topics
Concepts
Metadata
- Type
- preprint
- Language
- en
- Landing Page
- http://arxiv.org/abs/2310.19658
- https://arxiv.org/pdf/2310.19658
- OA Status
- green
- Cited By
- 6
- Related Works
- 10
- OpenAlex ID
- https://openalex.org/W4388110131
All OpenAlex metadata
Raw OpenAlex JSON
- OpenAlex ID
-
https://openalex.org/W4388110131Canonical identifier for this work in OpenAlex
- DOI
-
https://doi.org/10.48550/arxiv.2310.19658Digital Object Identifier
- Title
-
Explaining Tree Model Decisions in Natural Language for Network Intrusion DetectionWork title
- Type
-
preprintOpenAlex work type
- Language
-
enPrimary language
- Publication year
-
2023Year of publication
- Publication date
-
2023-10-30Full publication date if available
- Authors
-
Noah Ziems, Gang Liu, John A. Flanagan, Meng JiangList of authors in order
- Landing page
-
https://arxiv.org/abs/2310.19658Publisher landing page
- PDF URL
-
https://arxiv.org/pdf/2310.19658Direct link to full text PDF
- Open access
-
YesWhether a free full text is available
- OA status
-
greenOpen access status per OpenAlex
- OA URL
-
https://arxiv.org/pdf/2310.19658Direct OA link when available
- Concepts
-
Computer science, Decision tree, Readability, Machine learning, Leverage (statistics), Artificial intelligence, Inference, Intrusion detection system, Decision tree learning, Data science, Data mining, Programming languageTop concepts (fields/topics) attached by OpenAlex
- Cited by
-
6Total citation count in OpenAlex
- Citations by year (recent)
-
2025: 2, 2024: 4Per-year citation counts (last 5 years)
- Related works (count)
-
10Other works algorithmically related by OpenAlex
Full payload
| id | https://openalex.org/W4388110131 |
|---|---|
| doi | https://doi.org/10.48550/arxiv.2310.19658 |
| ids.doi | https://doi.org/10.48550/arxiv.2310.19658 |
| ids.openalex | https://openalex.org/W4388110131 |
| fwci | |
| type | preprint |
| title | Explaining Tree Model Decisions in Natural Language for Network Intrusion Detection |
| biblio.issue | |
| biblio.volume | |
| biblio.last_page | |
| biblio.first_page | |
| topics[0].id | https://openalex.org/T10400 |
| topics[0].field.id | https://openalex.org/fields/17 |
| topics[0].field.display_name | Computer Science |
| topics[0].score | 0.9970999956130981 |
| topics[0].domain.id | https://openalex.org/domains/3 |
| topics[0].domain.display_name | Physical Sciences |
| topics[0].subfield.id | https://openalex.org/subfields/1705 |
| topics[0].subfield.display_name | Computer Networks and Communications |
| topics[0].display_name | Network Security and Intrusion Detection |
| topics[1].id | https://openalex.org/T11512 |
| topics[1].field.id | https://openalex.org/fields/17 |
| topics[1].field.display_name | Computer Science |
| topics[1].score | 0.9919999837875366 |
| topics[1].domain.id | https://openalex.org/domains/3 |
| topics[1].domain.display_name | Physical Sciences |
| topics[1].subfield.id | https://openalex.org/subfields/1702 |
| topics[1].subfield.display_name | Artificial Intelligence |
| topics[1].display_name | Anomaly Detection Techniques and Applications |
| topics[2].id | https://openalex.org/T10028 |
| topics[2].field.id | https://openalex.org/fields/17 |
| topics[2].field.display_name | Computer Science |
| topics[2].score | 0.9894999861717224 |
| topics[2].domain.id | https://openalex.org/domains/3 |
| topics[2].domain.display_name | Physical Sciences |
| topics[2].subfield.id | https://openalex.org/subfields/1702 |
| topics[2].subfield.display_name | Artificial Intelligence |
| topics[2].display_name | Topic Modeling |
| is_xpac | False |
| apc_list | |
| apc_paid | |
| concepts[0].id | https://openalex.org/C41008148 |
| concepts[0].level | 0 |
| concepts[0].score | 0.7611255049705505 |
| concepts[0].wikidata | https://www.wikidata.org/wiki/Q21198 |
| concepts[0].display_name | Computer science |
| concepts[1].id | https://openalex.org/C84525736 |
| concepts[1].level | 2 |
| concepts[1].score | 0.7313995361328125 |
| concepts[1].wikidata | https://www.wikidata.org/wiki/Q831366 |
| concepts[1].display_name | Decision tree |
| concepts[2].id | https://openalex.org/C2778143727 |
| concepts[2].level | 2 |
| concepts[2].score | 0.6680614948272705 |
| concepts[2].wikidata | https://www.wikidata.org/wiki/Q1820650 |
| concepts[2].display_name | Readability |
| concepts[3].id | https://openalex.org/C119857082 |
| concepts[3].level | 1 |
| concepts[3].score | 0.6441407203674316 |
| concepts[3].wikidata | https://www.wikidata.org/wiki/Q2539 |
| concepts[3].display_name | Machine learning |
| concepts[4].id | https://openalex.org/C153083717 |
| concepts[4].level | 2 |
| concepts[4].score | 0.62852942943573 |
| concepts[4].wikidata | https://www.wikidata.org/wiki/Q6535263 |
| concepts[4].display_name | Leverage (statistics) |
| concepts[5].id | https://openalex.org/C154945302 |
| concepts[5].level | 1 |
| concepts[5].score | 0.5519595742225647 |
| concepts[5].wikidata | https://www.wikidata.org/wiki/Q11660 |
| concepts[5].display_name | Artificial intelligence |
| concepts[6].id | https://openalex.org/C2776214188 |
| concepts[6].level | 2 |
| concepts[6].score | 0.5354020595550537 |
| concepts[6].wikidata | https://www.wikidata.org/wiki/Q408386 |
| concepts[6].display_name | Inference |
| concepts[7].id | https://openalex.org/C35525427 |
| concepts[7].level | 2 |
| concepts[7].score | 0.5190199613571167 |
| concepts[7].wikidata | https://www.wikidata.org/wiki/Q745881 |
| concepts[7].display_name | Intrusion detection system |
| concepts[8].id | https://openalex.org/C5481197 |
| concepts[8].level | 3 |
| concepts[8].score | 0.4732271432876587 |
| concepts[8].wikidata | https://www.wikidata.org/wiki/Q16766476 |
| concepts[8].display_name | Decision tree learning |
| concepts[9].id | https://openalex.org/C2522767166 |
| concepts[9].level | 1 |
| concepts[9].score | 0.3430122137069702 |
| concepts[9].wikidata | https://www.wikidata.org/wiki/Q2374463 |
| concepts[9].display_name | Data science |
| concepts[10].id | https://openalex.org/C124101348 |
| concepts[10].level | 1 |
| concepts[10].score | 0.32067835330963135 |
| concepts[10].wikidata | https://www.wikidata.org/wiki/Q172491 |
| concepts[10].display_name | Data mining |
| concepts[11].id | https://openalex.org/C199360897 |
| concepts[11].level | 1 |
| concepts[11].score | 0.0 |
| concepts[11].wikidata | https://www.wikidata.org/wiki/Q9143 |
| concepts[11].display_name | Programming language |
| keywords[0].id | https://openalex.org/keywords/computer-science |
| keywords[0].score | 0.7611255049705505 |
| keywords[0].display_name | Computer science |
| keywords[1].id | https://openalex.org/keywords/decision-tree |
| keywords[1].score | 0.7313995361328125 |
| keywords[1].display_name | Decision tree |
| keywords[2].id | https://openalex.org/keywords/readability |
| keywords[2].score | 0.6680614948272705 |
| keywords[2].display_name | Readability |
| keywords[3].id | https://openalex.org/keywords/machine-learning |
| keywords[3].score | 0.6441407203674316 |
| keywords[3].display_name | Machine learning |
| keywords[4].id | https://openalex.org/keywords/leverage |
| keywords[4].score | 0.62852942943573 |
| keywords[4].display_name | Leverage (statistics) |
| keywords[5].id | https://openalex.org/keywords/artificial-intelligence |
| keywords[5].score | 0.5519595742225647 |
| keywords[5].display_name | Artificial intelligence |
| keywords[6].id | https://openalex.org/keywords/inference |
| keywords[6].score | 0.5354020595550537 |
| keywords[6].display_name | Inference |
| keywords[7].id | https://openalex.org/keywords/intrusion-detection-system |
| keywords[7].score | 0.5190199613571167 |
| keywords[7].display_name | Intrusion detection system |
| keywords[8].id | https://openalex.org/keywords/decision-tree-learning |
| keywords[8].score | 0.4732271432876587 |
| keywords[8].display_name | Decision tree learning |
| keywords[9].id | https://openalex.org/keywords/data-science |
| keywords[9].score | 0.3430122137069702 |
| keywords[9].display_name | Data science |
| keywords[10].id | https://openalex.org/keywords/data-mining |
| keywords[10].score | 0.32067835330963135 |
| keywords[10].display_name | Data mining |
| language | en |
| locations[0].id | pmh:oai:arXiv.org:2310.19658 |
| locations[0].is_oa | True |
| locations[0].source.id | https://openalex.org/S4306400194 |
| locations[0].source.issn | |
| locations[0].source.type | repository |
| locations[0].source.is_oa | True |
| locations[0].source.issn_l | |
| locations[0].source.is_core | False |
| locations[0].source.is_in_doaj | False |
| locations[0].source.display_name | arXiv (Cornell University) |
| locations[0].source.host_organization | https://openalex.org/I205783295 |
| locations[0].source.host_organization_name | Cornell University |
| locations[0].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[0].license | |
| locations[0].pdf_url | https://arxiv.org/pdf/2310.19658 |
| locations[0].version | submittedVersion |
| locations[0].raw_type | text |
| locations[0].license_id | |
| locations[0].is_accepted | False |
| locations[0].is_published | False |
| locations[0].raw_source_name | |
| locations[0].landing_page_url | http://arxiv.org/abs/2310.19658 |
| locations[1].id | doi:10.48550/arxiv.2310.19658 |
| locations[1].is_oa | True |
| locations[1].source.id | https://openalex.org/S4306400194 |
| locations[1].source.issn | |
| locations[1].source.type | repository |
| locations[1].source.is_oa | True |
| locations[1].source.issn_l | |
| locations[1].source.is_core | False |
| locations[1].source.is_in_doaj | False |
| locations[1].source.display_name | arXiv (Cornell University) |
| locations[1].source.host_organization | https://openalex.org/I205783295 |
| locations[1].source.host_organization_name | Cornell University |
| locations[1].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[1].license | cc-by |
| locations[1].pdf_url | |
| locations[1].version | |
| locations[1].raw_type | article |
| locations[1].license_id | https://openalex.org/licenses/cc-by |
| locations[1].is_accepted | False |
| locations[1].is_published | |
| locations[1].raw_source_name | |
| locations[1].landing_page_url | https://doi.org/10.48550/arxiv.2310.19658 |
| indexed_in | arxiv, datacite |
| authorships[0].author.id | https://openalex.org/A5032058128 |
| authorships[0].author.orcid | |
| authorships[0].author.display_name | Noah Ziems |
| authorships[0].author_position | first |
| authorships[0].raw_author_name | Ziems, Noah |
| authorships[0].is_corresponding | False |
| authorships[1].author.id | https://openalex.org/A5100739873 |
| authorships[1].author.orcid | https://orcid.org/0000-0003-4204-731X |
| authorships[1].author.display_name | Gang Liu |
| authorships[1].author_position | middle |
| authorships[1].raw_author_name | Liu, Gang |
| authorships[1].is_corresponding | False |
| authorships[2].author.id | https://openalex.org/A5034093625 |
| authorships[2].author.orcid | |
| authorships[2].author.display_name | John A. Flanagan |
| authorships[2].author_position | middle |
| authorships[2].raw_author_name | Flanagan, John |
| authorships[2].is_corresponding | False |
| authorships[3].author.id | https://openalex.org/A5100670646 |
| authorships[3].author.orcid | https://orcid.org/0000-0003-0509-8927 |
| authorships[3].author.display_name | Meng Jiang |
| authorships[3].author_position | last |
| authorships[3].raw_author_name | Jiang, Meng |
| authorships[3].is_corresponding | False |
| has_content.pdf | False |
| has_content.grobid_xml | False |
| is_paratext | False |
| open_access.is_oa | True |
| open_access.oa_url | https://arxiv.org/pdf/2310.19658 |
| open_access.oa_status | green |
| open_access.any_repository_has_fulltext | False |
| created_date | 2025-10-10T00:00:00 |
| display_name | Explaining Tree Model Decisions in Natural Language for Network Intrusion Detection |
| has_fulltext | False |
| is_retracted | False |
| updated_date | 2025-11-06T06:51:31.235846 |
| primary_topic.id | https://openalex.org/T10400 |
| primary_topic.field.id | https://openalex.org/fields/17 |
| primary_topic.field.display_name | Computer Science |
| primary_topic.score | 0.9970999956130981 |
| primary_topic.domain.id | https://openalex.org/domains/3 |
| primary_topic.domain.display_name | Physical Sciences |
| primary_topic.subfield.id | https://openalex.org/subfields/1705 |
| primary_topic.subfield.display_name | Computer Networks and Communications |
| primary_topic.display_name | Network Security and Intrusion Detection |
| related_works | https://openalex.org/W2122022187, https://openalex.org/W2115529843, https://openalex.org/W2591672004, https://openalex.org/W1982169401, https://openalex.org/W2356463514, https://openalex.org/W4319437832, https://openalex.org/W2592385415, https://openalex.org/W2030894524, https://openalex.org/W4243803609, https://openalex.org/W2350430350 |
| cited_by_count | 6 |
| counts_by_year[0].year | 2025 |
| counts_by_year[0].cited_by_count | 2 |
| counts_by_year[1].year | 2024 |
| counts_by_year[1].cited_by_count | 4 |
| locations_count | 2 |
| best_oa_location.id | pmh:oai:arXiv.org:2310.19658 |
| best_oa_location.is_oa | True |
| best_oa_location.source.id | https://openalex.org/S4306400194 |
| best_oa_location.source.issn | |
| best_oa_location.source.type | repository |
| best_oa_location.source.is_oa | True |
| best_oa_location.source.issn_l | |
| best_oa_location.source.is_core | False |
| best_oa_location.source.is_in_doaj | False |
| best_oa_location.source.display_name | arXiv (Cornell University) |
| best_oa_location.source.host_organization | https://openalex.org/I205783295 |
| best_oa_location.source.host_organization_name | Cornell University |
| best_oa_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| best_oa_location.license | |
| best_oa_location.pdf_url | https://arxiv.org/pdf/2310.19658 |
| best_oa_location.version | submittedVersion |
| best_oa_location.raw_type | text |
| best_oa_location.license_id | |
| best_oa_location.is_accepted | False |
| best_oa_location.is_published | False |
| best_oa_location.raw_source_name | |
| best_oa_location.landing_page_url | http://arxiv.org/abs/2310.19658 |
| primary_location.id | pmh:oai:arXiv.org:2310.19658 |
| primary_location.is_oa | True |
| primary_location.source.id | https://openalex.org/S4306400194 |
| primary_location.source.issn | |
| primary_location.source.type | repository |
| primary_location.source.is_oa | True |
| primary_location.source.issn_l | |
| primary_location.source.is_core | False |
| primary_location.source.is_in_doaj | False |
| primary_location.source.display_name | arXiv (Cornell University) |
| primary_location.source.host_organization | https://openalex.org/I205783295 |
| primary_location.source.host_organization_name | Cornell University |
| primary_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| primary_location.license | |
| primary_location.pdf_url | https://arxiv.org/pdf/2310.19658 |
| primary_location.version | submittedVersion |
| primary_location.raw_type | text |
| primary_location.license_id | |
| primary_location.is_accepted | False |
| primary_location.is_published | False |
| primary_location.raw_source_name | |
| primary_location.landing_page_url | http://arxiv.org/abs/2310.19658 |
| publication_date | 2023-10-30 |
| publication_year | 2023 |
| referenced_works_count | 0 |
| abstract_inverted_index.a | 30, 99 |
| abstract_inverted_index.In | 52, 72 |
| abstract_inverted_index.as | 62 |
| abstract_inverted_index.be | 68 |
| abstract_inverted_index.in | 16, 27, 47 |
| abstract_inverted_index.of | 40, 79, 119, 136, 141, 149 |
| abstract_inverted_index.to | 12, 20, 43, 50, 57, 63, 84 |
| abstract_inverted_index.we | 75, 97, 124 |
| abstract_inverted_index.LLM | 126 |
| abstract_inverted_index.NID | 41, 94 |
| abstract_inverted_index.and | 35, 87, 139 |
| abstract_inverted_index.are | 55 |
| abstract_inverted_index.but | 37 |
| abstract_inverted_index.for | 70, 91, 104 |
| abstract_inverted_index.may | 67 |
| abstract_inverted_index.new | 100 |
| abstract_inverted_index.the | 77 |
| abstract_inverted_index.use | 78, 140 |
| abstract_inverted_index.why | 64 |
| abstract_inverted_index.been | 10 |
| abstract_inverted_index.have | 9, 13, 44 |
| abstract_inverted_index.quiz | 112 |
| abstract_inverted_index.show | 125 |
| abstract_inverted_index.that | 114 |
| abstract_inverted_index.they | 54 |
| abstract_inverted_index.this | 73 |
| abstract_inverted_index.tree | 93, 106, 121, 129 |
| abstract_inverted_index.used | 19 |
| abstract_inverted_index.when | 18 |
| abstract_inverted_index.with | 133 |
| abstract_inverted_index.(NID) | 3 |
| abstract_inverted_index.human | 101, 116, 134 |
| abstract_inverted_index.large | 80 |
| abstract_inverted_index.offer | 29 |
| abstract_inverted_index.shown | 11 |
| abstract_inverted_index.trees | 26 |
| abstract_inverted_index.users | 39 |
| abstract_inverted_index.which | 5, 108 |
| abstract_inverted_index.while | 144 |
| abstract_inverted_index.work, | 74 |
| abstract_inverted_index.(LLMs) | 83 |
| abstract_inverted_index.better | 147 |
| abstract_inverted_index.detect | 21 |
| abstract_inverted_index.highly | 132 |
| abstract_inverted_index.models | 82 |
| abstract_inverted_index.strong | 14, 31 |
| abstract_inverted_index.unable | 56 |
| abstract_inverted_index.Network | 0 |
| abstract_inverted_index.balance | 32 |
| abstract_inverted_index.between | 33 |
| abstract_inverted_index.certain | 65 |
| abstract_inverted_index.explore | 76 |
| abstract_inverted_index.machine | 7, 48 |
| abstract_inverted_index.measure | 115 |
| abstract_inverted_index.network | 23 |
| abstract_inverted_index.outside | 60 |
| abstract_inverted_index.provide | 58, 85 |
| abstract_inverted_index.ratings | 135 |
| abstract_inverted_index.require | 38 |
| abstract_inverted_index.systems | 4, 42 |
| abstract_inverted_index.Decision | 25 |
| abstract_inverted_index.Finally, | 123 |
| abstract_inverted_index.Further, | 96 |
| abstract_inverted_index.decision | 92, 105, 120, 128, 150 |
| abstract_inverted_index.features | 66 |
| abstract_inverted_index.language | 81 |
| abstract_inverted_index.learning | 8, 49 |
| abstract_inverted_index.leverage | 6 |
| abstract_inverted_index.practice | 17 |
| abstract_inverted_index.quality, | 138 |
| abstract_inverted_index.systems. | 95 |
| abstract_inverted_index.traffic. | 24 |
| abstract_inverted_index.addition, | 53 |
| abstract_inverted_index.correlate | 131 |
| abstract_inverted_index.detection | 2 |
| abstract_inverted_index.framework | 103 |
| abstract_inverted_index.generated | 111, 127 |
| abstract_inverted_index.important | 69 |
| abstract_inverted_index.introduce | 98 |
| abstract_inverted_index.intrusion | 1 |
| abstract_inverted_index.knowledge | 46, 90, 143 |
| abstract_inverted_index.leverages | 109 |
| abstract_inverted_index.malicious | 22 |
| abstract_inverted_index.providing | 146 |
| abstract_inverted_index.questions | 113 |
| abstract_inverted_index.additional | 59, 88 |
| abstract_inverted_index.background | 45, 89, 142 |
| abstract_inverted_index.evaluation | 102 |
| abstract_inverted_index.inference. | 122 |
| abstract_inverted_index.interpret. | 51 |
| abstract_inverted_index.particular | 28 |
| abstract_inverted_index.boundaries. | 151 |
| abstract_inverted_index.evaluators' | 117 |
| abstract_inverted_index.information | 61 |
| abstract_inverted_index.performance | 15, 34 |
| abstract_inverted_index.simplicity, | 36 |
| abstract_inverted_index.explanations | 86, 130 |
| abstract_inverted_index.readability, | 137 |
| abstract_inverted_index.automatically | 110 |
| abstract_inverted_index.explanations, | 107 |
| abstract_inverted_index.understanding | 118, 148 |
| abstract_inverted_index.simultaneously | 145 |
| abstract_inverted_index.classification. | 71 |
| cited_by_percentile_year | |
| countries_distinct_count | 0 |
| institutions_distinct_count | 4 |
| sustainable_development_goals[0].id | https://metadata.un.org/sdg/16 |
| sustainable_development_goals[0].score | 0.6800000071525574 |
| sustainable_development_goals[0].display_name | Peace, Justice and strong institutions |
| citation_normalized_percentile |