2024 International Conference on Distributed Computing and Optimization Techniques (ICDCOT)

Intrusion Detection System in Explainable Artificial Intelligence by Using Different Algorithms

1st D. Satyanarayana
Computer Science and Engineering
Chaitanya (Deemed to be) University, Hyderabad, India
Santhiram Engineering College
Nandyal, India
[email protected]

2nd E. Saikiran
Computer Science and Engineering
Chaitanya (Deemed to be) University
Hyderabad, India
[email protected]
2024 International Conference on Distributed Computing and Optimization Techniques (ICDCOT) | 979-8-3503-8295-2/24/$31.00 ©2024 IEEE | DOI: 10.1109/ICDCOT61034.2024.10515463

Abstract—The Internet of Things (IoT) is a rapidly established technology that combines various domains, and such technology permits devices to process, transfer, and receive information without the involvement of humans. However, privacy and security problems remain a major difficulty in the IoT. An Intrusion Detection System (IDS) is needed for securing this platform against attacks. Recently, various researchers identified significant ways for intrusion detection by employing Explainable Artificial Intelligence (XAI) approaches to Machine Learning (ML) and Deep Learning (DL) techniques. This research indicates various methodologies like Balanced and Stacked Random Forest (RF), Decision Tree (DT), Support Vector Machine (SVM), Extreme Gradient Boosting (XGB), Naïve Bayes (NB), Ada-Boost (AB), Cat-Boost (CB), Long Short-Term Memory (LSTM), Deep Neural Network (DNN), and Bidirectional-LSTM (Bi-LSTM) that are utilized for IDS. Accuracy, f1-score, recall, Area Under Curve (AUC), precision, score time, and False Alarm Rate (FAR) are employed as the performance metrics for this study.

Keywords—deep learning, internet of things, intrusion detection system, machine learning, security

I. INTRODUCTION

The development of IoT technology promotes the direct connection of various devices to the Internet. One of the primary tools employed to protect against cyberattacks is IDS, which is utilized to secure the network of the IoT platforms. IDS is a device that monitors the traffic of the network to protect its confidentiality, availability, and integrity [1]. It is significant in ensuring cybersecurity by keeping track of software and hardware configuration in a network [2]. There are two kinds of IDS. Signature-based IDS's goal is to compare the incoming traffic signatures with predetermined signature data from earlier known attacks. Anomaly-based Network IDS’s (NIDS) goal is to solve the limitations of signature IDS by employing advanced statistical techniques that have allowed researchers to evaluate the network traffic’s behavioral pattern [3]. To list the intrusion, the deviation between the current technique and the observed behavior is utilized. The anomaly-based NIDS learns a normal traffic profile in the training stage and examines the abnormal behavior in the testing stage [4].

Traditional security approaches are less effective and efficient in managing intricate threats and attacks in IoT security, which facilitates the development of ML and DL-based IDS [5]. With the development of growth, flexible technology, and cost-effectiveness, AI has been highly employed [6]. XAI is developed because of its important parts, which include dependency and trust in decisions provided by XAI techniques. Additionally, XAI shifts the liability of decisions toward AI approaches and provides human operators with the justification of decisions. Such XAI techniques are developed to explain decisions by AI approaches depending on the feature decisions. XAI techniques are categorized into local and global approaches to explain a single decision by AI or all decisions [7]. DL is a subfield of ML techniques that promote the process of IDS. It is significantly effective at learning representation, which will be of high benefit in preventing feature engineering and challenges. It provides an effective set of techniques for neural network learning to enhance classification [8].

The remaining sections are organized as follows: Section 2 indicates the literature survey. Section 3 illustrates taxonomy. Section 4 represents the comparative analysis. Section 5 indicates the problem statement, and Section 6 discusses the summary.

II. LITERATURE SURVEY

The related works about IDS using XAI are discussed here along with their advantages and limitations.

Hong Liu et al. [9] implemented a Framework for improving Artificial Intelligence Explainability of Intrusion Detection (FAIXID) that combines the cleaning of data and AI explainability for intrusion detection’s data analytics process. This approach utilizes data-cleaning techniques to remove noise through data measurement, assessment of data quality, and low-quality data filtration. Then, the XAI technique was performed to ensure the AI approach among cybersecurity analysts. The FAIXID improves the interpretability score by using the data-cleaning approach. However, the FAIXID approach did not generate scalability because of a resource-intensive process that affects effective application in an environment of large scale.

Ayodeji Oseni et al. [10] presented an explainable DL-based IDS that contains a Convolutional Neural Network (CNN) for resilient IDS in the transportation system of IoT. The SHapley Additive exPlanations (SHAP) technique was employed for interpreting decisions enabled by DL-based IDS to ensure the security of the IoT network. The SHAP technique has a solid theoretical foundation in cooperative game theory and has been widely employed in various applications of computer vision to analyze the CNN technique’s output. This approach enhances the resilience and transparency of CNN. However, utilizing SHAP in this approach was computationally expensive and intensive to run.

Kudzai Sauka et al. [11] introduced an adversarial robust and explainable IDS based on DNN using adversarial and XAI approaches. The min-max scaling was employed on a dataset to have the same scale feature. The SHAP was performed to extract significant features employed by the approach to classification. This approach was established with a lesser number of adversarial attacks. However, the introduced

approach lacks generalizability due to not containing modern attacks.

Thi-Thu-Huong Le et al. [12] developed an ML-based ensemble tree technique that contains DT and RF to increase the type of attack rate detection. Initially, model selection was employed to evaluate the optimal approach for tuning with adjusted hyperparameters in pre-processing. The SHAP was utilized in XAI for local and global explanation of the developed approach for binary and multi-class classifiers to maximize the trustworthiness of prediction outcomes. The developed approach was accurate and effective, and it also had less complexity and greater resource computing requirements. However, this ML-based IDS approach had data imbalance issues.

S. Sivamohan and S. S. Sridhar [13] implemented a BiLSTM-based XAI for IDS. Initially, the pre-processing is established by employing normalization and data cleaning to improve the quality of the data for IDS. The important features were chosen by utilizing Krill Herd Optimization (KHO). At last, the classification was performed employing Bi-LSTM-XAI, which classified the data and accurately detected the IDS. The Local Interpretable Model-Agnostic Explanation (LIME) and SHAP were employed to increase the interpretation of prediction outcomes. This approach generates greater privacy and security within the system of the network industry. However, this approach failed to detect the unknown attacks.

III. TAXONOMY

A taxonomy for two different methods, namely ML and DL, is established in this section for IDS by utilizing XAI. These two categories contain numerous approaches to the IDS that generate better outcomes compared to the traditional approaches. Figure 1 indicates the taxonomy diagram for the IDS.

Fig. 1. Taxonomy diagram for the IDS

A. Machine Learning Approaches (ML)

Different ML approaches are employed, namely Stacked RF, DT, RF, SVM, XGBoost, NB, XGB, AB and CB, and these approaches are briefly discussed below.

1) Balanced and Stacked RF: Tahmina Zebin et al. [14] presented an XAI-based ML approach that contained balanced and stacked RF to generate accurate detection and classification of Domain Name Service (DNS) over Hypertext Transfer Protocol Secure (HTTPS) attacks. The min-max normalization was employed for normalizing the data. Two primary functional phases were employed including balanced and stacked RF for IDS detection and classification. A balanced training layer with various sub-techniques and stacked classifiers was applied to DNS over HTTPS features for classification. A simple form of stacking was performed as an ensemble learning approach where various classifier predictions were utilized as new features for training a meta-classifier. The class-wise approach performance for testing and training set was established for the presented balanced stacked RF.

2) DT, RF, and SVM: Shruti Patil et al. [15] introduced an ensemble ML that contains DT, RF, and SVM for IDS. Then, the LIME explainable approach was employed to predict the model for better understanding and explainability of a black-box technique for reliable IDS. By employing supervised learning techniques, the RF establishes DT with training sets for maximizing their accuracy. RF employs the bagging approach to create ensembles of DT and provides various trees from bootstrapped subsamples of training data. DT permits an organization or individual to employ the possibilities, costs, and benefits of every action towards each other and utilize them to compare potential results. SVM establishes a boundary of decision that addresses the optimization issue for dividing various class labels.

3) XG-Boost: Pieter Barnard et al. [16] developed a two-stage pipeline for IDS that includes XG-Boost and SHAP. Initially, the XG-Boost was employed to generate supervised IDS and employed the SHAP technique to construct model explanations. In the second phase, these explanations were utilized for training the autoencoder to differentiate between prior and unseen attacks. The XG-Boost technique was generally challenging in interpreting the structure of an intricate ensemble, so an XAI approach was utilized to establish post-hoc explanation in the sub-block pipeline. The SHAP approach was performed to obtain an accurate tree-based model explanation with a polynomial complexity of time.

4) DT, NB, RF, XGB, AB, and CB: Nida Aslam et al. [17] implemented an XAI approach using ensemble ML to detect malicious domains. The ML techniques in this study contained DT, NB, and black box ensemble approaches such as RF, XGB, AB, and CB. Then, the SHAP and LIME techniques were employed to provide an XGB prediction explanation. A DT was related to a flowchart with each inner node representing an attribute test, each branch indicating test outcomes, and each leaf node storing class labels. NB was an approach to classification that followed the Bayes theorem, with every feature treated as independent of the other features. RF was a classification approach to compute the mean of the DT collection with numerous dataset subgroups to increase accuracy. XGB's primary goal was to maximize the performance and speed of the ML approach. AB employed detection from tiny one-level DT for providing a single
detection. Various features were categorical and for non-categorical attributes data encoding was established, so CB was utilized.

B. Deep Learning Approaches (DL)

Different kinds of DL approaches are employed such as LSTM, DNN, and Bi-LSTM and these approaches are briefly discussed below.

1) LSTM: Marwa Keshk et al. [18] presented an explainable Shapley Additive explanation, Permutation feature importance, individual conditional expectation, and Partial dependence plot (SPIP) for IDS in an IoT network. The DL-based LSTM was employed to detect cyberattacks and interpret the model’s decision. These employ an input feature set that was extracted by the SPIP technique for training and evaluating the LSTM technique. This generated LSTM approach has interpretability depending on input features. The extracted relationship by SPIP matches the features of a specific attack class. The SPIP increases the deployment of AI-based IDS in the system of cyber-defense.

2) DNN: Zakaria Abou El Houda et al. [19] introduced an XAI-based DNN approach to not only identify intrusions in the network of IoT but also explain critical decisions generated by DL-based IDS. Hence, the DL-based DNN technique was developed to detect IoT attacks in real time. Then, various XAI approaches like SHAP and RuleFit were established on the DNN technique to enable greater transparency, trust, and decision explanation enabled by DL-based IDS among cybersecurity experts. The XAI aim was to explore non-linear and linear techniques containing global and local explanations. The XAI-based DNN technique decreased the data sample probability to normal.

3) Bi-LSTM: S. Sivamohan et al. [20] developed a Trustworthy Explainable AI-Enhanced Krill Herd Optimization-IDS (TEA-EKHO-IDS) to identify breaches in Industrial Cyber-Physical systems (CPS). The IDS performance was optimized by the combination of XAI, Bi-LSTM, and Bayesian Optimization (BO) for effective classification. The Bi-LSTM hyperparameter was fine-tuned with BO to generate a robustly developed technique. Various features that impacted the approach’s final prediction were analyzed by employing SHAP to understand DL and the conventional classifier’s behavior. The developed approach employed XAI-EKO for feature selection which had the capabilities of global searching and rapid convergence time by computing the factor of decision-weight. However, this approach suffered from overfitting issues due to the count of epochs becoming too high which caused the accuracy to drop.

IV. COMPARATIVE ANALYSIS

The IDS systems are compared with existing techniques to maximize the model’s performance. The comparative analysis is essential in establishing and effectively increasing the performance of the model. Different performance evaluations like Accuracy, f1-score, recall, precision, AUC, Score time, and False Alarm Rate (FAR) are employed to evaluate the suggested approach’s performance. Table 1 indicates the comparative analysis of existing approaches.
TABLE I. COMPARATIVE ANALYSIS OF EXISTING APPROACHES

| Author | Methods | Advantages | Limitations | Performances Evaluation |
|---|---|---|---|---|
| Tahmina Zebin et al. [14] | XAI-based ML approach | XAI-based ML increased the privacy of users on the Internet by using the DNS protocol | The packet length mode from the transaction mode was less which affected the level of model confidence in the XAI-based ML approach | Accuracy, f1-score, recall, AUC, and precision |
| Shruti Patil et al. [15] | Ensemble ML techniques | This approach minimized the overfitting issues and processing time with improved model accuracy | Ensemble ML was not fully reliable in the greatly required working processes | Accuracy, f1-score, recall, and precision |
| Pieter Barnard et al. [16] | Two-stage pipeline | Two-stage pipeline provided greater performance by using XG-Boost and had the ability to manage missing values | XG-Boost suffered from overfitting issues due to various trees employed in the two-stage pipeline approach | Accuracy, recall, and precision |
| Nida Aslam et al. [17] | XAI-based ensemble ML | This approach enhanced the interpretability of the model | XAI-based ensemble ML was required to improve the performance with larger datasets | Accuracy, f1-score, recall, precision, and score time |
| Marwa Keshk et al. [18] | Explainable SPIP | The SPIP increased the deployment of the AI-based IDS in the system of cyber-defense | Explainable SPIP did not particularly determine the vulnerability that an attack class exploits. | Accuracy, f1-score, recall, and precision |
| Zakaria Abou El Houda et al. [19] | XAI-based DNN | The XAI-based DNN technique decreased the data sample probability to be normal | The DNN approach took longer time to detect IDS. | Feature score |
| S. Sivamohan et al. [20] | TEA-EKHO-IDS | This approach employs XAI-EKO for feature selection which had the capabilities of global searching and rapid convergence time by computing the factor of decision-weight | TEA-EKHO-IDS suffered from overfitting issues due to the count of epochs becoming too high which caused the accuracy to drop | Accuracy, F1-score, recall, precision, and FAR |
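
SHAP, which most of the approaches surveyed above use for local and global explanations, assigns each input feature its Shapley value from cooperative game theory. The following is an added example, not code from the paper or from the shap library: it computes exact Shapley values for a toy detector, and the feature names, baseline, scoring function and flows are all constructed for illustration. The evaluation count it returns (2^n coalitions) shows why exact computation becomes expensive as the feature count grows.

```python
from itertools import combinations
from math import factorial

# Hypothetical flow features, assumed min-max scaled to [0, 1].
FEATURES = ["pkt_len_mode", "flow_duration", "bytes_per_sec", "dns_query_rate"]
# Constructed reference point standing in for "normal" traffic.
BASELINE = (0.5, 0.5, 0.2, 0.1)
# Constructed flows; the first is the alert an analyst wants explained.
FLOWS = [(0.5, 0.1, 0.9, 0.8), (0.4, 0.6, 0.3, 0.1), (0.7, 0.2, 0.8, 0.9)]


def detector(x):
    """Toy anomaly score with a feature interaction; stands in for a trained IDS model."""
    _pkt, dur, bps, dns = x
    return 0.4 * bps + 0.2 * dns + 0.3 * bps * dns - 0.1 * dur


def shapley(model, x, baseline):
    """Exact Shapley values of model(x) relative to model(baseline).

    v(S) is the score when the features in S take the flow's values and the
    rest take the baseline's. Returns (phi, number_of_model_evaluations).
    """
    n = len(x)
    cache = {}

    def v(subset):
        if subset not in cache:
            mixed = tuple(x[i] if i in subset else baseline[i] for i in range(n))
            cache[subset] = model(mixed)
        return cache[subset]

    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for size in range(n):
            # Probability that exactly this coalition precedes feature i.
            weight = factorial(size) * factorial(n - size - 1) / factorial(n)
            for combo in combinations(others, size):
                s = frozenset(combo)
                phi[i] += weight * (v(s | {i}) - v(s))
    return phi, len(cache)


def global_importance(model, flows, baseline):
    """Global explanation: mean |phi| per feature over many flows, highest first."""
    totals = [0.0] * len(baseline)
    for flow in flows:
        phi, _ = shapley(model, flow, baseline)
        totals = [t + abs(p) for t, p in zip(totals, phi)]
    means = [t / len(flows) for t in totals]
    return sorted(zip(FEATURES, means), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    phi, evals = shapley(detector, FLOWS[0], BASELINE)
    print("score:", detector(FLOWS[0]), "baseline score:", detector(BASELINE))
    for name, p in zip(FEATURES, phi):
        print(f"  {name:15s} {p:+.4f}")   # local explanation of one decision
    print("model evaluations:", evals)
    print("global ranking:", global_importance(detector, FLOWS, BASELINE))
```

The local values sum to the difference between the flow's score and the baseline score, which is the property that lets an analyst read them as a full accounting of one alert.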

V. PROBLEM STATEMENT

The problems found with the general issues in the IDS are discussed below:

• Due to its dependency on established norms for interpretation, the XAI does not efficiently manage novel and sophisticated pattern attacks which makes it less flexible to unforeseen deviations in the patterns of data.

• Due to bad packets provided by bugs corrupting local packets and DNS data, the effectiveness of IDS is limited, which leads to a high FAR.

• There is a lag between the discovery of a new threat in the signature-based IDS and its signature being
employed in the IDS. Therefore, the identification of threats in IDS was inadequate during this time.

• Due to the rapid improvement of sophisticated attacks and cyber threats, IDS struggles to provide timely detection and response to cyber threat growth which increases security risk.

VI. SUMMARY

IDS analyzes network traffic for malicious transactions and transfers immediate alerts when they are detected. It is software that examines a system or network for policy violations and malicious activity. It evaluates the flow of data by network to look for signs and patterns of abnormal behavior. It identifies any performance problems on the network that are solved to increase the performance of the network. In this survey, different techniques are analyzed for IDS in XAI. The Balanced and Stacked RF, DT, SVM, NB, XGB, AB, and CB are employed as ML as well as LSTM, DNN, and Bi-LSTM, which are employed as DL for IDS. These techniques significantly develop and maximize the performance of a model in IDS.

REFERENCES

[1] Ayantayo, A., Kaur, A., Kour, A., Schmoor, X., Shah, F., Vickers, I., Kearney, P. and Abdelsamea, M.M., 2023. Network intrusion detection using feature fusion with deep learning. Journal of Big Data, 10(1), p.167.
[2] Siva Shankar, S., Hung, B.T., Chakrabarti, P., Chakrabarti, T. and Parasa, G., 2023. A novel optimization based deep learning with artificial intelligence approach to detect intrusion attack in network system. Education and Information Technologies, pp.1-25.
[3] Sarhan, M., Layeghy, S., Moustafa, N., Gallagher, M. and Portmann, M., 2022. Feature extraction for machine learning-based intrusion detection in IoT networks. Digital Communications and Networks.
[4] Selvapandian, D. and Santhosh, R., 2021. Deep learning approach for intrusion detection in IoT-multi cloud environment. Automated Software Engineering, 28, p.19.
[5] Kunang, Y.N., Nurmaini, S., Stiawan, D. and Suprapto, B.Y., 2024. An end-to-end intrusion detection system with IoT dataset using deep learning with unsupervised feature extraction. International Journal of Information Security.
[6] Bacha, S., Aljuhani, A., Abdellafou, K.B., Taouali, O., Liouane, N. and Alazab, M., 2022. Anomaly-based intrusion detection system in IoT using kernel extreme learning machine. Journal of Ambient Intelligence and Humanized Computing, pp.1-12.
[7] Younisse, R., Ahmad, A. and Abu Al-Haija, Q., 2022. Explaining intrusion detection-based convolutional neural networks using shapley additive explanations (shap). Big Data and Cognitive Computing, 6(4), p.126.
[8] Mohamed, S. and Ejbali, R., 2023. Deep SARSA-based reinforcement learning approach for anomaly network intrusion detection system. International Journal of Information Security, 22(1), pp.235-247.
[9] Liu, H., Zhong, C., Alnusair, A. and Islam, S.R., 2021. FAIXID: a framework for enhancing ai explainability of intrusion detection results using data cleaning techniques. Journal of network and systems management, 29(4), p.40.
[10] Oseni, A., Moustafa, N., Creech, G., Sohrabi, N., Strelzoff, A., Tari, Z. and Linkov, I., 2022. An explainable deep learning framework for resilient intrusion detection in IoT-enabled transportation networks. IEEE Transactions on Intelligent Transportation Systems, 24(1), pp.1000-1014.
[11] Sauka, K., Shin, G.Y., Kim, D.W. and Han, M.M., 2022. Adversarial robust and explainable network intrusion detection systems based on deep learning. Applied Sciences, 12(13), p.6451.
[12] Le, T.T.H., Kim, H., Kang, H. and Kim, H., 2022. Classification and explanation for intrusion detection system based on ensemble trees and SHAP method. Sensors, 22(3), p.1154.
[13] Sivamohan, S. and Sridhar, S.S., 2023. An optimized model for network intrusion detection systems in industry 4.0 using XAI based Bi-LSTM framework. Neural Computing and Applications, 35(15), pp.11459-11475.
[14] Zebin, T., Rezvy, S. and Luo, Y., 2022. An explainable AI-based intrusion detection system for DNS over HTTPS (DoH) attacks. IEEE Transactions on Information Forensics and Security, 17, pp.2339-2349.
[15] Patil, S., Varadarajan, V., Mazhar, S.M., Sahibzada, A., Ahmed, N., Sinha, O., Kumar, S., Shaw, K. and Kotecha, K., 2022. Explainable artificial intelligence for intrusion detection system. Electronics, 11(19), p.3079.
[16] Barnard, P., Marchetti, N. and DaSilva, L.A., 2022. Robust network intrusion detection through explainable artificial intelligence (XAI). IEEE Networking Letters, 4(3), pp.167-171.
[17] Aslam, N., Khan, I.U., Mirza, S., AlOwayed, A., Anis, F.M., Aljuaid, R.M. and Baageel, R., 2022. Interpretable machine learning models for malicious domains detection using explainable artificial intelligence (XAI). Sustainability, 14(12), p.7375.
[18] Keshk, M., Koroniotis, N., Pham, N., Moustafa, N., Turnbull, B. and Zomaya, A.Y., 2023. An explainable deep learning-enabled intrusion detection framework in IoT networks. Information Sciences, 639, p.119000.
[19] Abou El Houda, Z., Brik, B. and Senouci, S.M., 2022. A novel iot-based explainable deep learning framework for intrusion detection systems. IEEE Internet of Things Magazine, 5(2), pp.20-23.
[20] Sivamohan, S., Sridhar, S.S. and Krishnaveni, S., 2023. TEA-EKHO-IDS: An intrusion detection system for industrial CPS with trustworthy explainable AI and enhanced krill herd optimization. Peer-to-Peer Networking and Applications, 16(4), pp.1993-2021.
