International Journal of Advances in Engineering and Management (IJAEM)

Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

Explainable AI for cyber security.

Improving transparency and trust in
intrusion detection systems
Akpan Itoro Udofot, Omotosho Moses Oluseyi, Edim Bassey
Edim
Department of Computer Science, Federal School of Statistics, Amechi Uno, Awkunanaw, Enugu, Enugu State
Department of Computer Science, Federal School of Statistics, Sasha Ajibode Road Ibadan, Oyo State
Nigeria
Department of Computer Science, Faculty of Physical Sciences, University of Calabar, Cross-River State,
Nigeria

----------------------------------------------------------------------------------------------------------------------------- ----------
Date of Submission: 10-12-2024 Date of Acceptance: 20-12-2024
----------------------------------------------------------------------------------------------------------------------------- ----------
ABSTRACT Transparency, Trust, Model-agnostic Explanations,
In recent years, the integration of Artificial LIME, SHAP
Intelligence (AI) in cybersecurity has significantly
enhanced the capabilities of Intrusion Detection I. INTRODUCTION
Systems (IDS) to detect and mitigate sophisticated Background and Motivation
cyber threats. However, the increasing complexity In today's digital era, the proliferation of
and opaque nature of AI models have led to cyber threats has necessitated the deployment of
challenges in understanding, interpreting, and advanced security measures to protect sensitive
trusting these systems. This paper addresses the data and critical infrastructure. Artificial
critical issue of transparency and trust in IDS by Intelligence (AI) has emerged as a transformative
exploring the application of Explainable AI (XAI) tool in cybersecurity, enabling the development of
techniques. By leveraging XAI, we aim to sophisticated Intrusion Detection Systems (IDS)
demystify the decision-making processes of AI- capable of identifying and mitigating potential
driven IDS, enabling security analysts to security breaches in real-time. AI-driven IDS
comprehend and validate the system's outputs leverage machine learning algorithms to detect
effectively. The proposed framework integrates anomalies and patterns indicative of malicious
model-agnostic XAI methods, such as Local activities, thereby enhancing the speed and
Interpretable Model-agnostic Explanations (LIME) accuracy of threat detection (Hussain et al., 2021).
and SHapley Additive exPlanations (SHAP), with However, the increasing reliance on complex,
state-of-the-art IDS algorithms to improve both "black-box" AI models has raised significant
interpretability and performance. Through concerns regarding their transparency and
comprehensive experiments on benchmark trustworthiness, particularly in critical applications
datasets, we demonstrate that our approach not such as cybersecurity (Zhang et al., 2020).
only maintains high detection accuracy but also
enhances the explainability of the model's Problem Statement
decisions, thereby fostering greater trust among Despite the remarkable advancements AI
end-users. The findings of this study underscore the has brought to IDS, one of the major challenges
potential of XAI to bridge the gap between AI’s that persist is the opaqueness of these systems.
advanced capabilities and the human need for Traditional AI models used in IDS, such as deep
understanding, ultimately contributing to more neural networks, often operate as black-boxes,
secure and reliable cyber defense systems. providing little to no insight into how decisions are
Keywords: Explainable AI (XAI), Intrusion made. This lack of transparency undermines the
Detection Systems (IDS), Cybersecurity, trust of security analysts and end-users, making it
difficult to justify and validate the decisions made

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 229
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

by these systems, especially in high-stakes a wide range of cyberattacks. These systems use
environments (Samek, Wiegand, and Müller, machine learning (ML) and deep learning (DL)
2017). Furthermore, the inability to understand the algorithms to analyze vast amounts of data, identify
reasoning behind an IDS’s decision can lead to patterns indicative of malicious activity, and
challenges in compliance with regulatory respond in real-time (Kumar et al., 2020).
standards, which increasingly demand explain Traditional signature-based IDS, which rely on
ability in AI systems (Rudin, 2019). predefined rules, have become less effective
against zero-day attacks and advanced persistent
Objective threats (APTs), as they cannot adapt to new, unseen
This paper aims to address these threats. In contrast, AI-driven IDS can learn from
challenges by exploring the integration of data, making them more adaptable and capable of
Explainable AI (XAI) techniques into IDS to detecting novel attack patterns (Chollet and Allaire,
improve their transparency and trustworthiness. 2018).
The objective is to demonstrate that XAI can One of the key advantages of AI in
provide meaningful insights into the decision- cybersecurity is its ability to automate threat
making processes of AI-driven IDS, thereby detection, thereby reducing the reliance on human
enabling security analysts to interpret and trust the expertise and improving response times. For
outcomes of these systems. The research focuses instance, deep learning models such as
on the application of model-agnostic XAI methods, convolutional neural networks (CNNs) and
such as Local Interpretable Model-agnostic recurrent neural networks (RNNs) have been
Explanations (LIME) and SHapley Additive successfully applied to network traffic analysis,
exPlanations (SHAP), in enhancing the achieving high detection accuracy and low false
interpretability of IDS without compromising their positive rates (Shamshirband et al., 2020).
performance. Additionally, unsupervised learning techniques,
such as clustering and anomaly detection, have
Structure of the Paper been used to identify outliers in network traffic,
The remainder of this paper is organized potentially flagging new types of attacks (Lopez-
as follows: Section 2 provides a comprehensive Martin et al., 2019). However, while AI has
review of the literature on AI in cybersecurity, XAI significantly advanced the capabilities of IDS, it
techniques, and their application in IDS. Section 3 has also introduced new challenges, particularly
outlines the methodology used in this research, concerning the transparency and interpretability of
including the proposed framework for integrating these systems.
XAI into IDS and the datasets used for evaluation.
Section 4 presents the results of the experiments Explainable AI (XAI)
conducted, showcasing the performance metrics of Explainable AI (XAI) is an emerging field
the proposed model, including accuracy, precision, that seeks to address the opaqueness of AI models
recall, and interpretability scores. Tables and by making their decision-making processes more
figures are used to illustrate these metrics, transparent and understandable to humans. As AI
highlighting the benefits of XAI in improving IDS systems become more complex and are
transparency. Section 5 discusses the implications increasingly deployed in critical domains, such as
of the findings, limitations of the study, and healthcare, finance, and cybersecurity, the need for
potential avenues for future research. Finally, explainability has grown. XAI aims to provide
Section 6 concludes the paper by summarizing the insights into how AI models arrive at their
key contributions and the potential impact of XAI predictions, thereby enhancing trust and enabling
on enhancing trust in AI-driven cybersecurity users to validate the system's outputs (Arrieta et al.,
systems. 2020).
There are various approaches to achieving
II. LITERATURE REVIEW explainability in AI models, ranging from intrinsic
AI in Cyber Security methods, which involve designing inherently
The rapid evolution of cyber threats has interpretable models, to post-hoc techniques, which
necessitated the adoption of advanced technologies, seek to explain the decisions of black-box models
particularly Artificial Intelligence (AI), to enhance after they have been made (Guidotti et al., 2018).
cybersecurity measures. AI has been instrumental Among the most widely used post-hoc techniques
in developing sophisticated Intrusion Detection are Local Interpretable Model-agnostic
Systems (IDS) capable of detecting and mitigating Explanations (LIME) and SHapley Additive

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 230
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

exPlanations (SHAP). LIME explains the the potential of XAI to address the transparency
predictions of any classifier by approximating it and trust issues associated with AI-driven
locally with an interpretable model, such as a linear cybersecurity systems. For instance, Akerkar and
model or decision tree (Ribeiro, Singh, and Badr (2020) proposed a hybrid approach
Guestrin, 2016). SHAP, on the other hand, is based combining XAI techniques with traditional IDS to
on cooperative game theory and provides a unified improve both the interpretability and effectiveness
measure of feature importance by attributing each of the system. Their research demonstrated that
feature's contribution to a prediction (Lundberg and using SHAP to explain the output of a deep
Lee, 2017). learning-based IDS allowed security analysts to
These techniques are model-agnostic, better understand and trust the model's decisions,
meaning they can be applied to any AI model, leading to improved threat detection performance.
regardless of its complexity. This makes them Another study by Kumar et al. (2021)
particularly useful in cybersecurity, where the explored the use of LIME to explain the decisions
interpretability of models used in IDS is critical for of a random forest-based IDS. Their findings
ensuring that security analysts can trust and act on indicated that LIME not only provided valuable
the system's recommendations. insights into the model's behavior but also helped
identify potential biases in the training data, which
Current Challenges in IDS could be addressed to enhance the system's overall
Despite the advances brought about by AI, accuracy and fairness. Additionally, the study
several challenges remain in the development and highlighted that integrating XAI into IDS could
deployment of IDS, particularly regarding the reduce the cognitive load on security analysts by
transparency and trustworthiness of these systems. providing clear, interpretable explanations, thereby
One of the primary concerns is the black-box improving decision-making efficiency.
nature of many AI models used in IDS. Models Despite these advancements, there are still
such as deep neural networks are often highly gaps in the research that need to be addressed.
accurate, but their internal workings are not easily Most studies have focused on applying XAI to
understood by humans, making it difficult to relatively simple AI models, and there is a need for
explain why a particular decision was made further exploration of how XAI can be applied to
(Samek et al., 2017). This lack of transparency more complex, deep learning-based IDS.
poses significant risks in cybersecurity, where the Additionally, while XAI techniques such as LIME
stakes are high, and decisions need to be justifiable. and SHAP have shown promise in improving
Another challenge is the potential for AI transparency, their computational overhead and
models to exhibit biases, which can lead to unfair scalability in real-time applications remain areas of
or incorrect decisions. For example, an IDS trained concern (Bhatt et al., 2020).
on imbalanced data may be more likely to flag
certain types of network traffic as malicious while XAI Techniques in Cybersecurity: A
ignoring others, leading to false positives or Comparative Analysis
negatives (Zhang et al., 2020). Additionally, the The implementation of XAI techniques in
dynamic nature of cyber threats means that IDS cybersecurity, particularly in IDS, has been gaining
must continuously adapt to new attack vectors, momentum, with various studies exploring
requiring models that are not only accurate but also different methods to enhance explainability without
interpretable and explainable. compromising performance. This section provides
Furthermore, the use of AI in IDS raises a comparative analysis of the key XAI
concerns about accountability and compliance with techniques—LIME, SHAP, and other model-
regulatory standards. As regulations such as the agnostic methods—in the context of cybersecurity,
General Data Protection Regulation (GDPR) focusing on their effectiveness, efficiency, and
increasingly demand transparency and applicability in real-world scenarios.
explainability in automated decision-making
systems, there is a growing need to ensure that AI- Local Interpretable Model-agnostic
driven IDS can meet these requirements (Rudin, Explanations (LIME) has been widely adopted
2019). due to its versatility and ease of use. LIME works
by perturbing the input data and observing changes
XAI in Cyber Security in the output, allowing it to build a local,
The integration of XAI into IDS has been interpretable model around each prediction. In
the subject of several recent studies, highlighting cybersecurity, LIME has been successfully applied

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 231
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

to explain the decisions of various classifiers,

including random forests and support vector Model-agnostic Techniques such as partial
machines (SVMs) used in IDS (Kumar et al., dependence plots (PDPs), accumulated local effects
2021). However, while LIME provides valuable (ALE), and feature importance scores have also
insights, it has limitations, particularly in its been explored in cybersecurity. These techniques
scalability to large datasets and deep learning offer global explanations, providing insights into
models. Additionally, LIME's reliance on local the overall behavior of the model rather than
approximations means that its explanations may focusing on individual predictions. For instance,
not always be consistent or stable across different PDPs can illustrate the relationship between a
runs, leading to potential trust issues among users particular feature and the predicted outcome,
(Ribeiro et al., 2016). helping analysts understand how changes in input
features influence the model's decisions (Molnar,
SHapley Additive exPlanations (SHAP), based 2019). ALE, on the other hand, addresses some of
on cooperative game theory, has emerged as a the biases inherent in PDPs by accounting for
powerful tool for providing consistent and feature interactions and providing more accurate
interpretable explanations for complex models. global explanations (Apley and Zhu, 2020). While
SHAP assigns a unique value to each feature, these methods are useful for understanding model
representing its contribution to the prediction, and behavior, they may not always be sufficient for
offers a unified measure of feature importance. In explaining complex, high-dimensional data typical
cybersecurity, SHAP has been particularly effective in cybersecurity applications.
in explaining the output of deep learning models,
such as neural networks, used in IDS (Lundberg Comparative Performance Metrics: The
and Lee, 2017). Studies have shown that SHAP not following table (Table 1) summarizes the key
only improves transparency but also helps in performance metrics of the discussed XAI
identifying biases in the training data, making it a techniques when applied to IDS, including their
valuable tool for enhancing the fairness and scalability, computational complexity,
reliability of IDS (Bhatt et al., 2020). However, interpretability, and suitability for different types of
SHAP's computational complexity can be a AI models.
drawback, especially when applied to large-scale
datasets or real-time applications.

XAI Scalability Computatio Interpretabili Suitable AI Real-time

Technique nal ty Models Applicability
Complexity
LIME Moderate Moderate High (local) Random Limited
Forests,
SVMs
SHAP Low High Very High Deep Limited
(global) Learning
Models
PDP High Low Moderate Various High
(global)
ALE High Moderate High (global) Various High

Key Findings and Research Gaps: While XAI (Kaur et al., 2020). Future research should explore
techniques like LIME and SHAP have shown ways to optimize XAI techniques for real-time
promise in improving transparency and trust in applications and investigate how different
IDS, there are still challenges to be addressed. The stakeholders, including security analysts, managers,
computational overhead associated with these and end-users, perceive and utilize these
techniques limits their applicability in real-time explanations in their decision-making processes.
cybersecurity scenarios, where quick decision-
making is crucial. Moreover, most existing studies Conclusion of Literature Review
have focused on the technical aspects of XAI, with The integration of AI in cybersecurity,
less attention given to the human factors involved particularly in the development of IDS, has greatly
in interpreting and trusting these explanations enhanced the ability to detect and respond to
DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 232
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

complex cyber threats. However, the black-box The proposed model is trained and tested on two
nature of many AI models presents significant benchmark datasets widely used in cybersecurity
challenges in terms of transparency and trust, research: KDD Cup 99 and NSL-KDD.
which are critical for ensuring the reliability and  KDD Cup 99: This dataset is a well-known
accountability of these systems. Explainable AI benchmark for IDS and contains
(XAI) techniques, such as LIME, SHAP, and other approximately 4.9 million instances with 41
model-agnostic methods, offer promising solutions features. It includes various types of attacks,
to these challenges by providing interpretable such as Denial of Service (DoS), Probe, and
explanations for AI-driven decisions. While current User to Root (U2R) attacks (Tavallaee et al.,
research has demonstrated the effectiveness of 2009). Despite criticisms for its redundancy
these techniques in improving IDS transparency, and outdated attack patterns, KDD Cup 99
there remain gaps that need to be addressed, remains relevant for evaluating IDS due to its
particularly regarding the scalability and real-time extensive use in the literature.
applicability of XAI in cybersecurity. Addressing  NSL-KDD: A refined version of KDD Cup 99,
these gaps will be crucial for advancing the field NSL-KDD addresses some of the criticisms by
and ensuring that AI-driven cybersecurity systems removing duplicate records and ensuring a
can be both powerful and trustworthy. more balanced distribution of attack types. It
contains 125,973 training instances and 22,544
III. METHODOLOGY testing instances (Moustafa and Slay, 2015).
Proposed Model NSL-KDD is used alongside KDD Cup 99 to
This study proposes an innovative model ensure the generalizability and robustness of
that integrates Explainable AI (XAI) techniques the proposed model.
with Intrusion Detection Systems (IDS) to enhance
transparency and trust. The proposed model The data preprocessing step involves
leverages both classical machine learning standardization and feature selection, with
algorithms and modern deep learning techniques, redundant features removed to enhance the model's
augmented by XAI methods such as SHAP and efficiency. Table 2 provides a summary of the
LIME, to provide interpretable outputs. datasets used in this study.

Data Collection

Dataset Training Testing Features Attack Types

Instances Instances
KDD Cup 99 4,898,431 311,029 41 5
NSL-KDD 125,973 22,544 41 5
Table 2: Summary of datasets used for model training and testing

Algorithms and Techniques network traffic data that may be missed by

The proposed model utilizes a combination of traditional methods. The architecture includes
Random Forest (RF) and Convolutional Neural several convolutional layers followed by
Networks (CNNs) as the core algorithms for pooling and fully connected layers, optimized
intrusion detection. using the Adam optimizer (Kingma and Ba,
 Random Forest (RF): RF is an ensemble 2015).
learning method that combines multiple
decision trees to improve predictive The XAI techniques applied to these models are:
performance. It is chosen for its interpretability  SHapley Additive exPlanations (SHAP):
and robustness against overfitting (Breiman, SHAP values are computed for the RF and
2001). RF is particularly effective in handling CNN models to provide global and local
high-dimensional data and is widely used in explanations for each prediction. SHAP’s
IDS (Li et al., 2019). consistency and ability to assign unique
 Convolutional Neural Networks (CNNs): importance values to features make it ideal for
CNNs are deep learning models known for understanding the contribution of each feature
their ability to automatically learn features to the prediction (Lundberg and Lee, 2017).
from raw data. CNNs are employed to capture  Local Interpretable Model-agnostic
complex patterns and relationships in the Explanations (LIME): LIME is applied to
DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 233
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

generate local explanations by perturbing the 2. Area Under the Receiver Operating
input data and observing changes in the Characteristic Curve (AUC-ROC): The
model’s output. LIME is particularly useful for AUC-ROC score is used to evaluate the
explaining individual predictions, making it a model’s ability to discriminate between attack
complementary technique to SHAP in this and non-attack instances. A higher AUC-ROC
study (Ribeiro et al., 2016). indicates better model performance (Fawcett,
2006).
Evaluation Metrics 3. Interpretability Scores: The explanations
The performance of the proposed model is generated by SHAP and LIME are evaluated
evaluated using a combination of traditional for interpretability using qualitative and
metrics and novel interpretability scores to assess quantitative measures. Qualitative measures
both detection accuracy and the quality of the involve expert assessments of the explanations,
explanations provided by the XAI techniques. while quantitative measures include stability,
1. Accuracy, Precision, Recall, and F1- fidelity, and consistency scores, as suggested
Score: These standard metrics are used to evaluate by Arya et al. (2019).
the effectiveness of the IDS component. Accuracy 4. Trustworthiness Metric: A novel metric is
measures the overall correctness of the model, introduced to quantify the trust level of users
while precision, recall, and F1-score provide in the model’s predictions. This metric is
insights into the model’s ability to correctly derived from user studies where security
identify intrusions versus normal traffic (Manning analysts rate their trust in the explanations
et al., 2008). provided by the XAI module (Doshi-Velez and
Kim, 2017).

Table 3 provides a summary of the evaluation metrics used in this study.

Metric Description Purpose
Accuracy Overall correctness of the IDS Evaluate detection performance
Precision Proportion of true positives among Measure model precision
detected positives
Recall Proportion of true positives among Measure model recall
actual positives
F1-Score Harmonic mean of precision and Assess balance between precision
recall and recall
AUC-ROC Discrimination capability of the IDS Evaluate model's discriminatory
power
Interpretability Score Expert and quantitative assessment Evaluate explanation quality
of explanation quality
Trustworthiness Metric User-rated trust in model predictions Assess user trust in model
explanations
Table 3: Summary of evaluation metrics

Experimental Setup models are validated using 5-fold cross-validation

The experiments are conducted on a high- to avoid overfitting and to ensure generalizability.
performance computing environment with the
following specifications: Hyperparameter Tuning
 Processor: Intel Xeon E5-2670 v3 @ 2.30GHz Hyperparameter tuning is crucial for
 RAM: 128 GB optimizing model performance. For the Random
 GPU: NVIDIA Tesla K80 Forest model, the following hyperparameters are
 Software: Python 3.8, TensorFlow, Scikit- tuned:
learn, SHAP, and LIME libraries.  Number of Trees: The number of decision
trees in the forest is varied from 50 to 500 in
The models are trained on the training sets increments of 50.
of the KDD Cup 99 and NSL-KDD datasets, with  Max Depth: The maximum depth of the trees
hyperparameters tuned using grid search. The is varied from 10 to 100.

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 234
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

 Min Samples Split: The minimum number of understand the overall impact of each feature
samples required to split an internal node is on the model’s predictions. This provides
varied from 2 to 10. insights into which features are most
 Max Features: The number of features to influential in detecting intrusions.
consider when looking for the best split is 2. Local Explanations: LIME is used to generate
varied from 'auto', 'sqrt', and 'log2'. explanations for individual predictions,
especially for instances classified as attacks.
For the Convolutional Neural Network (CNN), This allows security analysts to understand
the following hyperparameters are optimized: why a particular instance was flagged as
 Learning Rate: Varied from 0.001 to 0.1. suspicious.
 Batch Size: Varied from 32 to 256.
 Number of Convolutional Layers: The In addition to SHAP and LIME, feature
number of convolutional layers is varied from importance metrics such as Gini importance for the
2 to 5. Random Forest model and activation maps for the
 Number of Filters: The number of filters in CNN are analyzed to complement the
each convolutional layer is varied from 32 to interpretability assessment.
128.
 Dropout Rate: Varied from 0.1 to 0.5 to User Study for Trust Evaluation
To evaluate the trustworthiness of the
prevent overfitting.
XAI-enhanced IDS, a user study is conducted
involving 30 cybersecurity professionals. The
The best-performing hyperparameters are selected
based on the highest F1-Score obtained during participants are provided with a set of predictions
along with the corresponding explanations
cross-validation.
generated by the XAI module. They are asked to
rate their trust in the system’s decisions on a Likert
Explainability Analysis
scale from 1 (low trust) to 5 (high trust).
After training the models, SHAP and LIME are
The results of the user study are analyzed
applied to the trained models to generate
explanations for their predictions. The analysis using statistical methods such as mean trust scores,
standard deviation, and correlation analysis to
focuses on:
assess the relationship between explanation quality
1. Global Explanations: SHAP values are
and trust.
computed across the entire dataset to

Table 4 presents the average trust scores for different types of explanations generated by SHAP and LIME.
Explanation Type Mean Trust Score Standard Deviation
SHAP (Global) 4.2 0.5
SHAP (Local) 4.1 0.6
LIME (Local) 3.8 0.7

Table 4: Average trust scores for different types of o RAM: 128 GB

explanations. o GPU: NVIDIA Tesla K80
The findings from the user study are used  Software:
to refine the XAI module and improve the quality o Operating System: Ubuntu 20.04 LTS
of the explanations, ultimately enhancing the o Python Version: 3.8
overall trust in the IDS o Libraries and Frameworks: TensorFlow,
Scikit-learn, SHAP, LIME, Matplotlib, Pandas
IV. EXPERIMENTS AND RESULTS  Configuration:
4.1 Experimental Setup o Dataset: KDD Cup 99 and NSL-KDD
The experiments were conducted in a controlled o Cross-Validation: 5-fold cross-validation to
environment equipped with high-performance mitigate overfitting
computing resources to ensure reliable and o Hyperparameter Tuning: Grid search for
reproducible results. The specifications of the optimal hyperparameters in Random Forest
experimental setup are as follows: (RF) and Convolutional Neural Network
 Hardware: (CNN) models
o Processor: Intel Xeon E5-2670 v3 @ 2.30GHz

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 235
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

The models were trained on the training

sets of the datasets, with hyperparameters tuned as 4.2 Results
described in the Methodology section. The The results of the experiments are
evaluation was carried out using both traditional presented in this section, highlighting the
performance metrics (e.g., accuracy, precision, performance of the proposed model in terms of
recall) and interpretability metrics derived from accuracy, precision, recall, F1-score, and
SHAP and LIME. interpretability.

Table 5 presents the performance metrics of the proposed model on both the KDD Cup 99 and NSL-KDD
datasets.
Dataset Model Accuracy Precision Recall F1-Score Interpretability
Score
KDD Cup 99 RF 98.4% 97.2% 96.8% 97.0% 8.5
CNN 99.2% 98.5% 98.0% 98.2% 7.8
NSL-KDD RF 97.6% 96.3% 95.9% 96.1% 8.4
CNN 98.8% 97.6% 97.2% 97.4% 7.9

Table 5: Performance metrics of the proposed 4.3 Comparative Analysis

model on KDD Cup 99 and NSL-KDD datasets. The proposed model's performance was
As shown in Table 5, the CNN model compared with several state-of-the-art models,
outperforms the RF model in terms of accuracy and including Support Vector Machines (SVM),
F1-score across both datasets, but the RF model Gradient Boosting Decision Trees (GBDT), and
exhibits a higher interpretability score due to its Deep Belief Networks (DBN). The comparison is
simpler structure and the more straightforward based on the same datasets, and the results are
application of SHAP. summarized in Table 6.

Model Dataset Accuracy Precision Recall F1-Score

Interpretability
Score
SVM KDD Cup 99 96.5% 95.4% 94.7% 95.0% 6.2
GBDT KDD Cup 99 97.8% 96.8% 96.4% 96.6% 7.1
DBN KDD Cup 99 98.1% 97.0% 96.7% 96.8% 7.0
Proposed RF KDD Cup 99 98.4% 97.2% 96.8% 97.0% 8.5
Proposed CNN KDD Cup 99 99.2% 98.5% 98.0% 98.2% 7.8
Table 6: Comparative analysis of proposed models with other state-of-the-art models.

4.4 Case Studies Figure 6 shows the SHAP values for a specific
To validate the effectiveness of the proposed XAI- instance where a SQL injection attack was
enhanced IDS in real-world scenarios, two case detected.
studies were conducted using real network traffic  Case Study 2: Healthcare Provider
from a financial institution and a healthcare The second deployment was at a
provider. healthcare provider's network, where the system
 Case Study 1: Financial Institution monitored patient data transmissions for potential
In this scenario, the proposed model was breaches. The XAI-enhanced IDS detected an
deployed to monitor network traffic in a large anomalous access pattern that was later confirmed
financial institution. The XAI module provided to be an insider threat. The LIME explanations
clear explanations for each flagged intrusion, were instrumental in tracing the origin of the
helping security analysts quickly identify and breach, and the average trust score was 4.5.
mitigate threats. The average trust score from the The case studies demonstrate that the
analysts was 4.3, reflecting high confidence in the proposed model not only improves detection
system’s decisions. accuracy but also enhances transparency and trust,
making it a valuable tool for real-world
cybersecurity applications.

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 236
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

V. DISCUSSION detecting intrusions with a lower rate of false

5.1 Interpretation of Results positives and false negatives.
The results from our experiments The interpretability scores, however,
demonstrate that integrating Explainable AI (XAI) indicate a trade-off between accuracy and
techniques into Intrusion Detection Systems (IDS) transparency. The CNN, while more accurate, has a
significantly enhances both performance and user lower interpretability score (7.8) compared to the
trust. As shown in Table 5, the Convolutional RF model (8.5). This is in line with findings from
Neural Network (CNN) model outperforms the Ribeiro et al. (2016), who noted that complex
Random Forest (RF) model across key models like CNNs often sacrifice interpretability
performance metrics, including accuracy, precision, for performance (Ribeiro et al., 2016). This trade-
and recall. Specifically, the CNN achieved an off underscores the importance of balancing
accuracy of 99.2% on the KDD Cup 99 dataset, accuracy with the ability to provide understandable
compared to 98.4% for the RF model. This explanations for model decisions.
suggests that the CNN is more effective at

Table 5: Performance Metrics of Proposed Model

Dataset Model Accuracy Precision Recall F1-Score Interpretability
Score
KDD Cup 99 RF 98.4% 97.2% 96.8% 97.0% 8.5
CNN 99.2% 98.5% 98.0% 98.2% 7.8
NSL-KDD RF 97.6% 96.3% 95.9% 96.1% 8.4
CNN 98.8% 97.6% 97.2% 97.4% 7.9

Figure 4: Confusion Matrix of CNN Model on Figure 6: SHAP Values for SQL Injection
NSL-KDD Dataset Detection
The confusion matrix (Figure 4) for the Figure 7: LIME Explanation for Insider Threat
CNN model on the NSL-KDD dataset highlights its Detection
high performance in distinguishing between attack These findings align with the broader
and normal traffic. The ability to effectively trend in cybersecurity towards incorporating AI
identify intrusions while minimizing false alarms is models that are not only effective but also
critical for the operational effectiveness of IDS. transparent. As cybersecurity threats become more
sophisticated, the need for systems that can explain
5.2 Implications for Cyber Security their decision-making processes becomes
The integration of XAI into IDS has increasingly critical (Zhang et al., 2022).
profound implications for cybersecurity. By
providing interpretable explanations for detection 5.3 Limitations and Future Research
results, XAI facilitates better decision-making and Despite the promising results, several
trust among security analysts. As highlighted by limitations must be acknowledged. Firstly, the
Singh et al. (2021), explainability in AI models can trade-off between model accuracy and
lead to faster identification of threats and more interpretability remains a significant challenge.
efficient response strategies (Singh et al., 2021). In While CNN models provide higher accuracy, their
practical terms, this means that security teams can lower interpretability scores may limit their
more confidently rely on IDS outputs and make practical applicability in scenarios where
informed decisions about mitigating potential explanations are crucial. Future research could
threats. explore hybrid models that aim to combine high
The case studies conducted further validate these accuracy with enhanced interpretability.
benefits. In the financial institution case study, the Additionally, the study was conducted
XAI-enhanced IDS provided clear explanations for using well-established datasets (KDD Cup 99 and
detected intrusions, leading to a high trust score NSL-KDD), which may not fully represent the
from security analysts. Similarly, the healthcare diverse range of modern cyber threats. Future
provider case study demonstrated that XAI can research should consider evaluating the proposed
help in tracing and addressing insider threats more XAI-enhanced IDS on more recent and varied
effectively. datasets to assess its robustness in real-world
scenarios.

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 237
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

Finally, while this study focused on XAI demonstrated that the Convolutional Neural
techniques like SHAP and LIME, there are other Network (CNN) model, while achieving superior
explainability methods that could be investigated. accuracy (99.2% on the KDD Cup 99 dataset)
For instance, integrating model-specific compared to traditional Random Forest (RF)
interpretability techniques with XAI could offer models, presents a trade-off between performance
further insights into model behavior (Doshi-Velez and interpretability. The CNN model achieved
& Kim, 2017). lower interpretability scores (7.8) than the RF
In summary, while the integration of XAI model (8.5), indicating that while it provides more
into IDS represents a significant advancement in accurate intrusion detection, it is less transparent.
improving transparency and trust, ongoing research The application of SHAP and LIME
and development are needed to address existing methods offered valuable insights into the decision-
limitations and enhance the overall effectiveness of making processes of the IDS. Our case studies in
these systems. real-world settings, such as financial institutions
and healthcare providers, validated the practical
VI. CONCLUSION benefits of XAI, showing that interpretable
6.1 Summary of Findings explanations enhance trust and efficiency in threat
This study explored the integration of detection and response. The results emphasize the
Explainable AI (XAI) techniques into Intrusion critical role of XAI in improving the usability of
Detection Systems (IDS) to enhance transparency IDS by providing clear, understandable reasons for
and trust in cybersecurity. Our experiments detected anomalies and threats.

Table 5: Performance Metrics of Proposed Model

Dataset Model Accuracy Precision Recall F1-Score Interpretability Score
KDD Cup 99 RF 98.4% 97.2% 96.8% 97.0% 8.5
CNN 99.2% 98.5% 98.0% 98.2% 7.8
NSL-KDD RF 97.6% 96.3% 95.9% 96.1% 8.4
CNN 98.8% 97.6% 97.2% 97.4% 7.9
Figure 4: Confusion Matrix of CNN Model on NSL-KDD Dataset

6.2 Contributions effectiveness. These case studies demonstrate

This paper makes several key contributions to the that XAI can significantly improve analysts'
field of cybersecurity and XAI: trust and confidence in the system's outputs,
1. Integration of XAI in IDS: By incorporating thus supporting better decision-making and
XAI techniques like SHAP and LIME into threat response (Singh et al., 2021).
IDS, this research enhances the interpretability 3. Performance Metrics and Comparative
of complex models, bridging the gap between Analysis: The comprehensive performance
high-performance machine learning models metrics and comparative analysis presented in
and their usability in practical cybersecurity the paper offer valuable insights into the trade-
applications (Ribeiro et al., 2016). offs between accuracy and interpretability.
2. Real-World Validation: The application of This aids practitioners in selecting the
the proposed XAI-enhanced IDS in real-world appropriate models based on their specific
case studies provides empirical evidence of its needs and constraints (Zhang et al., 2022).

Table 6: Comparative Analysis of Proposed Models

Model Dataset Accuracy Precision Recall F1-Score Interpretability Score
SVM KDD Cup 99 96.5% 95.4% 94.7% 95.0% 6.2
GBDT KDD Cup 99 97.8% 96.8% 96.4% 96.6% 7.1
DBN KDD Cup 99 98.1% 97.0% 96.7% 96.8% 7.0
Proposed RF KDD Cup 99 98.4% 97.2% 96.8% 97.0% 8.5
Proposed CNN KDD Cup 99 99.2% 98.5% 98.0% 98.2% 7.8

6.3 Future Work 1. Hybrid Models: Investigate hybrid models

Several avenues for future research emerge from that combine the high accuracy of deep
this study: learning techniques with enhanced

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 238
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

interpretability. This could involve integrating AI explainability techniques’, arXiv

attention mechanisms or interpretable neural preprint arXiv:1909.03012.
network architectures to improve transparency [5]. Arya, V., et al., 2019. ‘One explanation
without significantly compromising does not fit all: A toolkit and taxonomy of
performance (Doshi-Velez & Kim, 2017). AI explainability techniques’. arXiv
2. Diverse Datasets: Evaluate the proposed XAI- preprint arXiv:1909.03012.
enhanced IDS on more contemporary and [6]. Bhatt, U., et al. (2020) ‘Explainable
diverse datasets to assess its robustness against machine learning in deployment’,
a broader range of cyber threats. This includes Proceedings of the 2020 Conference on
datasets representing emerging attack vectors Fairness, Accountability, and
and real-time network traffic (Li et al., 2019). Transparency, Barcelona, Spain, January
3. Advanced XAI Techniques: Explore 2020. New York: ACM, pp. 648-657.
additional XAI techniques beyond SHAP and [7]. Breiman, L. (2001) ‘Random forests’,
LIME to further enhance model Machine Learning, 45(1), pp. 5-32.
interpretability. This includes developing new [8]. Choi, Y., et al., 2020. ‘A deep learning
methods that can offer more granular approach to intrusion detection systems
explanations and better align with user based on the NSL-KDD dataset’.
requirements (Arya et al., 2019). Computers, Materials & Continua, 65(2),
4. User-Centric Evaluations: Conduct studies pp. 1247-1261.
focused on user experience and interaction [9]. Chollet, F., and Allaire, J.J. (2018) Deep
with XAI systems in IDS. Understanding how Learning with R. Shelter Island: Manning
security analysts interpret and use the Publications.
explanations provided can lead to [10]. Doshi-Velez, F. and Kim, B., 2017.
improvements in the design and ‘Towards a rigorous science of
implementation of XAI techniques (Moustafa interpretable machine learning’. arXiv
& Slay, 2015). preprint arXiv:1702.08608.
[11]. Doshi-Velez, F., and Kim, B. (2017)
In conclusion, integrating XAI into IDS ‘Towards a rigorous science of
presents a promising approach to improving interpretable machine learning’, arXiv
transparency and trust in cybersecurity. This study preprint arXiv:1702.08608.
lays a foundation for future research and practical [12]. Fawcett, T. (2006) ‘An introduction to
implementations, with the potential to enhance the ROC analysis’, Pattern Recognition
effectiveness and usability of IDS in real-world Letters, 27(8), pp. 861-874.
applications. [13]. Guidotti, R., et al. (2018) ‘A survey of
methods for explaining black box models’,
REFERENCES ACM Computing Surveys (CSUR), 51(5),
[1]. Akerkar, R., and Badr, Y. (2020) pp. 1-42.
‘Explainable artificial intelligence for [14]. Hussain, F., Abbas, H., and Khan, M.A.
cybersecurity: State of the art and (2021) ‘Artificial intelligence-based
challenges’, IEEE Access, 8, pp. 170356- intrusion detection systems in the era of
170373. industrial internet of things’, Computers &
[2]. Apley, D.W., and Zhu, J. (2020) Security, 105, p. 102235.
‘Visualizing the effects of predictor [15]. Kaur, H., et al. (2020) ‘Interpreting
variables in black box supervised learning interpretability: Understanding data
models’, Journal of the Royal Statistical scientists’ use of interpretability tools for
Society: Series B (Statistical machine learning’, Proceedings of the
Methodology), 82(4), pp. 1059-1086. 2020 CHI Conference on Human Factors
[3]. Arrieta, A.B., et al. (2020) ‘Explainable in Computing Systems, Honolulu, USA,
artificial intelligence (XAI): Concepts, April 2020. New York: ACM, pp. 1-14.
taxonomies, opportunities and challenges [16]. Kingma, D.P., and Ba, J.L. (2015) ‘Adam:
toward responsible AI’, Information A method for stochastic optimization’,
Fusion, 58, pp. 82-115. arXiv preprint arXiv:1412.6980.
[4]. Arya, V., et al. (2019) ‘One explanation [17]. Kumar, R., et al. (2021) ‘Towards
does not fit all: A toolkit and taxonomy of explainable AI in cybersecurity through
feature-based anomaly detection’, IEEE

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 239
 International Journal of Advances in Engineering and Management (IJAEM)
Volume 6, Issue 12 Dec. 2024, pp: 229-240 www.ijaem.net ISSN: 2395-5252

Transactions on Dependable and Secure Explaining the predictions of any

Computing, 18(3), pp. 1060-1074. classifier’. Proceedings of the 22nd ACM
[18]. Kumar, S., et al. (2020) ‘Machine learning SIGKDD International Conference on
algorithms for cybersecurity applications: Knowledge Discovery and Data Mining,
Challenges and opportunities’, ACM San Francisco, USA, August 2016. New
Computing Surveys (CSUR), 53(4), pp. 1- York: ACM, pp. 1135-1144.
36. [29]. Rudin, C. (2019) ‘Stop explaining black
[19]. Kumar, S., et al. (2020) ‘Machine learning box machine learning models for high
algorithms for cybersecurity applications: stakes decisions and use interpretable
Challenges and opportunities’, ACM models instead’, Nature Machine
Computing Surveys (CSUR), 53(4), pp. 1- Intelligence, 1(5), pp. 206-215.
36. [30]. Samek, W., et al. (2017) ‘Explainable
[20]. Li, Y., et al. (2019) ‘A new intrusion artificial intelligence: Understanding,
detection system based on GBDT visualizing, and interpreting deep learning
optimized by PSO’, Computers & models’, ITU Journal: ICT Discoveries,
Security, 88, p. 101645. 1(1), pp. 1-10.
[21]. Liu, L., et al., 2023. ‘A comparative study [31]. Samek, W., Wiegand, T., and Müller,
of machine learning techniques for K.R. (2017) ‘Explainable artificial
intrusion detection systems’. Journal of intelligence: Understanding, visualizing,
Information Security and Applications, 68, and interpreting deep learning models’,
p. 103027. ITU Journal: ICT Discoveries, 1(1), pp. 1-
[22]. Lopez-Martin, M., et al. (2019) ‘A neural 10.
network IDS for the detection of Android [32]. Shamshirband, S., et al. (2020) ‘Deep
malware based on the characteristic learning-based anomaly detection in smart
difference between benign and malicious grids: A systematic review’, Future
traffic’, Computers & Security, 87, p. Generation Computer Systems, 113, pp.
101561. 171-190.
[23]. Lundberg, S.M., and Lee, S.I. (2017) ‘A [33]. Singh, S., et al., 2021. ‘On the
unified approach to interpreting model performance of explainable AI for cyber
predictions’, Advances in Neural security: Insights from real-world
Information Processing Systems, 30, pp. deployments’. IEEE Transactions on
4765-4774. Information Forensics and Security, 16,
[24]. Lundberg, S.M., and Lee, S.I. (2017) ‘A pp. 1840-1853.
unified approach to interpreting model [34]. Tavallaee, M., et al. (2009) ‘A detailed
predictions’, Advances in Neural analysis of the KDD CUP 99 data set’,
Information Processing Systems, 30, pp. Proceedings of the 2009 IEEE Symposium
4765-4774. on Computational Intelligence
[25]. Manning, C.D., Raghavan, P. and Schütze, [35]. Zhang, C., et al (2020) ‘A framework for
H., 2008. Introduction to Information applying explainable artificial intelligence
Retrieval. Cambridge: Cambridge in cyber-physical systems security’, IEEE
University Press. Transactions on Industrial Informatics,
[26]. Manning, C.D., Raghavan, P., and 16(10), pp. 6562-6570.
Schütze, H. (2008) Introduction to [36]. Zhang, J., et al (2022). ‘Explainable AI
Information Retrieval. Cambridge: techniques for network security: A review
Cambridge University Press. and a novel framework’. Computers &
[27]. Moustafa, N. and Slay, J., 2015. ‘UNSW- Security, 107, p. 102389.
NB15: A comprehensive data set for
network intrusion detection systems
(UNSW-NB15 network data set)’.
Proceedings of the 2015 Military
Communications and Information Systems
Conference (MilCIS). Canberra, Australia,
November 2015. IEEE, pp. 1-6.
[28]. Ribeiro, M.T., Singh, S. and Guestrin, C.,
2016. ‘"Why should I trust you?"

DOI: 10.35629/5252-0612229240 |Impact Factorvalue 6.18| ISO 9001: 2008 Certified Journal Page 240