Explainable Machine Learning for Intrusion Detection

Intrusion detection systems (IDS) are essential tools to maintain robust cybersecurity. Machine learning (ML)-based IDS provides promising results. However, such IDS are recognized as black-box and lack trust and transparency. There is a limited number of explainable IDS (X-IDS). Moreover, several X-IDS used outdated datasets. Some papers used deep neural network which is computationally expensive. This paper proposes lightweight tree-based X-IDS using a recent IDS dataset. We explore the effectiveness of explainable artificial intelligence (XAI) techniques in increasing ML-based IDS transparency. Four ML algorithms are employed; viz. LightGBM, random forests, AdaBoost, and XGBoost; to classify a given network flow as benign or malicious. Network flows extracted from the CSE-CIC-IDS2018 dataset are used to evaluate the IDS models. The best F1-score results of 0.979 and 0.978 are achieved with LightGBM and XGBoost, respectively. We use SHapley Additive exPlanations (SHAP) and Local Model-Agnostic Explanations (LIME) techniques to provide global and local explanations for predictions made by the LightGBM. The obtained explanations in the form of graphs provide measurable insights for cybersecurity experts regarding the most important features that impact the detection of intrusions.