Hybrid Explainable Intrusion Detection System: Global vs. Local Approach

Intrusion Detection Systems (IDSs) play a major role in detecting suspicious activities and alerting users of potential malicious adversaries. Security operators investigate these alerts and attempt to mitigate the risks and damage. Many IDS-related studies have focused on improving detection accuracy and reducing false positives; however, the operators need to understand the rationale behind IDS engines issuing an alert. In contrast to conventional rule-based engines, machine-learning-based engines use a detection mechanism that is like a black box, i.e., it is not designed to indicate a rationale. In this paper, we introduce an explainable IDS (X-IDS) that copes with the well-used XAI techniques to ensure that the system can explain the decisions. To this end, we used local interpretable model-agnostic explanations and Shapley additive explanations, and we evaluated their differing characteristics. We proposed our explanation framework that consists of the variable importance plot, individual value plot, and partial dependence plot. Furthermore, we conclude by discussing future issues regarding better explainable IDS.