XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System
The rapid evolution of technologies such as the Internet of Things (IoT), 5G, and cloud computing has exponentially increased the complexity of cyber attacks. Modern Intrusion Detection Systems (IDSs) must be capable of identifying not only frequent, well-known attacks but also low-frequency, subtle...
Main Authors: | Maiada M. Mahmoud, Yasser Omar Youssef, Ayman A. Abdel-Hamid |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG 2025-01-01 |
Series: | Future Internet |
Subjects: | IDS, XAI, SHAP, LSTM, UNSW-NB15, CICIDS2017 |
Online Access: | https://www.mdpi.com/1999-5903/17/1/25 |
_version_ | 1832588394764435456 |
---|---|
author | Maiada M. Mahmoud, Yasser Omar Youssef, Ayman A. Abdel-Hamid |
author_facet | Maiada M. Mahmoud, Yasser Omar Youssef, Ayman A. Abdel-Hamid |
author_sort | Maiada M. Mahmoud |
collection | DOAJ |
description | The rapid evolution of technologies such as the Internet of Things (IoT), 5G, and cloud computing has exponentially increased the complexity of cyber attacks. Modern Intrusion Detection Systems (IDSs) must be capable of identifying not only frequent, well-known attacks but also low-frequency, subtle intrusions that are often missed by traditional systems. The challenge is further compounded by the fact that most IDS rely on black-box machine learning (ML) and deep learning (DL) models, making it difficult for security teams to interpret their decisions. This lack of transparency is particularly problematic in environments where quick and informed responses are crucial. To address these challenges, we introduce the XI2S-IDS framework—an Explainable, Intelligent 2-Stage Intrusion Detection System. The XI2S-IDS framework uniquely combines a two-stage approach with SHAP-based explanations, offering improved detection and interpretability for low-frequency attacks. Binary classification is conducted in the first stage followed by multi-class classification in the second stage. By leveraging SHAP values, XI2S-IDS enhances transparency in decision-making, allowing security analysts to gain clear insights into feature importance and the model’s rationale. Experiments conducted on the UNSW-NB15 and CICIDS2017 datasets demonstrate significant improvements in detection performance, with a notable reduction in false negative rates for low-frequency attacks, while maintaining high precision, recall, and F1-scores. |
format | Article |
id | doaj-art-19a6d0a120764a0ca85991f460c91cb1 |
institution | Kabale University |
issn | 1999-5903 |
language | English |
publishDate | 2025-01-01 |
publisher | MDPI AG |
record_format | Article |
series | Future Internet |
spelling | doaj-art-19a6d0a120764a0ca85991f460c91cb1; 2025-01-24T13:33:36Z; eng; MDPI AG; Future Internet; 1999-5903; 2025-01-01; 17; 1; 25; 10.3390/fi17010025; XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System; Maiada M. Mahmoud (0), Yasser Omar Youssef (1), Ayman A. Abdel-Hamid (2); (0) College of Computing and Information Technology, Arab Academy for Science, Technology, and Maritime Transport, Cairo P.O. Box 2033, Egypt; (1) School of Library and Information Studies, University of Oklahoma, Norman, OK 73019, USA; (2) College of Computing and Information Technology, Arab Academy for Science, Technology, and Maritime Transport, Alexandria P.O. Box 1029, Egypt; The rapid evolution of technologies such as the Internet of Things (IoT), 5G, and cloud computing has exponentially increased the complexity of cyber attacks. Modern Intrusion Detection Systems (IDSs) must be capable of identifying not only frequent, well-known attacks but also low-frequency, subtle intrusions that are often missed by traditional systems. The challenge is further compounded by the fact that most IDS rely on black-box machine learning (ML) and deep learning (DL) models, making it difficult for security teams to interpret their decisions. This lack of transparency is particularly problematic in environments where quick and informed responses are crucial. To address these challenges, we introduce the XI2S-IDS framework—an Explainable, Intelligent 2-Stage Intrusion Detection System. The XI2S-IDS framework uniquely combines a two-stage approach with SHAP-based explanations, offering improved detection and interpretability for low-frequency attacks. Binary classification is conducted in the first stage followed by multi-class classification in the second stage. By leveraging SHAP values, XI2S-IDS enhances transparency in decision-making, allowing security analysts to gain clear insights into feature importance and the model’s rationale. Experiments conducted on the UNSW-NB15 and CICIDS2017 datasets demonstrate significant improvements in detection performance, with a notable reduction in false negative rates for low-frequency attacks, while maintaining high precision, recall, and F1-scores.; https://www.mdpi.com/1999-5903/17/1/25; IDS; XAI; SHAP; LSTM; UNSW-NB15; CICIDS2017 |
spellingShingle | Maiada M. Mahmoud Yasser Omar Youssef Ayman A. Abdel-Hamid XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System Future Internet IDS XAI SHAP LSTM UNSW-NB15 CICIDS2017 |
title | XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System |
title_full | XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System |
title_fullStr | XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System |
title_full_unstemmed | XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System |
title_short | XI2S-IDS: An Explainable Intelligent 2-Stage Intrusion Detection System |
title_sort | xi2s ids an explainable intelligent 2 stage intrusion detection system |
topic | IDS XAI SHAP LSTM UNSW-NB15 CICIDS2017 |
url | https://www.mdpi.com/1999-5903/17/1/25 |
work_keys_str_mv | AT maiadammahmoud xi2sidsanexplainableintelligent2stageintrusiondetectionsystem AT yasseromaryoussef xi2sidsanexplainableintelligent2stageintrusiondetectionsystem AT aymanaabdelhamid xi2sidsanexplainableintelligent2stageintrusiondetectionsystem |