Explainable Machine Learning for Network Intrusion Detection Using SHAP-Based Feature Interpretation
Abstract
Network Intrusion Detection Systems (NIDS) play a crucial role in protecting computer networks from increasingly sophisticated cyberattacks. Although machine learning techniques have demonstrated high detection performance, many models operate as black-box systems, making it difficult for security analysts to understand the reasoning behind prediction outcomes. This study proposes an explainable machine learning framework for network intrusion detection using the Random Forest algorithm and SHAP (SHapley Additive exPlanations)-based feature interpretation. The CICIDS2017 Friday-WorkingHours-Afternoon-DDos dataset was utilized to evaluate the effectiveness of the proposed approach. Data preprocessing included data cleaning, handling missing values, label encoding, and dataset partitioning. The Random Forest classifier was trained and evaluated using Accuracy, Precision, Recall, and F1-Score metrics. Experimental results demonstrated excellent classification performance, achieving an accuracy of 99.9889%, precision of 99.9922%, recall of 99.9883%, and F1-score of 99.9902%. Furthermore, SHAP analysis was employed to improve model interpretability by identifying the contribution of individual features to intrusion detection decisions. The results revealed that Fwd Packet Length Max, Destination Port, Avg Fwd Segment Size, and Fwd Packet Length Mean were among the most influential features affecting classification outcomes. The integration of Random Forest and SHAP not only achieved highly accurate intrusion detection but also enhanced transparency and trustworthiness by providing meaningful explanations for model predictions. Therefore, the proposed framework offers an effective and interpretable solution for network intrusion detection in modern cybersecurity environments.
References
P. W. Singer, A. Friedman, P. W. Singer, and A. Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know®. in What Everyone Needs To Know®. Oxford, New York: Oxford University Press, 2014.
“ENISA Threat Landscape 2023 | ENISA.” Accessed: Jun. 03, 2026. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023
“Cost of a data breach 2025 | IBM.” Accessed: Jun. 03, 2026. [Online]. Available: https://www.ibm.com/reports/data-breach
R. Sommer and V. Paxson, “Outside the Closed World: On Using Machine Learning for Network Intrusion Detection,” in 2010 IEEE Symposium on Security and Privacy, Oakland, CA, USA: IEEE, 2010, pp. 305–316. doi: 10.1109/SP.2010.25.
A. L. Buczak and E. Guven, “A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection,” IEEE Commun. Surv. Tutor., vol. 18, no. 2, pp. 1153–1176, 2016, doi: 10.1109/COMST.2015.2494502.
I. Sharafaldin, A. Habibi Lashkari, and A. A. Ghorbani, “Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization:,” in Proceedings of the 4th International Conference on Information Systems Security and Privacy, Funchal, Madeira, Portugal: SCITEPRESS - Science and Technology Publications, 2018, pp. 108–116. doi: 10.5220/0006639801080116.
L. Breiman, “Random Forests,” Mach. Learn., vol. 45, no. 1, pp. 5–32, Oct. 2001, doi: 10.1023/A:1010933404324.
J. Han, J. Pei, and H. Tong, Data mining: concepts and techniques, Fourth edition. Cambridge, MA, United States: Morgan Kaufmann Publishers, an imprint of Elsevier, 2023. doi: 10.1016/C2013-0-18660-6.
Z. C. Lipton, “The Mythos of Model Interpretability: In machine learning, the concept of interpretability is both important and slippery.,” Queue, vol. 16, no. 3, pp. 31–57, Jun. 2018, doi: 10.1145/3236386.3241340.
D. Gunning and D. W. Aha, “DARPA’s Explainable Artificial Intelligence Program,” AI Mag., vol. 40, no. 2, pp. 44–58, Jun. 2019, doi: 10.1609/aimag.v40i2.2850.
A. Barredo Arrieta et al., “Explainable Artificial Intelligence (XAI): Concepts, taxonomies, opportunities and challenges toward responsible AI,” Inf. Fusion, vol. 58, pp. 82–115, Jun. 2020, doi: 10.1016/j.inffus.2019.12.012.
S. Lundberg and S.-I. Lee, “A Unified Approach to Interpreting Model Predictions,” 2017, arXiv. doi: 10.48550/ARXIV.1705.07874.
S. Patil et al., “Explainable Artificial Intelligence for Intrusion Detection System,” Electronics, vol. 11, no. 19, p. 3079, Sep. 2022, doi: 10.3390/electronics11193079.
N. Capuano, G. Fenza, V. Loia, and C. Stanzione, “Explainable Artificial Intelligence in CyberSecurity: A Survey,” IEEE Access, vol. 10, pp. 93575–93600, 2022, doi: 10.1109/ACCESS.2022.3204171.
G. Rjoub et al., “A Survey on Explainable Artificial Intelligence for Cybersecurity,” IEEE Trans. Netw. Serv. Manag., vol. 20, no. 4, pp. 5115–5140, Dec. 2023, doi: 10.1109/TNSM.2023.3282740.
S. Neupane et al., “Explainable Intrusion Detection Systems (X-IDS): A Survey of Current Methods, Challenges, and Opportunities,” 2022, arXiv. doi: 10.48550/ARXIV.2207.06236.
T.-T.-H. Le, H. Kim, H. Kang, and H. Kim, “Classification and Explanation for Intrusion Detection System Based on Ensemble Trees and SHAP Method,” Sensors, vol. 22, no. 3, p. 1154, Feb. 2022, doi: 10.3390/s22031154.
I. C. Obagbuwa, M. N. Ngafeeson, O. F. Obagbuwa, and A. Tsetse, “Machine Learning and Explainable Artificial Intelligence for Network Intrusion Detection:,” Int. J. Inf. Secur. Priv., vol. 20, no. 1, pp. 1–22, Feb. 2026, doi: 10.4018/IJISP.402900.
Copyright (c) 2026 Eka Wahyu Sholeha, Dery Yuswanto Jaya, Qorry Aina Fitroh
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
