INTERPRETABLE MACHINE LEARNING FRAMEWORK FOR ANOMALY DETECTION IN INTRUSION DETECTION SYSTEMS USING XAI TECHNIQUES

 Machine learning (ML) is vital for robust cybersecurity, especially in intrusion detection systems (IDS). Yet complex ML models often act as "black boxes," hindering the trust and transparency crucial for security. This study tackles this by presenting a lightweight, interpretable ML framework for anomaly detection, building on prior research in secure authentication and anomaly detection.

Our framework employs Decision Trees and Random Forests, developing explainable classifiers trained on the public NSL-KDD dataset. We refined the preprocessing pipeline with normalization and one-hot encoding for optimal training. Model performance is rigorously assessed using standard metrics like accuracy, precision, recall, F1-score, and AUC-ROC. To clarify the models' decision-making, we integrate Explainable AI (XAI) techniques: SHAP (Shapley Additive Explanations) and LIME (Local Interpretable Model-Agnostic Explanations). Our findings highlight the trade-off between model complexity and interpretability, showing that simpler models can achieve competitive detection performance while offering clear reasoning for their predictions. The interpretability analysis, using SHAP summary plots, SHAP force plots, and LIME explanations, precisely identifies key features influencing detection decisions, explaining why certain network connections are flagged as anomalies.

This research emphasizes how XAI-driven transparency boosts trust in ML-powered security predictions. We also discuss relevant ethical considerations, including data privacy and potential adversarial misuse of interpretable models. Overall, this work significantly advances trustworthy IDS design by demonstrating that integrating accurate tree-based models with advanced XAI techniques can achieve both effective anomaly detection and profound, interpretable security insights. Furthermore, by preserving computing efficiency, the framework shows that it is practically ready for deployment in real-time security operations centers. This is a forward-looking addition to reliable cybersecurity systems, as future additions might incorporate integration with adaptive IDS methods and adversarial defense strategies.