EXPLAINABLE TRANSFORMER-BASED INTRUSION DETECTION SYSTEM FOR ZERO-DAY CYBER ATTACK DETECTION USING SHAP AND LIME

Authors

  • Shamikh Imran
  • Zobia shabeer
  • Muhammad Naeem

Keywords:

Intrusion Detection System, Cybersecurity, Transformer Neural Networks, Explainable Artificial Intelligence, SHAP, LIME, Zero-Day Attack Detection, Deep Learning, Network Security.

Abstract

Traditional intrusion detection systems (IDS) have proven inadequate against the growing number of increasingly sophisticated cyberattacks, and the advent of zero-day attacks has added to these inadequacies. Deep learning methods tend to be effective at detecting malicious network activity, but there is often limited transparency into how they arrive at their conclusions, which makes them difficult to trust in the many security settings where transparency and trust are essential. To address these issues, this research proposes an Explainable Transformer-based Intrusion Detection System (XTIDS) that combines a Transformer neural network with Explainable Artificial Intelligence (XAI) tools, namely SHapley Additive exPlanations (SHAP) and Local Interpretable Model-Agnostic Explanations (LIME). The framework is intended to correctly identify both known and unknown cyberattacks and to explain the model's predictions. The experimental evaluation was carried out on the benchmark intrusion detection datasets CICIDS2017, CSE-CIC-IDS2018 and UNSW-NB15. Before the models were trained, the data passed through a comprehensive preprocessing pipeline to ensure data quality and relevance, covering cleaning, feature selection, normalization, and partitioning of the datasets. The Transformer architecture's multi-head self-attention mechanisms were used to learn complex relationships between network traffic features. SHAP and LIME were combined to explain attack classification decisions at both the global and the local level. The experimental results show that the proposed XTIDS framework achieves an accuracy of 98.5%, precision of 97.7%, recall of 97.9%, F1 score of 97.8%, and ROC-AUC of 99.2%, which is higher than conventional machine learning and deep learning models.
The framework also showed high performance in the detection of zero-day attacks, with an 82% detection rate for new attack categories. The SHAP and LIME analyses provided meaningful feature attributions and improved model transparency without significantly affecting predictive accuracy. As these results illustrate, the proposed framework attains an adequate balance between detection accuracy, interpretability and generalization, and can therefore be considered a reliable and practical solution for existing cybersecurity scenarios.

Published

2026-06-21

How to Cite

Shamikh Imran, Zobia shabeer, & Muhammad Naeem. (2026). EXPLAINABLE TRANSFORMER-BASED INTRUSION DETECTION SYSTEM FOR ZERO-DAY CYBER ATTACK DETECTION USING SHAP AND LIME. Spectrum of Engineering Sciences, 4(6), 3114–3134. Retrieved from https://www.thesesjournal.com/index.php/1/article/view/3374