EXPLAINABLE DEEP LEARNING FRAMEWORK FOR REAL-TIME NETWORK INTRUSION DETECTION AND ATTACK CLASSIFICATION
DOI:
https://doi.org/10.70917/ijcisim-2026-2060Keywords:
Network intrusion detection, deep learning, CNN-LSTM, explainable AI, SHAP, LIME, attack classification, CIC-IDS2017, CSE-CIC-IDS2018, cybersecurityAbstract
The escalating volume and sophistication of cyber-attacks demand network intrusion detection systems (NIDS) that are simultaneously accurate, fast and transparent. Conventional machine-learning detectors struggle to model the joint spatial and temporal structure of network traffic, and modern deep models are frequently opaque, which impedes analyst trust and forensic auditing. This paper proposes an explainable deep-learning framework that couples a one-dimensional convolutional neural network (1D-CNN) for spatial feature extraction with a long short-term memory (LSTM) network for temporal dependency modelling, followed by a softmax layer for multi-class attack classification. Post-hoc explainability is provided through SHapley Additive exPlanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME), which rank the flow features responsible for each decision. The framework is evaluated on the public CIC-IDS2017 and CSE-CIC-IDS2018 benchmarks for multi-class detection of seven traffic categories. The proposed CNN-LSTM attains 99.21% accuracy, 99.10% macro F1-score and a micro-average AUC of 0.9995, outperforming a deep neural network, a 1D-CNN and a bidirectional LSTM baseline by 0.7–2.3 percentage points. Ablation studies confirm the complementary value of the convolutional and recurrent components and of class-imbalance handling, while SHAP and LIME analyses reveal that flow-duration, packet-length and inter-arrival-time features dominate the decisions, in agreement with domain knowledge. The framework offers an accurate and interpretable solution suitable for real-time deployment in security operations..