EXPLAINABLE DEEP LEARNING FRAMEWORK FOR REAL-TIME NETWORK INTRUSION DETECTION AND ATTACK CLASSIFICATION

Authors

  • Nagesh R. Department of Computer Science and Engineering, School of Engineering, Sapthagiri NPS University, Bangalore, India.
  • Pallavi G. B. Department of Computer Science and Engineering (ICB), B.M.S. College of Engineering (BMSCE), Bengaluru, India.
  • Vinay T. R. Ramaiah Institute of Technology, Bangalore, India.
  • C. Sathish Department of Information Technology, Er. Perumal Manimekalai College of Engineering, Hosur, India.
  • N. Shunmuga Karpagam Department of Computer Science and Engineering, Er. Perumal Manimekalai College of Engineering, Hosur, India.
  • Santhrupth B. C. Department of AI and Data Science Engineering, Christ University, Bengaluru, Karnataka – 560069, India.

DOI:

https://doi.org/10.70917/ijcisim-2026-2060

Keywords:

Network intrusion detection, deep learning, CNN-LSTM, explainable AI, SHAP, LIME, attack classification, CIC-IDS2017, CSE-CIC-IDS2018, cybersecurity

Abstract

The escalating volume and sophistication of cyber-attacks demand network intrusion detection systems (NIDS) that are simultaneously accurate, fast and transparent. Conventional machine-learning detectors struggle to model the joint spatial and temporal structure of network traffic, and modern deep models are frequently opaque, which impedes analyst trust and forensic auditing. This paper proposes an explainable deep-learning framework that couples a one-dimensional convolutional neural network (1D-CNN) for spatial feature extraction with a long short-term memory (LSTM) network for temporal dependency modelling, followed by a softmax layer for multi-class attack classification. Post-hoc explainability is provided through SHapley Additive exPlanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME), which rank the flow features responsible for each decision. The framework is evaluated on the public CIC-IDS2017 and CSE-CIC-IDS2018 benchmarks for multi-class detection of seven traffic categories. The proposed CNN-LSTM attains 99.21% accuracy, 99.10% macro F1-score and a micro-average AUC of 0.9995, outperforming a deep neural network, a 1D-CNN and a bidirectional LSTM baseline by 0.7–2.3 percentage points. Ablation studies confirm the complementary value of the convolutional and recurrent components and of class-imbalance handling, while SHAP and LIME analyses reveal that flow-duration, packet-length and inter-arrival-time features dominate the decisions, in agreement with domain knowledge. The framework offers an accurate and interpretable solution suitable for real-time deployment in security operations..

Downloads

Download data is not yet available.

Downloads

Published

2026-06-23

How to Cite

Nagesh R., Pallavi G. B., Vinay T. R., C. Sathish, N. Shunmuga Karpagam, & Santhrupth B. C. (2026). EXPLAINABLE DEEP LEARNING FRAMEWORK FOR REAL-TIME NETWORK INTRUSION DETECTION AND ATTACK CLASSIFICATION. International Journal of Computer Information Systems and Industrial Management Applications, 18(2s), 1277–1290. https://doi.org/10.70917/ijcisim-2026-2060

Issue

Section

Original Articles