{"id":"https://openalex.org/W4407938051","doi":"https://doi.org/10.5220/0013180700003899","title":"Evaluating Explainable AI for Deep Learning-Based Network Intrusion Detection System Alert Classification","display_name":"Evaluating Explainable AI for Deep Learning-Based Network Intrusion Detection System Alert Classification","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4407938051","doi":"https://doi.org/10.5220/0013180700003899"},"language":"en","primary_location":{"id":"doi:10.5220/0013180700003899","is_oa":true,"landing_page_url":"https://doi.org/10.5220/0013180700003899","pdf_url":null,"source":null,"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 11th International Conference on Information Systems Security and Privacy","raw_type":"proceedings-article"},"type":"preprint","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.5220/0013180700003899","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101916839","display_name":"Rajesh Kalakoti","orcid":"https://orcid.org/0000-0001-7390-8034"},"institutions":[{"id":"https://openalex.org/I111112146","display_name":"Tallinn University of Technology","ror":"https://ror.org/0443cwa12","country_code":"EE","type":"education","lineage":["https://openalex.org/I111112146"]}],"countries":["EE"],"is_corresponding":true,"raw_author_name":"Rajesh Kalakoti","raw_affiliation_strings":["Department of Software Science, Tallinn University of Technology, Tallinn, Estonia"],"affiliations":[{"raw_affiliation_string":"Department of Software Science, Tallinn University of Technology, Tallinn, Estonia","institution_ids":["https://openalex.org/I111112146"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5069019755","display_name":"Risto Vaarandi","orcid":"https://orcid.org/0000-0001-7781-5863"},"institutions":[{"id":"https://openalex.org/I111112146","display_name":"Tallinn University of Technology","ror":"https://ror.org/0443cwa12","country_code":"EE","type":"education","lineage":["https://openalex.org/I111112146"]}],"countries":["EE"],"is_corresponding":false,"raw_author_name":"Risto Vaarandi","raw_affiliation_strings":["Department of Software Science, Tallinn University of Technology, Tallinn, Estonia"],"affiliations":[{"raw_affiliation_string":"Department of Software Science, Tallinn University of Technology, Tallinn, Estonia","institution_ids":["https://openalex.org/I111112146"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5075157158","display_name":"Hayretdin Bah\u015fi","orcid":"https://orcid.org/0000-0001-8882-4095"},"institutions":[{"id":"https://openalex.org/I111112146","display_name":"Tallinn University of Technology","ror":"https://ror.org/0443cwa12","country_code":"EE","type":"education","lineage":["https://openalex.org/I111112146"]},{"id":"https://openalex.org/I203172682","display_name":"Northern Arizona University","ror":"https://ror.org/0272j5188","country_code":"US","type":"education","lineage":["https://openalex.org/I203172682"]}],"countries":["EE","US"],"is_corresponding":false,"raw_author_name":"Hayretdin Bah\u015fi","raw_affiliation_strings":["Department of Software Science, Tallinn University of Technology, Tallinn, Estonia","School of Informatics, Computing, and Cyber Systems, Northern Arizona University, U.S.A"],"affiliations":[{"raw_affiliation_string":"Department of Software Science, Tallinn University of Technology, Tallinn, Estonia","institution_ids":["https://openalex.org/I111112146"]},{"raw_affiliation_string":"School of Informatics, Computing, and Cyber Systems, Northern Arizona University, U.S.A","institution_ids":["https://openalex.org/I203172682"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5081748391","display_name":"Sven N\u00f5mm","orcid":"https://orcid.org/0000-0001-5571-1692"},"institutions":[{"id":"https://openalex.org/I111112146","display_name":"Tallinn University of Technology","ror":"https://ror.org/0443cwa12","country_code":"EE","type":"education","lineage":["https://openalex.org/I111112146"]}],"countries":["EE"],"is_corresponding":false,"raw_author_name":"Sven N\u00f5mm","raw_affiliation_strings":["Department of Software Science, Tallinn University of Technology, Tallinn, Estonia"],"affiliations":[{"raw_affiliation_string":"Department of Software Science, Tallinn University of Technology, Tallinn, Estonia","institution_ids":["https://openalex.org/I111112146"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5101916839"],"corresponding_institution_ids":["https://openalex.org/I111112146"],"apc_list":null,"apc_paid":null,"fwci":16.3513,"has_fulltext":false,"cited_by_count":12,"citation_normalized_percentile":{"value":0.99002972,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"47","last_page":"58"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9886000156402588,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9886000156402588,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7727383375167847},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.7596837282180786},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.6609992384910583},{"id":"https://openalex.org/keywords/deep-learning","display_name":"Deep learning","score":0.6521468758583069},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.4739527702331543},{"id":"https://openalex.org/keywords/intrusion-prevention-system","display_name":"Intrusion prevention system","score":0.4425336718559265}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7727383375167847},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.7596837282180786},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6609992384910583},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.6521468758583069},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.4739527702331543},{"id":"https://openalex.org/C27061796","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion prevention system","level":3,"score":0.4425336718559265}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.5220/0013180700003899","is_oa":true,"landing_page_url":"https://doi.org/10.5220/0013180700003899","pdf_url":null,"source":null,"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 11th International Conference on Information Systems Security and Privacy","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2506.07882","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2506.07882","pdf_url":"https://arxiv.org/pdf/2506.07882","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"acceptedVersion","is_accepted":true,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.5220/0013180700003899","is_oa":true,"landing_page_url":"https://doi.org/10.5220/0013180700003899","pdf_url":null,"source":null,"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 11th International Conference on Information Systems Security and Privacy","raw_type":"proceedings-article"},"sustainable_development_goals":[{"display_name":"Climate action","score":0.6899999976158142,"id":"https://metadata.un.org/sdg/13"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":["https://openalex.org/W2731899572","https://openalex.org/W2961085424","https://openalex.org/W3215138031","https://openalex.org/W4306674287","https://openalex.org/W3009238340","https://openalex.org/W4360585206","https://openalex.org/W4321369474","https://openalex.org/W4285208911","https://openalex.org/W4387369504","https://openalex.org/W3046775127"],"abstract_inverted_index":{"A":[0],"Network":[1],"Intrusion":[2],"Detection":[3],"System":[4],"(NIDS)":[5],"monitors":[6],"networks":[7],"for":[8,29,66,190],"cyber":[9],"attacks":[10],"and":[11,78,120,136,155,177,201,211],"other":[12,165],"unwanted":[13],"activities.":[14],"However,":[15],"NIDS":[16,45,72,84],"solutions":[17],"often":[18],"generate":[19],"an":[20],"overwhelming":[21],"number":[22],"of":[23,44,49,92,140,216],"alerts":[24],"daily,":[25],"making":[26],"it":[27],"challenging":[28],"analysts":[30],"to":[31,40,75,107],"prioritize":[32,108],"high-priority":[33],"threats.":[34],"While":[35],"deep":[36],"learning":[37],"models":[38,53],"promise":[39],"automate":[41],"the":[42,47,63,112,164,205,213],"prioritization":[43,116],"alerts,":[46],"lack":[48],"transparency":[50],"in":[51,57,71,98],"these":[52,141,198],"can":[54],"undermine":[55],"trust":[56,77],"their":[58,209],"decision-making.":[59],"This":[60],"study":[61],"highlights":[62],"critical":[64],"need":[65],"explainable":[67],"artificial":[68],"intelligence":[69],"(XAI)":[70],"alert":[73,85,115,192],"classification":[74],"improve":[76],"interpretability.":[79],"We":[80],"employed":[81],"a":[82,101,147],"real-world":[83],"dataset":[86],"from":[87],"Security":[88],"Operations":[89],"Center":[90],"(SOC)":[91],"TalTech":[93],"(Tallinn":[94],"University":[95],"Of":[96],"Technology)":[97],"Estonia,":[99],"developing":[100],"Long":[102],"Short-Term":[103],"Memory":[104],"(LSTM)":[105],"model":[106],"alerts.":[109],"To":[110],"explain":[111],"LSTM":[113],"model's":[114],"decisions,":[117],"we":[118,185],"implemented":[119],"compared":[121],"four":[122],"XAI":[123,142,166,206],"methods:":[124],"Local":[125],"Interpretable":[126],"Model-Agnostic":[127],"Explanations":[128],"(LIME),":[129],"SHapley":[130],"Additive":[131],"exPlanations":[132],"(SHAP),":[133],"Integrated":[134],"Gradients,":[135],"DeepLIFT.":[137],"The":[138,194],"quality":[139],"methods":[143,207],"was":[144],"assessed":[145],"using":[146],"comprehensive":[148],"framework":[149],"that":[150,160],"evaluated":[151],"faithfulness,":[152,172],"complexity,":[153,174],"robustness,":[154],"reliability.":[156,179],"Our":[157],"results":[158],"demonstrate":[159],"DeepLIFT":[161],"consistently":[162],"outperformed":[163],"methods,":[167],"providing":[168],"explanations":[169],"with":[170,182],"high":[171],"low":[173],"robust":[175],"performance,":[176],"strong":[178,195],"In":[180],"collaboration":[181],"SOC":[183],"analysts,":[184],"identified":[186],"key":[187],"features":[188,200],"essential":[189],"effective":[191],"classification.":[193],"alignment":[196],"between":[197],"analyst-identified":[199],"those":[202],"obtained":[203],"by":[204],"validates":[208],"effectiveness":[210],"enhances":[212],"practical":[214],"applicability":[215],"our":[217],"approach.":[218]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":10}],"updated_date":"2026-04-22T08:38:42.863108","created_date":"2025-10-10T00:00:00"}