| # Model Architecture & Design Choices |
|
|
| ## 1. Design Philosophy |
|
|
| The project requires **lightweight models** (max 2h training per experiment). We prioritize: |
| - Simplicity over complexity β fewer layers, interpretable capacity |
| - Reproducibility β fixed seeds, deterministic operations |
| - Fair comparison β same preprocessing, same train/test split across all models |
|
|
| ## 2. Preprocessing Pipeline |
|
|
| ``` |
| Raw NSL-KDD (41 features + label) |
| β |
| ββ Categorical encoding: LabelEncoder for protocol_type (3), service (70), flag (11) |
| ββ Feature scaling: MinMaxScaler [0, 1] on all 41 features |
| ββ Label encoding: Binary (anomaly=0, normal=1) |
| β |
| ββ Output: X_train (151165, 41), X_test (34394, 41), float32 |
| ``` |
|
|
| **Why MinMaxScaler?** Network features have vastly different ranges (src_bytes: 0-1.3B vs. serror_rate: 0-1). Scaling to [0,1] prevents large-valued features from dominating gradient updates and makes perturbation-based explainability (Ξ΅-bounded noise) meaningful. |
|
|
| **Why LabelEncoder (not OneHot)?** OneHot would expand 3 categorical features to 84 columns. This makes SHAP/LIME explanations harder to interpret (84 binary features vs 41 semantic features). LabelEncoder preserves the original feature space for cleaner explanations. |
|
|
| ## 3. Model Architectures |
|
|
| ### 3.1 MLP (Primary Baseline) |
|
|
| ``` |
| Input (41) β Linear(256) β BatchNorm β ReLU β Dropout(0.3) |
| β Linear(128) β BatchNorm β ReLU β Dropout(0.2) |
| β Linear(64) β ReLU |
| β Linear(num_classes) |
| ``` |
|
|
| **Parameters**: ~50K |
| **Justification**: |
| - 3 hidden layers with decreasing width is standard for tabular classification |
| - BatchNorm stabilizes training, enables higher learning rates |
| - Dropout (0.3β0.2) regularizes; heavier in early layers where more parameters |
| - No final activation β CrossEntropyLoss includes LogSoftmax |
|
|
| ### 3.2 LSTM (Temporal Variant) |
|
|
| ``` |
| Input (41) β reshape to (41, 1) β LSTM(hidden=64, layers=2, dropout=0.2) |
| β take last hidden state β Linear(num_classes) |
| ``` |
|
|
| **Parameters**: ~35K |
| **Justification**: |
| - Treats 41 features as a sequence β captures inter-feature dependencies |
| - 2 layers with 64 hidden units is minimal while allowing feature interaction |
| - LSTM processes features in order: basicβcontentβtime-basedβhost-based |
| - This ordering has semantic meaning in NSL-KDD (groups of related features) |
|
|
| ### 3.3 1D-CNN (Spatial Variant) |
|
|
| ``` |
| Input (41) β reshape to (1, 41) β Conv1d(64, k=3, pad=1) β ReLU |
| β Conv1d(128, k=3, pad=1) β ReLU β AdaptiveAvgPool1d(8) |
| β Flatten β Linear(64) β ReLU β Linear(num_classes) |
| ``` |
|
|
| **Parameters**: ~45K |
| **Justification**: |
| - 1D convolutions learn local feature patterns (neighboring features) |
| - Kernel size 3 captures triplets of features |
| - AdaptiveAvgPool compresses to fixed size regardless of input length |
| - Useful for detecting patterns in rate-based features (contiguous block) |
|
|
| ## 4. Training Configuration |
|
|
| | Parameter | Value | Justification | |
| |-----------|-------|---------------| |
| | Optimizer | Adam | Standard for neural networks; adaptive lr per parameter | |
| | Learning rate | 1e-3 | Default Adam lr; works well for tabular tasks | |
| | Weight decay | 1e-4 | Light L2 regularization prevents overfitting | |
| | Batch size | 256 | Good balance of speed and gradient stability | |
| | Epochs | 50 | Sufficient for convergence on NSL-KDD (~151K samples) | |
| | Loss | CrossEntropyLoss | Standard for multi-class; includes class weights for imbalance | |
| | Class weights | Inverse frequency | Addresses class imbalance between normal (53%) and anomaly (47%) | |
| | Seed | 42 | Fixed for reproducibility | |
|
|
| ## 5. Why These Models for Explainability |
|
|
| | Model | SHAP Method | Speed | Explanation Quality | |
| |-------|-------------|-------|-------------------| |
| | MLP | KernelExplainer | Medium | Clean, model-agnostic attributions | |
| | LSTM | KernelExplainer | Medium | Sequential attributions may differ | |
| | 1D-CNN | KernelExplainer | Medium | Convolutional attributions capture local patterns | |
|
|
| All three use **KernelExplainer** (model-agnostic SHAP), enabling: |
| - Direct comparison of feature attributions across architectures |
| - Analysis of whether model architecture affects explanation stability |
| - Consistent methodology across all models |
|
|
| ## 6. Expected Baseline Performance |
|
|
| Based on published NSL-KDD benchmarks (Tavallaee et al., Revathi & Malathi 2013): |
|
|
| | Model | Binary Accuracy | Binary Weighted F1 | |
| |-------|----------------|---------------------| |
| | MLP | 78-85% | 78-83% | |
| | LSTM | 76-82% | 75-80% | |
| | 1D-CNN | 77-83% | 76-81% | |
|
|
| **Known challenge**: Test set has more anomaly (65%) than train (47%) β distribution shift tests generalization. |
|
|
