presentation/TEACHER_PRESENTATION_GUIDE.md

Teacher Presentation Guide — Explainable Intrusion Detection System (X-IDS)

Repo: cathrica/deep-learning-project
Project: ICCN-INE2 Deep Learning — Project 5: Explainable IDS
Dataset: NSL-KDD | Models: MLP, LSTM, 1D-CNN | XAI: SHAP + LIME

---

1. The 30-Second Elevator Pitch

We built an Explainable Intrusion Detection System that detects malicious network connections using deep learning, then explains why each decision was made using SHAP and LIME. We also evaluated whether those explanations are stable, faithful, and safe to expose in a security environment.

Best model: LSTM with weighted F1 = 0.7800, ROC-AUC = 0.9434, PR-AUC = 0.9222. SHAP and LIME did not agree (Spearman = 0.0714), and explanations lost stability as input perturbations grew. Security analysis showed that exposing raw explanations can help attackers evade detection, so access must be controlled.

---

2. Why This Project Matters (Motivation)

• Traditional IDS alerts are black-box — analysts get a flag but no evidence.
• Deep learning improves detection but hides reasoning.
• In cybersecurity, a false positive wastes analyst time; a false negative lets attacks through.
• Explainability can help defenders prioritize alerts and verify model behavior.
• Risk: if attackers see which features matter most, they can craft evasion attacks.
• Our project asks: Can we explain IDS decisions without destroying trust or security?

---

3. Dataset — NSL-KDD

Property	Value
Source	UNB Canadian Institute for Cybersecurity
HF Hub	Mireu-Lab/NSL-KDD
Records	Train: 151,165 / Test: 34,394
Features	41 (3 categorical + 38 numerical)
Categorical	protocol_type (3), service (70), flag (11)
Task	Binary classification: Normal vs Anomaly
Train distribution	53% Normal / 47% Anomaly
Test distribution	34% Normal / 66% Anomaly

Important detail: The test set has a distribution shift — more anomalies than training. This makes generalization harder and is worth mentioning as a realistic challenge.

Preprocessing Choices

Step	Method	Why
Categorical encoding	LabelEncoder	Preserves 41-feature structure so SHAP/LIME outputs map cleanly to original features. OneHot would explode to 84 columns and hurt interpretability.
Scaling	MinMaxScaler [0,1]	Features have wildly different ranges (e.g., src_bytes up to 1.3B vs serror_rate 0–1). Scaling stabilizes training and makes ε-perturbations meaningful for stability testing.
Reproducibility	Seed 42, fixed splits	Every experiment is deterministic.

Teacher might ask: Why LabelEncoder instead of OneHot?
Answer: OneHot would create 84 binary features. SHAP and LIME would then explain binary columns instead of semantic features, making interpretation much harder for analysts. The trade-off is artificial ordering in categorical variables, which we acknowledge as a limitation.

---

4. Models & Architecture Choices

We compared three lightweight architectures with the same training config:

Parameter	Value
Optimizer	Adam
Learning rate	1e-3
Weight decay	1e-4
Batch size	256
Epochs	50
Loss	CrossEntropyLoss with inverse-frequency class weights

4.1 MLP (Baseline)

Input(41) → Linear(256) → BatchNorm → ReLU → Dropout(0.3)
          → Linear(128) → BatchNorm → ReLU → Dropout(0.2)
          → Linear(64)  → ReLU
          → Linear(2 classes)

• Parameters: ~50K
• Why: Standard tabular baseline. BatchNorm stabilizes gradients; dropout regularizes.

4.2 LSTM (Best Performer)

Input(41) → reshape to (41, 1) → 2-layer LSTM(hidden=64, dropout=0.2)
          → last hidden state → Linear(2 classes)

• Parameters: ~35K
• Why: Treats the 41 features as a sequence. NSL-KDD features are semantically grouped (basic → content → time-based → host-based). LSTM can learn dependencies between these groups. This inductive bias helped it generalize best despite having fewer parameters than the CNN.

4.3 1D-CNN

Input(41) → reshape to (1, 41) → Conv1d(64, k=3, pad=1) → ReLU
          → Conv1d(128, k=3, pad=1) → ReLU → AdaptiveAvgPool1d(8)
          → Flatten → Linear(64) → ReLU → Linear(2 classes)

• Parameters: ~45K
• Why: Learns local patterns between neighboring features. Good for rate-based feature blocks. However, it underperformed the LSTM, showing that more parameters ≠ better if the architecture bias mismatches the data structure.

Performance Results

Model	Weighted F1	ROC-AUC	PR-AUC	Training Time
LSTM	0.7800	0.9434	0.9222	162.9s
MLP	0.7639	0.9231	0.8699	145.1s
1D-CNN	0.7579	0.9410	0.9182	173.1s

Teacher might ask: Why did LSTM win despite fewer parameters?
Answer: The LSTM's sequential processing matches the semantic grouping of NSL-KDD features. The CNN assumes local spatial patterns, which is less natural for this tabular feature ordering. The MLP treats all features independently, missing group-level dependencies.

---

5. Explainability — SHAP & LIME

We used post-hoc explainability (explaining a trained model, not building an interpretable one) because deep learning models are more expressive.

SHAP (SHapley Additive exPlanations)

• Method: KernelExplainer (model-agnostic)
• What it does: Estimates how much each feature pushes the prediction away from the average prediction, based on game-theoretic Shapley values.
• Top anomaly features: logged_in (0.0950), dst_host_rerror_rate (0.0619), protocol_type (0.0573), rerror_rate (0.0479), dst_host_serror_rate (0.0427)
• Why these make sense: Login status and error rates are classic intrusion indicators.

LIME (Local Interpretable Model-Agnostic Explanations)

• Method: LimeTabularExplainer
• What it does: Perturbs the input, observes predictions, fits a simple linear model locally to approximate the black-box model near that point.
• Top features (frequency in 30 explanations): wrong_fragment (30/30), rerror_rate (30/30), protocol_type (30/30), dst_host_rerror_rate (30/30)

Key Finding: SHAP vs LIME Disagreement

Metric	Value
Spearman rank correlation	0.0714
p-value	0.8665

Interpretation: The two methods rank features almost completely differently. This is critical: explanations are method-dependent. You cannot trust one method blindly.

Teacher might ask: Which method do you trust more?
Answer: SHAP has stronger theoretical foundations (game theory, consistency properties) and is deterministic. LIME is intuitive but stochastic and sensitive to perturbation settings. For security-critical decisions, I would prefer SHAP but still validate with stability and faithfulness tests.

---

6. Stability & Faithfulness

An explanation is only useful if it is reliable.

6.1 Stability — Perturbation Test

We added small ε-bounded noise to inputs and measured how much SHAP attributions changed using Pearson Correlation Coefficient (PCC).

Epsilon	PCC	Verdict
0.01	0.6293	✅ Stable (≥ 0.6 threshold)
0.03	0.5861	❌ Unstable
0.05	0.5676	❌ Unstable

Threshold 0.6 is inspired by the SAFARI framework (Huang et al. 2022).

LIME stochastic stability: Mean Spearman across 20 runs = 0.6054 — borderline stable.

6.2 Faithfulness — Feature Masking

If SHAP says a feature is important, removing it should hurt confidence.

Masked features	Confidence drop
Top 3	0.3355
Top 5	0.3592
Top 10	0.4938

Interpretation: The more top features we mask, the bigger the confidence drop. SHAP is identifying features the model actually uses.

Teacher might ask: What is the difference between stability and faithfulness?
Answer: Stability asks: "Do similar inputs get similar explanations?" Faithfulness asks: "Does the explanation actually reflect what the model cares about?" You need both for a trustworthy explanation.

---

7. Security Implications

7.1 The Dual-Edged Sword

• Good: Explanations help analysts verify alerts and prioritize investigations.
• Bad: If attackers see explanations, they learn which features to manipulate.

7.2 Feature Manipulability

Category	Manipulable?	Examples
Packet content	✅ Yes	src_bytes, dst_bytes, hot
Connection behavior	⚠️ Partially	duration, count, srv_count
Protocol fields	⚠️ Constrained	protocol_type, flag
Network statistics	❌ No	dst_host_count, dst_host_same_srv_rate
Error rates	⚠️ Partially	serror_rate, rerror_rate

Good news: Our top SHAP features include many non-manipulable host-based statistics, which makes evasion harder than if the model relied only on attacker-controlled payload fields.

7.3 Attack Scenarios

1. Evasion via explanation leakage: Attacker queries the explanation API, sees that serror_rate and count drive detection, then crafts traffic to spoof those features.
2. LIME inconsistency exploitation: LIME gives different rankings on rerun. Analysts waste time chasing inconsistent explanations.
3. Backdoor with clean explanations: A poisoned model misclassifies triggered inputs but shows plausible benign SHAP values.

7.4 Mitigations

• Restrict explanation access to trusted analysts
• Rate-limit explanation APIs
• Log all explanation queries
• Aggregate explanations instead of exposing raw per-sample values
• Never replace rule-based IDS with ML explanations alone

---

8. Limitations (Say These Confidently)

1. Dataset age: NSL-KDD is a benchmark from 2009. Modern traffic (TLS 1.3, encrypted payloads, IoT protocols) looks very different.
2. LabelEncoder trade-off: Preserves interpretability but imposes artificial ordering on categories.
3. Computational cost: Kernel SHAP is expensive; we used sampled subsets.
4. LIME stochasticity: Results vary across random seeds.
5. Scope: We evaluated explanation quality, not adversarial robustness of the classifier itself. That is a separate (harder) problem.

Teacher might ask: What would you improve with more time?
Answer: Test on modern datasets (CIC-IDS2017, UNSW-NB15), use embeddings or target encoding for categorical features, evaluate multiclass attack-type detection, and run adversarial evasion experiments using the top SHAP features.

---

9. Likely Teacher Questions & Model Answers

Q: What is your main contribution?

A: We didn't just build an IDS. We built an IDS + explainability pipeline + stability evaluation + security risk analysis. The contribution is showing that explainability in security requires trust evaluation, not just visualization.

Q: Why use deep learning if you need explainability?

A: Deep learning gives better detection performance. Post-hoc explainability (SHAP/LIME) lets us keep that performance while adding interpretability. Inherently interpretable models (decision trees, linear models) don't match the performance on this task.

Q: Why is PR-AUC more important than accuracy?

A: The dataset is imbalanced (especially test set: 66% anomaly). Accuracy would hide poor performance on the minority class. PR-AUC focuses on precision and recall of the positive class, which is what matters when false negatives (missed attacks) are costly.

Q: What is the practical takeaway for a SOC analyst?

A: The model can flag anomalies and show which features drove the decision (e.g., error rates, login status). The analyst uses this as supporting evidence, not as sole proof. Explanations are shown internally only, with access control and logging.

Q: Why binary classification instead of 5-class (DoS, Probe, R2L, U2R)?

A: Binary normal/anomaly is the core IDS problem and keeps the explainability evaluation clean. Multiclass is a natural next step — U2R has only ~52 samples in training, which is extremely challenging.

Q: What does it mean that SHAP and LIME disagree?

A: It means there is no single "true" explanation for a black-box model. Different methods make different assumptions. This is why we evaluate stability and faithfulness — to filter out unreliable explanations regardless of the method.

Q: How do you prevent attackers from using explanations against you?

A: Access control, rate limiting, logging, and aggregation. We also analyzed that the model relies partly on non-manipulable sensor-side statistics, which makes evasion harder than if it relied only on attacker-controlled fields.

---

10. Key Numbers Cheat Sheet

Memorize these for instant credibility:

Fact	Number
Train records	151,165
Test records	34,394
Features	41
Best model	LSTM
Best weighted F1	0.7800
Best ROC-AUC	0.9434
Best PR-AUC	0.9222
SHAP-LIME Spearman	0.0714
SHAP PCC at ε=0.01	0.6293 (stable)
SHAP PCC at ε=0.05	0.5676 (unstable)
LIME stochastic stability	0.6054 (borderline)
Top-10 masking confidence drop	0.4938
Random seed	42

---

11. Glossary of Terms

Term	Definition
IDS	Intrusion Detection System — monitors network traffic for malicious activity
X-IDS	Explainable Intrusion Detection System
NSL-KDD	Standard benchmark dataset for intrusion detection
MLP	Multi-Layer Perceptron — fully connected neural network
LSTM	Long Short-Term Memory — recurrent network with memory gates
1D-CNN	One-dimensional convolutional network
SHAP	Feature attribution based on Shapley values from game theory
LIME	Local surrogate model for explaining individual predictions
ROC-AUC	Threshold-independent ranking quality metric
PR-AUC	Precision-recall area — informative for imbalanced data
Weighted F1	F1-score averaged by class support
PCC	Pearson correlation — measures explanation similarity under perturbation
Spearman	Rank correlation — compares feature ranking between methods
SENS_MAX	Maximum explanation shift under bounded perturbation
Faithfulness	Whether highlighted features actually affect model predictions
Evasion	Attacker modifying traffic to avoid detection
Explanation leakage	Attacker learning model behavior from exposed explanations

---

12. Final One-Liner to Close

"Explainability makes IDS useful, but only stability, faithfulness, and security analysis make it trustworthy."

Good luck on the presentation! 🎓