\documentclass[12pt,a4paper]{article}
\usepackage[margin=2.5cm]{geometry}
\usepackage{graphicx}
\usepackage{booktabs}
\usepackage{longtable}
\usepackage{hyperref}
\usepackage{xcolor}
\usepackage{float}
\usepackage{enumitem}
\hypersetup{colorlinks=true,linkcolor=blue,urlcolor=blue}

\begin{document}

\begin{titlepage}
\centering
\vspace*{3cm}
{\Huge\bfseries Explainable IDS\par}
\vspace{0.6cm}
{\Large Making IDS decisions interpretable and assessing explanation reliability.\par}
\vfill
{\large Deep Learning Project 5\par}
{\large ICCN INE2\par}
{\large Academic Year 2025--2026\par}
\vfill
\begin{tabular}{rl}
Prepared by: & Mohamed Anaddam \\
 & EL FARME AYMAN \\
Supervised by: & Pr. Tarik Fissaa
\end{tabular}
\vfill
\end{titlepage}

\section*{Abstract}
Intrusion Detection Systems are important components of network security because they help detect malicious or suspicious network behavior. Deep learning can improve IDS detection performance, but neural models are often difficult to interpret. This report presents an Explainable Intrusion Detection System based on NSL-KDD, using MLP, LSTM, and 1D-CNN models with SHAP and LIME explanations. The LSTM model achieved the best performance with weighted F1-score 0.7800, ROC-AUC 0.9434, and PR-AUC 0.9222. Explanation stability, faithfulness, and security implications are evaluated.

\section{Introduction}
Modern networks generate large volumes of traffic, making manual security monitoring impossible. Intrusion Detection Systems help automate this task by identifying suspicious activity and possible attacks. Deep learning models can learn complex patterns automatically, but they often behave as black boxes. In cybersecurity, a prediction without explanation is difficult to trust.

\section{Dataset and Preprocessing}
The NSL-KDD dataset contains 41 connection-level features. The final task is binary classification: normal traffic versus anomalous traffic. Categorical features were encoded using LabelEncoder and all features were normalized to $[0,1]$ using MinMaxScaler.

\section{Model Architectures}
Three models were compared: an MLP, an LSTM, and a 1D-CNN. They were trained with Adam, learning rate $10^{-3}$, batch size 256, weight decay $10^{-4}$, and 50 epochs.

\section{Results}
The LSTM achieved the best performance: weighted F1-score 0.7800, ROC-AUC 0.9434, and PR-AUC 0.9222.

\begin{figure}[H]
\centering
\includegraphics[width=0.9\linewidth]{report_figures/fig_cell_12_0.png}
\caption{Training curves.}
\end{figure}

\section{SHAP and LIME Explanation Analysis}
SHAP identified \texttt{logged\_in}, \texttt{dst\_host\_rerror\_rate}, \texttt{protocol\_type}, \texttt{rerror\_rate}, and \texttt{dst\_host\_serror\_rate} as important anomaly features.

\begin{figure}[H]
\centering
\includegraphics[width=0.9\linewidth]{report_figures/fig_cell_16_0.png}
\caption{SHAP summary plot.}
\end{figure}

\begin{figure}[H]
\centering
\includegraphics[width=0.9\linewidth]{report_figures/fig_cell_21_0.png}
\caption{SHAP and LIME ranking comparison.}
\end{figure}

\section{Stability and Faithfulness}
SHAP was stable for $\epsilon = 0.01$ with PCC 0.6293, but unstable for larger perturbations. LIME stochastic stability was 0.6054. Masking the top ten SHAP features reduced confidence by 0.4938.

\begin{figure}[H]
\centering
\includegraphics[width=0.9\linewidth]{report_figures/fig_cell_26_0.png}
\caption{Stability and faithfulness summary.}
\end{figure}

\section{Security Implications}
Explanations help analysts understand alerts, but they can leak model behavior to attackers. Explanation access should be restricted, rate-limited, and monitored. Explanations should support analysts, not replace defense-in-depth.

\section{Conclusion}
Explainable IDS is possible and useful, but trustworthy explainable IDS requires evaluating not only model performance, but also explanation stability, faithfulness, and adversarial risk.

\section*{References}
\begin{enumerate}
\item Tavallaee et al. A Detailed Analysis of the KDD CUP 99 Data Set. 2009.
\item Lundberg and Lee. A Unified Approach to Interpreting Model Predictions. NeurIPS 2017.
\item Ribeiro, Singh, and Guestrin. Why Should I Trust You? KDD 2016.
\item UNB Canadian Institute for Cybersecurity. NSL-KDD Dataset. \url{https://www.unb.ca/cic/datasets/nsl.html}
\end{enumerate}

\end{document}