Published June 2, 2026 | Version v1
Journal article Open

SHAP-Based Explainability in IoT Intrusion Detection: A Comparative Analysis of Machine Learning Models

Authors/Creators

  • 1. Advanced Research Institute, "New Uzbekistan" University

Description

The deployment of machine learning (ML)-based intrusion detection systems (IDS) in Internet of Things (IoT) and telematics environments has achieved strong detection performance yet suffers from a critical opacity problem: security analysts cannot understand why a model flags a given network flow as malicious. This paper presents a rigorous comparative evaluation of five widely-adopted ML classifiers — Random Forest (RF), Extreme Gradient Boosting (XGBoost), CatBoost, LightGBM, and Support Vector Machine (SVM) — for IoT intrusion detection, coupled with a systematic SHAP (SHapley Additive exPlanations)-based explainability analysis covering both global feature attribution and local instance-level interpretation. Experiments are conducted on two benchmark datasets: CICIDS2017 and UNSW-NB15, encompassing 15 attack categories. Results demonstrate that ensemble tree-based models — particularly XGBoost (F1: 99.41%, AUC: 0.9987 on CICIDS2017) and LightGBM (F1: 99.38%, AUC: 0.9985) — consistently outperform SVM across all metrics and datasets, while SHAP analysis reveals dataset-specific feature importance divergences that carry direct implications for model transferability. Global SHAP analysis identifies flow-duration, packet-length statistics, and inter-arrival timing as the most discriminative features across both datasets, whereas local SHAP waterfall plots expose model-specific reasoning pathways that differ significantly between tree-based and kernel-based classifiers. The vehicle-telematics applicability of these findings is examined through a dedicated analysis of SHAP explanations under simulated CAN-bus traffic features. This work bridges the explainability gap in IoT IDS research and provides actionable guidance for security practitioners deploying transparent ML-based detection systems.

Files

V4I35.pdf

Files (332.3 kB)

Name Size Download all
md5:72fa5e5b05e494c031d5f2321ed9a79c
332.3 kB Preview Download

Additional details

References

  • F. Ebrahimi et al., "Intrusion detection in the internet of things using convolutional neural networks: an explainable AI approach," Cybersecurity, vol. 8, no. 1, p. 66, Sep. 2025, doi: 10.1186/s42400-025-00369-2.
  • S. Aziz et al., "Anomaly Detection in the Internet of Vehicular Networks Using Explainable Neural Networks (xNN)," Mathematics, vol. 10, no. 8, p. 1267, Apr. 2022, doi: 10.3390/math10081267.
  • M. Siganos et al., "Explainable AI-based Intrusion Detection in the Internet of Things," in Proc. 18th Int. Conf. Availability, Reliability and Security, ACM, Aug. 2023, pp. 1–10, doi: 10.1145/3600160.3605162.
  • IoT Analytics, "State of IoT — Spring 2025," IoT Analytics Research Report, 2025.
  • R. Arslan et al., "Cybersecurity in Intelligent Transportation Systems: A Comparative Study on AI-Based Anomaly Detection and Threat Analysis," Mechatronics & Intelligent Transportation Systems, vol. 5, no. 1, pp. 11–30, Mar. 2026, doi: 10.56578/mits050102.
  • H. Lundberg et al., "Experimental Analysis of Trustworthy In-Vehicle Intrusion Detection System Using eXplainable Artificial Intelligence (XAI)," IEEE Access, vol. 10, pp. 102831–102841, 2022, doi: 10.1109/ACCESS.2022.3208573.
  • Y. Wang et al., "Enhancing AI transparency in IoT intrusion detection using explainable AI techniques," Internet of Things, vol. 33, p. 101714, Sep. 2025, doi: 10.1016/j.iot.2025.101714.
  • M. A. Bilal et al., "Federated Learning With Explainable AI for Malicious Traffic Detection in IoT Networks," IEEE Access, vol. 13, pp. 173368–173383, 2025, doi: 10.1109/ACCESS.2025.3613459.
  • M. Pawlicki et al., "Explainability of machine learning-based intrusion detection systems: A review," Artificial Intelligence Review, vol. 57, 2024, doi: 10.1007/s10462-024-10709-2.
  • N. Khan et al., "Explainable AI-Based Intrusion Detection Systems for Industry 5.0 and Adversarial XAI: A Systematic Review," Information, vol. 16, no. 12, p. 1036, Nov. 2025, doi: 10.3390/info16121036.
  • C. I. Nwakanma et al., "Explainable Artificial Intelligence (XAI) for Intrusion Detection and Mitigation in Intelligent Connected Vehicles: A Review," Applied Sciences, vol. 13, no. 3, p. 1252, Jan. 2023, doi: 10.3390/app13031252.
  • S. K. G. K et al., "Explainable Federated Framework for Enhanced Security and Privacy in Connected Vehicles Against Advanced Persistent Threats," IEEE Open Journal of Vehicular Technology, vol. 6, pp. 1438–1463, 2025, doi: 10.1109/OJVT.2025.3576366.
  • S. M. Lundberg and S.-I. Lee, "A unified approach to interpreting model predictions," in Advances in Neural Information Processing Systems (NeurIPS), vol. 30, 2017.
  • T. B. Ogunseyi et al., "Performance Analysis of Explainable Deep Learning-Based Intrusion Detection Systems for IoT Networks: A Systematic Review," Sensors, vol. 26, no. 2, p. 363, Jan. 2026, doi: 10.3390/s26020363.
  • F. Hassan et al., "Developing Transparent IDS for VANETs Using LIME and SHAP: An Empirical Study," Computers, Materials & Continua, vol. 77, no. 3, pp. 3185–3208, 2023, doi: 10.32604/cmc.2023.044650.
  • U. Ahmed et al., "Explainable AI-based innovative hybrid ensemble model for intrusion detection," J. Cloud Computing, vol. 13, no. 1, p. 150, Oct. 2024, doi: 10.1186/s13677-024-00712-x.
  • A. Alabbadi and F. Bajaber, "An Intrusion Detection System over the IoT Data Streams Using eXplainable Artificial Intelligence (XAI)," Sensors, vol. 25, no. 3, p. 847, Jan. 2025, doi: 10.3390/s25030847.
  • V. Z. Mohale and I. C. Obagbuwa, "Evaluating machine learning-based intrusion detection systems with explainable AI: enhancing transparency and interpretability," Frontiers in Computer Science, vol. 7, p. 1520741, May 2025, doi: 10.3389/fcomp.2025.1520741.
  • B. Sharma et al., "Explainable artificial intelligence for intrusion detection in IoT networks: A deep learning based approach," Expert Systems with Applications, vol. 238, p. 121751, Mar. 2024, doi: 10.1016/j.eswa.2023.121751.
  • P. Jain et al., "Bridging Explainability and Security: An XAI-Enhanced Hybrid Deep Learning Framework for IoT Device Identification and Attack Detection," IEEE Access, vol. 13, pp. 127368–127390, 2025, doi: 10.1109/ACCESS.2025.3590159.
  • W. Khan et al., "A novel transformer-based explainable AI approach using SHAP for intrusion detection in vehicular ad hoc networks," Computer Networks, vol. 270, p. 111575, Oct. 2025, doi: 10.1016/j.comnet.2025.111575.
  • K. P. Sharma et al., "Interpretable intrusion detection for IoT environments using a self-attention-based explainable AI framework," Scientific Reports, vol. 15, p. 39937, Nov. 2025, doi: 10.1038/s41598-025-23750-0.
  • R. Taheri et al., "Explainable AI for Federated Learning-Based Intrusion Detection Systems in Connected Vehicles," Electronics, vol. 14, no. 22, p. 4508, Nov. 2025, doi: 10.3390/electronics14224508.
  • A. Alfahaid et al., "Machine Learning-Based Security Solutions for IoT Networks: A Comprehensive Survey," Sensors, vol. 25, no. 11, p. 3341, May 2025, doi: 10.3390/s25113341.
  • D. Neupane et al., "Explainable Intrusion Detection Systems (X-IDS): A Survey of Current Methods, Challenges, and Opportunities," IEEE Access, vol. 10, pp. 112392–112415, 2022, doi: 10.1109/ACCESS.2022.3216617.