Neurosymbolic learning and domain knowledge-driven explainable AI for enhanced IoT network attack detection and response

Abstract

In the dynamic landscape of network security, where cyberattacks continuously evolve, robust and adaptive detection mechanisms are essential, particularly for safeguarding Internet of Things (IoT) networks. This paper introduces an advanced anomaly detection model that utilizes Artificial Intelligence (AI) to identify network anomalies based on traffic features, explaining the most influential factors behind each detected anomaly. The model integrates domain knowledge stored in a knowledge graph to verify whether the detected anomaly constitutes a legitimate attack. Upon validation, the model identifies which core cybersecurity principles—Confidentiality, Integrity, or Availability (CIA)—are violated by mapping influential feature values. This is followed by an alignment with the MITRE ATT&CK framework to provide insights into potential attack tactics, techniques, and intelligence-driven countermeasures.

By leveraging explainable AI (XAI) and incorporating expert domain knowledge, our approach bridges the gap between complex AI predictions and human-understandable decision-making, thereby enhancing both detection accuracy and result interpretability. This transparency facilitates faster responses and real-time decision-making while improving adaptability to new, unseen cyber threats. Our evaluation on network traffic datasets demonstrates that the model not only excels in detecting and explaining anomalies but also achieves an overall detection accuracy of 0.97 with the integration of domain knowledge for attack legitimacy. Furthermore, it provides 100% accuracy for threat intelligence based on the MITRE ATT&CK framework, ensuring that security measures are verifiable, actionable, and ultimately strengthen IoT environment defenses by delivering real-time threat intelligence and responses, thus minimizing human response time.