Transformer-based knowledge distillation for explainable intrusion detection system

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-13 DOI:10.1016/j.cose.2025.104417

Nadiah AL-Nomasy , Abdulelah Alamri , Ahamed Aljuhani , Prabhat Kumar

{"title":"Transformer-based knowledge distillation for explainable intrusion detection system","authors":"Nadiah AL-Nomasy , Abdulelah Alamri , Ahamed Aljuhani , Prabhat Kumar","doi":"10.1016/j.cose.2025.104417","DOIUrl":null,"url":null,"abstract":"<div><div>The rapid expansion of IoT networks has increased the risk of cyber threats, making intrusion detection systems (IDS) critical for maintaining security. However, most of the existing IDS rely on computationally intensive deep learning architectures, rendering them unsuitable for IoT environments with limited resources. Additionally, existing IDS approaches, including those using Knowledge Distillation (KD), often fail to capture the complex temporal dependencies and contextual relationships inherent in IoT traffic, which limits their ability to detect complex multi-stage attacks. Furthermore, these models frequently lack transparency, hindering effective decision-making by security experts. To address these gaps, we propose DistillGuard, a novel IDS framework designed specifically for IoT networks. The proposed framework employs a Transformer-based teacher model, which utilizes a hybrid attention mechanism combining multi-head self-attention (MHSA) and cross-attention layers to effectively capture both temporal and contextual patterns in network traffic. The framework further incorporates a Selective Gradient-Based Knowledge Distillation (SG-KD) process to transfer critical knowledge from the teacher model to a lightweight student model, optimizing performance while reducing computational costs. In addition, ‘DistillGuard’ integrates gradient contribution heatmaps, layer-wise contribution, and gradient selection impact analysis to provide detailed explanability, enabling security experts to understand which layers contribute to the detection of attacks. Experimental results demonstrate that ‘DistillGuard’ achieves superior detection accuracy and efficiency compared to existing state-of-the-art IDS models.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104417"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001063","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The rapid expansion of IoT networks has increased the risk of cyber threats, making intrusion detection systems (IDS) critical for maintaining security. However, most of the existing IDS rely on computationally intensive deep learning architectures, rendering them unsuitable for IoT environments with limited resources. Additionally, existing IDS approaches, including those using Knowledge Distillation (KD), often fail to capture the complex temporal dependencies and contextual relationships inherent in IoT traffic, which limits their ability to detect complex multi-stage attacks. Furthermore, these models frequently lack transparency, hindering effective decision-making by security experts. To address these gaps, we propose DistillGuard, a novel IDS framework designed specifically for IoT networks. The proposed framework employs a Transformer-based teacher model, which utilizes a hybrid attention mechanism combining multi-head self-attention (MHSA) and cross-attention layers to effectively capture both temporal and contextual patterns in network traffic. The framework further incorporates a Selective Gradient-Based Knowledge Distillation (SG-KD) process to transfer critical knowledge from the teacher model to a lightweight student model, optimizing performance while reducing computational costs. In addition, ‘DistillGuard’ integrates gradient contribution heatmaps, layer-wise contribution, and gradient selection impact analysis to provide detailed explanability, enabling security experts to understand which layers contribute to the detection of attacks. Experimental results demonstrate that ‘DistillGuard’ achieves superior detection accuracy and efficiency compared to existing state-of-the-art IDS models.

查看原文本刊更多论文

基于变压器的可解释入侵检测系统知识升华

物联网网络的快速扩张增加了网络威胁的风险，使入侵检测系统（IDS）成为维护安全的关键。然而，现有的 IDS 大多依赖于计算密集型深度学习架构，不适合资源有限的物联网环境。此外，现有的 IDS 方法（包括使用知识蒸馏（KD）的方法）往往无法捕捉物联网流量中固有的复杂时间依赖性和上下文关系，这限制了它们检测复杂的多阶段攻击的能力。此外，这些模型往往缺乏透明度，阻碍了安全专家的有效决策。为了弥补这些不足，我们提出了 DistillGuard，一个专为物联网网络设计的新型 IDS 框架。所提出的框架采用了基于变换器的教师模型，该模型利用多头自我关注（MHSA）和交叉关注层相结合的混合关注机制，有效捕捉网络流量中的时间和上下文模式。该框架进一步采用了基于梯度选择的知识蒸馏（SG-KD）流程，将关键知识从教师模型转移到轻量级学生模型，从而在降低计算成本的同时优化性能。此外，"DistillGuard "还集成了梯度贡献热图、分层贡献和梯度选择影响分析，以提供详细的可解释性，使安全专家能够了解哪些层有助于检测攻击。实验结果表明，与现有的最先进 IDS 模型相比，"DistillGuard "实现了更高的检测精度和效率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.