IR-IDS: A network intrusion detection method based on causal feature selection and explainable model optimization

IF 4.8, Zone 2 (Computer Science), Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Yazhuo Gao, Lin Yang, Ran Zhu, Yixuan Wu, Feng Yang, Yining Cao
Computers & Security, volume 155, Article 104496. Published 2025-04-11. Journal Article.
DOI: 10.1016/j.cose.2025.104496
https://www.sciencedirect.com/science/article/pii/S0167404825001841
Citations: 0

Abstract

With the rapid advancement of computer network technologies, the complexity of cybersecurity issues has grown significantly. Intrusion Detection Systems (IDS), serving as the first line of defense against network attacks, are vital components in ensuring network security. However, traditional IDS often struggle to balance the robustness of detection capabilities with the interpretability of the model. To address these challenges, this paper proposes an interpretable and robust intrusion detection method (IR-IDS). The proposed approach begins by efficiently and accurately selecting the optimal feature subset for predicting the target variable, using a causal effect-based conditional testing method and a Markov blanket search algorithm. Subsequently, it enhances the decision tree algorithm using Shapley values, enabling fine-grained classification of attacks. Finally, by integrating Kolmogorov–Arnold Networks (KAN) and Conditional Variational Autoencoders (CVAE), the method further improves the detection of unknown attacks. Experimental results demonstrate that the proposed method outperforms existing techniques on five datasets, including CIC-IDS2017, CSE-CIC-IDS2018, CIC-DDoS2019, CIC-UNSW-NB15 and CIC-IoT-IDAD-2024, with multi-class accuracies of 98.83 %, 99.37 %, 99.57 %, 99.52 % and 97.11 %, respectively. From the results, it can be seen that this method not only ensures the interpretability of the model but also improves the accuracy and robustness of intrusion detection.
Source journal
Computers & Security (Engineering & Technology - Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.