LENS-XAI: Redefining Lightweight and Explainable Network Security through Knowledge Distillation and Variational Autoencoders for Scalable Intrusion Detection in Cybersecurity
Muhammet Anil Yagiz, Polat Goktas
TL;DR
LENS-XAI tackles the need for scalable, interpretable intrusion detection in IIoT/edge contexts by uniting a variational autoencoder (VAE)–based latent representation with knowledge distillation (KD) to craft a lightweight yet accurate student model guided by a high-capacity teacher. An attribution-based explainability component decomposes predictions into feature-level contributions, enabling transparent decision-making. The framework is validated across four diverse benchmarks (Edge-IIoTset, UKM-IDS20, CTU-13, NSL-KDD), achieving high detection accuracies (up to 99.92% on UKM-IDS20 and 98.66% on NSL-KDD for the teacher, 99.80% for the student) while substantially reducing model complexity and inference time. The results demonstrate robust performance, strong generalization to varied attack types, and enhanced trust via interpretable explanations, making LENS-XAI suitable for real-world deployment in resource-constrained environments. Future work suggests extending the framework to ensemble/distributed settings to further improve robustness and adaptability in evolving threat landscapes.
Abstract
The rapid proliferation of Industrial Internet of Things (IIoT) systems necessitates advanced, interpretable, and scalable intrusion detection systems (IDS) to combat emerging cyber threats. Traditional IDS face challenges such as high computational demands, limited explainability, and inflexibility against evolving attack patterns. To address these limitations, this study introduces the Lightweight Explainable Network Security framework (LENS-XAI), which combines robust intrusion detection with enhanced interpretability and scalability. LENS-XAI integrates knowledge distillation, variational autoencoder models, and attribution-based explainability techniques to achieve high detection accuracy and transparency in decision-making. By leveraging a training set comprising 10% of the available data, the framework optimizes computational efficiency without sacrificing performance. Experimental evaluation on four benchmark datasets: Edge-IIoTset, UKM-IDS20, CTU-13, and NSL-KDD, demonstrates the framework's superior performance, achieving detection accuracies of 95.34%, 99.92%, 98.42%, and 99.34%, respectively. Additionally, the framework excels in reducing false positives and adapting to complex attack scenarios, outperforming existing state-of-the-art methods. Key strengths of LENS-XAI include its lightweight design, suitable for resource-constrained environments, and its scalability across diverse IIoT and cybersecurity contexts. Moreover, the explainability module enhances trust and transparency, critical for practical deployment in dynamic and sensitive applications. This research contributes significantly to advancing IDS by addressing computational efficiency, feature interpretability, and real-world applicability. Future work could focus on extending the framework to ensemble AI systems for distributed environments, further enhancing its robustness and adaptability.