Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Automated and Explainable Denial of Service Analysis for AI-Driven Intrusion Detection Systems

Paul Badu Yakubu, Lesther Santana, Mohamed Rahouti, Yufeng Xin, Abdellah Chehri, Mohammed Aledhari

TL;DR

The paper addresses scalable and interpretable DDoS detection in AI-driven IDS. It proposes an automated framework that uses TPOT to optimize ML pipelines and SHAP to explain feature contributions to predictions. The approach identifies mean backward packet length and minimum forward packet header length as key indicators and demonstrates near-perfect accuracy on the Lycos-IDS2017 dataset, with a TPOT-derived pipeline (DecisionTreeClassifier, entropy; max_depth=10; min_samples_leaf=2; min_samples_split=7) achieving a test accuracy of $0.9991$ and cross-validated score of $0.9992$. The results highlight the value of automated pipeline search plus model-agnostic explanations for trustworthy, real-time intrusion detection and suggest directions for real-time SHAP, deeper models, and broader threat coverage.

Abstract

With the increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks, it has become critical to develop more efficient and interpretable detection methods. Traditional detection systems often struggle with scalability and transparency, hindering real-time response and understanding of attack vectors. This paper presents an automated framework for detecting and interpreting DDoS attacks using machine learning (ML). The proposed method leverages the Tree-based Pipeline Optimization Tool (TPOT) to automate the selection and optimization of ML models and features, reducing the need for manual experimentation. SHapley Additive exPlanations (SHAP) is incorporated to enhance model interpretability, providing detailed insights into the contribution of individual features to the detection process. By combining TPOT's automated pipeline selection with SHAP interpretability, this approach improves the accuracy and transparency of DDoS detection. Experimental results demonstrate that key features such as mean backward packet length and minimum forward packet header length are critical in detecting DDoS attacks, offering a scalable and explainable cybersecurity solution.

Automated and Explainable Denial of Service Analysis for AI-Driven Intrusion Detection Systems

TL;DR

The paper addresses scalable and interpretable DDoS detection in AI-driven IDS. It proposes an automated framework that uses TPOT to optimize ML pipelines and SHAP to explain feature contributions to predictions. The approach identifies mean backward packet length and minimum forward packet header length as key indicators and demonstrates near-perfect accuracy on the Lycos-IDS2017 dataset, with a TPOT-derived pipeline (DecisionTreeClassifier, entropy; max_depth=10; min_samples_leaf=2; min_samples_split=7) achieving a test accuracy of and cross-validated score of . The results highlight the value of automated pipeline search plus model-agnostic explanations for trustworthy, real-time intrusion detection and suggest directions for real-time SHAP, deeper models, and broader threat coverage.

Abstract

With the increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks, it has become critical to develop more efficient and interpretable detection methods. Traditional detection systems often struggle with scalability and transparency, hindering real-time response and understanding of attack vectors. This paper presents an automated framework for detecting and interpreting DDoS attacks using machine learning (ML). The proposed method leverages the Tree-based Pipeline Optimization Tool (TPOT) to automate the selection and optimization of ML models and features, reducing the need for manual experimentation. SHapley Additive exPlanations (SHAP) is incorporated to enhance model interpretability, providing detailed insights into the contribution of individual features to the detection process. By combining TPOT's automated pipeline selection with SHAP interpretability, this approach improves the accuracy and transparency of DDoS detection. Experimental results demonstrate that key features such as mean backward packet length and minimum forward packet header length are critical in detecting DDoS attacks, offering a scalable and explainable cybersecurity solution.

Paper Structure

This paper contains 25 sections, 2 equations, 2 figures, 11 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Traditional Methods for DoS and DDoS Detection
  4. ML Approaches
  5. Feature Selection and Dimensionality Reduction
  6. Feature Selection and Dimensionality Reduction
  7. Interpretability and Explainability in ML Models
  8. Uniqueness of This Paper
  9. Research Problem and Goals
  10. Methodology
  11. Dataset
  12. Automated Model Selection through TPOT
  13. Intelligent TPOT Pipeline-based Feature Importance Extraction
  14. Utilizing SHAP for Feature Importance Analysis Across Different Classes
  15. Performance Evaluation and Feature Impact Analysis
  16. ...and 10 more sections

Figures (2)

  • Figure 1: Automated DoS detection pipeline.
  • Figure 2: A summary plot showing important features for all classes