Explainable Artificial Intelligence-Based Network Intrusion Detection System Using SHAP, LIME and Counterfactual Analysis

Abstract: The rapid evolution of cyber threats has exposed the limitations of traditional signature-based intrusion detection systems. While machine learning offers strong detection capability, its opacity undermines analyst trust. This research proposes an Explainable AI-based Network Intrusion Detection System combining XGBoost classification with a comprehensive SHAP explanation framework.The system processes traffic from three benchmark datasets — UNSW- NB15, CIC-IDS-2017, and NSL-KDD — through automated preprocessing covering encoding, normalisation, stratified partitioning, and class imbalance handling. The XGBoost classifier achieves F1-Scores of 0.9793, 0.9914, and 0.9853 respectively. SHAP TreeExplainer generates six visualisation types spanning global and local explanations, further complemented by LIME surrogate modelling and counterfactual generation — forming three mutually validating interpretability channels.Findings consistently identify volumetric flow statistics, behavioural connection-count features, and protocol-state indicators as dominant discriminating factors, aligning with established network security knowledge and reinforcing both the model's reliability and real-world applicability.

Keywords: Explainable AI, Network Intrusion Detection, SHAP, XGBoost, LIME, Cyber Security