CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◬ AI & Machine Learning May 20, 2026

XAI FL-IDS: A Federated Learning and SHAP-Based Explainable Framework for Distributed Intrusion Detection Systems

arXiv Security Archived May 20, 2026 ✓ Full text saved

arXiv:2605.19448v1 Announce Type: new Abstract: An Intrusion Detection System (IDS) is vital in cybersecurity, detecting unauthorized activity across networks. With attacks on network layers increasing, stronger IDSs are needed. Yet most IDSs rely on centralized detection, forcing IoT nodes to ship data to a server, adding overhead and offering no privacy guarantees. Moreover, conventional models focus solely on flagging attacks, without explaining how individual features influence those decisio

Full text archived locally
✦ AI Summary · Claude Sonnet


    Computer Science > Cryptography and Security [Submitted on 19 May 2026] XAI FL-IDS: A Federated Learning and SHAP-Based Explainable Framework for Distributed Intrusion Detection Systems Mohammad Hossein Gholamrezazadeh, AhmadReza Montazerolghaem An Intrusion Detection System (IDS) is vital in cybersecurity, detecting unauthorized activity across networks. With attacks on network layers increasing, stronger IDSs are needed. Yet most IDSs rely on centralized detection, forcing IoT nodes to ship data to a server, adding overhead and offering no privacy guarantees. Moreover, conventional models focus solely on flagging attacks, without explaining how individual features influence those decisions. This research aims to address these dual limitations by first proposing a solution for privacy preservation and then adding explainability to the new system. We introduce an innovative framework called XAI FL-IDS, which integrates Federated Learning (FL) with Explainable AI (XAI). The XAI FL-IDS system eliminates concerns over data transfer because each node trains its data locally and only sends the necessary update parameters to the server. Additionally, all detections, both at the local node and central server levels, are scrutinized using SHapley Additive exPlanations (SHAP), providing detailed insight into the decision-making process. This system consists of a central server and 10 clients and utilizes the Edge-IIoTset dataset, which is distributed among all clients with careful attention paid to class balancing. On each client, the XGBoost model is executed on local data. The proposed method demonstrates robust efficiency and strong performance in intrusion detection, achieving an accuracy of over 99% and, at times, reaching 100%. By incorporating FL, the confidentiality of the network information on every local node is guaranteed. Subjects: Cryptography and Security (cs.CR); Networking and Internet Architecture (cs.NI) Cite as: arXiv:2605.19448 [cs.CR]   (or arXiv:2605.19448v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2605.19448 Focus to learn more Submission history From: Ahmadreza Montazerolghaem [view email] [v1] Tue, 19 May 2026 07:03:10 UTC (802 KB) Access Paper: view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-05 Change to browse by: cs cs.NI References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)
    💬 Team Notes
    Article Info
    Source
    arXiv Security
    Category
    ◬ AI & Machine Learning
    Published
    May 20, 2026
    Archived
    May 20, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗