Automated and Explainable Denial of Service Analysis for AI-Driven Intrusion Detection Systems
Paul Badu Yakubu, Lesther Santana, Mohamed Rahouti, Yufeng Xin, Abdellah Chehri, and Mohammed Aledhari

TL;DR
This paper introduces an automated, machine learning-based framework that enhances the detection and interpretability of DDoS attacks, addressing scalability and transparency issues in traditional intrusion detection systems.
Contribution
It combines TPOT for automated model optimization with SHAP for interpretability, providing a scalable and explainable approach to DDoS detection.
Findings
Key features like packet length are critical for detection
The method improves detection accuracy and transparency
Experimental results validate the approach's effectiveness
Abstract
With the increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks, it has become critical to develop more efficient and interpretable detection methods. Traditional detection systems often struggle with scalability and transparency, hindering real-time response and understanding of attack vectors. This paper presents an automated framework for detecting and interpreting DDoS attacks using machine learning (ML). The proposed method leverages the Tree-based Pipeline Optimization Tool (TPOT) to automate the selection and optimization of ML models and features, reducing the need for manual experimentation. SHapley Additive exPlanations (SHAP) is incorporated to enhance model interpretability, providing detailed insights into the contribution of individual features to the detection process. By combining TPOT's automated pipeline selection with SHAP…
Taxonomy
Topics: Network Security and Intrusion Detection · Smart Grid Security and Resilience · Anomaly Detection Techniques and Applications
