An Optimized Decision Tree-Based Framework for Explainable IoT Anomaly Detection

TL;DR

This paper introduces an optimized, explainable decision tree framework for IoT anomaly detection that achieves high accuracy, transparency, and efficiency suitable for resource-constrained environments.

Contribution

It presents a novel XAI framework combining decision trees with SHAP and Morris methods, enabling real-time, explainable IoT intrusion detection on edge devices.

Findings

Achieved 99.91% accuracy and 99.51% F1-score.

Demonstrated high stability with 98.93% cross-validation accuracy.

Provided faster inference compared to ensemble models.

Abstract

The increase in the number of Internet of Things (IoT) devices has tremendously increased the attack surface of cyber threats thus making a strong intrusion detection system (IDS) with a clear explanation of the process essential towards resource-constrained environments. Nevertheless, current IoT IDS systems are usually traded off with detection quality, model elucidability, and computational effectiveness, thus the deployment on IoT devices. The present paper counteracts these difficulties by suggesting an explainable AI (XAI) framework based on an optimized Decision Tree classifier with both local and global importance methods: SHAP values that estimate feature attribution using local explanations, and Morris sensitivity analysis that identifies the feature importance in a global view. The proposed system attains the state of art on the test performance with 99.91% accuracy, F1-score of 99.51% and Cohen Kappa of 0.9960 and high stability is confirmed by a cross validation mean accuracy of 98.93%. Efficiency is also enhanced in terms of computations to provide faster inferences compared to those that are generalized in ensemble models. SrcMac has shown as the most significant predictor in feature analyses according to SHAP and Morris methods. Compared to the previous work, our solution eliminates its major drawback lack because it allows us to apply it to edge devices and, therefore, achieve real-time processing, adhere to the new regulation of transparency in AI, and achieve high detection rates on attacks of dissimilar classes. This combination performance of high accuracy, explainability, and low computation make the framework useful and reliable as a resource-constrained IoT security problem in real environments.