Explainable Threat Attribution for IoT Networks Using Conditional SHAP and Flow Behavior Modelling
Samuel Ozechi, Jennifer Okonkwoabutu

TL;DR
This paper presents an explainable multiclass threat attribution approach for IoT networks using gradient boosting and SHAP, providing detailed insights into attack features and improving trust in intrusion detection systems.
Contribution
It introduces a novel combination of gradient boosting and SHAP for multiclass threat attribution in IoT, with detailed feature and decision analysis for enhanced explainability.
Findings
The model effectively distinguishes attack behaviors using flow features.
SHAP explanations reveal key features driving each attack class.
The approach enhances trust and interpretability in IoT cybersecurity detection.
Abstract
As the Internet of Things (IoT) continues to expand across critical infrastructure, smart environments, and consumer devices, securing them against cyber threats has become increasingly vital. Traditional intrusion detection models often treat IoT threats as binary classification problems or rely on opaque models, thereby limiting trust. This work studies multiclass threat attribution in IoT environments using the CICIoT2023 dataset, grouping over 30 attack variants into 8 semantically meaningful classes. We utilize a combination of a gradient boosting model and SHAP (SHapley Additive exPlanations) to deliver both global and class-specific explanations, enabling detailed insight into the features driving each attack classification. The results show that the model distinguishes distinct behavioral signatures of the attacks using flow timing, packet size uniformity, TCP flag dynamics, and…
Taxonomy
Topics: Network Security and Intrusion Detection · Explainable Artificial Intelligence (XAI) · Internet Traffic Analysis and Secure E-voting
