# HED-ID: an edge-deployable and explainable intrusion detection system optimized via metaheuristic learning

**Authors:** Kushboo Nasir, Sahar K. Badri, Daniyal M. Alghazzawi, Mohammed Yahya Alghamdi, Mona Alkhozae, Abeer Almakky, Rania M. Alhazmi, Muhammad Zubair Asghar

PMC · DOI: 10.1038/s41598-025-32183-8 · Scientific Reports · 2026-01-19

## TL;DR

HED-ID is an intrusion detection system optimized for edge devices using a novel neural network and metaheuristic learning to balance accuracy, interpretability, and efficiency.

## Contribution

HED-ID introduces a novel edge-deployable IDS framework combining S-BiGRU, GWO, and SHAP for improved performance and interpretability.

## Key findings

- HED-ID achieves consistent detection performance on CICIDS-2017, UNSW-NB15, and ToN-IoT datasets.
- The system maintains low inference latency (18–22 ms) and memory usage (92–115 MB) in edge-like settings.
- SHAP provides interpretable insights by linking predictions to network attributes.

## Abstract

The increasing complexity of network traffic has heightened the demand for intrusion detection systems (IDS) that deliver high accuracy, interpretability, and efficiency in diverse computing environments, including edge devices. Traditional deep learning-based IDS models perform well but often suffer from feature redundancy, poor generalization, and limited adaptability to resource-constrained platforms. To address these challenges, we propose HED-ID: an edge-deployable and explainable IDS framework. The system utilizes a Stacked Bidirectional Gated Recurrent Unit (S-BiGRU)—a recurrent neural network variant that captures bidirectional temporal dependencies—with an attention mechanism to focus on critical patterns in traffic flows. Grey Wolf Optimization (GWO), a metaheuristic algorithm inspired by wolf hunting behavior, is employed for joint feature selection and hyperparameter tuning to improve efficiency. Finally, SHapley Additive exPlanations (SHAP), a game-theoretic approach for model interpretability, quantifies feature contributions, linking predictions to observable network attributes. Evaluations on the CICIDS-2017, UNSW-NB15, and ToN-IoT datasets show consistent detection performance in both cloud-like and edge-like settings, with inference latency of 18–22 ms and memory usage of 92–115 MB. These results highlight HED-ID’s balanced trade-off between accuracy, interpretability, and resource efficiency, making it suitable for real-world network security applications.

The online version contains supplementary material available at 10.1038/s41598-025-32183-8.

## Full-text entities

- **Diseases:** HED-ID (MESH:C536181)

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12816630/full.md

## Figures

11 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12816630/full.md

## References

8 references — full list in the complete paper: https://tomesphere.com/paper/PMC12816630/full.md

---
Source: https://tomesphere.com/paper/PMC12816630