pith. sign in

arxiv: 2605.19448 · v1 · pith:XOXP6MNLnew · submitted 2026-05-19 · 💻 cs.CR · cs.NI

XAI FL-IDS: A Federated Learning and SHAP-Based Explainable Framework for Distributed Intrusion Detection Systems

Mohammad Hossein Gholamrezazadeh , AhmadReza Montazerolghaem This is my paper

Pith reviewed 2026-05-20 04:46 UTC · model grok-4.3

classification 💻 cs.CR cs.NI
keywords federated learningintrusion detectionexplainable AISHAPIoT securityprivacy preservationXGBoostEdge-IIoTset
0
0 comments X

The pith

A federated learning system trains intrusion detectors locally on each node and uses SHAP to explain every detection decision while reaching over 99% accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces XAI FL-IDS to solve two problems in network security: centralized systems that force IoT devices to send raw data to a server, and models that flag attacks without showing which features matter. It combines federated learning, where each of ten clients trains an XGBoost model on its local slice of the Edge-IIoTset dataset, with SHAP explanations applied to both local and aggregated predictions. Only model updates travel to the central server, so raw traffic data never leaves its node. The reported results show accuracy above 99 percent, sometimes 100 percent, across balanced classes. This produces a working IDS that keeps data private and makes its reasoning inspectable at every level.

Core claim

The XAI FL-IDS framework integrates federated learning with SHAP-based explanations so that each client trains an XGBoost model on its local portion of the Edge-IIoTset dataset, sends only parameter updates to a central server, and applies SHAP to interpret detections at both client and server levels, achieving accuracy over 99 percent while guaranteeing data confidentiality.

What carries the argument

The XAI FL-IDS architecture that pairs federated averaging of local XGBoost models with per-prediction SHAP value computation for feature-level explanations.

If this is right

  • Each of the ten clients can run its own detection and explanation without ever transmitting raw network records.
  • SHAP values make the influence of individual traffic features visible for every alert, both at the edge node and after aggregation.
  • The approach removes the need to centralize sensitive IoT data while still producing a single usable global model.
  • Accuracy above 99 percent holds after class balancing on the chosen dataset splits.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same local-plus-explanation pattern could be applied to other privacy-sensitive monitoring tasks such as anomaly detection in industrial control systems.
  • If non-IID effects prove stronger in practice, adaptive client weighting or periodic full-model sharing might become necessary additions.
  • Replacing XGBoost with other base learners would test whether the privacy and explanation benefits survive changes in the underlying classifier.

Load-bearing premise

That splitting the Edge-IIoTset dataset across ten clients, balancing the classes, and training separate XGBoost models locally will let federated updates preserve high detection accuracy without large drops caused by non-identical data distributions or communication problems.

What would settle it

Deploy the same federated setup on real-world non-IID IoT traffic that includes packet loss and latency, then measure whether accuracy falls below 95 percent or local and global SHAP values diverge sharply.

read the original abstract

An Intrusion Detection System (IDS) is vital in cybersecurity, detecting unauthorized activity across networks. With attacks on network layers increasing, stronger IDSs are needed. Yet most IDSs rely on centralized detection, forcing IoT nodes to ship data to a server, adding overhead and offering no privacy guarantees. Moreover, conventional models focus solely on flagging attacks, without explaining how individual features influence those decisions. This research aims to address these dual limitations by first proposing a solution for privacy preservation and then adding explainability to the new system. We introduce an innovative framework called XAI FL-IDS, which integrates Federated Learning (FL) with Explainable AI (XAI). The XAI FL-IDS system eliminates concerns over data transfer because each node trains its data locally and only sends the necessary update parameters to the server. Additionally, all detections, both at the local node and central server levels, are scrutinized using SHapley Additive exPlanations (SHAP), providing detailed insight into the decision-making process. This system consists of a central server and 10 clients and utilizes the Edge-IIoTset dataset, which is distributed among all clients with careful attention paid to class balancing. On each client, the XGBoost model is executed on local data. The proposed method demonstrates robust efficiency and strong performance in intrusion detection, achieving an accuracy of over 99% and, at times, reaching 100%. By incorporating FL, the confidentiality of the network information on every local node is guaranteed.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper proposes XAI FL-IDS, a framework integrating Federated Learning with SHAP-based explainability for intrusion detection in IoT networks. It distributes the Edge-IIoTset dataset across 10 clients with class balancing, trains independent XGBoost models locally on each client, sends update parameters to a central server, and applies SHAP explanations to detections at both local and global levels, claiming accuracy over 99% (sometimes 100%) while preserving data privacy.

Significance. If the federated aggregation produces a functional global model that sustains the reported detection performance without degradation from non-IID data or communication overhead, the work would offer a practical contribution to privacy-preserving and interpretable distributed IDS for edge computing environments.

major comments (1)
  1. [Framework / Methods (description of XAI FL-IDS system and client-server interaction)] The framework description states that clients train local XGBoost models and transmit 'update parameters' to the server for aggregation, yet no concrete server-side procedure is provided for merging tree ensembles (split thresholds, feature indices, leaf scores). Standard averaging does not apply to XGBoost, so the headline accuracy figures cannot be evaluated as evidence of a working federated system rather than isolated local training.
minor comments (1)
  1. [Abstract and Results] The abstract and results claims of >99% accuracy lack accompanying details on evaluation protocol, number of independent runs, baseline comparisons, or ablation studies on the aggregation step, which would strengthen the empirical support.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the detailed and constructive feedback on our manuscript. We address the major comment point by point below and outline the revisions we will make to strengthen the description of the proposed framework.

read point-by-point responses

  1. Referee: [Framework / Methods (description of XAI FL-IDS system and client-server interaction)] The framework description states that clients train local XGBoost models and transmit 'update parameters' to the server for aggregation, yet no concrete server-side procedure is provided for merging tree ensembles (split thresholds, feature indices, leaf scores). Standard averaging does not apply to XGBoost, so the headline accuracy figures cannot be evaluated as evidence of a working federated system rather than isolated local training.

    Authors: We acknowledge that the current manuscript provides only a high-level description of the client-server interaction and does not specify the exact server-side procedure for aggregating the XGBoost tree ensembles. In the revised manuscript, we will add a dedicated subsection detailing the aggregation mechanism, including how split thresholds, feature indices, and leaf scores from the local models are combined at the central server to form the global model. This will explicitly address why standard parameter averaging is inapplicable to tree-based models and describe the alternative merging strategy employed. With these additions, the reported accuracy figures can be properly interpreted in the context of the federated aggregation process rather than isolated local training. revision: yes

Circularity Check

0 steps flagged

No derivation chain present; empirical application of standard techniques

full rationale

The paper is an empirical study applying federated learning with local XGBoost training on partitioned Edge-IIoTset data, followed by SHAP explanations. No equations, first-principles derivations, predictions, or uniqueness theorems are claimed or present. Results are reported from direct experiments rather than any reduction to fitted parameters or self-referential definitions. The framework relies on external standard methods (FL, XGBoost, SHAP) without load-bearing self-citations that would create circularity. This is a normal non-circular empirical ML application.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract-only review limits visibility into modeling choices; no explicit free parameters, axioms, or invented entities are stated beyond standard assumptions of federated averaging and SHAP additivity.

axioms (1)
  • domain assumption Local XGBoost models trained on partitioned data can be aggregated via federated learning to produce a global model with high detection accuracy.
    Implicit in the description of the 10-client setup and reported performance.

pith-pipeline@v0.9.0 · 5814 in / 1191 out tokens · 40475 ms · 2026-05-20T04:46:51.454349+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

11 extracted references · 11 canonical work pages · 1 internal anchor

  1. [1]

    Personalized federated learning-based intrusion detection system: Poisoning attack and defense,

    T. T. Thein, Y. Shiraishi, and M. Morii, “Personalized federated learning-based intrusion detection system: Poisoning attack and defense,” Future Generation Computer Systems , vol. 153, pp. 182 – 192, Apr. 2024, doi: https://doi.org/10.1016/j.future.2023.10.005

    work page doi:10.1016/j.future.2023.10.005 2024

  2. [2]

    Advanced intrusion detection in the industrial Internet of Things using federated learning and LSTM models,

    R. W. Anwer, M. Abrar, M. Ullah, A. Salam, and F. Ullah, “Advanced intrusion detection in the industrial Internet of Things using federated learning and LSTM models,” Ad Hoc Networks, vol. 178, p. 103991, Nov. 2025, doi: https://doi.org/10.1016/j.adhoc.2025.103991

    work page doi:10.1016/j.adhoc.2025.103991 2025

  3. [3]

    A Heterogeneity - Aware Semi -Decentralized Model for a Lightweight Intrusion Detection System for IoT Networks Based on Federated Learning and BiLSTM,

    S. Alsaleh, M. E. B. Menai, and S. Al -Ahmadi, “A Heterogeneity - Aware Semi -Decentralized Model for a Lightweight Intrusion Detection System for IoT Networks Based on Federated Learning and BiLSTM,” Sensors, vol. 25, no. 4, p. 1039, Feb. 2025, doi: https://doi.org/10.3390/s25041039

    work page doi:10.3390/s25041039 2025

  4. [4]

    Federated Learning for Distributed IoT Security: A Privacy-Preserving Approach to Intrusion Detection,

    C. Gutti, K. Thumula, and P. Balbudhe, “Federated Learning for Distributed IoT Security: A Privacy-Preserving Approach to Intrusion Detection,” IEEE Access , vol. 13, pp. 135863 –135875, 2025, doi: https://doi.org/10.1109/access.2025.3592481

    work page doi:10.1109/access.2025.3592481 2025

  5. [5]

    Federated XAI IDS: An Explainable and Safeguarding Privacy Approach to Detect Intrusion Combining Federated Learning and SHAP,

    Kazi Fatema et al. , “Federated XAI IDS: An Explainable and Safeguarding Privacy Approach to Detect Intrusion Combining Federated Learning and SHAP,” Future Internet, vol. 17, no. 6, pp. 234–234, May 2025, doi: https://doi.org/10.3390/fi17060234

    work page doi:10.3390/fi17060234 2025

  6. [6]

    FL-IDS: Federated Learning-Based Intrusion Detection System Using Edge Devices for Transportation IoT,

    M. H. Bhavsar, Y. B. Bekele, K. Roy, J. C. Kelly, and D. Limbrick, “FL-IDS: Federated Learning-Based Intrusion Detection System Using Edge Devices for Transportation IoT,” IEEE Access , vol. 12, pp. 52215–52226, 2024, doi: https://doi.org/10.1109/access.2024.3386631

    work page doi:10.1109/access.2024.3386631 2024

  7. [7]

    Federated Learning-Based Intrusion Detection in IoT Networks: Performance Evaluation and Data Scaling Study,

    N. Albanbay et al., “Federated Learning-Based Intrusion Detection in IoT Networks: Performance Evaluation and Data Scaling Study,” Journal of Sensor and Actuator Networks , vol. 14, no. 4, p. 78, Jul. 2025, doi: https://doi.org/10.3390/jsan14040078

    work page doi:10.3390/jsan14040078 2025

  8. [8]

    A Federated Learning -Based Approach for Improving Intrusion Detection in Industrial Internet of Things Networks,

    M. M. Rashid, S. U. Khan, F. Eusufzai, Md. A. Redwan, S. R. Sabuj, and M. Elsharief, “A Federated Learning -Based Approach for Improving Intrusion Detection in Industrial Internet of Things Networks,” Network, vol. 3, no. 1, pp. 158 –179, Jan. 2023, doi: https://doi.org/10.3390/network3010008

    work page doi:10.3390/network3010008 2023

  9. [9]

    An optimal federated learning -based intrusion detection for IoT environment,

    A. Karunamurthy, K. Vijayan, P. R. Kshirsagar, and K. T. Tan, “An optimal federated learning -based intrusion detection for IoT environment,” Scientific Reports , vol. 15, no. 1, Mar. 2025, doi: https://doi.org/10.1038/s41598-025-93501-8

    work page doi:10.1038/s41598-025-93501-8 2025

  10. [10]

    Systematic Analysis of Federated Learning Approaches for Intrusion Detection in the Internet of Things Environment,

    N. A. Hamad, K. A. A. Bakar, F. Qamar, A. M. Jubair, R. R. Mohamed, and M. A. Mohamed, “Systematic Analysis of Federated Learning Approaches for Intrusion Detection in the Internet of Things Environment,” IEEE Access , vol. 13, pp. 95410 –95444, 2025, doi: https://doi.org/10.1109/access.2025.3574672

    work page doi:10.1109/access.2025.3574672 2025

  11. [11]

    A Unified Approach to Interpreting Model Predictions

    S. Lundberg and S.-I. Lee, “A Unified Approach to Interpreting Model Predictions,” arXiv.org, Nov. 24, 2017. https://arxiv.org/abs/1705.07874v2 Fig. 6. Average Training Time Per Client of XAI FL-IDS Fig. 7. Average Training Time Per Client of Base Method PREDICTION_ID TRUE_LABEL PREB_LABEL PREB_PROBABILITY 0 1 1 0.5936770151 1 1 1 0.5979139805 2 0 0 0.404...

    work page internal anchor Pith review Pith/arXiv arXiv 2017