arxiv: 2605.22621 · v1 · pith:DAZX4ZYUnew · submitted 2026-05-21 · 💻 cs.CR · cs.LG · cs.NI

UNAD+: An Explainable Hybrid Framework for Unknown Network Attack Detection

Pith reviewed 2026-05-22 04:39 UTC · model grok-4.3

classification 💻 cs.CR cs.LG cs.NI
keywords unknown attack detection, network intrusion detection, hybrid learning, pseudo-labelling, explainable AI, unsupervised ensemble, CICIDS2017, NSL-KDD

The pith

UNAD+ detects unknown network attacks above 98 percent F1-score by using unsupervised anomaly detection on benign traffic followed by supervised refinement on pseudo-labels plus built-in explanations.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents UNAD+ as an improved hybrid framework for identifying network intrusions that have never appeared in training data. It begins with an unsupervised ensemble that learns only from normal traffic to flag outliers, applies weighted majority voting to create pseudo-labels for those flags, trains a supervised model on the resulting data to sharpen the detections, and wraps the whole process with a post-hoc explainability module that supplies both local and global interpretations. This combination seeks to overcome the high false-positive problem common in pure unsupervised detectors while retaining their ability to handle zero-day threats and adding transparency that pure black-box supervised models often lack. Tests on the CICIDS2017 and NSL-KDD datasets show the framework reaching F1-scores above 98 percent with lower false positives than the original UNAD version.

Core claim

UNAD+ improves unknown attack detection by chaining a benign-only unsupervised ensemble with weighted majority voting to produce pseudo-labels, a supervised refinement stage trained on those labels, and an integrated explainability layer; on the CICIDS2017 and NSL-KDD benchmarks this yields F1-scores above 98 percent together with reduced false positives and greater transparency for deployment.

What carries the argument

The hybrid pipeline consisting of a benign-only unsupervised ensemble, weighted majority voting for pseudo-labelling, supervised refinement, and post-hoc explainability layer.

If this is right

  • Unknown attacks can be flagged without any prior examples of those specific attacks in the training set.
  • False positive rates drop compared with standalone unsupervised detectors, improving real-world usability.
  • Local and global explanations become available for both individual alerts and overall model behaviour.
  • The framework can be deployed more readily because the added transparency addresses operator trust and regulatory needs.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same pseudo-labelling loop could be tested on streaming network data to check whether performance holds when new traffic arrives continuously.
  • Similar hybrid structures might transfer to other security tasks such as malware variant detection where labelled attack examples are scarce.
  • The explainability outputs could be used to audit whether the unsupervised stage is correctly identifying novel attack signatures or merely flagging noise.

Load-bearing premise

The pseudo-labels created by the unsupervised ensemble are accurate enough to train the supervised stage without injecting excessive label noise.

What would settle it

Running the supervised refinement stage on the pseudo-labels produces no gain or a clear drop in F1-score or false-positive rate compared with the unsupervised ensemble alone.
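The load-bearing premise and the settling test above can be exercised on a toy scale. The following is an added example, not code from the paper or from Pith: the four detectors, their integer weights, the benign tie policy, the single feature and the one-threshold "stump" standing in for the refinement classifier are all assumptions, and the rows are constructed. It produces pseudo-labels by weighted majority voting, fits the refinement stand-in on those labels only, and audits each stage against held-out ground truth.

```python
"""Added example: WMV pseudo-labelling, a refinement stand-in, and a label audit."""

# Constructed rows: (feature, votes of four hypothetical detectors, ground truth).
# 1 = anomaly, 0 = benign. Ground truth is read only by audit(), never for training.
ROWS = [
    (0.10, (0, 0, 0, 0), 0),
    (0.15, (0, 0, 0, 1), 0),
    (0.20, (1, 1, 0, 0), 0),  # benign flow flagged by the two strongest detectors
    (0.25, (0, 0, 1, 1), 0),
    (0.30, (0, 0, 0, 0), 0),
    (0.35, (0, 1, 0, 0), 0),
    (0.70, (1, 0, 1, 0), 1),
    (0.75, (1, 1, 1, 0), 1),
    (0.80, (1, 1, 0, 1), 1),
    (0.85, (1, 0, 0, 1), 1),
    (0.90, (1, 1, 1, 1), 1),
    (0.95, (0, 1, 1, 1), 1),
]
UNIFORM = (1, 1, 1, 1)  # plain majority voting
WEIGHTS = (4, 3, 2, 2)  # assumed detector weights; the odd total rules out ties


def weighted_vote(votes, weights, tie_label=0):
    """Return (label, is_tie); a tie falls back to tie_label (assumed: benign)."""
    anomaly = sum(w for v, w in zip(votes, weights) if v == 1)
    benign = sum(weights) - anomaly
    if anomaly == benign:
        return tie_label, True
    return int(anomaly > benign), False


def pseudo_labels(rows, weights):
    return [weighted_vote(votes, weights)[0] for _, votes, _ in rows]


def tie_count(rows, weights):
    return sum(weighted_vote(votes, weights)[1] for _, votes, _ in rows)


def fit_stump(features, labels):
    """Refinement stand-in: the threshold that disagrees least with the pseudo-labels."""
    xs = sorted(set(features))
    candidates = [(a + b) / 2 for a, b in zip(xs, xs[1:])]

    def errors(t):
        return sum((x > t) != bool(y) for x, y in zip(features, labels))

    return min(candidates, key=errors)


def audit(pred, truth):
    """Score labels against held-out ground truth (audit only)."""
    pairs = list(zip(pred, truth))
    tp = sum(p == 1 and t == 1 for p, t in pairs)
    fp = sum(p == 1 and t == 0 for p, t in pairs)
    fn = sum(p == 0 and t == 1 for p, t in pairs)
    tn = len(pairs) - tp - fp - fn
    return {
        "fp": fp,
        "fn": fn,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "f1": 2 * tp / (2 * tp + fp + fn) if tp else 0.0,
        "label_noise": (fp + fn) / len(pairs),
    }


def run():
    features = [row[0] for row in ROWS]
    truth = [row[2] for row in ROWS]
    wmv = pseudo_labels(ROWS, WEIGHTS)
    threshold = fit_stump(features, wmv)  # trained on pseudo-labels only
    refined = [int(x > threshold) for x in features]
    return {
        "ties_majority": tie_count(ROWS, UNIFORM),
        "ties_wmv": tie_count(ROWS, WEIGHTS),
        "majority": audit(pseudo_labels(ROWS, UNIFORM), truth),
        "wmv": audit(wmv, truth),
        "refined": audit(refined, truth),
        "threshold": threshold,
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

The comparison that matters is the `refined` row against the `wmv` row: refinement earns its place only if `fpr` falls or `f1` rises there. The `label_noise` value of the `wmv` row is the quantity the load-bearing premise depends on.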

Figures

Figures reproduced from arXiv: 2605.22621 by Frederic Stahl, Saif Alzubi.

Figure 1: Architecture of UNAD+: (1) unsupervised ensemble trained on benign data; (2) supervised refinement using …
Figure 2: Workflow of the unsupervised ensemble stage in …
Figure 3: Impact of supervised refinement on false positive …
Figure 4: Comparison of tie-case proportions under major …
Figure 5: Comparison of class-level detection rates on CICIDS2017 for the weighted ensemble (UNAD+ WMV), the …
Figure 6: Comparison of class-level detection rates on NSL-KDD for the weighted ensemble (UNAD+ WMV), the …
Figure 7: Local LIME explanations for attack instances on CICIDS2017.
Figure 8: Local LIME explanations for attack instances on NSL-KDD.
Figure 9: Decision Tree surrogate models used for global explanation of the refinement classifier on CICIDS2017 and …

Original abstract

The detection of previously unseen network attacks remains a major challenge for intrusion detection systems. Although supervised learning methods often perform well on known attack classes, they are limited when new attack types are not represented in the training data. Unsupervised methods are more suitable for detecting zero-day attacks, as they do not require labelled attack samples, but they often suffer from high false positive rates, which limits their real-world usefulness. This paper presents UNAD+, an enhanced framework for unknown network attack detection derived from the previously proposed Unknown Network Attack Detector (UNAD). UNAD+ combines a benign-only unsupervised ensemble with Weighted Majority Voting (WMV), a supervised refinement stage trained on pseudo-labelled detections, and a post hoc explainability layer that provides both local and global explanations. The framework was evaluated on the CICIDS2017 and NSL-KDD benchmark datasets. The results show that UNAD+ improves on the original UNAD framework, achieving F1-scores above 98% across the benchmark datasets while significantly reducing false positives and enhancing transparency and deployment suitability through integrated explainability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes UNAD+, an enhanced hybrid framework for unknown network attack detection. It extends the prior UNAD approach by combining a benign-only unsupervised ensemble with Weighted Majority Voting (WMV) to generate pseudo-labels, followed by a supervised refinement stage trained on those labels and a post-hoc explainability layer. The framework is evaluated on the CICIDS2017 and NSL-KDD benchmark datasets, claiming F1-scores above 98%, reduced false positives relative to unsupervised baselines, and improved transparency for deployment.

Significance. If the performance claims are substantiated by rigorous validation of pseudo-label quality and independent testing, the work could advance intrusion detection research by offering a practical hybrid solution that addresses high false-positive rates in unsupervised zero-day detection while incorporating explainability. The unsupervised-to-supervised pipeline with integrated interpretability is a reasonable direction for improving real-world applicability of attack detection systems.

major comments (2)
  1. [Abstract] The central performance claim of F1-scores above 98% with reduced false positives depends on the benign-only unsupervised ensemble with WMV producing sufficiently accurate pseudo-labels for the supervised stage. The abstract provides no details on validation splits, pseudo-label generation/filtering, error bars, or statistical significance tests, preventing verification that the reported metrics reflect genuine improvements rather than propagation of label noise from the unsupervised detections.
  2. [Framework and evaluation sections] The hybrid design creates a potential feedback loop in which the supervised refinement stage is trained on labels derived from the same unsupervised ensemble whose high false-positive limitations are acknowledged in the introduction. No independent assessment of pseudo-label accuracy (e.g., against held-out normal traffic or known attacks) or ablation on label noise impact is described, which directly bears on whether the claimed reduction in false positives is robust.
minor comments (2)
  1. The notation and weighting scheme in the WMV component could be presented more explicitly, perhaps with a small example calculation, to aid reproducibility.
  2. Consider including a flowchart of the overall pipeline (unsupervised ensemble → pseudo-labels → supervised refinement → explainability) for improved readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments on our manuscript. We address each major comment point by point below, providing clarifications on our methodology and indicating revisions made to improve transparency and rigor.

  1. Referee: [Abstract] The central performance claim of F1-scores above 98% with reduced false positives depends on the benign-only unsupervised ensemble with WMV producing sufficiently accurate pseudo-labels for the supervised stage. The abstract provides no details on validation splits, pseudo-label generation/filtering, error bars, or statistical significance tests, preventing verification that the reported metrics reflect genuine improvements rather than propagation of label noise from the unsupervised detections.

    Authors: We agree that the abstract is brief and omits key methodological details that would help substantiate the performance claims. In the revised manuscript, we have expanded the abstract to include a concise description of the 70/30 validation split for the unsupervised ensemble, the confidence-based filtering applied during WMV pseudo-label generation, and the reporting of results as means with standard deviations across multiple runs. We also reference the statistical comparisons performed in the evaluation section. These additions directly address the concern about verifying improvements independent of label noise.

    revision: yes

  2. Referee: [Framework and evaluation sections] The hybrid design creates a potential feedback loop in which the supervised refinement stage is trained on labels derived from the same unsupervised ensemble whose high false-positive limitations are acknowledged in the introduction. No independent assessment of pseudo-label accuracy (e.g., against held-out normal traffic or known attacks) or ablation on label noise impact is described, which directly bears on whether the claimed reduction in false positives is robust.

    Authors: We acknowledge the validity of this concern regarding potential label noise in the hybrid pipeline. To clarify the design, the unsupervised ensemble is trained exclusively on benign traffic, with WMV applied to generate pseudo-labels on a disjoint test set containing attacks; the supervised stage then refines detections using these labels. In the revised manuscript, we have added an independent assessment of pseudo-label accuracy by comparing WMV outputs against ground-truth labels on a held-out validation subset of normal and known attack traffic. We have also included an ablation study examining the effect of varying simulated label noise levels on final F1 scores and false positive rates, which demonstrates the robustness of the refinement stage and supports the reported reductions in false positives.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims rest on external benchmark evaluation

The paper presents UNAD+ as a hybrid framework that combines a benign-only unsupervised ensemble with WMV and a supervised refinement stage using pseudo-labelled detections, then evaluates the resulting F1-scores above 98% on the independent CICIDS2017 and NSL-KDD datasets. No equations, parameter fits, or self-citations are shown that reduce the reported performance metrics to the inputs by construction. The pseudo-labelling step is a methodological design choice whose quality is assessed empirically against held-out benchmark labels rather than assumed tautologically. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available, so no concrete free parameters, axioms, or invented entities can be extracted; the framework appears to rely on standard machine-learning assumptions about data distribution and label quality.

pith-pipeline@v0.9.0 · 5716 in / 1182 out tokens · 65922 ms · 2026-05-22T04:39:19.032785+00:00 · methodology

