ADAPT-IDS: SELF LEARNING ANOMALY DETECTION WITH DYNAMIC THRESHOLDING AND SHAP INTERPRETABILITY
Keywords:
Anomaly detection, Deep learning, Intrusion Detection, Explainable AI, Zero-day attacks, IoT security, SHAP interpretability
Abstract
The massive increase in Internet of Things (IoT) devices gives rise to new and unknown security challenges (e.g., detecting zero-day attacks) that traditional security systems fail to detect because they only recognize attacks they have seen before. Our paper presents a novel explainable intrusion detection framework that merges deep restoration anomaly detection with ADPT (adaptive) thresholding and SHAP (SHapley Additive exPlanations) interpretability to spot suspicious and unusual network behavior. The system is fine-tuned only on safe (normal) network traffic, so anything that deviates from normal behavior is treated as a potential attack. Experimental evaluation on the NSL-KDD dataset demonstrates that our approach achieves 85.55% accuracy, 93.15% precision, 80.54% recall and an F1 score of 86.39%, outperforming traditional supervised methods and detecting attacks more accurately. The integration of SHAP explanations shows which network feature caused an alert, which helps security analysts understand why something was flagged as an attack. Our contributions include: (1) an unsupervised deep learning system that learns only from safe (normal) traffic data and can detect new, unknown attacks; (2) a novel adaptive thresholding mechanism that achieved a 1.74% improvement over traditional approaches; and (3) clear explanation of detection results through SHAP analysis, making the system appropriate for real-world IoT security deployments.













