IR-IDS: A network intrusion detection method based on causal feature selection and explainable model optimization

With the rapid advancement of computer network technologies, the complexity of cybersecurity issues has grown significantly. Intrusion Detection Systems (IDS), serving as the first line of defense against network attacks, are vital components in ensuring network security. However, traditional IDS often struggle to balance the robustness of detection capabilities with the interpretability of the model. To address these challenges, this paper proposes an interpretable and robust intrusion detection method (IR-IDS). The proposed approach begins by efficiently and accurately selecting the optimal feature subset for predicting the target variable, using a causal effect-based conditional testing method and a Markov blanket search algorithm. Subsequently, it enhances the decision tree algorithm using Shapley values, enabling fine-grained classification of attacks. Finally, by integrating Kolmogorov-Arnold Networks (KAN) and Conditional Variational Autoencoders (CVAE), the method further improves the detection of unknown attacks. Experimental results demonstrate that the proposed method outperforms existing techniques on five datasets, including CIC-IDS2017, CSE-CIC-IDS2018, CIC-DDoS2019, CIC-UNSW-NB15 and CIC-IoT-IDAD-2024, with multi-class accuracies of 98.83 %, 99.37 %, 99.57 %, 99.52 % and 97.11 %, respectively. From the results, it can be seen that this method not only ensures the interpretability of the model but also improves the accuracy and robustness of intrusion detection.