Explainable Intrusion Detection for Cyber Defences in the Internet of Things: Opportunities and Solutions

The field of Explainable Artificial Intelligence (XAI) has garnered considerable research attention in recent years, aiming to provide interpretability and confidence to the inner workings of state-of-the-art deep learning models. However, XAI-enhanced cybersecurity measures in the Internet of Things (IoT) and its sub-domains, require further investigation to provide effective discovery of attack surfaces, their corresponding vectors, and interpretable justification of model outputs. Cyber defence involves operations conducted in the cybersecurity field supporting mission objectives to identify and prevent cyberattacks using various tools and techniques, including intrusion detection systems (IDS), threat intelligence and hunting, and intrusion prevention. In cyber defence, especially anomaly-based IDS, the emerging applications of deep learning models require the interpretation of the models' architecture and the explanation of models' prediction to examine how cyberattacks would occur. This paper presents a comprehensive review of XAI techniques for anomaly-based intrusion detection in IoT networks. Firstly, we review IDSs focusing on anomaly-based detection techniques in IoT and how XAI models can augment them to provide trust and confidence in their detections. Secondly, we review AI models, including machine learning (ML) and deep learning (DL), for anomaly detection applications and IoT ecosystems. Moreover, we discuss DL's ability to effectively learn from large-scale IoT datasets, accomplishing high performances in discovering and interpreting security events. Thirdly, we demonstrate recent research on the intersection of XAI, anomaly-based IDS and IoT. Finally, we discuss the current challenges and solutions of XAI for security applications in the cyber defence perspective of IoT networks, revealing future research directions. By analysing our findings, new cybersecurity applications that require XAI models emerge, assisting decision-makers in understanding and explaining security events in compromised IoT networks.