Abstract
Modern network environments are increasingly vulnerable to cyber threats such as unauthorized access, brute force attacks, and abnormal traffic behavior. Traditional intrusion detection systems often rely on complex machine learning models that require large training datasets and lack transparency in decision-making.
To address these limitations, this paper presents an Explainable AI-Based Intrusion Detection System (IDS) that combines real-time network monitoring with rule-based anomaly detection and a honeypot mechanism. The system captures live network packets using TShark and performs network scanning using Nmap to identify open ports and services. Instead of relying on machine learning models, the system uses predefined rules such as abnormal packet size, high request frequency, and repeated login attempts to detect suspicious activities.
Additionally, a honeypot module is implemented as a fake login interface to capture attacker behavior and record details such as IP address and login attempts. An Explainable AI component provides human-readable explanations for detected anomalies, improving transparency and trust in the system. The system is deployed through a web-based dashboard for real-time monitoring, alert generation, and log analysis. Experimental evaluation shows that the system effectively detects common intrusion patterns with low computational overhead, making it suitable for real-time security applications.
Introduction
This paper presents an Explainable AI-Based Intrusion Detection System (IDS) designed to provide real-time, lightweight, and transparent network security. Traditional firewalls and signature-based IDS solutions struggle to detect sophisticated or unknown cyberattacks, while machine learning-based IDS models often require large datasets and high computational resources and offer little interpretability. To address these limitations, the proposed system uses rule-based anomaly detection, honeypot technology, and Explainable AI (XAI) to identify and explain suspicious network activities.
The system monitors network traffic using TShark for packet capture and Nmap for network scanning. Instead of relying on trained machine learning models, it uses predefined rules to detect anomalies such as abnormal packet sizes, excessive request frequencies, repeated login attempts, and unusual traffic patterns. A honeypot module, implemented as a fake login interface, attracts attackers and records their actions, including IP addresses and login attempts, enabling deeper analysis of intrusion behavior.
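The network-scanning part of the monitoring described above can be reduced to a small parser over Nmap's XML output plus a comparison against the services an administrator expects on each host. The following is an added example, not the paper's code: the Nmap XML document, the host addresses and the baseline of permitted ports are constructed for illustration, and the `nmap -sV -oX -` invocation is the standard way to obtain this format from a real scan.

```python
"""Parse `nmap -sV -oX -` output and flag open ports that are not in a known baseline.

Added example; not the paper's code. Host, ports and baseline below are constructed.
"""
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed Nmap XML in the shape real `nmap -sV -oX -` output takes (hypothetical host).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10" version="7.94">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
  <service name="mysql"/></port>
<port protocol="tcp" portid="4444"><state state="open" reason="syn-ack"/>
  <service name="krb524"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>
"""

# Hypothetical baseline: (protocol, port) pairs the administrator expects on each host.
BASELINE: Dict[str, Set[Tuple[str, int]]] = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}


def run_nmap(target: str) -> str:
    """Run a real service scan and return its XML; only used when a target is given."""
    proc = subprocess.run(["nmap", "-sV", "-oX", "-", target],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_open_ports(xml_text: str) -> Dict[str, List[dict]]:
    """Map each host that is up to its open ports (closed/filtered ports are ignored)."""
    root = ET.fromstring(xml_text)
    scan: Dict[str, List[dict]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        scan[addr.get("addr")] = ports
    return scan


def unexpected_services(scan: Dict[str, List[dict]],
                        baseline: Dict[str, Set[Tuple[str, int]]]) -> List[dict]:
    """One alert per open port missing from the host's baseline, with a plain-language reason."""
    alerts = []
    for ip, ports in scan.items():
        allowed = baseline.get(ip, set())
        allowed_txt = ", ".join(f"{pr}/{po}" for pr, po in sorted(allowed)) or "nothing"
        for p in ports:
            if (p["proto"], p["port"]) in allowed:
                continue
            banner = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
            alerts.append({
                "host": ip, "proto": p["proto"], "port": p["port"],
                "explanation": (f"{ip} has {p['proto']}/{p['port']} open "
                                f"({banner or 'unknown service'}) but its baseline permits "
                                f"only {allowed_txt}"),
            })
    return alerts


if __name__ == "__main__":
    import sys
    xml_text = run_nmap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for alert in unexpected_services(parse_open_ports(xml_text), BASELINE):
        print(alert["explanation"])
```

Run without arguments to see the constructed scan flagged (tcp/4444 is open but not in the baseline); pass a target to scan a real host, which needs Nmap installed and authorization to scan it. Comparing against a baseline rather than a fixed "bad ports" list is what turns a scan into a detection: a new listening service is the anomaly, whatever port it happens to use.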
The architecture consists of several modules: packet capture, network scanning, traffic analysis, rule-based detection, honeypot monitoring, Explainable AI, alert generation, and an administrator dashboard. When suspicious behavior is detected, the system generates alerts, stores logs, and provides human-readable explanations describing why the activity was classified as malicious, such as brute-force attacks or abnormal traffic behavior.
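The detection rules listed earlier (abnormal packet size, excessive request frequency, repeated login attempts) and the explanation step of the pipeline just described can be shown together in one short program. The following is an added example, not the paper's code: it reads the tab-separated output of `tshark -T fields`, applies three sliding-window rules, and attaches to each alert the rule that fired together with the observed value, the threshold and the window. Treating that rule-plus-evidence tuple as the "explanation" is an assumption about how the paper's XAI module works; the thresholds, the set of login ports and the capture lines are all constructed for this example.

```python
"""Rule-based detection over TShark field output, with a human-readable explanation per alert.

Added example, not the paper's code. Thresholds are assumed; the capture is constructed.
Live use:  tshark -i eth0 -l -T fields -e frame.time_epoch -e ip.src -e ip.dst \
                  -e tcp.dstport -e tcp.flags -e frame.len | python3 rules_ids.py
"""
import sys
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Assumed thresholds; a deployment tunes these per network.
RULES = {
    "abnormal_packet_size":    {"max_len": 1514},             # bytes, standard Ethernet frame
    "high_request_frequency":  {"limit": 50, "window": 5.0},  # packets per (src, dst port)
    "repeated_login_attempts": {"limit": 5, "window": 10.0,   # new connections to login ports
                                "login_ports": {22, 23, 3389, 8080}},
}


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: Optional[int]   # None for non-TCP traffic
    flags: int             # raw tcp.flags value, 0 when absent
    length: int


def parse_tshark_line(line: str) -> Optional[Packet]:
    """Parse one tab-separated line of the six fields above; None for non-IP frames (e.g. ARP)."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6 or not parts[1]:
        return None
    ts, src, dst, dport, flags, length = parts
    return Packet(float(ts), src, dst, int(dport) if dport else None,
                  int(flags, 16) if flags else 0, int(length))


def is_syn(flags: int) -> bool:
    """SYN without ACK: a new connection attempt from the source."""
    return bool(flags & 0x02) and not flags & 0x10


def explain(rule: str, p: Packet, observed: int, threshold: int, window: Optional[float]) -> dict:
    """The explanation is the rule that fired plus the evidence that made it fire."""
    if rule == "abnormal_packet_size":
        msg = (f"{p.src} sent a {observed}-byte frame to {p.dst}:{p.dport}; frames above "
               f"{threshold} bytes are abnormal for this network")
    elif rule == "high_request_frequency":
        msg = (f"{p.src} sent {observed} packets to {p.dst}:{p.dport} within {window:g}s "
               f"(limit {threshold}); this rate is consistent with a flood or scan")
    else:
        msg = (f"{p.src} opened {observed} new connections to login port {p.dport} on {p.dst} "
               f"within {window:g}s (limit {threshold}); this matches a brute-force login")
    return {"rule": rule, "ts": p.ts, "src": p.src, "dst": p.dst, "dport": p.dport,
            "evidence": {"observed": observed, "threshold": threshold, "window_s": window},
            "explanation": msg}


def _slide(q: Deque[float], ts: float, window: float) -> None:
    """Append ts and drop timestamps older than the window."""
    q.append(ts)
    while q and ts - q[0] > window:
        q.popleft()


def detect(packets: List[Packet]) -> List[dict]:
    """Apply the three rules in timestamp order; each frequency rule alerts once per key."""
    alerts: List[dict] = []
    freq: Dict[Tuple[str, Optional[int]], Deque[float]] = defaultdict(deque)
    logins: Dict[str, Deque[float]] = defaultdict(deque)
    fired = set()
    for p in sorted(packets, key=lambda x: x.ts):
        r = RULES["abnormal_packet_size"]
        if p.length > r["max_len"]:
            alerts.append(explain("abnormal_packet_size", p, p.length, r["max_len"], None))

        r = RULES["high_request_frequency"]
        _slide(freq[(p.src, p.dport)], p.ts, r["window"])
        n = len(freq[(p.src, p.dport)])
        if n > r["limit"] and ("freq", p.src, p.dport) not in fired:
            fired.add(("freq", p.src, p.dport))
            alerts.append(explain("high_request_frequency", p, n, r["limit"], r["window"]))

        r = RULES["repeated_login_attempts"]
        if p.dport in r["login_ports"] and is_syn(p.flags):
            _slide(logins[p.src], p.ts, r["window"])
            n = len(logins[p.src])
            if n > r["limit"] and ("login", p.src) not in fired:
                fired.add(("login", p.src))
                alerts.append(explain("repeated_login_attempts", p, n, r["limit"], r["window"]))
    return alerts


def constructed_capture() -> List[str]:
    """Constructed lines: benign HTTPS, one jumbo frame, an SSH brute force, an HTTP flood, ARP."""
    t, lines = 1700000000.0, []
    lines += [f"{t + i*0.5}\t198.51.100.7\t192.0.2.10\t443\t0x0018\t{600 + i*100}" for i in range(5)]
    lines.append(f"{t + 3.0}\t198.51.100.7\t192.0.2.10\t443\t0x0018\t4000")
    lines += [f"{t + 10 + i*0.5}\t203.0.113.5\t192.0.2.10\t22\t0x0002\t60" for i in range(12)]
    lines += [f"{t + 20 + i/30}\t203.0.113.9\t192.0.2.10\t80\t0x0018\t120" for i in range(60)]
    lines.append(f"{t + 30}\t\t\t\t\t42")   # ARP frame: no ip.src, skipped by the parser
    return lines


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else constructed_capture()
    pkts = [p for p in map(parse_tshark_line, source) if p]
    for a in detect(pkts):
        print(f"[{a['rule']}] {a['explanation']}")
```

Two design points matter in practice. Each frequency rule alerts once per source (the `fired` set) rather than on every packet past the threshold, otherwise a flood of 60 packets produces 10 alerts for one event. And the login rule counts only SYN packets without ACK, so a single long-lived SSH session that sends thousands of packets is not mistaken for thousands of login attempts.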
The system was implemented using Python, FastAPI, TShark, and Nmap, with a web-based dashboard for real-time monitoring. Experimental evaluation showed an average processing time of 650 milliseconds per network event, making it suitable for real-time intrusion detection. Performance metrics achieved 84.6% accuracy, 81.3% precision, 78.9% recall, and an 80.0% F1-score, demonstrating effective detection capability with low computational overhead.
The honeypot successfully captured attacker interactions and provided valuable insights into attack patterns. The Explainable AI module improved transparency by clearly identifying the reasons behind alerts, helping administrators understand and respond to threats more effectively.
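A fake login interface of the kind the honeypot module uses can be written in a few dozen lines. The following is an added example, not the paper's FastAPI module: it uses only the Python standard library so it runs anywhere, serves a login page, rejects every credential with the same generic message, and records the client IP, username, password and User-Agent of each attempt. The listening port, the form field names, the brute-force threshold and the sample attempts in the usage note are assumed.

```python
"""Fake login honeypot: serves a login page, never authenticates, records every attempt.

Added example, not the paper's code. Port, form fields and the brute-force threshold are assumed.
"""
import threading
import time
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional
from urllib.parse import parse_qs

MAX_BODY = 4096            # cap what an attacker can make the honeypot buffer
BRUTE_FORCE_THRESHOLD = 5  # attempts from one IP that count as repeated logins (assumed)

LOGIN_PAGE = (b"<html><body><h2>Admin Portal</h2><form method='post' action='/login'>"
              b"<input name='username'><input name='password' type='password'>"
              b"<button>Sign in</button></form></body></html>")


class HoneypotLog:
    """Thread-safe in-memory record of login attempts; swap for a file or DB in deployment."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self.attempts: List[dict] = []

    def record(self, ip: str, username: str, password: str,
               user_agent: str = "", ts: Optional[float] = None) -> dict:
        entry = {"ts": time.time() if ts is None else ts, "ip": ip,
                 "username": username, "password": password, "user_agent": user_agent}
        with self._lock:
            self.attempts.append(entry)
        return entry

    def summary(self) -> Dict[str, dict]:
        """Per-IP view for the administrator dashboard, with a repeated-login flag."""
        by_ip: Dict[str, List[dict]] = defaultdict(list)
        with self._lock:
            for a in self.attempts:
                by_ip[a["ip"]].append(a)
        out = {}
        for ip, rows in by_ip.items():
            out[ip] = {
                "attempts": len(rows),
                "usernames": sorted({r["username"] for r in rows}),
                "first_seen": min(r["ts"] for r in rows),
                "last_seen": max(r["ts"] for r in rows),
                "brute_force": len(rows) >= BRUTE_FORCE_THRESHOLD,
            }
        return out


def parse_login_form(body: bytes) -> tuple:
    """Extract (username, password) from a urlencoded form; missing fields become ''."""
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return fields.get("username", [""])[0], fields.get("password", [""])[0]


def make_handler(log: HoneypotLog):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(LOGIN_PAGE)

        def do_POST(self):
            try:
                length = int(self.headers.get("Content-Length", "0"))
            except ValueError:
                length = 0
            body = self.rfile.read(min(length, MAX_BODY))
            username, password = parse_login_form(body)
            # client_address is the TCP peer; behind a reverse proxy use X-Forwarded-For
            # only if that proxy is trusted to set it.
            log.record(self.client_address[0], username, password,
                       self.headers.get("User-Agent", ""))
            self.send_response(401)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Invalid username or password")  # never echo the input back

        def log_message(self, *args):  # silence the default stderr access log
            pass

    return Handler


def serve(log: HoneypotLog, host: str = "0.0.0.0", port: int = 8080) -> HTTPServer:
    """Start the honeypot in a background thread and return the server object."""
    server = HTTPServer((host, port), make_handler(log))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    hp_log = HoneypotLog()
    server = serve(hp_log)
    print(f"honeypot listening on {server.server_address}; Ctrl-C to stop")
    try:
        while True:
            time.sleep(10)
            for ip, s in hp_log.summary().items():
                print(ip, s)
    except KeyboardInterrupt:
        server.shutdown()
```

Usage: run the script, then from another machine submit credentials with `curl -d 'username=admin&password=123456' http://<host>:8080/login`; the periodic summary shows the attempt count, the usernames tried and whether the source crossed the repeated-login threshold. Two cautions a practitioner would add: the captured usernames and passwords are attacker-controlled strings, so the dashboard must escape them before rendering (the handler above never reflects them into a response for that reason), and the honeypot must not share a credential store or network segment with real services, since every password it records should be assumed compromised.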
Conclusion
The proposed Explainable AI-Based Intrusion Detection System demonstrates an effective approach to enhancing network security using real-time monitoring and rule-based anomaly detection. By integrating tools such as TShark for packet capture and Nmap for network scanning, the system is capable of identifying suspicious activities such as abnormal traffic patterns, repeated login attempts, and unauthorized access attempts.
Unlike traditional machine learning-based systems, the proposed approach does not rely on large training datasets or complex models. Instead, it uses predefined rules for fast and efficient detection, making it suitable for real-time applications. The integration of a honeypot module further strengthens the system by capturing attacker behavior, including IP addresses and login attempts, which provides valuable insights into intrusion patterns. Additionally, the Explainable AI module enhances transparency by providing clear and understandable explanations for detected anomalies, improving trust and usability for system administrators.
The system provides a lightweight and scalable framework that can be easily deployed in small to medium network environments. The use of a web-based dashboard enables real-time monitoring, alert generation, and log analysis, allowing administrators to respond quickly to potential threats.
In future work, the system can be enhanced by incorporating adaptive rule mechanisms to automatically adjust detection thresholds based on changing network conditions. Additional improvements may include integrating automated response systems such as IP blocking and firewall configuration, as well as extending the honeypot module to simulate more complex attack scenarios. Further enhancements in the Explainable AI module can provide more detailed insights into attack patterns, improving decision-making capabilities. The system can also be extended for deployment in large-scale enterprise networks and cloud environments.