SHAP happens: an explainable IDS for industrial IoT networks

Industrial Internet of Things (IIoT) technologies have been increasingly leveraged across various industry sectors, due to their benefits in terms of automation, monitoring, and operational efficiency. However, the increased connectivity and heterogeneity of IIoT devices have also broadened the attack surface, making these systems attractive targets for cyber threats. In this context, machine learning–based Intrusion Detection Systems (IDS) have emerged as promising solutions due to their ability to detect complex patterns in network traffic without relying on static rules or deep packet inspection. A key limitation of such systems, however, lies in their lack of interpretability, posing challenges for adoption in safety-critical industrial settings.In this work, we propose an explainable IDS that leverages a Random Forest classifier for accurate traffic classification and integrates SHAP (SHapley Additive Explanations) to provide transparent explanations of model decisions. We evaluate our system using the CIC IoT-DIAD 2024 dataset, which includes a broad spectrum of network attacks. Our approach demonstrates good detection performance while also delivering intuitive explanations for each prediction. By analyzing the specific network features, such as inter-arrival times and packet sizes, that most influence each alert, security analysts may better assess, validate, and act upon IDS outputs.