An Explainable AI-based Network Intrusion Detection System for Botnet Attacks

Dorieh Alomari; Maryam Ahmed Alabdullatif; Fakhri Alam Khan

doi:10.1145/3727967.3756837

An Explainable AI-based Network Intrusion Detection System for Botnet Attacks

Dorieh Alomari^*
, Maryam Ahmed Alabdullatif^*
, Fakhri Alam Khan

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In the field of network security, botnet attacks pose a significant challenge, exploiting networks of infected devices to launch sophisticated threats. As these attacks evolve, the need for effective detection methods becomes increasingly critical. This study proposes an explainable Machine Learning (ML) model that aims to identify and categorize botnet attacks, and it investigates the efficiency of different Explainable Artificial Intelligence (XAI) techniques for Intrusion Detection Systems (IDS). To train our models, we employed a subset of the NCC-2 dataset, which includes a mix of normal traffic and seven different types of botnet attacks across three sensors. The ML techniques selected for this research are Random Forest (RF), Extra Trees (ET), Decision Tree (DT), and K-Nearest Neighbors (KNN), with a GridSearch cross-validation approach for optimal hyperparameter tuning. We also explored the effects of class balance through Synthetic Minority Oversampling (SMOTE) and Random Undersampling. The models' performance was rigorously tested using the Matthews Correlation Coefficient (MCC) and Macro F1-score, with the ET model demonstrating superior results of 99% MCC and 97% F1-score, respectively. To enhance the interpretability of the ET model's decision-making process, we integrated three XAI techniques: SHapley Additive exPlanations (SHAP), Dalex, and Local Interpretable Model-agnostic Explanations (LIME), and evaluated their efficiency. The LIME and Dalex techniques showed efficient construction times for IDS.

Original language	English
Title of host publication	Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025
Editors	Muhammad Ali Babar, Ayse Tosun, Stefan Wagner, Viktoria Stray
Publisher	Association for Computing Machinery, Inc
Pages	169-175
Number of pages	7
ISBN (Electronic)	9798400718328
DOIs	https://doi.org/10.1145/3727967.3756837
State	Published - 23 Dec 2025
Event	29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025 - Istanbul, Turkey Duration: 17 Jun 2025 → 20 Jun 2025

Publication series

Name	Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025

Conference

Conference	29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025
Country/Territory	Turkey
City	Istanbul
Period	17/06/25 → 20/06/25

Bibliographical note

Publisher Copyright:
© 2025 Copyright held by the owner/author(s).

Keywords

Botnet Attack
Extra Trees
LIME
Machine Learning
SHAP

ASJC Scopus subject areas

Software

Access to Document

10.1145/3727967.3756837

Cite this

Alomari, D., Alabdullatif, M. A., & Khan, F. A. (2025). An Explainable AI-based Network Intrusion Detection System for Botnet Attacks. In M. A. Babar, A. Tosun, S. Wagner, & V. Stray (Eds.), Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025 (pp. 169-175). (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025). Association for Computing Machinery, Inc. https://doi.org/10.1145/3727967.3756837

Alomari, Dorieh ; Alabdullatif, Maryam Ahmed ; Khan, Fakhri Alam. / An Explainable AI-based Network Intrusion Detection System for Botnet Attacks. Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. editor / Muhammad Ali Babar ; Ayse Tosun ; Stefan Wagner ; Viktoria Stray. Association for Computing Machinery, Inc, 2025. pp. 169-175 (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025).

@inproceedings{692c16340a264ed1a26cbd52d16cd6bf,

title = "An Explainable AI-based Network Intrusion Detection System for Botnet Attacks",

abstract = "In the field of network security, botnet attacks pose a significant challenge, exploiting networks of infected devices to launch sophisticated threats. As these attacks evolve, the need for effective detection methods becomes increasingly critical. This study proposes an explainable Machine Learning (ML) model that aims to identify and categorize botnet attacks, and it investigates the efficiency of different Explainable Artificial Intelligence (XAI) techniques for Intrusion Detection Systems (IDS). To train our models, we employed a subset of the NCC-2 dataset, which includes a mix of normal traffic and seven different types of botnet attacks across three sensors. The ML techniques selected for this research are Random Forest (RF), Extra Trees (ET), Decision Tree (DT), and K-Nearest Neighbors (KNN), with a GridSearch cross-validation approach for optimal hyperparameter tuning. We also explored the effects of class balance through Synthetic Minority Oversampling (SMOTE) and Random Undersampling. The models' performance was rigorously tested using the Matthews Correlation Coefficient (MCC) and Macro F1-score, with the ET model demonstrating superior results of 99\% MCC and 97\% F1-score, respectively. To enhance the interpretability of the ET model's decision-making process, we integrated three XAI techniques: SHapley Additive exPlanations (SHAP), Dalex, and Local Interpretable Model-agnostic Explanations (LIME), and evaluated their efficiency. The LIME and Dalex techniques showed efficient construction times for IDS.",

keywords = "Botnet Attack, Extra Trees, LIME, Machine Learning, SHAP",

author = "Dorieh Alomari and Alabdullatif, \{Maryam Ahmed\} and Khan, \{Fakhri Alam\}",

note = "Publisher Copyright: {\textcopyright} 2025 Copyright held by the owner/author(s).; 29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025 ; Conference date: 17-06-2025 Through 20-06-2025",

year = "2025",

month = dec,

day = "23",

doi = "10.1145/3727967.3756837",

language = "English",

series = "Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025",

publisher = "Association for Computing Machinery, Inc",

pages = "169--175",

editor = "Babar, \{Muhammad Ali\} and Ayse Tosun and Stefan Wagner and Viktoria Stray",

booktitle = "Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025",

}

Alomari, D, Alabdullatif, MA & Khan, FA 2025, An Explainable AI-based Network Intrusion Detection System for Botnet Attacks. in MA Babar, A Tosun, S Wagner & V Stray (eds), Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025, Association for Computing Machinery, Inc, pp. 169-175, 29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025, Istanbul, Turkey, 17/06/25. https://doi.org/10.1145/3727967.3756837

An Explainable AI-based Network Intrusion Detection System for Botnet Attacks. / Alomari, Dorieh; Alabdullatif, Maryam Ahmed; Khan, Fakhri Alam.
Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. ed. / Muhammad Ali Babar; Ayse Tosun; Stefan Wagner; Viktoria Stray. Association for Computing Machinery, Inc, 2025. p. 169-175 (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An Explainable AI-based Network Intrusion Detection System for Botnet Attacks

AU - Alomari, Dorieh

AU - Alabdullatif, Maryam Ahmed

AU - Khan, Fakhri Alam

PY - 2025/12/23

Y1 - 2025/12/23

N2 - In the field of network security, botnet attacks pose a significant challenge, exploiting networks of infected devices to launch sophisticated threats. As these attacks evolve, the need for effective detection methods becomes increasingly critical. This study proposes an explainable Machine Learning (ML) model that aims to identify and categorize botnet attacks, and it investigates the efficiency of different Explainable Artificial Intelligence (XAI) techniques for Intrusion Detection Systems (IDS). To train our models, we employed a subset of the NCC-2 dataset, which includes a mix of normal traffic and seven different types of botnet attacks across three sensors. The ML techniques selected for this research are Random Forest (RF), Extra Trees (ET), Decision Tree (DT), and K-Nearest Neighbors (KNN), with a GridSearch cross-validation approach for optimal hyperparameter tuning. We also explored the effects of class balance through Synthetic Minority Oversampling (SMOTE) and Random Undersampling. The models' performance was rigorously tested using the Matthews Correlation Coefficient (MCC) and Macro F1-score, with the ET model demonstrating superior results of 99% MCC and 97% F1-score, respectively. To enhance the interpretability of the ET model's decision-making process, we integrated three XAI techniques: SHapley Additive exPlanations (SHAP), Dalex, and Local Interpretable Model-agnostic Explanations (LIME), and evaluated their efficiency. The LIME and Dalex techniques showed efficient construction times for IDS.

AB - In the field of network security, botnet attacks pose a significant challenge, exploiting networks of infected devices to launch sophisticated threats. As these attacks evolve, the need for effective detection methods becomes increasingly critical. This study proposes an explainable Machine Learning (ML) model that aims to identify and categorize botnet attacks, and it investigates the efficiency of different Explainable Artificial Intelligence (XAI) techniques for Intrusion Detection Systems (IDS). To train our models, we employed a subset of the NCC-2 dataset, which includes a mix of normal traffic and seven different types of botnet attacks across three sensors. The ML techniques selected for this research are Random Forest (RF), Extra Trees (ET), Decision Tree (DT), and K-Nearest Neighbors (KNN), with a GridSearch cross-validation approach for optimal hyperparameter tuning. We also explored the effects of class balance through Synthetic Minority Oversampling (SMOTE) and Random Undersampling. The models' performance was rigorously tested using the Matthews Correlation Coefficient (MCC) and Macro F1-score, with the ET model demonstrating superior results of 99% MCC and 97% F1-score, respectively. To enhance the interpretability of the ET model's decision-making process, we integrated three XAI techniques: SHapley Additive exPlanations (SHAP), Dalex, and Local Interpretable Model-agnostic Explanations (LIME), and evaluated their efficiency. The LIME and Dalex techniques showed efficient construction times for IDS.

KW - Botnet Attack

KW - Extra Trees

KW - LIME

KW - Machine Learning

KW - SHAP

UR - https://www.scopus.com/pages/publications/105026941839

U2 - 10.1145/3727967.3756837

DO - 10.1145/3727967.3756837

M3 - Conference contribution

AN - SCOPUS:105026941839

T3 - Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025

SP - 169

EP - 175

BT - Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025

A2 - Babar, Muhammad Ali

A2 - Tosun, Ayse

A2 - Wagner, Stefan

A2 - Stray, Viktoria

PB - Association for Computing Machinery, Inc

T2 - 29th International Conference on Evaluation and Assessment of Software Engineering, EASE 2025

Y2 - 17 June 2025 through 20 June 2025

ER -

Alomari D, Alabdullatif MA, Khan FA. An Explainable AI-based Network Intrusion Detection System for Botnet Attacks. In Babar MA, Tosun A, Wagner S, Stray V, editors, Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025. Association for Computing Machinery, Inc. 2025. p. 169-175. (Proceedings of the 29th International Conference on Evaluation and Assessment in Software Engineering , EASE, 2025 edition, EASE Companion 2025). doi: 10.1145/3727967.3756837

An Explainable AI-based Network Intrusion Detection System for Botnet Attacks

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this