An Explainable Anomaly Detection Benchmark of Gradient Boosting Algorithms for Network Intrusion Detection Systems

Nowadays, protecting computer systems by preventing malicious network attacks is a vital topic. In recent years, ma-chine learning-based network intrusion detection systems (NIDS) started showing effective results. While the task of classifying cyber attacks in NIDS has been studied extensively in the literature, there is no comprehensive benchmark study with gradient boosting algorithms on recent open-source datasets. This paper aims to evaluate different gradient boosting-based algorithm performances including XGBoost, CatBoost, and LightGBM on different open-source NIDS datasets such as CIC-IDS2017, CSE-CIC-IDS2018, and INSDN. Furthermore, the SHapley Additive exPlanations (SHAP) is applied to increase the interpretability of the models and investigate the relationship between cyber attacks and the network features. Our experimental results demonstrate that the XGBoost model consistently outperforms other comparative models in F1 score for all datasets. At the same time, we compare the training/inference time of different gradient boosting algorithms which is an important constraint for real-time intrusion detection systems. Moreover, the different important features between different datasets can help data sci-entists for designing better artificial intelligence-based intrusion detection algorithms.