CluSHAPify: Synergizing Clustering and SHAP Value Interpretations for Improved Reconnaissance Attack Detection in IIoT Networks

doi:10.23940/ijpe.25.01.p4.3647

Abstract

Abstract:

Reconnaissance attacks serve as the initial phase of Advanced Persistent Threats (APTs). The study proposes CluSHAPify, an approach that integrates SHAP-based traffic metadata selection with hierarchical clustering interpretations to determine the most relevant features for attack detection across different attack flow classes. Unlike most studies that select the top-k features, the proposed study uses hierarchical clustering to justify the selection of features identified with the highest SHAP values ensuring the most relevant features are chosen for effective attack detection across different attack flow classes. Additionally, CluSHAPify leverages multiple learners, making it a cross-model approach that also overcomes the limitations of SHAP-based feature selection, which is inherently model-dependent. The proposed approach uses multiple learners to improve feature selection robustness by capturing diverse perspectives, combining XAI for enhanced accuracy and explainability, a novel approach in existing research. This study uses performance metrics designed for unbalanced datasets, demonstrating its effectiveness with various learners, including XGBoost, Random Forest, Decision Tree, and Extra Trees. This makes CluSHAPify a reliable and adaptable solution for detecting reconnaissance attacks in IIoT environments.

Key words: feature selection, IIoT, APT, reconnaissance attacks, OS fingerprinting, port scanning, machine learning, SHAP values, XAI

Arpna Saxena and Sangeeta Mittal. CluSHAPify: Synergizing Clustering and SHAP Value Interpretations for Improved Reconnaissance Attack Detection in IIoT Networks [J]. Int J Performability Eng, 2025, 21(1): 36-47.

Add to citation manager EndNote|Reference Manager|ProCite|BibTeX|RefWorks

References 17

[1]	da Rocha B.C., de Melo L.P., and de Sousa Jr R.T., 2021. A study on APT in IoT networks. In ICE-B, pp. 160-164.
[2]	Saxena A., and Mittal S., 2023. Advanced persistent threat datasets for industrial IoT: A survey. In 2023 Second International Conference on Informatics (ICI), pp. 1-6.
[3]	Jiang X., Lora M., and Chattopadhyay S., 2020. An experimental analysis of security vulnerabilities in industrial IoT devices. ACM Transactions on Internet Technology (TOIT), 20(2), pp. 1-24.
[4]	Plėta T., Tvaronavičienė M., Della Casa S., and Agafonov K., 2020. Cyber-attacks to critical energy infrastructure and management issues: overview of selected cases. Insights Into Regional Development. Vilnius: Entrepreneurship and Sustainability Center, 2020, 2( 3).
[5]	Ferrag M.A., Friha O., Hamouda D., Maglaras L., and Janicke H., 2022. Edge-IIoTset: A new comprehensive realistic cyber security dataset of IoT and IIoT applications for centralized and federated learning. IEEE Access, 10, pp. 40281-40306.
[6]	Marcílio W.E., and Eler D.M., 2020. From explanations to feature selection: assessing SHAP values as feature selection mechanism. In 2020 33rd SIBGRAPI Conference on Graphics, Patterns and Images (SIBGRAPI), pp. 340-347.
[7]	Roshan K., and Zafar A., 2021. Utilizing XAI technique to improve autoencoder based model for computer network anomaly detection with shapley additive explanation (SHAP). Arxiv Preprint Arxiv:2112.08442.
[8]	Gebreyesus Y., Dalton D., Nixon S., De Chiara D., and Chinnici M., 2023. Machine learning for data center optimizations: feature selection using shapley additive explanation (SHAP). Future Internet, 15(3), 88.
[9]	Santos M.R., Guedes A., and Sanchez-Gendriz I., 2024. SHapley additive explanations (SHAP) for efficient feature selection in rolling bearing fault diagnosis. Machine Learning and Knowledge Extraction, 6(1), pp. 316-341.
[10]	Roshan K., and Zafar A., 2022. Using kernel shap xai method to optimize the network anomaly detection model. In 2022 9th International Conference on Computing for Sustainable Global Development (INDIACom), pp. 74-80.
[11]	Hassan F., Yu J., Syed Z.S., Magsi A.H., and Ahmed N., 2023. Developing transparent IDS for VANETs using LIME and SHAP: an empirical study. Computers, Materials & Continua, 77(3).
[12]	Keshk M., Koroniotis N., Pham N., Moustafa N., Turnbull B., and Zomaya A.Y., 2023. An explainable deep learning-enabled intrusion detection framework in IoT networks. Information Sciences, 639, 119000.
[13]	Gyamfi E.O., Qin Z., Adu-Gyamfi D., Danso J.M., Browne J.A., Adom D.K., Botchey F.E., and Opoku-Mensah N., 2023. A model-agnostic XAI approach for developing low-cost IoT intrusion detection dataset. Journal of Information Security and Cybercrimes Research, 6(2), pp. 74-88.
[14]	Nazat S., Li L., and Abdallah M., 2024. XAI-ADS: an explainable artificial intelligence framework for enhancing anomaly detection in autonomous driving systems. IEEE Access.
[15]	Nadiammai G.V., and Hemalatha M., 2013. Performance analysis of tree based classification algorithms for intrusion detection system. In Mining Intelligence and Knowledge Exploration:First International Conference, MIKE 2013. Proceedings, pp. 82-89.
[16]	Awotunde J.B., Folorunso S.O., Imoize A.L., Odunuga J.O., Lee C.C., Li C.T., and Do D.T., 2023. An ensemble tree-based model for intrusion detection in industrial internet of things networks. Applied Sciences, 13(4), 2479.
[17]	Scikit-Learn, Feature selection, , accessed on January 1, 2025.