Int J Performability Eng ›› 2025, Vol. 21 ›› Issue (1): 36-47. doi: 10.23940/ijpe.25.01.p4.3647

• Original article

CluSHAPify: Synergizing Clustering and SHAP Value Interpretations for Improved Reconnaissance Attack Detection in IIoT Networks

Arpna Saxena a,* and Sangeeta Mittal b

  a Ajay Kumar Garg Engineering College, Ghaziabad, India
  b Jaypee Institute of Information and Technology, Ghaziabad, India
  • Contact: Arpna Saxena, E-mail: saxenaarpna@akgec.ac.in

Abstract:

Reconnaissance attacks, such as port scanning and OS fingerprinting, form the initial phase of Advanced Persistent Threats (APTs). This study proposes CluSHAPify, an approach that combines SHAP-based selection of traffic metadata features with hierarchical clustering of their SHAP interpretations to determine the most relevant features for detecting each class of attack flow. Unlike most studies, which simply keep the top-k features, CluSHAPify uses hierarchical clustering to justify where the boundary between high-SHAP and low-SHAP features falls, so that the retained feature set is grounded in the structure of the SHAP values rather than in an arbitrary k. Because SHAP-based feature selection is inherently model-dependent, CluSHAPify aggregates SHAP values from multiple learners, making it a cross-model approach: the selection captures the diverse perspectives of several learners instead of relying on the importances reported by a single model, which improves its robustness. Combining this cross-model selection with explainable AI (XAI) yields both improved accuracy and explainability, a combination not found in existing work. The study evaluates the approach with performance metrics designed for unbalanced datasets and demonstrates its effectiveness with several learners, including XGBoost, Random Forest, Decision Tree, and Extra Trees. These results make CluSHAPify a reliable and adaptable solution for detecting reconnaissance attacks in IIoT environments.
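The mechanism the abstract describes can be sketched in pure Python. The block below is an added illustration, not the paper's code and not a statement of the authors' exact procedure: it assumes that per-learner mean |SHAP| values per feature have already been computed (the numbers here are constructed), normalizes each learner by its own maximum so the four learners are comparable, clusters the resulting per-feature importance profiles with average-linkage agglomerative clustering, and keeps the cluster with the highest mean importance. The distance cut-off (0.65), the normalization and the selection rule are all assumptions made for the example; feature names such as `dst_port` and `pkt_count` are hypothetical flow-metadata fields.

```python
"""Illustrative CluSHAPify-style feature selection (added example, not the paper's code).

Assumes mean |SHAP| values per feature are available for several tree learners.
The clustering cut-off and the "highest-mean cluster" selection rule are
assumptions chosen for this example.
"""
import math
from itertools import combinations

# Constructed mean |SHAP| values per learner (hypothetical numbers, not from the paper).
# pkt_count is deliberately important to one learner only, to show model dependence.
SHAP_BY_LEARNER = {
    "xgboost":       {"dst_port": 0.40, "tcp_flags": 0.32, "ttl": 0.28,
                      "pkt_count": 0.08, "flow_duration": 0.06, "iat_mean": 0.02},
    "random_forest": {"dst_port": 0.50, "tcp_flags": 0.40, "ttl": 0.35,
                      "pkt_count": 0.10, "flow_duration": 0.05, "iat_mean": 0.05},
    "decision_tree": {"dst_port": 0.60, "tcp_flags": 0.48, "ttl": 0.42,
                      "pkt_count": 0.54, "flow_duration": 0.06, "iat_mean": 0.03},
    "extra_trees":   {"dst_port": 0.30, "tcp_flags": 0.24, "ttl": 0.21,
                      "pkt_count": 0.06, "flow_duration": 0.03, "iat_mean": 0.015},
}


def importance_profiles(shap_by_learner):
    """Map each feature to its importance vector across learners (sorted learner order).

    Each learner's values are divided by that learner's maximum so that learners
    with different absolute SHAP scales contribute comparably to the clustering.
    """
    learners = sorted(shap_by_learner)
    features = sorted(shap_by_learner[learners[0]])
    profiles = {}
    for f in features:
        vec = []
        for l in learners:
            vals = shap_by_learner[l]
            vec.append(vals[f] / max(vals.values()))
        profiles[f] = tuple(vec)
    return profiles


def _euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _average_linkage(ca, cb, profiles):
    dists = [_euclid(profiles[x], profiles[y]) for x in ca for y in cb]
    return sum(dists) / len(dists)


def hierarchical_clusters(profiles, cut=0.65):
    """Agglomerative (average-linkage) clustering of features; stop merging above `cut`."""
    clusters = [[f] for f in profiles]
    while len(clusters) > 1:
        (i, j), d = min(
            (((i, j), _average_linkage(clusters[i], clusters[j], profiles))
             for i, j in combinations(range(len(clusters)), 2)),
            key=lambda t: t[1])
        if d > cut:
            break
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]           # j > i, so index i is still valid
    return [sorted(c) for c in clusters]


def cluster_mean_importance(cluster, profiles):
    """Mean normalized importance of a cluster, averaged over learners and features."""
    return sum(sum(profiles[f]) / len(profiles[f]) for f in cluster) / len(cluster)


def select_features(shap_by_learner, cut=0.65):
    """Return (features in the highest-importance cluster, all clusters)."""
    profiles = importance_profiles(shap_by_learner)
    clusters = hierarchical_clusters(profiles, cut)
    best = max(clusters, key=lambda c: cluster_mean_importance(c, profiles))
    return best, clusters


def top_k_single_learner(shap_by_learner, learner, k):
    """The conventional alternative: top-k features of one learner (sorted by name)."""
    vals = shap_by_learner[learner]
    return sorted(sorted(vals, key=vals.get, reverse=True)[:k])


def cross_model_spread(shap_by_learner):
    """Population std-dev of each feature's normalized importance across learners.

    A large spread flags a feature whose importance depends on the model.
    """
    spread = {}
    for f, vec in importance_profiles(shap_by_learner).items():
        mean = sum(vec) / len(vec)
        spread[f] = math.sqrt(sum((v - mean) ** 2 for v in vec) / len(vec))
    return spread


if __name__ == "__main__":
    selected, clusters = select_features(SHAP_BY_LEARNER)
    print("clusters:", clusters)
    print("selected by cluster:", selected)
    print("top-3 of decision_tree alone:",
          top_k_single_learner(SHAP_BY_LEARNER, "decision_tree", 3))
    print("cross-model spread:", {f: round(s, 3) for f, s in cross_model_spread(SHAP_BY_LEARNER).items()})
```

With the constructed values, the clustering separates `{dst_port, tcp_flags, ttl}` (consistently important to all four learners) from `{pkt_count}` (important only to the decision tree) and from the low-importance pair `{flow_duration, iat_mean}`. A plain top-3 cut on the decision tree alone would have kept `pkt_count` and dropped `ttl`, which is the model-dependence problem the cross-model clustering is meant to expose.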

Key words: feature selection, IIoT, APT, reconnaissance attacks, OS fingerprinting, port scanning, machine learning, SHAP values, XAI