International Journal of Performance Analysis in Sport, 2025, 21(1): 36-47 doi: 10.23940/ijpe.25.01.p4.3647

Original article

CluSHAPify: Synergizing Clustering and SHAP Value Interpretations for Improved Reconnaissance Attack Detection in IIoT Networks

Saxena Arpna a,*, Mittal Sangeeta b

Ajay Kumar Garg Engineering College, Ghaziabad, India

Jaypee Institute of Information and Technology, Ghaziabad, India

*Corresponding author. E-mail address: saxenaarpna@akgec.ac.in


Abstract

Reconnaissance attacks serve as the initial phase of Advanced Persistent Threats (APTs). This study proposes CluSHAPify, an approach that integrates SHAP-based traffic metadata selection with hierarchical clustering interpretations to determine the most relevant features for attack detection across different attack flow classes. Unlike most studies, which select the top-k features, the proposed approach uses hierarchical clustering to justify the selection of the features with the highest SHAP values, ensuring that the most relevant features are chosen for effective attack detection across different attack flow classes. Additionally, CluSHAPify leverages multiple learners, making it a cross-model approach that also overcomes the limitations of SHAP-based feature selection, which is inherently model-dependent. The proposed approach uses multiple learners to improve feature selection robustness by capturing diverse perspectives and combines them with XAI for enhanced accuracy and explainability, which is novel in existing research. The study is evaluated with performance metrics designed for unbalanced datasets and demonstrates its effectiveness with various learners, including XGBoost, Random Forest, Decision Tree, and Extra Trees. This makes CluSHAPify a reliable and adaptable solution for detecting reconnaissance attacks in IIoT environments.

Keywords: feature selection; IIoT; APT; reconnaissance attacks; OS fingerprinting; port scanning; machine learning; SHAP values; XAI


