Description
As machine learning models become increasingly integral to cybersecurity systems for advanced threat detection, intrusion monitoring, and malware analysis, their inherent “black-box” nature complicates trust, accountability, and post-incident forensic investigation. Although these models often achieve high predictive accuracy, their internal decision-making processes are difficult for human analysts to interpret when validating alerts or investigating potential security incidents. This lack of transparency introduces operational challenges, including difficulty verifying automated decisions and maintaining confidence in AI-driven cybersecurity systems.
Explainable Artificial Intelligence (XAI) has emerged as an important approach for addressing this transparency gap by making model behavior more interpretable. However, many XAI techniques are typically studied or implemented in isolation, limiting the ability of analysts to develop a comprehensive understanding of model behavior. Two major categories of interpretability tools are feature attribution methods and feature visualization techniques. Attribution methods such as Shapley Additive Explanations (SHAP) and Local Interpretable Model-Agnostic Explanations (LIME) identify which features contribute most strongly to model predictions, while visualization techniques such as Partial Dependence Plots (PDPs) and Individual Conditional Expectation (ICE) plots illustrate how feature values influence predictions across datasets or individual instances.
This research proposes a unified explainability framework that integrates these complementary approaches to improve interpretability in cybersecurity applications. Specifically, the study examines how combining attribution-based explanations with feature-effect visualizations can function as a layered interpretability pipeline for AI-driven security models. The guiding research question asks whether integrating SHAP and LIME with PDP and ICE plots can produce a more interpretable and operationally reliable explanation framework.
By synthesizing these methods, this work aims to provide both global and local insights into model behavior for applications such as intrusion detection and malware analysis. The proposed framework highlights the potential for integrated XAI approaches to improve transparency, support analyst decision-making, and strengthen trust in AI-enabled cybersecurity systems.
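The layered view described above, as an added example that is not code from this research: a local attribution for one flagged flow is read alongside ICE curves and their PDP average for one feature. The scoring function, feature names and flows are constructed assumptions, and exact Shapley enumeration stands in for the SHAP library (LIME is not shown).

```python
from itertools import combinations
from math import exp, factorial

# Constructed background flows: [failed_logins, bytes_out_mb, off_hours]
BACKGROUND = [[0, 1.0, 0], [1, 0.5, 0], [0, 2.0, 1], [2, 1.5, 0],
              [1, 8.0, 1], [0, 0.2, 0], [3, 0.8, 1], [0, 12.0, 0]]
ALERT = [3, 15.0, 1]  # constructed flow that the toy detector flags

def model(x):
    """Toy alert score standing in for a trained detector (assumption)."""
    logins, mb, off = x
    # Interaction term: outbound volume weighs more during off hours.
    z = -3.0 + 0.9 * logins + 0.15 * mb + 0.35 * mb * off
    return 1.0 / (1.0 + exp(-z))

def value(x, subset, background):
    """Mean score with features in `subset` pinned to x, the rest from background."""
    return sum(model([x[i] if i in subset else b[i] for i in range(len(x))])
               for b in background) / len(background)

def shapley(x, background):
    """Local attribution: exact Shapley values over all feature coalitions."""
    n = len(x)
    phi = [0.0] * n
    for i in range(n):
        others = [j for j in range(n) if j != i]
        for k in range(n):
            w = factorial(k) * factorial(n - k - 1) / factorial(n)
            for s in combinations(others, k):
                gain = value(x, set(s) | {i}, background) - value(x, set(s), background)
                phi[i] += w * gain
    return phi

def ice_curves(feature, grid, background):
    """ICE: one curve per flow, the score as `feature` sweeps over `grid`."""
    return [[model(b[:feature] + [g] + b[feature + 1:]) for g in grid]
            for b in background]

def pdp(curves):
    """PDP: the pointwise mean of the ICE curves."""
    return [sum(col) / len(col) for col in zip(*curves)]

if __name__ == "__main__":
    print("attribution for ALERT:", [round(p, 3) for p in shapley(ALERT, BACKGROUND)])
    curves = ice_curves(1, [0, 5, 10, 20], BACKGROUND)
    print("PDP for bytes_out_mb:", [round(v, 3) for v in pdp(curves)])
    print("ICE spread at 20 MB:", round(max(c[-1] for c in curves) - min(c[-1] for c in curves), 3))
```

The attributions sum to the alert's score minus the mean background score, while the spread between ICE curves exposes the off-hours interaction that the PDP average alone smooths over.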