LSTM-AU: Dynamic Thresholding and Explainable Autoencoding for Cyber Defense

Abstract

Intrusion Detection Systems (IDS) are essential for securing networks today; nevertheless, many systems still exhibit issues such as redundancy of features, fixed thresholding, and a lack of interpretability. In this paper, we present a hybrid anomaly detection approach including Long Short-Term Memory Autoencoder (LSTM-AE), adaptive thresholding, and feature attribution. The LSTM-AE allows modelling of long-term temporal dependencies in network traffic while applying filtering to paradoxically include unnecessary traffic noise and redundancy for proper anomaly detection. The adaptive thresholding is capable of recalibrating to changes in traffic patterns that ultimately mitigate false alarms more accurately. Lastly, by incorporating the Shapley value-based attribution, the model's predictions can be explained by using the aspect of traffic that is most pertinent. he empirical exploration we present on the benchmark datasets demonstrates the effectiveness of the DeepShield model architecture: on CIC-IDS2017, the accuracy was 98.9%, with precision of 98.7%, recall of 98.5%, and F1-score of 98.6%, outperforming LSTM, CNN, and Random Forest baselines; on UNSW-NB15, the score was 95.6 accuracy, with precision of 95.3, recall of 95.0, and F1-score of 95.1, outperforming other competing measures. Based on these additional capabilities shown through the Shapley-based attribution, we can conclude that DeepShield achieves state-of-the-art detection effectiveness while translating the model into a space that is more interpretable, which makes it deployable in enterprise and industrial security that is highly reliant on the defendable integrity of networks.

Keywords

• Intrusion Detection
• LSTM Autoencoder
• Anomaly Detection
• Adaptive Thresholding
• Interpretability

LSTM-AU: Siber Savunma için Dinamik Eşikleme ve Açıklanabilir Otokodlama

Abstract

Günümüzde ağların güvenliği için Saldırı Tespit Sistemleri (IDS) kritik öneme sahiptir; ancak birçok sistem hâlen özelliklerin fazlalığı, sabit eşikleme ve yorumlanabilirlik eksikliği gibi sorunlar göstermektedir. Bu çalışmada, Uzun Kısa Vadeli Bellek Otokodlayıcı (LSTM-AE), uyarlanabilir eşikleme ve özellik katkı analizi (feature attribution) içeren hibrit bir anomali tespit yaklaşımı sunulmaktadır. LSTM-AE, ağ trafiğindeki uzun vadeli zamansal bağımlılıkları modellemeye olanak tanırken, doğru anomali tespiti için gerekli olan trafik gürültüsü ve fazlalıkların paradoksal olarak filtrelenmesini sağlar. Uyarlanabilir eşikleme, trafik desenlerindeki değişimlere yeniden kalibre olabilmekte ve böylece yanlış alarmları daha doğru bir şekilde azaltmaktadır. Son olarak, Shapley değeri tabanlı katkı analizi sayesinde modelin tahminleri, trafik içerisindeki en ilgili unsurlar kullanılarak açıklanabilir hale gelmektedir. Sunulan ampirik inceleme, önerilen DeepShield mimarisinin etkinliğini ortaya koymaktadır: CIC-IDS2017 veri kümesinde %98,9 doğruluk, %98,7 kesinlik, %98,5 duyarlılık ve %98,6 F1-skora ulaşılmış ve LSTM, CNN ve Rastgele Orman tabanlı modellerden daha iyi sonuçlar elde edilmiştir. UNSW-NB15 veri kümesinde ise %95,6 doğruluk, %95,3 kesinlik, %95,0 duyarlılık ve %95,1 F1-skor elde edilerek diğer yöntemlerden üstün performans sağlanmıştır. Shapley tabanlı katkı analizi ile elde edilen bu ek yetenekler dikkate alındığında, DeepShield’in yalnızca son teknoloji düzeyinde tespit başarımı sağlamakla kalmayıp, aynı zamanda modeli daha açıklanabilir bir alana taşıdığı; bu yönüyle de güvenliğe yüksek derecede bağımlı olan kurumsal ve endüstriyel ortamlarda uygulanabilir olduğu sonucuna varılmaktadır.

Keywords

• Saldırı Tespiti
• LSTM Otokodlayıcı
• Anomali Tespiti
• Uyarlanabilir Eşikleme
• Yorumlanabilirlik

References

1. [1] Bandarupalli, G. (2025, February). Efficient deep neural network for intrusion detection using CIC-IDS-2017 dataset. In 2025 First International Conference on Advances in Computer Science, Electrical, Electronics, and Communication Technologies (CE2CT) (pp. 476-480). IEEE.
2. [2] Huang, L., Chuah, C. W., & Zhen, R. (2025, May). Bidirectional Long Short-Term Memory Networks for Efficient Network Intrusion System Classification. In 2025 IEEE 34th Wireless and Optical Communications Conference (WOCC) (pp. 189-193). IEEE.
3. [3] Sheikh, Z. A., Verma, N., Singh, Y., Tanwar, S., & Alabdulatif, A. (2025). Generalizability Assessment of Learning‐Based Intrusion Detection Systems for IoT Security: Perspectives of Data Diversity. Security and Privacy, 8(2), e70014.
4. [4] Ali, D., Abid, M. K., Baqer, M., Aziz, Y., Aslam, N., & Umer, N. (2025). Improving The Explainability And Transparency Of Deep Learning Models In Intrusion Detection SYSTEMS. Kashf Journal of Multidisciplinary Research, 2(02), 149-164.
5. [5] Gwassi, O.A.H., Uçan, O.N. & Navarro, E.A. Cyber-XAI-Block: an end-to-end cyber threat detection & fl-based risk assessment framework for IoT-enabled smart organization using xai and blockchain technologies. Multimed Tools Appl 84, 26527–26568 (2025). https://doi.org/10.1007/s11042-024-20059-4
6. [6] Xue, Y., Kang, C., & Yu, H. (2025). HAE-HRL: A network intrusion detection system utilizing a novel autoencoder and a hybrid enhanced LSTM-CNN-based residual network. Computers & Security, 151, 104328.
7. [7] Bamber, S. S., Katkuri, A. V. R., Sharma, S., & Angurala, M. (2025). A hybrid CNN-LSTM approach for intelligent cyber intrusion detection system. Computers & Security, 148, 104146.
8. [8] Alashjaee, A. M. (2025). Deep learning for network security: an Attention-CNN-LSTM model for accurate intrusion detection. Scientific Reports, 15(1), 21856.

9. [9] Shyaa, M. A., Zainol, Z., Abdullah, R., Anbar, M., Alzubaidi, L., & Santamaría, J. (2023). Enhanced Intrusion Detection with Data Stream Classification and Concept Drift Guided by the Incremental Learning Genetic Programming Combiner. Sensors, 23(7), 3736. https://doi.org/10.3390/s23073736
10. [10] Camarda, Francesco, Alessandra De Paola, Salvatore Drago, Pierluca Ferraro, and Giuseppe Lo Re. "Managing Concept Drift in Online Intrusion Detection Systems with Active Learning." In CEUR WORKSHOP PROCEEDINGS, vol. 3962. CEUR-WS, 2025.
11. [11] Isaac, E. R., & Sharma, A. (2024, January). Adaptive thresholding heuristic for KPI anomaly detection. In 2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS) (pp. 737-741). IEEE.
12. [12] Hermosilla, P., Berríos, S., & Allende-Cid, H. (2025). Explainable AI for Forensic Analysis: A Comparative Study of SHAP and LIME in Intrusion Detection Models. Applied Sciences, 15(13), 7329.
13. [13] Cantone, M., Marrocco, C., & Bria, A. (2024). Machine learning in network intrusion detection: A cross-dataset generalization study. IEEE Access.
14. [14] Al-Khayyat, A. T. K., & Ucan, O. N. (2024). A multi-branched hybrid perceptron network for DDoS attack detection using dynamic feature adaptation and multi-instance learning. IEEE Access.
15. [15] Al-Dulaimi, R. T., Türkben, A. K., Hussein, M. K., Al-Khayyat, A. T. K., & Ucan, O. N. (2025, May). Advanced Anomaly Detection Framework Using CNN-Grid Autoencoder Integration and Recursive Fuzzy Feature Selection Approach. In 2025 7th International Congress on Human-Computer Interaction, Optimization and Robotic Applications (ICHORA) (pp. 1-9). IEEE.
16. [16] Shoukat, S., Gao, T., Javeed, D., Saeed, M. S., & Adil, M. (2025). Trust my IDS: An explainable AI integrated deep learning-based transparent.
17. [17] Wang, N., Chen, Y., Xiao, Y., Hu, Y., Lou, W., & Hou, Y. T. (2022). Manda: On adversarial example detection for network intrusion detection system. IEEE Transactions on Dependable and Secure Computing, 20(2), 1139-1153.‏
18. [18] D’hooge, L., Verkerken, M., Wauters, T., De Turck, F., & Volckaert, B. (2023). Investigating generalized performance of data-constrained supervised machine learning models on novel, related samples in intrusion detection. Sensors, 23(4), 1846.
19. [19] N. Moustafa and J. Slay, ‘‘UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set),’’ in Proc. Mil. Commun. Inf. Syst. Conf. (MilCIS), Nov. 2015, pp. 1–6.
20. [20] I. Sharafaldin, A. Habibi Lashkari, and A. A. Ghorbani, ‘‘Toward generating a new intrusion detection dataset and intrusion traffic characterization,’’in Proc. 4th Int. Conf. Inf. Syst. Secur. Privacy, 2018, pp. 108–116.
21. [21] Karrar, A. E. (2022). The effect of using data pre-processing by imputations in handling missing values. Indonesian Journal of Electrical Engineering and Informatics (IJEEI), 10(2), 375-384.
22. [22] Gharatkar, S., Ingle, A., Naik, T., & Save, A. (2017, March). Review preprocessing using data cleaning and stemming technique. In 2017 international conference on innovations in information, embedded and communication systems (iciiecs) (pp. 1-4). IEEE.
23. [23] Patro, S. G. O. P. A. L., & Sahu, K. K. (2015). Normalization: A preprocessing stage. arXiv preprint arXiv:1503.06462.
24. [24] Dahouda, M. K., & Joe, I. (2021). A deep-learned embedding technique for categorical features encoding. IEEE access, 9, 114381-114391.
25. [25] Aronoff, S. (1982). Classification accuracy: a user approach. Photogrammetric Engineering and Remote Sensing, 48(8), 1299-1307.
26. [26] Tharwat, A. (2021). Classification assessment methods. Applied computing and informatics, 17(1), 168-192.
27. [27] Han, J., & Pak, W. (2023). Hierarchical LSTM-based network intrusion detection system using hybrid classification. Applied Sciences, 13(5), 3089.
28. [28] Selvam, R., & Velliangiri, S. (2024, March). An improving intrusion detection model based on novel CNN technique using recent CIC-IDS datasets. In 2024 International Conference on Distributed Computing and Optimization Techniques (ICDCOT) (pp. 1-6). IEEE.
29. [29] Markovic, T., Leon, M., Buffoni, D., & Punnekkat, S. (2022, June). Random forest based on federated learning for intrusion detection. In IFIP international conference on artificial intelligence applications and Innovations (pp. 132-144). Cham: Springer International Publishing.