Explainable Artificial Intelligence Enabled Intrusion Detection Technique for Secure Cyber-Physical Systems

Abstract

A cyber-physical system (CPS) can be referred to as a network of cyber and physical components that communicate with each other in a feedback manner. A CPS is essential for daily activities and approves critical infrastructure as it provides the base for innovative smart devices. The recent advances in the field of explainable artificial intelligence have contributed to the development of robust intrusion detection modes for CPS environments. This study develops an Explainable Artificial Intelligence Enabled Intrusion Detection Technique for Secure Cyber-Physical Systems (XAIID-SCPS). The proposed XAIID-SCPS technique mainly concentrates on the detection and classification of intrusions in the CPS platform. In the XAIID-SCPS technique, a Hybrid Enhanced Glowworm Swarm Optimization (HEGSO) algorithm is applied for feature selection purposes. For intrusion detection, the Improved Elman Neural Network (IENN) model was utilized with an Enhanced Fruitfly Optimization (EFFO) algorithm for parameter optimization. Moreover, the XAIID-SCPS technique integrates the XAI approach LIME for better understanding and explainability of the black-box method for accurate classification of intrusions. The simulation values demonstrate the promising performance of the XAIID-SCPS technique over other approaches with maximum accuracy of 98.87%.

1. Introduction

A cyber-physical system (CPS) enables physical gadgets with sensing abilities to interact with the internet or controllers as required [1]. The communication channels used can be short-distance communication or wireless technology to continually upgrade the physical environment condition or physical device status to a remote server or controller [2]. The recent developments in wireless communications and sensor technologies have utilized the CPS in several application fields, such as aviation and chemical industries, electronics, material manufacturing with automatic supply chain, and smart industries, which includes transport, etc. [3]. The advent of CPS applications in different fields even paves the way for novel security challenges and issues to safeguard confidential data or infrastructure against cybersecurity. The attacks include cyberattacks via internet-connected devices, and physical assaults which can lead to supply chain disruption or system failures [4]. Therefore, CPS security is very challenging compared to the classical IT and network substructure [5]. Figure 1 represents the CPS and potential security threats.

Intrusion detection systems (IDS) are highly capable of detecting and preventing data breaches by stopping and detecting intrusions [6,7,8]. Anomaly detection (AD) and Misuse detection are two kinds of ID. Misuse detection depends on patterns or information, whereas AD relies on behavior. Present IDS have a higher detection rate, which leads to several false alarms. In an IDS, false positives must be reduced. Several IDS were applied with the help of various ML methods as they can find valuable data from the database. Such techniques have the potential to diminish false positives. ML techniques, involving IDS, an association of rules, and GA were enforced through artificial neural networks (ANNs). Ensemble learning merges different ML techniques. The authors found that an ensemble method involving ML techniques lessens false positives.

This study develops an Explainable Artificial Intelligence Enabled Intrusion Detection Technique for Secure Cyber-Physical Systems (XAIID-SCPS). In the XAIID-SCPS technique, a Hybrid Enhanced Glowworm Swarm Optimization (HEGSO) algorithm is applied for feature selection purposes. For intrusion detection, the Improved Elman Neural Network (IENN) method was exploited with an Enhanced Fruitfly Optimization (EFFO) algorithm for parameter optimization. Moreover, the XAIID-SCPS technique integrates the XAI approach LIME for better explainability and understanding of the black-box method for the accurate classification of intrusions. The simulation values of the XAIID-SCPS technique can be tested on benchmark intrusion datasets.

The rest of the study Is organized as follows. Section 2 elaborates on the existing IDS models in the CPS environment. Next, the proposed XAIID-SCPS technique is discussed in Section 3, and the experimental results are defined in Section 4. Finally, Section 5 concludes the work with key findings and possible future work.

2. Related Works

Radanliev et al. [9] presented a new mathematical approach for integrating concepts for cognition engine design, edge computing and Artificial Intelligence and Machine Learning to automate anomaly detection. The authors in [10] identified a wide range of methods for cyber analytics and explore the risks of deliberately influencing or disrupting behaviors in socio-technical systems. It modeled the connections and interdependencies between a system’s edge components to both external and internal services and systems. Munir et al. [11] presented an AI-based exploratory cyber-physical safety analyzer structure. This structure modelled supervised learning-related AI techniques such as K-KNN, DT, LR, LSTM, and RF to detect and predict spoofing attacks and cyber jamming. Afterwards, the developed structure examines the conditional dependency depending on Pearson’s correlation coefficient between controlled messages to identify the reason for effective assaults related to the outcome of the AI system. Colelli et al. [12] intended to offer a tool for detecting cyberattacks in CPS. This technique depends on ML for enhancing the system’s security. It is possible to assess the classifier performance of the three methods through analysis of values assumed by ML. The method gained with the help of trained set permits categorizing a sample of anomalous behavior and a sample that can be relevant to usual behavior. In [13], a novel risk assessment technique was presented in this study for quantifying the effect of malicious assaults on the physical mechanism of ICPS. This technique helps to perform suitable attack mitigation measures. The technique leverages a Bayesian network to devise an attack propagation procedure and infer the probability of actuators and sensors being compromised.

Schneider and Böttinger [14] introduced a uniform framework and method to apply an AD to various Fieldbus protocols. The author used stacked denoising AE to derive a packet classification and feature learning technique in one step. In addition, the author created a potential structure which can even manage the increased amount of transmission in CPS. Sharma et al. [15] devised superior lightweight behavior rule specification-related misbehavior recognition for IoT-embedded CPS (BRIoT). The main aim of this technique was to devise a mechanism with which misbehavior of an IoT gadget was established so assaults exploiting the exposed susceptibility can be identified with the use of formal verification and automated model checking, irrespective of whether the assault was unknown or known.

In [16], a security decision-making technique related to the stochastic game model was modelled for characterizing the communication among defenders and attackers in ICPS, producing the best defense approaches for reducing system losses. The major difference in this technique was that it offers a practical means to frame a cross-layer security game method for ICPS with time-based unified payoff quantification and quantitative vulnerability analysis. Huang and Zhu [17] presented a dynamic game structure to devise long-term communication between a proactive defender and a stealthy attacker. The deceptive and stealthy behaviors were captured by a multi-stage game of unfinished data, where all players have their private data unknown to others.

Wang et al. [18] presented a Knowledge Distillation method dependent upon Triplet CNN for improving the model efficiency and significantly improve the speed of AD for industrial CPS (ICPS) and decrease the complexity of model. A novel NN trained approach termed as K-fold cross training was also presented for enhancing the accuracy of AD. Tang et al. [19] examine an ICPS with IDS dependent upon the Diffusion model. Primarily, data equivalent to the rare class can be created by the diffusion model that generates the trained database of various classes balanced.

Ramadevi et al. [20] introduced an Optimal DBN-based distributed IDS (ODBN-IDS) for securing CPS platform. The presented method was focused on pre-processing the cloud network traffic data and improve their quality to the next level. An equilibrium Optimizer Algorithm (EOA) was utilized for fine-tuning the hyperparameters in DBN technique. Alohali et al. [21] examined a novel AI-assisted multi-modal fusion-based IDS (AIMMF-IDS) for CCPS in industry 4.0 platform. Moreover, an improved fish swarm optimizer based FS (IFSO-FS) approach was utilized for suitable FSs. Dutta et al. [22] presented a robust AD method dependent upon semi-supervised ML approach permitting us near real-time localization of attacks. A DNN structure was utilized for AD dependent upon reconstruction error.

3. The Proposed Model

In this study, we have presented an automated intrusion detection technique, named the XAIID-SCPS technique, for the CPS environment. The presented XAIID-SCPS method mostly concentrates on the detection and classification of intrusions in the CPS platform. In the XAIID-SCPS technique, several subprocesses are involved, namely, data pre-processing, HEGSO-based feature selection, IENN-based classification, and EFFO-based parameter tuning. Figure 2 illustrates the overall flow of the XAIID-SCPS system.

3.1. Preprocessing

In this phase, data conversion and data normalization are the two stages of preprocessing. The input dataset in .xls form is converted into .csv form during data conversion. In addition, data normalization can be performed by the min–max technique, where the minimum and maximum values are taken from the given dataset. It aims to the normalization of sample to a higher value of 1 and a lower value of 0 as follows:

$$Min-Max.Norm=\frac{x-x_{min}}{x_{max}-x_{min}}$$

(1)

3.2. Feature Selection Using HEGSO Algorithm

To select features accurately, the HEGSO algorithm is exploited in this study. The classical GSO technique is based on glowworm behaviors and was rooted in the natural activity of glowworms during the night [23]. The glowworm exhibits a kind of communication with other glowworms in a group depending on the luciferin. If the luciferin was high, then the light produced by the glowworm was high. As a result, the glowworm goes towards it. In this neighborhood, Luciferin update, movement, and update phases are the three different stages of the GSO technique.

The luciferin update stage refers to luciferin creation. The quantity of luciferin was directly proportional to the fitness of the current site on the main function. During the movement stage, the glowworm selects the use of probabilistic means to go towards the neighbor where the value is high. The succeeding stage involves the adaptive neighborhood range for perceiving the peak presence. The optimizing process can be performed by using the HEGSO technique. The presented study applies the hybrid model where the HEGSO technique is used. Moreover, the usage of two genetic algorithms includes mutation and crossover operators. The optimization algorithm is initiated when the path is found between the beginning and the end points of the vehicular nodes that are presented in the road segment. The HEGSO method can be given in the following,

Step 1: Initialize the ‘Eearch Agent’ (EA), namely, separate glowworm $X$ and the population size can be represented as $Q$. $z$ shows the step size, the maximum number of iterations is represented by $N_{it}$, $I_o$ indicates the initial value of luciferin, $r_o$ indicates the primary value of radial gamut of SA, and $n$ denotes the hour’s instance.

$$X=\left\{x_1, x_2, \dots . x_Q\right\}$$

(2)

Step 2: Calculate the fitness function using the following expression:

$$F={\displaystyle \sum }_{r=1}^n\frac{L}{E{V}_t\left(V_i\right)}$$

(3)

where $L$ denotes the overall length of the road segment, the average velocity of the vehicle on road was represented as $E{V}_t$ and $V_i$ specify the vehicle.

Step 3: In the luciferin stage, every new SA is calculated by the following equation:

$$l_j\left(n+1\right)=\left(1-\rho \right)l_j\left(n\right)+\beta J_j\left(n+1\right)$$

(4)

where $l\left(n\right)$ indicates the luciferin value of SA at $n$ time, $l_j\left(n+1\right)$ indicates the luciferin value of SA at $\left(n+1\right)$ time, $J_j$ denotes fitness function, and $\beta$ denotes luciferin decay constant with the value in gamut [0, 1].

Step 4: The main function of every novel SA is evaluated by a similar fitness function that was declared in step 2.

Step 5: Now, the SA headed for the neighboring glowworm was based on luminance. The SA movement can be determined by Euclidean distance among the glowworms. Here, SA heads for evaluated neighborhoods based on the probabilistic model, which can be expressed as follows.

$$x_j\left(n+1\right)=x_j\left(n\right)+Z\left(\frac{xk\left(n\right)-x_j\left(n\right)}{\Vert xk\left(n\right)-x_j\left(n\right)\Vert }\right)$$

(5)

In Equation (5), $Z$ denotes step size.

Step 6: Here, the decision range was upgraded, namely, the neighborhood range of SA is upgraded as follows:

$$r_d\left(n+1\right)= \min (r_s, \hspace{1em}\max \left(O, r_d\left(n\right)\right)+B\left(n_e-\left|N_j\left(n\right)\right|\right)$$

(6)

In Equation (6), $B$ indicates the constant, $r_s$ represent the largest sensing radius of the glowworm. $n_e$ shows the SA having a higher luciferin value in the decision range, $r_d\left(n+1\right)$ and $rd$ denote the upgraded and preceding values of the neighborhood range.

Step 7: Check whether the ending condition is met. When the ending condition is satisfied, then a better solution can be attained. When the ending conditions are not satisfied after two genetic operators, namely, crossover and mutation operators, are used. Furthermore, the 2-point crossover was used. This can be followed by a mutation process where there are specific genes. The value that can be chosen for the crossover operator were mutated and then integrated.

In the proposed HEGSO approach, the fitness function is intended to have a balance between the classification accuracy (maximum) and the number of selected features in all the solutions (minimum) attained Equation (10) characterizes the fitness function to estimate the solution.

$$Fitness=\alpha {\gamma }_R\left(D\right)+\beta \frac{\left|R\right|}{\left|C\right|}$$

(7)

where ${\gamma }_R\left(D\right)$ signifies the classifier error rate of the given classifier. $\left|R\right|$ indicates the cardinality of the selective subset and $\left|C\right|$ denotes the overall number of features in data, and $\alpha$ and $\beta$ denote the two parameters corresponding to the significance of classifier quality and subset length, respectively. ∈ [1, 0] and $\beta =1-\alpha$ as explained in Algorithm 1.

Algorithm 1. HEGSO Algorithm

Process HEGSO Start: Input: $X_i,$ $Q,$ $z,$ $N_{it},$ $I_o,$ $r_o.$ Define fitness function While $t<N_{iy}$ do     For every glowworm do $l_j\left(n+1\right)=\left(1-\rho \right)l_j\left(n\right)+\beta J_j\left(n+1\right)$ $x_j\left(n+1\right)=x_j\left(n\right)+Z\left(\frac{xk\left(n\right)-x_j\left(n\right)}{\Vert xk\left(n\right)-x_j\left(n\right)\Vert }\right)$ $r_d\left(n+1\right)= \min (r_s, \max (O, r_d\left(n\right)+B(n_e-N_j\left(n\right)$     End for End while Implement the crossover and mutation Return $X_{best}$ End Process

3.3. Intrusion Detection Using Optimal IENN Model

For detecting intrusions accurately, the IENN model is used. The ENN was a fully connected dynamic feedback NN that has a local feedback function and local memory unit. It realizes the mapping of a dynamic system and realizes the modeling of a static system and directly reflects the dynamic features of the model [24]. In comparison to FFNN, Elman was a one-step delay operator that attains the purpose of short-term storage, and add another receiving layer based on a three-layer structure of hidden, input and resultant layers. Thus, the Elman method can adapt to time-varying features. Simultaneously, it has strong network stability and computing power. While there is a non-linear relationship between the parameters of SOH and LIB, such features of the ENN enable -linear relation with better precision. Thus, the ENN is selected as an infrastructure.

The ENN architecture with one output unit, two input units and three hidden units. $k$ denotes the $k^{th}$ time; $X\left(k\right)$ signifies the input vector of an input layer; $w_{ij}^1,$ $w_{ij}^2,$ and $w_{ij}^3$ signify the weight connection from input to hidden layers (HLs) from receiving to HL and from HL to the output layer, correspondingly. $C\left(k\right),$ $C^{*}\left(k\right),$ and $Y\left(k\right)$ signify the output vector of the hidden, getting, and resultant layers, correspondingly. $b1$ to $b4$ denotes the threshold of getting and resultant layers, correspondingly, and it can be mathematically expressed as follows:

$$C^{*}\left(k\right)=C\left(k-1\right)$$

(8)

$$C\left(k\right)=f\left(w_{ij}^{1}X\left(k\right)+bi+w_{ij}^2{C}^{*}\left(k\right)\right)$$

(9)

$$Y\left(k\right)=g\left(w_{ij}^{3}C\left(k\right)+bi\right)f\left(\cdot \right)$$

(10)

Here, $bi$ indicates the corresponding threshold, $g\left(·\right)$ denotes the activation function of output neurons that is usually a linear integration, and $f$ signifies the activation function of HL.

However, ENNs have their benefits and drawbacks. Focusing on the drawbacks of NN algorithms in real-time engineering applications, research workers have primarily investigated and amended from two factors of learning algorithms and network topology. The amendment of NN topology will dramatically increase the computation problem that was not advantageous to the development of NN performance. Thus, the additional momentum technique improves the learning method of the NN and the algorithm implies that during backpropagation, a part of the preceding weight change was included to present weight adjustment values by using momentum factors and utilized as an actual weight adjustment values:

$$\Delta w\left(t+1\right)=\alpha \Delta w\left(t\right)+\left(1-\alpha \right)\eta \frac{\partial E\left(t\right)}{\partial w\left(t\right)}$$

(11)

$$\Delta w\left(t+1\right)=w\left(t\right)+\Delta w\left(t+1\right)$$

(12)

Now, $t$ denotes the count of training times, $\alpha$ indicates the momentum factor, usually fixed to 0.95, and $\eta$ indicates the learning rate.

To alter the variables related to the IENN method, the EFFO approach was used. In general, the FFO algorithm is based on the behaviors of fruit flies during the food search process [25]. This method comprises three stages:

(1) Initializing stage: the fruit flies have dispersed arbitrarily as $X_{a}xis$ and $Y_{a}xis$, where r$v$ denotes the uniform distribution random number.

$$X_i=X_{a}xis+rv$$

(13)

$$Y_i=Y_{a}xis+rv$$

(14)

(2) Path Construction stage: the distance and odor intensity of each fruit fly is performed by using the following equation.

$$Distanc{e}_i=\sqrt{X_i^2+Y_i^2}$$

(15)

$$S{M}_i^c=\frac{l}{Distanc{e}_i}$$

(16)

where $Distanc{e}_i$ denotes the distance between the food location and the $i^{th}$ individual, $S{M}_i^c$ denotes the judgment value of odor intensity concentration, and this was the reciprocal of distance.

(3) Fitness evaluation stage: The fitness formula can be expressed in the following.

$$smel{l}_i=function \left(S{M}_i^c\right)$$

(17)

$$smel{l}^{best},inde{x}^{best}= \max \left(smel{l}_i\right)$$

(18)

where $smel{l}_i$ shows the value of odor intensity of the distinct fruit flies, $smel{l}^{ best}$ and $inde{x}^{ best}$ denote the maximum component and its corresponding indices have dissimilar dimensions of smell vector, and $\max \left(smel{l}_i\right)$ indicates the highest odor intensity concentration amongst fruit flies.

(4) Movement phase: The fruit fly provides a better value of odor intensity and flies towards that position correspondingly. The pseudocode of the FFO algorithm (Algorithm 2) is shown below.

$$BEST SMELL=smel{l}^{best}$$

(19)

$$X_{a}xis=X\left(inde{x}^{best}\right)$$

(20)

$$Y_{a}xis=Y\left(inde{x}^{best}\right)$$

(21)

Algorithm 2. FFOA algorithm

Step 1 Initializes the parameter Step 2 Repeat     Select the random position under distance and odor intensity     Assess the fitness function $S{M}_i^c$     Recognize the fruit fly with the highest odor intensity concentration between     The fruit fly swarm     Ranking of solutions, and upgrading the better solution Step 3 Return the better solution

The EFFO algorithm is defined by the incorporation of a chaotic concept. The chaotic signal made by the deterministic system has the quality of genus-randomness. The curve can be defined by the initial value and chaos mapping parameter.

Logistic mapping was leveraged widely. The Logistic chaotic mechanism has complicated dynamical behavior and it is defined as follows:

$${\lambda }_{i+1}=\mu \times {\lambda }_i\times \left(1-{\lambda }_i\right)$$

(22)

$\lambda \in \left[0, 1\right],i=0,1,2,\cdots ,\mu$ is in [1, 4]. The study recommended that $\mu$ was closer to 4, and $\lambda$ was closer to the average distribution between [0, 1]. Meanwhile, the system was completely chaotic if $\mu$ value is 4. The initial population was a significant part of the intelligent optimizer technique that affect the final solution quality and convergence rate. Logistic chaotic mapping was leveraged for initializing the population of FFO that exploits the solution space to enhance the efficiency of the model.

The fitness selection is a critical factor in the EFFO algorithm. Solution encoding can be used to assess the aptitude (goodness) of the candidate solution. Here, the accuracy value is the main condition used to design a fitness function.

$$Fitness= \max \left(P\right)$$

(23)

$$P=\frac{TP}{TP+FP}$$

(24)

From the expression, TP represents the true positive and FP denotes the false positive value.

3.4. Modeling of XAI Using LIME

In this work, the XAIID-SCPS technique integrates the XAI approach LIME for superior explainability and understanding of the black-box method for the accurate classification of intrusions [26]. Local interpretable model-agnostic explanation (LIME) could describe several ML techniques for regression prediction, utilizing the featured value change in the data samples to convert the featured value into the contribution of the predictor. The explainer provides a local interpretation of the data samples. For instance, interpretable models in LIME frequently use decision trees (DTs) or linear regression (LR) that are trained by the small perturbation (hiding parts of an image, adding random noise, and removing specific words) in the model. The quality of this model seems to be increasing and was utilized to solve the best part of business victimization data. Moreover, there was a persistent tradeoff between interpretability and model accuracy. In general, the accuracy is enhanced to use sophisticated techniques such as random forest, material, boosting, SVM, and call trees, which are “blackbox” techniques. The local interpretable model agnostic explanation (LIME) gives a clear description of the problem with the blackbox classifier. The LIME is a way to understand an ML BlackBox technique by perturbing the input dataset and seeing how the prediction changes. The LIME is used for any ML black-box models. The main steps are given below:

In the class explain_instance, a technique named explain_instance accepts the reference to the instance where the explanation is required, together with the number of features to be added in the explanation and the trained model’s prediction technique.

A TabularExplainer can be initialized by the data used for training the data about the features, and various class names.

4. Performance Validation

In this section, the intrusion detection results of the XAIID-SCPS method can be investigated on two datasets namely NSLKDD2015 and CICIDS2017 dataset as shown in

Table 1. Details dataset.

Class	No. of Samples
	NSLKDD 2015	CICIDS 2017
Normal	67,343	50,000
Anomaly	58,630	50,000
Total Number of Samples	125,973	100,000

.

The confusion matrices of the XAIID-SCPS method on the NSLKDD 2015 dataset are illustrated in Figure 3. The results recognized the normal and abnormal samples proficiently. For instance, with 80% of TRS, the XAIID-SCPS technique identifies 53,611 normal and 46,054 abnormal samples. Along with that, with 20% of TSS, the XAIID-SCPS technique identifies 13,343 normal and 11,578 abnormal samples. Finally, with 30% of TSS, the XAIID-SCPS technique identifies 19,787 normal and 17,364 abnormal samples.

In

Table 2. Intrusion recognition outcome of XAIID-SCPS system on the NSLKDD2015 dataset.

NSLKDD 2015 Dataset
Class	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{b}\mathit{a}\mathit{l}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$	$\mathit{A}\mathit{U}{\mathit{C}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
Training Phase (80%)
Normal	99.40	98.55	99.40	98.97	98.86
Anomaly	98.31	99.30	98.31	98.81	98.86
Average	98.86	98.93	98.86	98.89	98.86
Testing Phase (20%)
Normal	99.51	98.47	99.51	98.98	98.87
Anomaly	98.24	99.43	98.24	98.83	98.87
Average	98.87	98.95	98.87	98.91	98.87
Training Phase (70%)
Normal	98.04	98.70	98.04	98.37	98.28
Anomaly	98.52	97.76	98.52	98.14	98.28
Average	98.28	98.23	98.28	98.25	98.28
Testing Phase (30%)
Normal	98.11	98.70	98.11	98.41	98.32
Anomaly	98.52	97.85	98.52	98.19	98.32
Average	98.32	98.28	98.32	98.30	98.32

, detailed intrusion recognition outcomes of the XAIID-SCPS method on the NSLKDD2015 dataset are provided under 80:20 of TRS/TSS. The experimental results demonstrated that the proposed model properly recognizes normal and anomaly samples under 80:20 of TRS/TSS. With 80% of TRS, the XAIID-SCPS technique obtains an average $acc{u}_{bal}$ of 98.86%, $pre{c}_n$ of 98.93%, $rec{a}_l$ of 98.86%, $F_{score}$ of 98.89%, and $AU{C}_{score}$ of 98.86%. Meanwhile, with 20% of TSS, the XAIID-SCPS methodology acquires an average $acc{u}_{bal}$ of 98.87%, $pre{c}_n$ of 98.95%, $rec{a}_l$ of 98.87%, $F_{score}$ of 98.91%, and $AU{C}_{score}$ of 98.87%. Additionally, for 30% of TSS, the XAIID-SCPS method obtains an average $acc{u}_{bal}$ of 98.32%, $pre{c}_n$ of 98.28%, $rec{a}_l$ of 98.32%, $F_{score}$ of 98.30%, and $AU{C}_{score}$ of 98.32%.

The TACY and VACY of the XAIID-SCPS model on the NSLKDD2015 dataset are represented in Figure 4. The figure designated the XAIID-SCPS model has shown enhanced performance with maximal values of TACY and VACY. It is visible that the XAIID-SCPS model has maximum TACY results.

The TLOS and VLOS of the XAIID-SCPS model on the NSLKDD2015 dataset are represented in Figure 5. The figure inferred that the XAIID-SCPS model has superior performance with least values of TLOS and VLOS. It is visible that the XAIID-SCPS model has resulted in reduced VLOS outcomes.

The confusion matrices of the XAIID-SCPS methodology in the CICIDS 2017 dataset are shown in Figure 6. The results recognized the normal and abnormal samples proficiently. For instance, with 80% of TRS, the XAIID-SCPS technique identifies 39,508 normal and 39,422 abnormal samples. Along with that, with 20% of TSS, the XAIID-SCPS technique identifies 9774 normal and 9950 abnormal samples. Finally, with 30% of TSS, the XAIID-SCPS technique identifies 14,582 normal and 14,505 abnormal samples.

In

Table 3. Intrusion recognition outcome of XAIID-SCPS system on the CICIDS 2017 dataset.

CICIDS 2017 Dataset
Class	$\mathit{A}\mathit{c}\mathit{c}{\mathit{u}}_{\mathit{b}\mathit{a}\mathit{l}}$	$\mathit{P}\mathit{r}\mathit{e}{\mathit{c}}_{\mathit{n}}$	$\mathit{R}\mathit{e}\mathit{c}{\mathit{a}}_{\mathit{l}}$	${\mathit{F}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$	$\mathit{A}\mathit{U}{\mathit{C}}_{\mathit{s}\mathit{c}\mathit{o}\mathit{r}\mathit{e}}$
Training Phase (80%)
Normal	98.57	98.76	98.57	98.66	98.66
Anomaly	98.75	98.57	98.75	98.66	98.66
Average	98.66	98.66	98.66	98.66	98.66
Testing Phase (20%)
Normal	98.53	98.69	98.53	98.61	98.62
Anomaly	98.71	98.55	98.71	98.63	98.62
Average	98.62	98.62	98.62	98.62	98.62
Training Phase (70%)
Normal	97.03	96.91	97.03	96.97	96.97
Anomaly	96.90	97.03	96.90	96.97	96.97
Average	96.97	96.97	96.97	96.97	96.97
Testing Phase (30%)
Normal	97.14	96.79	97.14	96.96	96.96
Anomaly	96.77	97.13	96.77	96.95	96.96
Average	96.96	96.96	96.96	96.96	96.96

, a brief intrusion recognition outcome of the XAIID-SCPS method on the CICIDS 2017 dataset is provided under 70:30 of TRS/TSS. The experimental results demonstrated that the proposed model properly recognizes normal and anomaly samples under 70:30 of TRS/TSS. With 80% of TRS, the XAIID-SCPS technique obtains an average $acc{u}_{bal}$ of 98.66%, $pre{c}_n$ of 98.66%, $rec{a}_l$ of 98.66%, $F_{score}$ of 98.66%, and $AU{C}_{score}$ of 98.66%. Meanwhile, with 20% of TSS, the XAIID-SCPS technique obtains an average $acc{u}_{bal}$ of 98.62%, $pre{c}_n$ of 98.62%, $rec{a}_l$ of 98.62%, $F_{score}$ of 98.62%, and $AU{C}_{score}$ of 98.62%. Moreover, for 30% of TSS, the XAIID-SCPS technique obtains an average $acc{u}_{bal}$ of 96.96%, $pre{c}_n$ of 96.96%, $rec{a}_l$ of 96.96%, $F_{score}$ of 96.96%, and $AU{C}_{score}$ of 96.96%.

The TACY and VACY of the XAIID-SCPS model on the CICIDS 2017 database are represented in Figure 7. The figure shows that the XAIID-SCPS method has shown enhanced performance with increased values of TACY and VACY. It is visible that the XAIID-SCPS model has higher TACY outcomes.

The TLOS and VLOS of the XAIID-SCPS model on the CICIDS 2017 dataset are represented in Figure 8. The figure indicated that the XAIID-SCPS model has better performance with the least values of TLOS and VLOS. It is visible that the XAIID-SCPS model has resulted in reduced VLOS outcomes.

In

Table 4. Comparative outcome of XAIID-SCPS system with other systems.

Methods	Accuracy	Precision	Recall	F1-Score
XAIID-SCPS	98.87	98.95	98.87	98.91
FURIA	98.14	97.57	96.93	98.26
AE-RF	97.62	97.35	97.79	97.30
Forest-PA	96.72	96.97	97.32	98.13
WISARD	96.64	97.58	97.29	98.65
GSAE	97.63	95.97	98.39	98.19
LIB-SVM	96.57	96.96	96.83	97.92

and Figure 9, comparative results of the XAIID-SCPS technique with existing models take place [27]. The results indicate that the XAIID-SCPS method shows maximum performance over other existing models. Based on $acc{u}_y$, the XAIID-SCPS technique results in an increasing $acc{u}_y$ of 98.87% while the FURIA, AE-RF, Forest-PA, WIZARD, GSAE, and LIB-SVM models reach a reducing $acc{u}_y$ of 98.14%, 97.62%, 96.72%, 96.64%, 97.63%, and 96.57%, respectively.

Meanwhile, based on $pre{c}_n$, the XAIID-SCPS method results in an increasing $pre{c}_n$ of 98.95% while the FURIA, AE-RF, Forest-PA, WISARD, GSAE, and LIB-SVM models reach a reducing $pre{c}_n$ of 97.57%, 97.35%, 96.97%, 97.58%, 95.97%, and 96.96%, respectively. Eventually, based on $F_{score}$, the XAIID-SCPS technique results in an increasing $F_{score}$ of 98.91% while the FURIA, AE-RF, Forest-PA, WISARD, GSAE, and LIB-SVM models reach a reducing $F_{score}$ of 98.14%, 98.26%, 97.30%, 98.13%, 98.65%, 98.19%, and 97.92%, correspondingly. These results highlighted the betterment of the XAIID-SCPS technique for intrusion detection purposes.

5. Conclusions

In this study, we have presented an automated intrusion detection technique named XAIID-SCPS technique for the CPS platform. The presented XAIID-SCPS approach primarily concentrates on the detection and classification of intrusions in the CPS platform. In the XAIID-SCPS technique, several subprocesses are involved, namely, data pre-processing, HEGSO-based feature selection, IENN-based classification, and EFFO-based parameter tuning. Moreover, the XAIID-SCPS technique integrates the XAI approach LIME for better understanding and explainability of the black-box method for accurate classification of intrusions. The simulation values of the XAIID-SCPS technique are tested on a benchmark intrusion dataset and the outcomes prove the promising performance of the XAIID-SCPS technique over other recent approaches. In the future, data clustering and outlier removal methodologies can be designed to enrich the detection performance of the XAIID-SCPS technique. Moreover, the proposed model can be extended to the design of ensemble voting classifiers to improve the detection rate of the XAIID-SCPS technique.