Title Comparative analysis of surrogate model architectures for LIME for intrusion detection enhancement
Authors Bacevičius, Mantas ; Paulauskaitė-Tarasevičienė, Agnė
Full Text Download
Is Part of CEUR Workshop proceedings: IVUS 2025: proceedings of the 30th international conference on information society and university studies (IVUS 2025), Kaunas, Lithuania, 15 May 2025 / edited by: I. Veitaitė, A. Lopata, T. Krilavičius, M. Woźniak.. Aachen : CEUR-WS. 2026, vol. 4213, p. 219-228.. ISSN 1613-0073
Keywords [eng] cosine similarity ; black box model ; local interpretable model agnostic explanations ; surrogate model ; cic ids ; local fidelity ; model s behavior ; decision tree surrogate ; machine learning
Abstract [eng] Machine learning has proven highly effective for network intrusion detection but remains opaque in its decision making, creating trust and interpretability concerns in cybersecurity. In this work, we refine Local Interpretable Model-Agnostic Explanations (LIME) by examining how different surrogate regressors (Decision Tree, Random Forest, Ridge) and perturbation distributions (Beta, Gamma, Gaussian, Pareto, Weibull) affect explanation quality for the CIC-IDS-2018 dataset. Our experiments on four classifiers (Decision Tree, kNN, Random Forest, XGBoost) reveal that tree-based surrogates, especially Decision Tree and Random Forest, can achieve near-perfect or even perfect fidelity (R2 ≈ 10) under distributions like Beta, Gamma, and Pareto, significantly outperforming the default linear Ridge regression surrogate. These distributions also improve the stability of the explanation, as measured by the Jaccard similarity and cosine similarity of the highest scoring traits, and the Pareto and Beta distributions often provide the highest consistency across repeated tests. In summary, our results highlight the importance of balancing the complexity of the surrogate model with the non-linearity of the target classifier and selecting appropriate perturbation distributions to increase both accuracy and stability. Hence, this work proposes a systematic framework to improve interpreted intrusion detection, allowing cybersecurity applications to provide more robust and adaptable local explanations.
Published Aachen : CEUR-WS
Type Conference paper
Language English
Publication date 2026
CC license CC license description