What is it about?
Cyberattacks against Internet of Things (IoT) devices are becoming increasingly common as more connected devices are used in homes, businesses, healthcare systems, and critical infrastructure. Detecting these attacks quickly and accurately is essential, but many artificial intelligence systems act as “black boxes,” making it difficult for cybersecurity professionals to understand why a threat was detected.

In this study, we developed an explainable artificial intelligence framework that combines multiple machine learning and deep learning models to identify different types of cyberattacks in IoT environments. Rather than relying on a single algorithm, the system uses a stacked ensemble approach that brings together the strengths of several models to improve detection accuracy and reliability. We evaluated the framework using a large real-world cybersecurity dataset containing more than 500,000 Linux process records representing both normal activities and multiple attack types. The proposed approach achieved very high detection performance while also producing reliable risk scores that can support operational decision-making in Security Operations Centers (SOCs).

A key feature of this work is explainability. Using explainable AI techniques, the system can identify which factors most influenced each prediction, helping analysts understand suspicious behaviors such as unusual command execution patterns, abnormal process activity, and excessive resource usage. This transparency increases trust in AI-driven cybersecurity tools and supports faster investigation and response. The findings demonstrate how explainable AI can strengthen cyber defense by combining high detection accuracy with practical insights that security teams can use to protect connected devices and critical digital infrastructure.
Why is it important?
As organizations become increasingly dependent on connected devices and digital infrastructure, cyberattacks are growing in both volume and sophistication. Security teams need detection systems that are not only accurate, but also trustworthy, explainable, and capable of supporting real-world operational decisions.

What makes this research unique is that it combines three important requirements that are often addressed separately: high detection accuracy, reliable risk scoring, and explainable artificial intelligence. Many existing intrusion detection systems focus primarily on classification performance, while providing limited insight into why a threat was detected or how confident the system is in its predictions. Our framework demonstrates that advanced AI models can deliver near-perfect attack detection while also producing transparent explanations that security analysts can understand and act upon. This helps bridge the gap between academic machine learning research and the practical needs of Security Operations Centers (SOCs), where analysts must quickly prioritize alerts, investigate incidents, and justify response decisions.

The work is particularly timely because governments, enterprises, and critical infrastructure operators are increasingly seeking trustworthy AI solutions that support cybersecurity resilience. By showing how explainable AI can improve both performance and decision-making, this research contributes to the development of more reliable and operationally useful cyber defense systems.
Perspectives
One of the motivations behind this research was my interest in making artificial intelligence more useful and trustworthy in cybersecurity operations. In many real-world environments, security analysts are asked to make critical decisions based on alerts generated by complex machine learning systems, yet those systems often provide little explanation for their conclusions. Through this work, I wanted to explore whether it is possible to achieve both high detection performance and meaningful transparency at the same time. The results suggest that explainable AI can help bridge the gap between advanced machine learning research and practical cybersecurity operations by providing insights that analysts can understand, validate, and act upon. I believe the future of cybersecurity will increasingly depend on AI-driven systems, but their adoption will require more than accuracy alone. Trust, interpretability, and operational usability will become equally important. I hope this research contributes to that broader conversation and encourages the development of cybersecurity solutions that are not only powerful, but also understandable and accountable.
Faisal Albalwy
Taibah University
Read the Original
This page is a summary of: Bridging AI and Cyber Defense: A Stacked Ensemble Deep Learning Model with Explainable Insights, Computers Materials & Continua, January 2026, Tsinghua University Press,
DOI: 10.32604/cmc.2025.075098.