Complexity

Research Article

Explainable Artificial Intelligence (XAI) to Enhance Trust Management in Intrusion Detection Systems Using Decision Tree Model

Decision rule description from the training sets for malicious and normal nodes. The bold text is the clauses for the rules.


Leaf numbers	Rules	Interpretation

63	[V42 = normal. Cover = 681132 (47%)] V23 < 79.5 V37 < 0.495 V39 < 0.905 V5 ≥ 8.5	IF V23 < 79.5, V37 < 0.495, V39 < 0.905, V5 ≥ 8.5, THEN the class is normal, which covers 47% of terminal nodes, overall 681132 cases

125	[V42 = normal. Cover = 43147 (3%)] V23 < 79.5 V37 < 0.495 V39 < 0.905 V5 < 8.5 V3 = auth, finger, http, IRC, smtp, telnet, tftp_u, time, X11	IF V23 < 79.5, V37 < 0.495, V39 < 0.905, V5 < 8.5, V3 = auth or finger or http or IRC or smtp or telnet or tftp_u or time or X11, THEN the class is normal which covers 3% of terminal nodes, overall 43146 cases

14	[V42 = malicious. Cover = 3559 (0.01%)] V23 < 79.5 V37 < 0.495 V39 ≥ 0.905	IF V23 < 79.5, V37 < 0.495, V39 ≥ 0.905, THEN the class is malicious, which covers very small amount of terminal nodes, overall 3559 cases

60	[V42 = malicious. Cover = 1538 (0.005%)] V23 < 79.5 V37 < 0.495 V39 < 0.905 V5 ≥ 4.995e + 04 V3 = finger, http	IF V23 < 79.5, V37 < 0.495, V39 < 0.905, V5 ≥ 4.995e + 04, V3 = finger or http, THEN the class is malicious, which covers very small amount of terminal nodes, overall 1538 cases

4	[V42 = malicious. Cover = 709860 (49%)] V23 ≥ 79.5 V6 < 2	IF V23 ≥ 79.5, V6 < 2, THEN the class is malicious, which covers 49% of terminal nodes, overall 709860 cases