Auditable Flood Attack Detection using Isolation Forest with Decision Predicate Graphs
Abstract
In computer networks, anomaly alerts are frequent, but there is an explainability gap between an anomaly alert and the observable network evidence needed for triage and incident reporting. We evaluate Isolation Forest on CICIoT2023 IoT traffic for DoS/DDoS flood attacks and interpret the learned trees with Decision Predicate Graphs (DPGs). Using fixed benign baselines, we test a Single, Dual, and Triple Attack Scenario while sweeping the attack fraction rate. We report precision, recall, F1 and error rates on fixed test sets, and use DPG predicates and co-occurrence relations to trace how network flows become outliers, turning model decisions into auditable network-level conditions that remain interpretable under mixed attacks and contaminated training.
