What question did this study set out to answer?

The aim is to develop an explainable cyberattack detection model that supports analysts in high-pressure environments.

May 12, 2026Open Access

An explainable and latency-aware unified framework for hybrid graph cyberattack detection

Key Points

The aim is to develop an explainable cyberattack detection model that supports analysts in high-pressure environments.
Introduced a hybrid detection framework based on heterogeneous graph transformers and ensemble methods.
Integrated multi-modal explanation techniques including SHAP and autoencoder for the attribution of network flows.
Evaluated the framework on the UNSW-NB15 dataset focusing on explainability fidelity and latency.
Achieved a latency of approximately 25 ms per flow with the proposed framework.
Improved analyst triage accuracy by 14% in controlled evaluation settings.
Confirmed the effectiveness of multi-modal explanations in enhancing analyst decision-making speed.

Abstract

Explainable artificial intelligence (XAI) has emerged as a vital necessity to deploy Artificial Intelligence based cyberattack detection systems in operational Security Operations Centers (SOCs) when an analyst needs to quickly triage large volumes of alerts with strict time limitations. Although the new intrusion detection systems have high levels of detection, they do not provide the actionable explanations, which help in building the trust of the analyst and making decisions. The paper introduces an explainability-oriented cyberattack detection model, which consists of various alternative explanation models over a fixed hybrid detection backbone based on heterogeneous graph transformers (HGT), temporal sequence modeling by LSTM, and ensemble classification by XGBoost. The proposed system integrates a feature-level attribution through SHAP, anomaly-level through autoencoder reconstruction errors and the relational background through graph-based attention analysis, which builds a single and analyst-friendly report on the explanations of each network flow. Instead of introducing a new detection algorithm, this paper concentrates on the systematic introduction and performance analysis of explainability within the context of real-time SOC. The framework is tested on the dataset of UNSW-NB15 where the key aspects are fidelity of explainability, computational cost, and the practical usability. The outcome indicates the proposed explainability pipeline carries a low latency overhead of about 25 ms per flow while improving analyst triage accuracy by 14%in controlled evaluation settings. An analyst based test also illustrates how multi-modal explanation is especially useful in promoting quicker and more confident alert triage. Overall, this article demonstrates the need to reconcile explainable cyberattack detection with the constraints of the operational world, which is a plausible step towards trustworthy and deployable AI-based security systems.

Bookmark

View Full Paper

Cite This Study

B.P. et al. (Sun,) studied this question.

synapsesocial.com/papers/6a02c364ce8c8c81e9640ba4 https://doi.org/https://doi.org/10.1007/s44163-026-01317-w

Also Consider

Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context:

Bookmark

View Full Paper