Abstract

The expansion of network boundaries and the rise of hybrid work environments have significantly widened the modern attack surface. Traditional rule-based monitoring struggles to scale, which has led to the adoption of automated Artificial Intelligence for IT Operations powered by Deep Learning. However, while these models handle higher data volumes, their black-box nature means they lack accountability, which prevents network managers from confidently triaging alarms without risking disruption of legitimate traffic. While eXplainable AI (XAI) techniques like SHapley Additive exPlanations (SHAP) are increasingly employed for regulatory compliance, research often fails to go beyond explicability and leverage XAI insights to mitigate bias or enhance performance. This paper proposes a transparent conceptual model for the cyclical explanation and optimization of black-box Intrusion Detection Systems (IDS), along with a novel, unsupervised, cluster-based undersampling strategy. By leveraging SHAP to create an explainable pipeline and final product, we optimized an existing GAN-based IDS across two benchmark datasets. For the CIC-DDoS2019 dataset, we achieved a 4.7% increase in the Matthews Correlation Coefficient (MCC) and a 26% reduction in missed attacks. On the CSE-CIC-IDS2018 dataset, the system showed a 21.3% improvement in MCC, reducing missed attacks by 92.32% and false alarms by 3.82%.
Komarchesqui et al. (Mon,) studied this question.