[2603.22771] Explainable Threat Attribution for IoT Networks Using Conditional SHAP and Flow Behavior Modelling

Computer Science > Cryptography and Security arXiv:2603.22771 (cs) [Submitted on 24 Mar 2026] Title:Explainable Threat Attribution for IoT Networks Using Conditional SHAP and Flow Behavior Modelling Authors:Samuel Ozechi, Jennifer Okonkwoabutu View a PDF of the paper titled Explainable Threat Attribution for IoT Networks Using Conditional SHAP and Flow Behavior Modelling, by Samuel Ozechi and Jennifer Okonkwoabutu View PDF Abstract:As the Internet of Things (IoT) continues to expand across critical infrastructure, smart environments, and consumer devices, securing them against cyber threats has become increasingly vital. Traditional intrusion detection models often treat IoT threats as binary classification problems or rely on opaque models, thereby limiting trust. This work studies multiclass threat attribution in IoT environments using the CICIoT2023 dataset, grouping over 30 attack variants into 8 semantically meaningful classes. We utilize a combination of a gradient boosting model and SHAP (SHapley Additive exPlanations) to deliver both global and class-specific explanations, enabling detailed insight into the features driving each attack classification. The results show that the model distinguishes distinct behavioral signatures of the attacks using flow timing, packet size uniformity, TCP flag dynamics, and statistical variance. Additional analysis that exposes both feature attribution and the decision trajectory per class further validates these observed patterns. ...