An Explainable Hybrid Deep Learning Framework for Unsupervised Network Intrusion Detection Using Isolation Forest and Bidirectional Long Short-Term Memory Autoencoder

Aerkera Kumawuese Daniel-Beston
Aamo Iorliam

Abstract

The increasing proliferation of Internet of Things (IoT) devices has introduced significant cybersecurity vulnerabilities due to the huge volume of data these devices generate and the growing sophistication of cyberattacks. Traditional signature-based intrusion detection systems are often ineffective against zero-day and evolving threats, particularly in dynamic IoT environments where labeled datasets are scarce. This paper proposes an explainable hybrid unsupervised deep learning framework that integrates Isolation Forest and Bidirectional Long Short-Term Memory (BiLSTM) autoencoder models for intelligent network intrusion detection. The framework combines statistical anomaly isolation with deep temporal sequence learning to enhance the detection of abnormal network behaviors without relying on labeled data. Network traffic data obtained from the Kaggle network traffic dataset were preprocessed through data cleaning, feature engineering, normalization, and temporal sequence generation. A weighted ensemble mechanism was employed to combine anomaly scores from both models, while SHapley Additive exPlanations (SHAP) and Local Interpretable Model-Agnostic Explanations (LIME) techniques were integrated to improve the interpretability and transparency of detection decisions. Experimental results demonstrated strong convergence of the BiLSTM Autoencoder with extremely low reconstruction losses and effective discrimination between normal and malicious traffic patterns. The hybrid framework successfully detected anomalous traffic bursts and suspicious communication behaviors, with “packets_per_time_unit” identified as the most influential anomaly indicator. The proposed framework provides an efficient, scalable, and explainable solution for adaptive IoT cybersecurity and intrusion detection in heterogeneous network environments.
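
The weighted ensemble step mentioned in the abstract, as an added example that is not the authors' code: it aligns per-window autoencoder reconstruction errors with per-record Isolation Forest scores, rescales both, and fuses them. The equal weights, min-max scaling, mean-over-covering-windows alignment, top-fraction threshold, function names and all score values are assumptions constructed for illustration; the abstract does not specify them.

```python
# Added example: fuse per-record Isolation Forest scores with per-window
# autoencoder reconstruction errors. Weights, threshold, alignment rule and
# all sample values are assumptions/constructed, not taken from the paper.

def min_max(scores):
    """Rescale to [0, 1] so scores in different units can be weighted."""
    lo, hi = min(scores), max(scores)
    if hi == lo:                      # constant input carries no ranking signal
        return [0.0] * len(scores)
    return [(s - lo) / (hi - lo) for s in scores]

def windows_to_records(window_errors, n_records, window_len):
    """Window i covers records i..i+window_len-1; each record gets the
    mean error of every window that contains it."""
    if len(window_errors) != n_records - window_len + 1:
        raise ValueError("window count does not match record count")
    totals, counts = [0.0] * n_records, [0] * n_records
    for i, err in enumerate(window_errors):
        for j in range(i, i + window_len):
            totals[j] += err
            counts[j] += 1
    return [t / c for t, c in zip(totals, counts)]

def fuse(iforest_scores, ae_window_errors, window_len,
         w_iforest=0.5, top_fraction=0.2):
    """Return (fused score per record, sorted indices of flagged records)."""
    n = len(iforest_scores)
    ae = min_max(windows_to_records(ae_window_errors, n, window_len))
    iso = min_max(iforest_scores)
    fused = [w_iforest * a + (1 - w_iforest) * b for a, b in zip(iso, ae)]
    k = max(1, round(top_fraction * n))
    ranked = sorted(range(n), key=lambda i: fused[i], reverse=True)
    return fused, sorted(ranked[:k])

# Constructed scores for 10 records; higher means more anomalous.
ISO_SCORES = [0.40, 0.42, 0.41, 0.43, 0.40, 0.70, 0.72, 0.41, 0.42, 0.40]
# Constructed reconstruction MSE for the 8 sliding windows of length 3.
AE_WINDOW_ERRORS = [0.001, 0.001, 0.001, 0.020, 0.050, 0.050, 0.020, 0.001]

if __name__ == "__main__":
    fused, flagged = fuse(ISO_SCORES, AE_WINDOW_ERRORS, window_len=3)
    for i, s in enumerate(fused):
        print(f"record {i}: fused={s:.3f}{'  <-- flagged' if i in flagged else ''}")
```

Without the rescaling step the fusion would be dominated by whichever model happens to emit numerically larger values, regardless of the chosen weight.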

Article Details

Section

Articles

How to Cite

An Explainable Hybrid Deep Learning Framework for Unsupervised Network Intrusion Detection Using Isolation Forest and Bidirectional Long Short-Term Memory Autoencoder (Aerkera Kumawuese Daniel-Beston & Aamo Iorliam, Trans.). (2026). Babylonian Journal of Internet of Things, 2026, 46-56. https://doi.org/10.58496/BJIoT/2026/005