Tyshchenko Svitlana, PhD (Pedagogy), Head of the Department of Economic Cybernetics, Computer Science and Information Technologies, Mykolaiv National Agrarian University, Mykolaiv, Ukraine

ORCID: 0000-0001-7881-8740
e-mail: tyschenko@mnau.edu.ua

Parkhomenko Oleksandr, PhD (Physics and Mathematics), Associate Professor of the Department of Economic Cybernetics, Computer Science and Information Technologies, Mykolaiv National Agrarian University, Mykolaiv, Ukraine

ORCID: 0000-0002-7940-7414
e-mail: parkhomenko@mnau.edu.ua

Yemelianov Sviatoslav, PhD (Physics and Astronomy), Senior Lecturer of the Department of Economic Cybernetics, Computer Science and Information Technologies, Mykolaiv National Agrarian University, Mykolaiv, Ukraine

ORCID: 0009-0005-9106-5209
e-mail: sviatoslavem@mnau.edu.ua

Bohatienkova Oleksandra, Lecturer of the Department of Economic Cybernetics, Computer Science and Information Technology, Mykolaiv National Agrarian University, Mykolaiv, Ukraine

ORCID: 0009-0003-0214-0680
e-mail: oleksandra.bohatienkova@mnau.edu.ua

Spivak Vadym, Lecturer of the Department of Economic Cybernetics, Computer Science and Information Technology, Mykolaiv National Agrarian University, Mykolaiv, Ukraine

ORCID: 0009-0003-7371-1313
e-mail: spivak@mnau.edu.ua

Comparative analysis of SHAP, LIME and decision trees for the tasks of detection and interpretation of network intrusions in financial networks

Abstract. Introduction. The digital transformation of the financial sector has resulted in a surge of cyber threats. Financial institutions process massive amounts of network traffic daily and employ machine learning models to detect anomalies. Although deep learning methods are highly effective at detecting cyber threats, their adoption is hindered by the “black box” problem — the inability to understand why a model makes a particular decision. For financial institutions, where every blocking decision must be justified and audited, the lack of model transparency is a critical limitation. Security analysts need more than an “attack” signal; they need an understanding of which network features led to that conclusion. There is an urgent need to study explainable artificial intelligence (XAI) methods that can provide transparency for cyber threat detection models in financial networks.

Purpose. This study aims to conduct a comparative analysis of XAI methods — SHAP, LIME, and Decision Trees — for interpreting the decisions of deep neural networks trained to detect cyber threats. Research objectives include training neural network models on two heterogeneous datasets (NSL-KDD and CIC-IDS-2017), applying SHAP, LIME, and decision tree methods to obtain model explanations, comparing the most important features identified by the different methods, analyzing model errors from an interpretability perspective, and formulating XAI method selection recommendations based on the needs of financial institutions.

Results. Two deep neural networks were successfully trained on two datasets: the NSL-KDD dataset, which has 41 features and 125,973 training samples, and the CIC-IDS-2017 dataset, which has 68 features and 225,711 samples. The NSL-KDD model achieved an accuracy of 0.772, a precision of 0.973, a recall of 0.616, and an area under the curve (AUC) of 0.870. The lower recall value is due to previously unknown attack types in the test set. The CIC-IDS-2017 model demonstrated significantly higher performance: Accuracy: 0.9994; Precision: 0.9995; Recall: 0.9994; and AUC: 0.9997. SHAP analysis revealed that, for the NSL-KDD model, the most important features are logged_in (mean SHAP value = 0.0534), dst_host_same_srv_rate (mean SHAP value = 0.0452), and protocol_type (mean SHAP value = 0.0373). These results indicate the critical role of authentication status. For the CIC-IDS-2017 model, the top features were ACK Flag Count (0.0539), Destination Port (0.0432), and Fwd Packet Length Mean (0.0267). These results reflect the packet-level nature of DDoS attacks. LIME provided local explanations for individual predictions. Decision trees generated interpretable “if-then” rules. 

Conclusions. SHAP offers the most comprehensive interpretation of global models, enabling feature ranking across entire datasets. SHAP is recommended for financial institutions requiring an understanding of general risk factors. LIME is highly effective at providing local explanations of individual predictions, which is critical for auditing specific security incidents. However, it is unstable under minor input perturbations. Decision Trees generate the most human-understandable rules, though they sacrifice accuracy compared to SHAP and LIME. Practical recommendations: Use SHAP for global risk analysis, LIME for incident investigation, and Decision Trees for creating simple security rules. Future research includes applying XAI to recurrent neural networks for time series analysis and implementing XAI in real bank security information and event management (SIEM) systems.

Keywords. explainable artificial intelligence, XAI, SHAP, LIME, decision trees, network intrusion detection, deep learning, financial networks, NSL-KDD, CIC-IDS-2017, model interpretability.

References:

1. Tyshchenko, S., Parkhomenko, O., & Darmosyuk, V. (2024). Modelling and Analysis of Cyberattack Risks on Financial Institutions Using Mathematical Statistics and Python Methods. Modern Economics, 48(1), 130–136. https://doi.org/10.31521/modecon.v48(2024)-16
2. Tyshchenko, S., Parkhomenko, O., & Hilko, I. (2024). Modeling the Impact Of Digital Threats on Financial Markets Using Time Series Analysis and Anomaly Detection Using Python. Modern Economics, 205–212. https://doi.org/10.31521/modecon.v44(2024)-30
3. Tyshchenko, S., & Parkhomenko, O. (2024). Analysis of the Impact of Digital Threats on Financial Markets Using Methods of Probability Theory and Python. Modern Economics, 43(1), 118–124. https://doi.org/10.31521/modecon.v43(2024)-16
4. Tyshchenko, S., Parkhomenko, O., Yemelianov, S., Bohatienkova, O., & Hilko, I. (2025). Application of Deep Learning Methods for Detection and Classification of Cyber Threats in Financial Networks Based on the NSL-KDD Dataset. Modern Economics, 52(1), 203–209. https://doi.org/10.31521/modecon.v52(2025)-28
5. Lundberg S., Lee S.-I. (2017). A Unified Approach to Interpreting Model Predictions. Advances in Neural Information Processing Systems (NIPS). P. 4765-4774. arXiv: https://arxiv.org/abs/1705.07874
6. Ribeiro M. T., Singh S., Guestrin C. (2016) “Why Should I Trust You?”: Explaining the Predictions of Any Classifier. Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD). 1135-1144. DOI: https://doi.org/10.1145/2939672.2939778
7. Ribeiro M. T., Singh S., Guestrin C. (2018) Anchors: High-Precision Model-Agnostic Explanations. Proceedings of the AAAI Conference on Artificial Intelligence. 2018. Vol. 32, No. 1. P. 1527-1535. DOI: https://doi.org/10.1609/aaai.v32i1.11491
8. Mangalathu S., Jang H., Hwang S.-H., Jeon J.-S. (2022) SHAP-based interpretation of deep learning models for network intrusion detection. Computers & Security. Vol. 118. 102721. DOI: https://doi.org/10.1016/j.cose.2022.102721
9. Wang F., Zhang Z., Wang X. (2023) LIME-based explanations for network traffic classification. Journal of Information Security and Applications. Vol. 72. 103396. DOI: https://doi.org/10.1016/j.jisa.2022.103396
10. NSL-KDD | Datasets | Research | Canadian Institute for Cybersecurity | UNB. University of New Brunswick | UNB. https://www.unb.ca/cic/datasets/nsl.html
11. IDS 2017 | Datasets | Research | Canadian Institute for Cybersecurity | UNB. University of New Brunswick | UNB. https://www.unb.ca/cic/datasets/ids-2017.html