
arxiv: 2604.18052 · v1 · submitted 2026-04-20 · 💻 cs.CR · cs.AI · cs.LG

ExAI5G: A Logic-Based Explainable AI Framework for Intrusion Detection in 5G Networks

Pith reviewed 2026-05-10 04:31 UTC · model grok-4.3

classification: cs.CR, cs.AI, cs.LG
keywords: explainable AI, intrusion detection, 5G networks, logical rules, surrogate models, Transformer, LLM evaluation

The pith

A Transformer model for 5G intrusion detection can be paired with logical rule extraction and LLM-evaluated explanations to reach high accuracy while remaining interpretable.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows how a deep learning detector for network intrusions can be made transparent by attributing important features and replacing its decisions with a small set of logical rules. It further uses a second language model to judge whether the resulting explanations are useful and true to the original model. A sympathetic reader would care because 5G traffic volumes make manual review impossible and opaque alerts reduce operator trust. If the approach holds, security teams gain both reliable detection and concrete steps they can take when an alert fires. The work treats interpretability as a property that can be added without lowering the detection rate on the tested data.

Core claim

The central claim is that a Transformer-based intrusion detector combined with Integrated Gradients attributions and a surrogate decision tree produces sixteen logical rules that match the original model at 99.7 percent fidelity, while an evaluator language model can confirm that generated explanations are both faithful to the model and actionable for operators, all while the overall system reaches 99.9 percent accuracy on 5G IoT intrusion data.

What carries the argument

A surrogate decision tree fitted to the Transformer via Integrated Gradients feature attributions, which distills the model's behavior into a compact set of logical rules.

If this is right

  • Operators receive explicit logical conditions that trigger alerts rather than opaque scores.
  • The same attribution and rule-extraction steps can be repeated whenever the underlying model is retrained on new traffic.
  • LLM-generated explanations can be produced at scale and then filtered by an automated evaluator for actionability.
  • Detection performance stays high enough that the added interpretability layer does not force a choice between security and transparency.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The rule set could serve as a starting point for manual inspection when new attack signatures appear in live 5G networks.
  • The same surrogate-plus-LLM pipeline might be tested on intrusion data from non-5G environments to check whether the fidelity numbers generalize.
  • Human review of a sample of the LLM-evaluated explanations would provide an independent check on the automated faithfulness scores.
  • The extracted rules might be converted into monitoring queries that run directly on network logs without invoking the full deep learning model.

Load-bearing premise

The surrogate decision tree and Integrated Gradients attributions faithfully capture the Transformer's internal decisions across the full range of 5G traffic patterns, and judgments from the evaluator language model about faithfulness and actionability require no further human confirmation.

What would settle it

Applying the sixteen extracted logical rules to a fresh collection of 5G IoT traffic records never seen during training and measuring whether their agreement with the original model remains near 99.7 percent.
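
The check described above, as an added example that is not code from the paper or from Pith: rules are ordered by support on a reference partition, then coverage and fidelity are measured as rules are added, once on that partition and once on traffic unlike it. The `black_box` function, the feature names `pkt_rate` and `syn_ratio`, the three rules, and both partitions are constructed for illustration.

```python
import operator

OPS = {"<=": operator.le, ">": operator.gt}

# Constructed stand-in for the trained detector (hypothetical decision surface).
def black_box(rec):
    return "attack" if rec["pkt_rate"] * rec["syn_ratio"] > 450 else "benign"

# Constructed rules in the shape a surrogate tree yields: root-to-leaf paths.
RULES = [
    ([("syn_ratio", ">", 0.3), ("pkt_rate", "<=", 900)], "benign"),
    ([("syn_ratio", "<=", 0.3)], "benign"),
    ([("syn_ratio", ">", 0.3), ("pkt_rate", ">", 900)], "attack"),
]

def matches(conds, rec):
    return all(OPS[op](rec[feat], thr) for feat, op, thr in conds)

def rule_predict(rules, rec):
    """Label of the first matching rule, or None if no rule covers the record."""
    for conds, label in rules:
        if matches(conds, rec):
            return label
    return None

def order_by_support(rules, records):
    """Sort rules by how many reference records they match, descending."""
    return sorted(rules, key=lambda r: -sum(matches(r[0], x) for x in records))

def fidelity_curve(rules, records, model):
    """(k, coverage, fidelity) using only the first k rules, k = 1..len(rules)."""
    out = []
    for k in range(1, len(rules) + 1):
        preds = [(rule_predict(rules[:k], x), model(x)) for x in records]
        covered = [(p, m) for p, m in preds if p is not None]
        agree = sum(p == m for p, m in covered)
        out.append((k, len(covered) / len(records),
                    agree / len(covered) if covered else 0.0))
    return out

def grid(rates, ratios):
    return [{"pkt_rate": r, "syn_ratio": s} for r in rates for s in ratios]

# Constructed partitions: one resembling the data the rules were fitted on,
# one with traffic mixes absent from it.
REFERENCE = grid([200, 600, 1000, 1200, 1600, 2000], [0.1, 0.2, 0.5, 0.6])
SHIFTED = grid([3000, 5000], [0.2, 0.25]) + grid([400, 500], [0.95, 1.0])
ORDERED = order_by_support(RULES, REFERENCE)

if __name__ == "__main__":
    for name, part in (("reference", REFERENCE), ("shifted", SHIFTED)):
        for k, cov, fid in fidelity_curve(ORDERED, part, black_box):
            print(f"{name:9s} rules={k} coverage={cov:.3f} fidelity={fid:.3f}")
```

On the reference partition the axis-aligned rules agree with the stand-in model on every covered record; on the shifted partition the same rules cover everything but agree on only a quarter of it, which is the gap a held-out fidelity measurement is meant to expose.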

Figures

Figures reproduced from arXiv: 2604.18052 by Lauri Loven, Panos Kostakos, Saeid Sheikhi.

Figure 1: ExAI5G Framework: a TabTransformer is trained on 5G network data; Inte
Figure 2: Structured prompt template used for generating explanations.
Figure 3: Scoring rubric prompt used for the automated evaluator.
Figure 4: ROC curves (left) and Precision-Recall curves (right) for all attack types.
Figure 5: Mean absolute Integrated Gradients attribution for top network features.
Figure 6: Coverage and fidelity trade-off as rules are added in descending support order.
Figure 7: Inference latency distribution for the Transformer model (200 test samples).
Original abstract

Intrusion detection systems (IDSs) for 5G networks must handle complex, high-volume traffic. Although opaque "black-box" models can achieve high accuracy, their lack of transparency hinders trust and effective operational response. We propose ExAI5G, a framework that prioritizes interpretability by integrating a Transformer-based deep learning IDS with logic-based explainable AI (XAI) techniques. The framework uses Integrated Gradients to attribute feature importance and extracts a surrogate decision tree to derive logical rules. We introduce a novel evaluation methodology for LLM-generated explanations, using a powerful evaluator LLM to assess actionability and measuring their semantic similarity and faithfulness. On a 5G IoT intrusion dataset, our system achieves 99.9% accuracy and a 0.854 macro F1-score, demonstrating strong performance. More importantly, we extract 16 logical rules with 99.7% fidelity, making the model's reasoning transparent. The evaluation demonstrates that modern LLMs can generate explanations that are both faithful and actionable, indicating that it is possible to build a trustworthy and effective IDS without compromising performance for the sake of marginal gains from an opaque model.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The manuscript presents ExAI5G, a framework integrating a Transformer-based IDS with Integrated Gradients attributions, surrogate decision-tree rule extraction, and LLM-generated explanations evaluated by a separate evaluator LLM. On a 5G IoT intrusion dataset it reports 99.9% accuracy, 0.854 macro F1-score, extraction of 16 logical rules at 99.7% fidelity, and claims that the LLM explanations are both faithful and actionable, enabling trustworthy IDS without performance loss.

Significance. If the experimental claims and validation hold, the integration of logic-based XAI with high-accuracy deep models could support more deployable IDS in 5G environments by supplying human-readable rules. The work demonstrates a multi-technique pipeline (attributions + surrogate + LLM evaluation) but the absence of external human validation and experimental details limits its immediate significance and reproducibility.

major comments (3)
  1. Abstract: the reported 99.9% accuracy, 0.854 macro F1, and 99.7% fidelity are presented without any description of train/test splits, hyperparameter search procedure, statistical significance testing, or the criterion used to select the final 16 rules; these omissions are load-bearing for the central performance and transparency claims.
  2. Evaluation methodology (LLM evaluator): the novel assessment of faithfulness and actionability relies solely on an evaluator LLM scoring its own or peer outputs, with no human expert ratings, inter-annotator agreement, or correlation against established XAI faithfulness metrics (e.g., deletion/insertion curves on Integrated Gradients attributions or rule coverage on held-out intrusions); this directly weakens the claim that the explanations are trustworthy.
  3. Rule extraction and fidelity: the 99.7% fidelity is defined as agreement between the surrogate decision tree and the Transformer, yet no information is given on whether the tree was extracted and evaluated on the same data partition or tested under distribution shifts typical of 5G IoT traffic; without such checks the rules may only approximate the model on the training distribution.
minor comments (1)
  1. The manuscript would benefit from explicit baseline comparisons against other XAI methods (e.g., LIME, SHAP) and from releasing code or artifacts to support the complex Transformer-plus-LLM pipeline.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their thorough review and valuable suggestions. We have carefully considered each major comment and provide point-by-point responses below, along with our plans for revisions to enhance the manuscript's clarity and completeness.

  1. Referee: Abstract: the reported 99.9% accuracy, 0.854 macro F1, and 99.7% fidelity are presented without any description of train/test splits, hyperparameter search procedure, statistical significance testing, or the criterion used to select the final 16 rules; these omissions are load-bearing for the central performance and transparency claims.

    Authors: We agree with the referee that these details are essential for substantiating the claims. In the revised manuscript, we will update the abstract to include brief descriptions of the train/test split used, the hyperparameter search procedure, the statistical significance testing performed, and the criterion for selecting the final set of 16 rules. This will address the concern directly in the abstract.

    revision: yes

  2. Referee: Evaluation methodology (LLM evaluator): the novel assessment of faithfulness and actionability relies solely on an evaluator LLM scoring its own or peer outputs, with no human expert ratings, inter-annotator agreement, or correlation against established XAI faithfulness metrics (e.g., deletion/insertion curves on Integrated Gradients attributions or rule coverage on held-out intrusions); this directly weakens the claim that the explanations are trustworthy.

    Authors: We appreciate this observation on our evaluation methodology. Our framework introduces the use of an evaluator LLM as a scalable means to assess the faithfulness and actionability of explanations generated by another LLM. While we recognize the value of human expert ratings and correlations with metrics such as deletion/insertion curves, the current work focuses on the LLM-based approach and reports high scores in semantic similarity and faithfulness. We will revise the relevant sections to more clearly articulate the methodology, include additional details on how faithfulness was measured (e.g., via rule coverage), and add a discussion of limitations including the absence of human validation, proposing it as future work.

    revision: partial

  3. Referee: Rule extraction and fidelity: the 99.7% fidelity is defined as agreement between the surrogate decision tree and the Transformer, yet no information is given on whether the tree was extracted and evaluated on the same data partition or tested under distribution shifts typical of 5G IoT traffic; without such checks the rules may only approximate the model on the training distribution.

    Authors: We will update the manuscript to include information on the data partition used for surrogate tree extraction and fidelity evaluation. Additionally, we will discuss the implications of distribution shifts typical in 5G IoT traffic and note any limitations in the current evaluation, along with plans for future work on this aspect.

    revision: partial

Circularity Check

0 steps flagged

No significant circularity detected; metrics and claims are empirically grounded.


The paper's core claims rest on reported accuracy/F1 on an external 5G IoT dataset, standard surrogate fidelity (agreement between decision tree and Transformer), and LLM scoring of explanations via semantic similarity. These do not reduce by construction to self-defined inputs, fitted parameters renamed as predictions, or load-bearing self-citations. Rule extraction via Integrated Gradients follows conventional XAI pipelines without uniqueness theorems or ansatzes smuggled from prior author work. The derivation chain is self-contained against the dataset benchmarks and does not exhibit any of the enumerated circular patterns.

Axiom & Free-Parameter Ledger

2 free parameters · 2 axioms · 0 invented entities

The central claims rest on standard machine-learning assumptions plus two unstated modeling choices: (1) that Integrated Gradients attributions remain stable across the 5G traffic distribution, and (2) that a single surrogate decision tree can approximate a Transformer without significant loss of fidelity outside the reported test set. No new physical entities or ad-hoc constants are introduced.

free parameters (2)
  • Transformer hyperparameters (layers, heads, learning rate, etc.)
    Standard deep-learning training choices that must be tuned to reach the reported 99.9% accuracy; not enumerated in the abstract.
  • Decision-tree depth or complexity limit
    Controls the extraction of the 16 logical rules; value chosen to achieve 99.7% fidelity is not stated.
axioms (2)
  • domain assumption: Integrated Gradients attributions correctly identify the features the Transformer actually uses for classification.
    Invoked when moving from model predictions to logical rules; standard in XAI but not proven for this architecture and dataset.
  • domain assumption: The evaluator LLM's judgments of actionability and faithfulness correlate with human operator utility.
    Central to the novel evaluation methodology; no human validation reported in the abstract.

