This paper proposes a human-centered explainable artificial intelligence pipeline for anomaly detection, designed to generate meaningful, context-aware explanations using local large language models. The proposed pipeline translates model outputs and SHAP-based feature attributions into natural language explanations for cybersecurity alerts generated by an autoencoder within an enterprise network. It incorporates a human-in-the-loop component to ground the explanations in validated expert knowledge, enhancing their interpretability and alignment with human decision-making processes. Using a rubric-driven LLM-as-a-Judge evaluation, we benchmark several large language models and show that as smaller models receive more contextual grounding through human-in-the-loop, their explanatory performance improves significantly, narrowing the gap with larger models while maintaining substantially lower computational demands. Our approach provides targeted, context-aware explanations designed to meet the cognitive and operational needs of security analysts, contributing to more ethical, trustworthy, and resource-efficient AI integration in critical cybersecurity environments.
Héctor Padín-Torrente
Victor Carneiro-Diaz
Ines Ortega-Fernandez
Information Systems Frontiers
Universidade da Coruña
Centro Tecnolóxico de Telecomunicacións de Galicia
Padín-Torrente et al. (Fri,) studied this question.
www.synapsesocial.com/papers/69db37964fe01fead37c5a4c — DOI: https://doi.org/10.1007/s10796-026-10717-3