Advanced explainable ensemble models for multi-class intrusion detection in heterogeneous drone and industrial networks

The popularity of drones, unmanned aerial vehicles (UAVs), and industrial-level cyber-physical systems has deepened external threats caused by network-based cyber-attacks. Such environments have a problem of dynamic traffic behavior, temporal dependencies, class imbalance and the existence of various type of attacks, such as denial of service, injection, replay attacks, scanning, and man in the middle attacks. This paper presents an effective and justifiable multi-class attack detection model in a heterogeneous environment that can be used as an intrusion detector. Three benchmark datasets, Drone IDS, UAVIDS-2025, and ICSCASDMPLC were evaluated comprehensively with ensemble-based machine learning models (Random Forest, Extra trees, AdaBoost, XGBoost, and CatBoost) and those with deep learning architecture (ANN, CNN, RNN, LSTM, and ResNet). Within the framework of many preprocessing steps, the accuracy, macro-averaged precision, recall, F1-score, Matthews Correlation Coefficient, Cohen’s Kappa, log loss, and ROC-AUC were used to evaluate the models. According to experimental findings, Random Forest is more effective than other ensemble models, with macro F1-scores of 0. 99964, 0. 99844, and 0. 99994 on Drone IDS, UAVIDS-2025, and ICSCASDMPLC datasets, respectively, with nearly perfect ROC-AUC indicators. Compared to other deep learning methods, LSTM is best at learning patterns of attack over time, ANN is well-performing with minimal computing costs, and RNN is well-performing in generalizing on industrial traffic. The validity of statistical significance of results is tested with Friedman and Wilcoxon signed-rank tests with Holm correction, bootstrap confidence intervals, and McNemar test. Also, explainable tools of AI, including SHAP and LIME, provide both local and global explanations, which are both intuitive, as well as ablation testing demonstrates that a small set of flow-based and temporal features are capable of sustaining close-optimal performance. In general, the framework proposed provides real-time and safety–critical deployments with intrusion detection algorithms that are accurate, interpretable, and validated statistically.