Intrusion detection systems (IDS) are critical for protecting computer networks from malicious actors, unauthorized access, and abnormal traffic that can compromise data confidentiality and operational integrity in the workplace and personal systems. These intrusions generally target stealing confidential user data or industrial information that hackers can then exploit for their illegal gain. While there have been significant recent advances in machine learning (ML) and deep learning (DL), IDS still struggles with class imbalance, computational efficiency, and a lack of interpretable decisions, which remain limiting factors in trust, real-world analysis, and deployment. This study proposes LiRPE, a modified variation of the Linformer architecture that integrates trainable relational positional encoding (RPE) to explicitly model pairwise temporal relationships between traffic tokens. This improves the model’s ability to capture both temporal and contextual dependencies while maintaining the linear attention efficiency and reduced footprint of the original Linformer. We address feature selection, ranking, and model interpretability by utilizing light gradient boosting machine (LightGBM) for fast global feature ranking and Shapley additive explanations (SHAP) to obtain additive, per-sample, and global attributions. LightGBM and SHAP serve complementary roles in the pipeline: LightGBM provides efficient global importance rankings based on gain, while SHAP delivers model-agnostic local and global attributions that improve interpretability and robustness of the selected features. This explainability feature plays an essential role in IDS by providing security analysts with the ability to validate predictions, trace the reasoning behind them, and ensure transparency, given increasing regulatory requirements. The adaptive synthetic (ADASYN) sampling method is employed to address class imbalance and is applied strictly to the training portion of the data, ensuring that synthetic samples do not influence the original test set and thereby improving the generalization of the proposed model. The proposed framework is a sequential and unified pipeline that combines these individual components by taking high-dimensional network traffic, ranking features using a SHAP-based method, mitigating class imbalance using ADASYN, and then passing the processed data through the LiRPE classifier. Experiments conducted on the RT-IoT-2022, CICIoT-2023, and IoMT-2024 Wi-Fi-MQTT benchmarks show that LiRPE achieves an average accuracy of 99.51%, recall of 99.28%, F1-score of 98.70%, and Matthews correlation coefficient (MCC) of 0.9746, outperforming multiple state-of-the-art baselines. The LiRPE framework is demonstrated to provide improved detection performance and interpretability, offering an efficient and trustworthy IDS suitable for real-world intrusion detection scenarios.
Biswal et al. (Sun,) studied this question.