Network Intrusion Detection Systems (NIDS) play a crucial role in protecting computer networks from increasingly sophisticated cyberattacks. Although machine learning techniques have demonstrated high detection performance, many models operate as black-box systems, making it difficult for security analysts to understand the reasoning behind prediction outcomes. This study proposes an explainable machine learning framework for network intrusion detection using the Random Forest algorithm and SHAP (SHapley Additive exPlanations)-based feature interpretation. The CICIDS2017 Friday-WorkingHours-Afternoon-DDos dataset was utilized to evaluate the effectiveness of the proposed approach. Data preprocessing included data cleaning, handling missing values, label encoding, and dataset partitioning. The Random Forest classifier was trained and evaluated using Accuracy, Precision, Recall, and F1-Score metrics. Experimental results demonstrated excellent classification performance, achieving an accuracy of 99.9889%, precision of 99.9922%, recall of 99.9883%, and F1-score of 99.9902%. Furthermore, SHAP analysis was employed to improve model interpretability by identifying the contribution of individual features to intrusion detection decisions. The results revealed that Fwd Packet Length Max, Destination Port, Avg Fwd Segment Size, and Fwd Packet Length Mean were among the most influential features affecting classification outcomes. The integration of Random Forest and SHAP not only achieved highly accurate intrusion detection but also enhanced transparency and trustworthiness by providing meaningful explanations for model predictions. Therefore, the proposed framework offers an effective and interpretable solution for network intrusion detection in modern cybersecurity environments.
Copyrights © 2026