Adaptive Explainable Deep Learning Framework for Intelligent Intrusion Detection and Forensic Threat Logging in Enterprise Networks

Authors

  • Musbah Abobaker Musbah, Department of Information System, Faculty of Information Technology, Aljufra University, Libya
  • Abdalslam S. Imhmed Mohamed, Department of Information System, Faculty of Information Technology, Aljufra University, Libya

Keywords:

Intrusion Detection System, Explainable Artificial Intelligence, Deep Learning, BiLSTM, Cybersecurity, SHAP, Digital Forensics, Threat Intelligence, Network Security

Abstract

The increasing sophistication of cyberattacks has exposed significant limitations in conventional intrusion detection systems (IDSs), particularly their inability to adapt to evolving attack patterns while simultaneously providing interpretable and forensically valuable outputs. This study presents an adaptive explainable deep learning framework for intelligent intrusion detection and forensic threat logging in enterprise network environments. The proposed architecture integrates a hybrid Autoencoder–BiLSTM classifier with an attention mechanism and a structured forensic logging engine to support both real-time attack detection and post-incident analysis. Network traffic records derived from the NSL-KDD and CICIDS2017 datasets were pre-processed through feature normalization, categorical encoding, and class-balancing procedures using SMOTE. The hybrid model was trained to classify traffic into five attack categories: Normal, DoS, Probe, R2L, and U2R. Explainability was incorporated through SHAP-based feature attribution to improve model transparency and analyst trust. Experimental evaluation demonstrated an overall accuracy of 98.41%, precision of 98.02%, recall of 98.16%, F1-score of 98.09%, and a false positive rate of 0.92%, outperforming Random Forest, Support Vector Machine, XGBoost, and conventional MLP architectures. In addition, the proposed framework maintained structured forensic records containing attacker metadata, confidence scores, severity indices, and temporal attack correlations suitable for digital forensic investigations and threat intelligence workflows. The results indicate that combining adaptive deep learning, explainable analytics, and forensic-aware logging significantly improves the operational reliability of modern IDS platforms. The proposed framework provides a scalable and deployable foundation for intelligent cybersecurity monitoring in enterprise and cloud-based infrastructures.

Published

2026-06-20

How to Cite

Musbah Abobaker Musbah, & Abdalslam S. Imhmed Mohamed. (2026). Adaptive Explainable Deep Learning Framework for Intelligent Intrusion Detection and Forensic Threat Logging in Enterprise Networks. African Journal of Advanced Pure and Applied Sciences, 5(2), 357–369. Retrieved from https://www.aaasjournals.com/index.php/ajapas/article/view/2035

Section

Articles