This study addresses the limitations of traditional intrusion detection systems, which rely on centralized architectures that compromise data privacy and lack interpretability. To overcome these challenges, the authors propose a novel distributed intrusion detection framework that integrates federated learning with explainable artificial intelligence. In this approach, each client trains an XGBoost model locally and shares only parameter updates to preserve data privacy. Notably, SHAP (SHapley Additive exPlanations) is introduced for the first time in federated intrusion detection to enable feature-level interpretability of model decisions. Experimental evaluation on the Edge-IIoTset dataset under a 1-server–10-client architecture demonstrates that the proposed method achieves detection accuracy exceeding 99%, reaching 100% in certain scenarios, while rigorously safeguarding data privacy—thus offering both high precision and strong explainability.

An Intrusion Detection System (IDS) is vital in cybersecurity, detecting unauthorized activity across networks. With attacks on network layers increasing, stronger IDSs are needed. Yet most IDSs rely on centralized detection, forcing IoT nodes to ship data to a server, adding overhead and offering no privacy guarantees. Moreover, conventional models focus solely on flagging attacks, without explaining how individual features influence those decisions. This research aims to address these dual limitations by first proposing a solution for privacy preservation and then adding explainability to the new system. We introduce an innovative framework called XAI FL-IDS, which integrates Federated Learning (FL) with Explainable AI (XAI). The XAI FL-IDS system eliminates concerns over data transfer because each node trains its data locally and only sends the necessary update parameters to the server. Additionally, all detections, both at the local node and central server levels, are scrutinized using SHapley Additive exPlanations (SHAP), providing detailed insight into the decision-making process. This system consists of a central server and 10 clients and utilizes the Edge-IIoTset dataset, which is distributed among all clients with careful attention paid to class balancing. On each client, the XGBoost model is executed on local data. The proposed method demonstrates robust efficiency and strong performance in intrusion detection, achieving an accuracy of over 99% and, at times, reaching 100%. By incorporating FL, the confidentiality of the network information on every local node is guaranteed.