XNFT: Explainable network flow transformer for transparent detection of DDoS attacks in real-world networks

Author Identifier (ORCID)

Iqbal H. Sarker: https://orcid.org/0000-0003-1740-5517

Abstract

The growing complexity of network environments, coupled with the rise of sophisticated cyberattacks, underscores the pressing need for advanced, efficient, and lightweight Intrusion Detection Systems (IDS). Network Intrusion Detection Systems (NIDS) increasingly leverage Deep Learning (DL) techniques for detecting Distributed Denial of Service (DDoS) attacks; however, many existing methodologies fall short in terms of leakage-safe evaluation and transparent decision-making. This work introduces XNFT (Explainable Network Flow Transformer), a lightweight encoder-only Transformer framework designed for flow-level DDoS detection under stringent entity-disjoint evaluation protocols. The proposed pipeline incorporates graph-based node-level splitting to mitigate endpoint leakage, along with standardized feature processing that supports optional PCA-based dimensionality reduction. Additionally, it integrates automated hyperparameter search and provides post-hoc explainability through SHAP and LIME methodologies. XNFT undergoes evaluation using four large-scale NetFlow benchmarks. Notably, across leakage-safe test sets, the model demonstrates strong performance metrics, indicating robust generalization across diverse traffic distributions. The architecture remains compact and ensures low inference latency, thus facilitating near-real-time deployment. Global and local attribution analyses indicate that flow duration and traffic rate statistics are predominant contributors to decision-making, further confirming behavioral validity. By combining leakage-safe evaluation procedures with computational efficiency and interpretable decision support, XNFT establishes a practical, transparent framework for trustworthy flow-based intrusion detection.

Keywords

DDoS attack, flow transformer, network flow, network security, NIDS, XAI

Document Type

Journal Article

Date of Publication

5-1-2026

Volume

281

Publication Title

Computer Networks

Publisher

Elsevier

School

Centre for Securing Digital Futures

Comments

Ajayan, A., Kirubavathi, G., & Sarker, I. H. (2026). XNFT: Explainable network flow transformer for transparent detection of DDoS attacks in real-world networks. Computer Networks, 281, 112224. https://doi.org/10.1016/j.comnet.2026.112224

Copyright

subscription content

Link to publisher version (DOI)

10.1016/j.comnet.2026.112224