Student Publications [Scholarly]

Explainable Deep Malware Detection in IoT Devices Using CNN-BiLSTM

Document Type

Conference Proceeding

Abstract

The increasing prevalence of Internet of Things (IoT) devices has expanded the attack surface for malware-based intrusions, necessitating robust and interpretable security solutions. This paper presents an explainable deep learning framework that combines a convolutional neural network (CNN) with a bidirectional long short-term memory (BiLSTM) network for effective malware detection in IoT network traffic. The proposed model captures both local traffic patterns and long-range temporal dependencies while maintaining transparency through post-hoc interpretability tools. We integrate SHapley Additive exPlanations (SHAP) to identify feature-level contributions. Extensive experiments on two public IoT malware datasets (N-BaIoT and IoT-23) demonstrate that our model achieves up to 98.2% accuracy, outperforms traditional baselines, and maintains low inference latency suitable for real-time deployment. The inclusion of explainability enhances trust and usability, offering security analysts insights into model behavior. SHAP-based interpretation highlights that statistical features such as host-to-host mean traffic, port-specific flow weights, and temporal variability are key indicators in distinguishing malicious behavior. This work bridges the gap between high-performance deep learning and transparent decision-making in IoT malware detection. © 2025 IEEE.

Publication Title

2025 IEEE International Conference on Quantum Photonics, Artificial Intelligence, and Networking, QPAIN 2025

Publication Date

2025

ISBN

9798331596934

DOI

10.1109/QPAIN66474.2025.11171620

Keywords

Class Activation Mapping, CNN-BiLSTM, deep learning, Explainable AI, IoT security, malware detection, SHAP
