Toward Human-Centered Explainability: Natural Language Explanations for Anomaly Detection
| UDC.coleccion | Investigación | |
| UDC.departamento | Ciencias da Computación e Tecnoloxías da Información | |
| UDC.grupoInv | Telemática | |
| UDC.institutoCentro | CITIC - Centro de Investigación de Tecnoloxías da Información e da Comunicación | |
| UDC.journalTitle | Information Systems Frontiers | |
| dc.contributor.author | Padín Torrente, Héctor | |
| dc.contributor.author | Carneiro, Víctor | |
| dc.contributor.author | Ortega-Fernández, Inés | |
| dc.date.accessioned | 2026-04-17T08:58:33Z | |
| dc.date.available | 2026-04-17T08:58:33Z | |
| dc.date.issued | 2026-04-10 | |
| dc.description | The benchmark dataset analyzed in this study is the CSE–CIC-IDS2018 maintained by the Canadian Institute for Cybersecurity, University of New Brunswick, openly accessible at https://www.unb.ca/cic/datasets/ids-2018.html. The evaluation data used to assess the models and the various data generation strategies consist of the predictions produced by the autoencoder in combination with SHAP outputs, applied to the attack instances within the dataset. This evaluation data, as well as prompt details, are available at GitHub (https://github.com/Gradiant/Natural-Language-Explanations-4-AD). | |
| dc.description.abstract | [Abstract]: This paper proposes a human-centered explainable artificial intelligence pipeline for anomaly detection, designed to generate meaningful, context-aware explanations using local large language models. The proposed pipeline translates model outputs and SHAP-based feature attributions into natural language explanations for cybersecurity alerts generated by an autoencoder within an enterprise network. It incorporates a human-in-the-loop component to ground the explanations in validated expert knowledge, enhancing their interpretability and alignment with human decision-making processes. Using a rubric-driven LLM-as-a-Judge evaluation, we benchmark several large language models and show that as smaller models receive more contextual grounding through human-in-the-loop, their explanatory performance improves significantly, narrowing the gap with larger models while maintaining substantially lower computational demands. Our approach provides targeted, context-aware explanations designed to meet the cognitive and operational needs of security analysts, contributing to more ethical, trustworthy, and resource-efficient AI integration in critical cybersecurity environments. | |
| dc.description.sponsorship | Open Access funding provided thanks to the CRUE-CSIC agreement with Springer Nature. This publication is part of the project SafeNet UEBA (CPP001/23-R006_SafeNet_UEBA), financed by “European Union NextGeneration-EU, https://next-generation-eu.europa.eu/, the Recovery Plan, Transformation and Resilience, https://planderecuperacion.gob.es/, through INCIBE, https://www.incibe.es/”. This work was carried out at CITIC, within the framework of the project PID2023-150794OB-I00, funded by the Ministry of Science, Innovation and Universities (MICIU) and the State Research Agency (AEI)/10.13039/501100011033, and co-funded by the European Regional Development Fund (ERDF), European Union. CITIC, accredited as a center of excellence within the Galician University System and a member of the CIGUS Network, also receives support from the Department of Education, Science, Universities, and Vocational Training of the Xunta de Galicia, co-financed by the EU through the ERDF Galicia 2021–2027 programme (Ref. ED431G 2023/01). | |
| dc.description.sponsorship | Xunta de Galicia; ED431G 2023/01 | |
| dc.description.sponsorship | Instituto Nacional de Ciberseguridad (INCIBE); CPP001/23-R006_SafeNet_UEBA | |
| dc.identifier.citation | Padín-Torrente, H., Carneiro-Diaz, V. & Ortega-Fernandez, I. Toward Human-Centered Explainability: Natural Language Explanations for Anomaly Detection. Inf Syst Front (2026). https://doi.org/10.1007/s10796-026-10717-3 | |
| dc.identifier.doi | 10.1007/s10796-026-10717-3 | |
| dc.identifier.issn | 1572-9419 | |
| dc.identifier.uri | https://hdl.handle.net/2183/48029 | |
| dc.language.iso | eng | |
| dc.publisher | Springer | |
| dc.relation.isbasedon | https://www.unb.ca/cic/datasets/ids-2018.html | |
| dc.relation.isbasedon | https://github.com/Gradiant/Natural-Language-Explanations-4-AD | |
| dc.relation.projectID | info:eu-repo/grantAgreement/AEI/Plan Estatal de Investigación Científica y Técnica y de Innovación 2021-2023/PID2023-150794OB-I00/ES/MEJORANDO LA DETECCION DE CIBER AMENAZAS USANDO MODELOS DE LENGUAJE DE GRAN TAMAÑO PARA PROTOCOLOS DE RED | |
| dc.relation.uri | https://doi.org/10.1007/s10796-026-10717-3 | |
| dc.rights | Attribution 4.0 International | en |
| dc.rights.accessRights | open access | |
| dc.rights.uri | http://creativecommons.org/licenses/by/4.0/ | |
| dc.subject | Human-centered explainable AI | |
| dc.subject | Natural language explanations | |
| dc.subject | Human-in-the-loop | |
| dc.subject | LLM-as-a-Judge | |
| dc.subject | Anomaly detection | |
| dc.title | Toward Human-Centered Explainability: Natural Language Explanations for Anomaly Detection | |
| dc.type | journal article | |
| dc.type.hasVersion | VoR | |
| dspace.entity.type | Publication | |
| relation.isAuthorOfPublication | 652c136c-eea5-4a78-947c-538b1c99f81b | |
| relation.isAuthorOfPublication.latestForDiscovery | 652c136c-eea5-4a78-947c-538b1c99f81b |
Files
Original bundle
1 - 1 of 1
Loading...
- Name:
- CarneiroDiaz_Victor_2026_Toward_Human_Centered_Explainability.pdf
- Size:
- 1.94 MB
- Format:
- Adobe Portable Document Format