Abstract
The increasing complexity of network traffic has heightened the demand for intrusion detection systems (IDS) that deliver high accuracy, interpretability, and efficiency in diverse computing environments, including edge devices. Traditional deep learning-based IDS models perform well but often suffer from feature redundancy, poor generalization, and limited adaptability to resource-constrained platforms. To address these challenges, we propose HED-ID: an edge-deployable and explainable IDS framework. The system utilizes a Stacked Bidirectional Gated Recurrent Unit (S-BiGRU)—a recurrent neural network variant that captures bidirectional temporal dependencies—with an attention mechanism to focus on critical patterns in traffic flows. Grey Wolf Optimization (GWO), a metaheuristic algorithm inspired by wolf hunting behavior, is employed for joint feature selection and hyperparameter tuning to improve efficiency. Finally, SHapley Additive exPlanations (SHAP), a game-theoretic approach for model interpretability, quantifies feature contributions, linking predictions to observable network attributes. Evaluations on the CICIDS-2017, UNSW-NB15, and ToN-IoT datasets show consistent detection performance in both cloud-like and edge-like settings, with inference latency of 18–22 ms and memory usage of 92–115 MB. These results highlight HED-ID’s balanced trade-off between accuracy, interpretability, and resource efficiency, making it suitable for real-world network security applications. SUPPLEMENTARY INFORMATION: The online version contains supplementary material available at 10.1038/s41598-025-32183-8.