DOI: 10.3390/electronics15122739 ISSN: 2079-9292

From Detection to Triage: Explainable Suspicious Flow Prioritization for Multiclass Intrusion Detection Using CSE-CIC-IDS2018

Marija Gombar

Intrusion detection systems (IDSs) are commonly evaluated through aggregate classification metrics, although operational workflows require detected flows to be interpreted, prioritized, and transformed into actionable evidence. This study proposes a detection-to-triage framework for multiclass intrusion detection using a CSE-CIC-IDS2018-derived experimental subset containing 213,463 records across one benign class and fourteen attack classes. The framework combines supervised multiclass classification, SHAP-style post hoc explanation, class-specific false positive analysis, and a Suspicious Flow Priority Score (SFPS) for analyst-oriented suspicious flow ranking. The practical role of SFPS is to reorder suspicious flows by combining model confidence, explanation strength, predefined attack severity, and validation-based false positive control, thereby producing a transparent triage list rather than a probability-only alert queue. Three detection backbones were evaluated under a shared preprocessing protocol: Random Forest, XGBoost, and a lightweight multilayer perceptron baseline. To assess stability, experiments were repeated across five random seeds. XGBoost achieved the strongest mean performance across most aggregate indicators, with an accuracy of 0.9494 ± 0.0011, a macro F1-score of 0.8366 ± 0.0193, a weighted F1-score of 0.9494 ± 0.0011, and a Matthews Correlation Coefficient of 0.9429 ± 0.0012. Random Forest produced closely comparable results, while the lightweight MLP remained lower on aggregate and macro-level indicators. False positive analysis showed that the alert burden was concentrated in selected classes and differed across models, confirming that aggregate performance alone is insufficient for assessing IDS usefulness. SHAP-style analysis identified stable flow-level contributors to XGBoost discrimination, while SFPS substantially changed the post-detection ordering of suspicious flows compared with probability-only ranking. The study does not claim universal state-of-the-art superiority, causal explanation, or deployment validation; instead, it demonstrates how multiclass IDS outputs can be extended into explainable, false-positive-aware, and triage-oriented rankings for analyst review.
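As an added illustration (not the paper's code, and not its exact scoring formula, which the abstract does not give), the following Python sketch shows how an SFPS-style score built from the four components named above can reorder a probability-only alert queue. The component weights, severity values, class-specific validation false positive rates, class names and flows are all constructed assumptions.

```python
"""SFPS-style re-ranking sketch (added example; weights and data are constructed)."""
from dataclasses import dataclass

# Assumed severity weight per predicted attack class, on a 0-1 scale (constructed).
SEVERITY = {"Infiltration": 0.9, "DDoS": 0.8, "Brute Force": 0.6, "Bot": 0.5}
# Assumed class-specific false positive rate measured on a validation split (constructed).
VAL_FPR = {"Infiltration": 0.20, "DDoS": 0.01, "Brute Force": 0.05, "Bot": 0.10}
# Assumed component weights; they sum to 1 so every SFPS value stays in [0, 1].
WEIGHTS = {"confidence": 0.35, "explanation": 0.25, "severity": 0.25, "fp_control": 0.15}

@dataclass
class Flow:
    flow_id: str
    predicted_class: str
    confidence: float      # classifier probability for the predicted class
    shap_values: list      # per-feature SHAP contributions toward that class

def explanation_mass(flow):
    """Total absolute SHAP attribution; larger means the model 'committed' to features."""
    return sum(abs(v) for v in flow.shap_values)

def sfps(flow, max_mass):
    """Weighted combination of confidence, explanation strength, severity and FP control."""
    expl = explanation_mass(flow) / max_mass if max_mass else 0.0   # batch-normalised to [0, 1]
    fp_control = 1.0 - VAL_FPR[flow.predicted_class]                # noisy classes are demoted
    return (WEIGHTS["confidence"] * flow.confidence
            + WEIGHTS["explanation"] * expl
            + WEIGHTS["severity"] * SEVERITY[flow.predicted_class]
            + WEIGHTS["fp_control"] * fp_control)

def rank_by_probability(flows):
    """Baseline queue: highest predicted-class probability first."""
    return [f.flow_id for f in sorted(flows, key=lambda f: f.confidence, reverse=True)]

def rank_by_sfps(flows):
    """Triage queue: highest SFPS first."""
    max_mass = max(explanation_mass(f) for f in flows)
    return [f.flow_id for f in sorted(flows, key=lambda f: sfps(f, max_mass), reverse=True)]

# Constructed suspicious flows, not records from the dataset.
FLOWS = [
    Flow("f1", "Bot", 0.97, [0.2, 0.1, 0.05]),          # confident but weakly explained, low severity
    Flow("f2", "Infiltration", 0.80, [0.9, 0.7, 0.4]),  # strongly explained, severe, FP-prone class
    Flow("f3", "DDoS", 0.85, [0.6, 0.5, 0.3]),          # severe and from a clean class
    Flow("f4", "Brute Force", 0.90, [0.3, 0.2, 0.1]),
]

if __name__ == "__main__":
    print("probability-only:", rank_by_probability(FLOWS))
    print("SFPS:            ", rank_by_sfps(FLOWS))
```

With these constructed inputs the most probable flow drops to the bottom of the triage list, which is the kind of reordering the abstract reports when SFPS replaces probability-only ranking.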
