Towards Explainable Federated Graph-based Intrusion Detection for Zero Trust Critical Infrastructures
Publish Year: 1404
Document type: Conference paper
Language: English
This paper is 8 pages long and is available for download in PDF format.
National scientific document ID:
ICIRT01_009
Indexing date: 9 Azar 1404
Abstract:
In this paper, we propose FGNN-IDS, an explainable federated graph-based intrusion detection framework designed for Zero Trust critical infrastructures. The system integrates three technologies: federated learning (FL) to preserve privacy across distributed nodes, graph neural networks (GNNs) to model complex relational structures between system entities, and explainable AI (XAI) techniques to ensure transparency and trust in detection outcomes. Unlike prior work, FGNN-IDS embeds attention mechanisms into the GNN architecture and applies SHAP-based attribution to provide interpretable, instance-level justifications for alerts. We evaluate FGNN-IDS on three benchmark datasets (TON IOT, UNSW-NB15, and DARPA-TC-GRAPH) under various threat scenarios, including insider attacks and lateral movement. Results demonstrate that FGNN-IDS outperforms state-of-the-art baselines in detection accuracy (96.3%), F1 score (95.1%), and latency (142 ms). Moreover, it offers strong privacy guarantees (<= 1.7) and achieves 83.5% attribution accuracy in top-5 SHAP features, supporting human-in-the-loop security operations. These findings confirm FGNN-IDS as a practical solution for real-time, interpretable, and privacy-preserving intrusion detection in decentralized, Zero Trust environments.
Keywords:
Authors
Sania Mortezazadeh
Department of Computer Science, Qeshm Branch, Islamic Azad University, Qeshm, Iran