In　recent　years,　machine　learning-based　intrusion　detection　systems　(IDSs)　have　proven　to　be　effective;　especially,　deep　neural　networks　improve　the　detection　rates　of　intrusion　detection　models.　However,　as　models　become　more　and　more　complex,　people　can　hardly　get　the　explanations　behind　their　decisions.　At　the　same　time,　most　of　the　works　about　model　interpretation　focuses　on　other　fields　like　computer　vision,　natural　language　processing,　and　biology.　This　leads　to　the　fact　that　in　practical　use,　cybersecurity　experts　can　hardly　optimize　their　decisions　according　to　the　judgments　of　the　model.　To　solve　these　issues,　a　framework　is　proposed　in　this　paper　to　give　an　explanation　for　IDSs.　This　framework　uses　SHapley　Additive　exPlanations　(SHAP),　and　combines　local　and　global　explanations　to　improve　the　interpretation　of　IDSs.　The　local　explanations　give　the　reasons　why　the　model　makes　certain　decisions　on　the　specific　input.　The　global　explanations　give　the　important　features　extracted　from　IDSs,　present　the　relationships　between　the　feature　values　and　different　types　of　attacks.　At　the　same　time,　the　interpretations　between　two　different　classifiers,　one-vs-all　classifier　and　multiclass　classifier,　are　compared.　NSL-KDD　dataset　is　used　to　test　the　feasibility　of　the　framework.　The　framework　proposed　in　this　paper　leads　to　improve　the　transparency　of　any　IDS,　and　helps　the　cybersecurity　staff　have　a　better　understanding　of　IDSs　&　x2019;　judgments.　Furthermore,　the　different　interpretations　between　different　kinds　of　classifiers　can　also　help　security　experts　better　design　the　structures　of　the　IDSs.　More　importantly,　this　work　is　unique　in　the　intrusion　detection　field,　presenting　the　first　use　of　the　SHAP　method　to　give　explanations　for　IDSs.