
eX-NIDS: A Framework for Explainable Network Intrusion Detection Leveraging Large Language Models

Paul R. B. Houssel, Siamak Layeghy, Priyanka Singh, Marius Portmann

TL;DR

The paper tackles the explainability gap in flow-based Network Intrusion Detection Systems by introducing eX-NIDS, a hybrid framework that augments LLM prompts with Cyber Threat Intelligence and flow-specific context. By comparing a Basic-Prompt Explainer to an Augmented-Prompt Explainer across Llama 3 and GPT-4, the authors show that CTI-enriched prompts substantially improve explanation quality, reducing hallucinations and increasing factual and feature consistency. The proposed evaluation methodology jointly measures correctness, factual grounding, and feature alignment, revealing that GPT-4 with augmented prompts achieves the best results, while Llama 3 benefits notably from contextual information despite remaining susceptible to minor errors. The work demonstrates the practical potential of augmented LLM explanations to assist network operators, while also highlighting the need for further user studies and improvements in network-domain reasoning for real-world deployment.

Abstract

This paper introduces eX-NIDS, a framework designed to enhance interpretability in flow-based Network Intrusion Detection Systems (NIDS) by leveraging Large Language Models (LLMs). In our proposed framework, flows labelled as malicious by NIDS are initially processed through a module called the Prompt Augmenter. This module extracts contextual information and Cyber Threat Intelligence (CTI)-related knowledge from these flows. This enriched, context-specific data is then integrated with an input prompt for an LLM, enabling it to generate detailed explanations and interpretations of why the flow was identified as malicious by NIDS. We compare the generated interpretations against a Basic-Prompt Explainer baseline, which does not incorporate any contextual information into the LLM's input prompt. Our framework is quantitatively evaluated using the Llama 3 and GPT-4 models, employing a novel evaluation method tailored for natural language explanations, focusing on their correctness and consistency. The results demonstrate that augmented LLMs can produce accurate and consistent explanations, serving as valuable complementary tools in NIDS to explain the classification of malicious flows. The use of augmented prompts enhances performance by over 20% compared to the Basic-Prompt Explainer.
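As an added illustration of the two ideas in the abstract (not code from the paper), the toy below implements a Prompt Augmenter that attaches CTI facts and flow-derived context to a basic prompt, and a feature-consistency score that checks whether the `feature=value` claims in an LLM explanation match the flow it was asked about. The NetFlow field names, the CTI lookup table and the scoring rule are assumptions for this example, not the paper's schema or metric.

```python
import re

# Constructed NetFlow-style sample labelled malicious by the NIDS (assumed field names).
FLOW = {
    "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 4444,
    "proto": "TCP", "in_pkts": 3, "out_pkts": 0, "in_bytes": 180, "tcp_flags": "SYN",
}

# Constructed CTI lookup standing in for the external resources and internal
# database of the Prompt Augmenter (hypothetical values, not real indicators).
CTI_DB = {
    "ip": {"203.0.113.7": "listed on a constructed blocklist as a C2 host"},
    "port": {4444: "commonly associated with remote-access tooling"},
}


def augment_prompt(flow, cti, label="malicious"):
    """Prompt Augmenter: enrich the basic prompt with CTI facts and flow context."""
    facts = []
    for key in ("src_ip", "dst_ip"):
        if flow[key] in cti["ip"]:
            facts.append(f"{key}={flow[key]}: {cti['ip'][flow[key]]}")
    if flow["dst_port"] in cti["port"]:
        facts.append(f"dst_port={flow['dst_port']}: {cti['port'][flow['dst_port']]}")
    # Flow-derived context: a SYN with no reply packets is one-directional traffic.
    if flow["out_pkts"] == 0 and "SYN" in flow["tcp_flags"]:
        facts.append("context: one-directional SYN traffic with no reply (scan or failed connect)")
    flow_txt = ", ".join(f"{k}={v}" for k, v in flow.items())
    return (f"The NIDS labelled this flow as {label}. Explain why, citing only the features below.\n"
            f"Flow: {flow_txt}\nContext:\n" + "\n".join(f"- {f}" for f in facts))


def feature_consistency(explanation, flow):
    """Fraction of feature=value claims in the explanation that match the flow.

    1.0 means every cited feature agrees with the flow; values below 1.0 flag
    hallucinated feature values. Returns 0.0 when no known feature is cited.
    """
    mentions = re.findall(r"(\w+)=([\w.]+)", explanation)
    checked = [(k, v) for k, v in mentions if k in flow]
    if not checked:
        return 0.0
    ok = sum(1 for k, v in checked if str(flow[k]) == v)
    return ok / len(checked)
```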

Paper Structure

This paper contains 12 sections, 7 figures, 1 table.

Figures (7)

  • Figure 1: Basic-Prompt Explainer.
  • Figure 2: Example input prompt provided to the LLM in the baseline framework. The first part (with a green background) contains the instructions, while the second part (with a blue background) presents the maliciously identified NetFlow sample.
  • Figure 3: Explanation provided by GPT-4 for the prompt requested in Figure 2 via the baseline framework.
  • Figure 4: High-level overview of eX-NIDS (proposed frameworks).
  • Figure 5: Prompt Augmenter module. Connections to the external resources as well as the internal database are not shown here.
  • ...and 2 more figures