eX-NIDS: A Framework for Explainable Network Intrusion Detection Leveraging Large Language Models

TL;DR

eX-NIDS introduces a framework that uses Large Language Models to provide detailed, context-aware explanations for network intrusion detection, improving interpretability and trust in NIDS.

Contribution

The paper presents a novel framework that leverages context-enriched prompts for LLMs to explain NIDS decisions, outperforming baseline explainers by over 20%.

Findings

Augmented prompts improve explanation accuracy and consistency.

LLMs can effectively interpret malicious network flows with contextual information.

The framework enhances interpretability in network intrusion detection systems.

Abstract

This paper introduces eX-NIDS, a framework designed to enhance interpretability in flow-based Network Intrusion Detection Systems (NIDS) by leveraging Large Language Models (LLMs). In our proposed framework, flows labelled as malicious by NIDS are initially processed through a module called the Prompt Augmenter. This module extracts contextual information and Cyber Threat Intelligence (CTI)-related knowledge from these flows. This enriched, context-specific data is then integrated with an input prompt for an LLM, enabling it to generate detailed explanations and interpretations of why the flow was identified as malicious by NIDS. We compare the generated interpretations against a Basic-Prompt Explainer baseline, which does not incorporate any contextual information into the LLM's input prompt. Our framework is quantitatively evaluated using the Llama 3 and GPT-4 models, employing a novel evaluation method tailored for natural language explanations, focusing on their correctness and consistency. The results demonstrate that augmented LLMs can produce accurate and consistent explanations, serving as valuable complementary tools in NIDS to explain the classification of malicious flows. The use of augmented prompts enhances performance by over 20% compared to the Basic-Prompt Explainer.