🤖 AI Summary
This study addresses the challenge in cybersecurity that low-level telemetry data (e.g., Suricata logs) lack explicit representation of attacker intent and cognitive strategies. To bridge this gap, we propose a large language model (LLM)-based approach for high-level semantic understanding of adversarial behavior. Methodologically, we introduce a novel cognitive-bias-informed behavioral phase segmentation mechanism and a strategy-driven prompt engineering framework that accurately maps raw network events to MITRE ATT&CK tactical categories. Our key contributions are: (1) the first interpretable linkage between specific attack techniques and underlying psychological drivers—such as tool-switching or protocol-hopping decisions—and (2) empirical validation demonstrating that LLMs effectively close the semantic gap between packet-level logs and strategic intent, achieving high-accuracy intent identification on real-world logs. This work advances both the theoretical foundations and practical implementation of cognition-aware, adaptive cyber defense.
📝 Abstract
Understanding adversarial behavior in cybersecurity has traditionally relied on high-level intelligence reports and manual interpretation of attack chains. However, real-time defense requires the ability to infer attacker intent and cognitive strategy directly from low-level system telemetry such as intrusion detection system (IDS) logs. In this paper, we propose a novel framework that leverages large language models (LLMs) to analyze Suricata IDS logs and infer attacker actions in terms of MITRE ATT&CK techniques. Our approach is grounded in the hypothesis that attacker behavior reflects underlying cognitive biases such as loss aversion, risk tolerance, or goal persistence that can be extracted and modeled through careful observation of log sequences. This lays the groundwork for future work on behaviorally adaptive cyber defense and cognitive trait inference. We develop a strategy-driven prompt system to segment large amounts of network log data into distinct behavioral phases in a highly efficient manner, enabling the LLM to associate each phase with likely techniques and underlying cognitive motives. By mapping network-layer events to high-level attacker strategies, our method reveals how behavioral signals such as tool switching, protocol transitions, or pivot patterns correspond to psychologically meaningful decision points. The results demonstrate that LLMs can bridge the semantic gap between packet-level logs and strategic intent, offering a pathway toward cognitive-adaptive cyber defense.
Keywords: Cognitive Cybersecurity, Large Language Models (LLMs), Cyberpsychology, Intrusion Detection Systems (IDS), MITRE ATT&CK, Cognitive Biases
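As an added illustration of the phase-segmentation step described in the abstract (example code, not the paper's own system): a small Python segmenter reads Suricata EVE JSON alerts, opens a new behavioral phase on the signals the abstract names (a protocol transition, a pivot where a former target starts acting as a source, or an idle gap), and renders the phases as the evidence section of a prompt asking an LLM for ATT&CK tactic mapping. The boundary rules, the gap threshold and the sample records are assumptions constructed for this example; the paper's actual prompt design is not reproduced here.

```python
import json
from datetime import datetime
# Constructed Suricata EVE JSON alert records (sample data, not the paper's logs).
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"app_proto":"ssh","alert":{"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"app_proto":"ssh","alert":{"signature":"ET SCAN Potential SSH Scan"}}
{"timestamp":"2024-01-01T10:01:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":80,"app_proto":"http","alert":{"signature":"ET WEB_SERVER Possible SQL Injection"}}
{"timestamp":"2024-01-01T10:01:30.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":80,"app_proto":"http","alert":{"signature":"ET WEB_SERVER Possible SQL Injection"}}
{"timestamp":"2024-01-01T10:20:00.000000+0000","event_type":"alert","src_ip":"10.0.0.20","dest_ip":"10.0.0.30","dest_port":445,"app_proto":"smb","alert":{"signature":"ET POLICY SMB Lateral Movement"}}
{"timestamp":"2024-01-01T10:20:10.000000+0000","event_type":"alert","src_ip":"10.0.0.20","dest_ip":"10.0.0.30","dest_port":445,"app_proto":"smb","alert":{"signature":"ET POLICY SMB Lateral Movement"}}
"""

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")

def segment_phases(eve_text, gap_seconds=600):
    """Split Suricata alerts into behavioral phases (hypothetical heuristic, not the paper's)."""
    events = [json.loads(l) for l in eve_text.splitlines() if l.strip()]
    phases, seen_targets = [], set()
    for e in (e for e in events if e.get("event_type") == "alert"):
        ts, proto = parse_ts(e["timestamp"]), e.get("app_proto", "unknown")
        reason = "start of observed activity" if not phases else None
        if phases:
            cur = phases[-1]
            if e["src_ip"] in seen_targets and e["src_ip"] not in cur["sources"]:
                reason = f"pivot: {e['src_ip']} was a target, now acts as a source"   # pivot pattern
            elif proto not in cur["protocols"]:
                reason = f"protocol transition: {cur['protocols'][-1]} -> {proto}"    # protocol hop
            elif (ts - cur["end"]).total_seconds() > gap_seconds:
                reason = f"time gap > {gap_seconds}s"                                  # idle break
        if reason:
            phases.append({"start": ts, "end": ts, "reason": reason, "events": 0,
                           "sources": [], "targets": [], "protocols": [], "signatures": []})
        cur = phases[-1]
        cur["end"], cur["events"] = ts, cur["events"] + 1
        for key, val in (("sources", e["src_ip"]), ("targets", e["dest_ip"]),
                         ("protocols", proto), ("signatures", e["alert"]["signature"])):
            if val not in cur[key]:
                cur[key].append(val)   # keep order of first appearance
        seen_targets.add(e["dest_ip"])
    return phases

def render_prompt(phases):
    """Turn phases into the evidence section of an LLM prompt asking for ATT&CK tactic mapping."""
    out = ["Map each behavioral phase to the most likely MITRE ATT&CK tactic and the decision it reflects."]
    for i, p in enumerate(phases, 1):
        out.append(f"Phase {i} [{p['start']:%H:%M:%S}-{p['end']:%H:%M:%S}, {p['events']} alerts, boundary: {p['reason']}]: "
                   f"{', '.join(p['sources'])} -> {', '.join(p['targets'])} over {', '.join(p['protocols'])}; signatures: {'; '.join(p['signatures'])}")
    return "\n".join(out)
```

On the constructed sample the segmenter yields three phases (SSH scanning, an HTTP phase opened by the protocol transition, and an SMB phase opened by the pivot through 10.0.0.20), which is the granularity at which the LLM would be asked to label tactics.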