To address insufficient fusion of flow-level and packet-level information in real-time network intrusion detection, this paper proposes the first flow-packet bimodal heterogeneous graph modeling framework. It structures network traffic as a heterogeneous graph comprising flow and packet nodes, incorporates temporally enhanced flow features, and synergistically integrates Graph Neural Networks (GNNs) with Large Language Models (LLMs) to enable end-to-end detection, interpretable attribution, and automated response recommendations. Key contributions include: (1) the first principled paradigm for constructing flow-packet heterogeneous graphs; (2) a novel GNN-LLM co-architecture supporting a closed-loop pipeline of detection, explanation, and decision-making; and (3) the open-source lightweight graph construction toolkit GNN4ID. Evaluated on multi-class intrusion detection tasks, the framework achieves 97% F1-score—significantly surpassing state-of-the-art methods—while maintaining real-time inference capability and human-readable interpretability.

In the rapidly evolving field of cybersecurity, the integration of flow-level and packet-level information for real-time intrusion detection remains a largely untapped area of research. This paper introduces"XG-NID,"a novel framework that, to the best of our knowledge, is the first to fuse flow-level and packet-level data within a heterogeneous graph structure, offering a comprehensive analysis of network traffic. Leveraging a heterogeneous graph neural network (GNN) with graph-level classification, XG-NID uniquely enables real-time inference while effectively capturing the intricate relationships between flow and packet payload data. Unlike traditional GNN-based methodologies that predominantly analyze historical data, XG-NID is designed to accommodate the heterogeneous nature of network traffic, providing a robust and real-time defense mechanism. Our framework extends beyond mere classification; it integrates Large Language Models (LLMs) to generate detailed, human-readable explanations and suggest potential remedial actions, ensuring that the insights produced are both actionable and comprehensible. Additionally, we introduce a new set of flow features based on temporal information, further enhancing the contextual and explainable inferences provided by our model. To facilitate practical application and accessibility, we developed"GNN4ID,"an open-source tool that enables the extraction and transformation of raw network traffic into the proposed heterogeneous graph structure, seamlessly integrating flow and packet-level data. Our comprehensive quantitative comparative analysis demonstrates that XG-NID achieves an F1 score of 97% in multi-class classification, outperforming existing baseline and state-of-the-art methods. This sets a new standard in Network Intrusion Detection Systems by combining innovative data fusion with enhanced interpretability and real-time capabilities.