🤖 AI Summary
Existing multi-label network intrusion detection systems (ML-NIDS) generalize poorly: they rely on homogeneous datasets and on manual expertise, which inflates evaluation metrics and leaves them unable to detect unseen attacks. Method: This paper proposes a knowledge-guided generalization enhancement framework. Its core innovation is the first use of large language models to automatically parse attack implementations and construct a unified attack strategy knowledge graph; symbolic reasoning over that graph then generates knowledge-augmented inputs, integrating domain knowledge directly into model design. This approach goes beyond the traditional data-driven paradigm by modeling attack semantics systematically. Results: Evaluated on 28 real-world attack variants, including 10 previously unseen ones, the framework achieves a maximum F1-score of 99% (baselines score as low as 0% on some variants) and a false positive rate below 0.1%, demonstrating substantially more robust detection of unknown attack variants.
📝 Abstract
Despite extensive research on Machine Learning-based Network Intrusion Detection Systems (ML-NIDS), their capability to detect diverse attack variants remains uncertain. Prior studies have largely relied on homogeneous datasets, which artificially inflate performance scores and offer a false sense of security. Designing systems that can effectively detect a wide range of attack variants remains a significant challenge. The progress of ML-NIDS continues to depend heavily on human expertise, which can embed subjective judgments of system designers into the model, potentially hindering its ability to generalize across diverse attack types.
To address this gap, we propose KnowML, a framework for knowledge-guided machine learning that integrates attack knowledge into ML-NIDS. KnowML systematically explores the threat landscape by leveraging Large Language Models (LLMs) to perform automated analysis of attack implementations. It constructs a unified Knowledge Graph (KG) of attack strategies, on which it applies symbolic reasoning to generate KG-Augmented Input, embedding domain knowledge directly into the design process of ML-NIDS.
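To make the pipeline in this paragraph concrete, here is an added illustration of the "knowledge graph plus symbolic reasoning produces KG-augmented input" step. It is not KnowML's code: the small attack-strategy graph is hand-written in place of the LLM-constructed one, and every node name, threshold, feature field and sample flow below is a constructed assumption. Forward-chaining rules infer which attack strategies a flow exhibits, and those inferences are appended to the raw feature vector as strategy-level indicators, so two variants that share a strategy produce overlapping augmented inputs even when their raw statistics differ.

```python
"""Toy knowledge-guided feature augmentation (illustrative, not KnowML's code).

A tiny attack-strategy knowledge graph stands in for the LLM-built graph the
paper describes. Forward-chaining rules (the symbolic reasoning step) turn raw
flow statistics into strategy-level indicator features, which are appended to
the raw feature vector as "KG-augmented input". All names, thresholds and
sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Knowledge graph as (subject, predicate, object) triples. Constructed example:
# attack variants use strategies; strategies manifest as observable flow traits.
KG: List[Tuple[str, str, str]] = [
    ("syn_flood_v1", "uses_strategy", "volumetric_flooding"),
    ("syn_flood_v2", "uses_strategy", "volumetric_flooding"),
    ("syn_flood_v2", "uses_strategy", "source_spoofing"),
    ("slow_http", "uses_strategy", "connection_exhaustion"),
    ("volumetric_flooding", "manifests_as", "high_packet_rate"),
    ("volumetric_flooding", "manifests_as", "small_packets"),
    ("connection_exhaustion", "manifests_as", "long_idle_connections"),
    ("connection_exhaustion", "manifests_as", "many_open_connections"),
    ("source_spoofing", "manifests_as", "unanswered_handshakes"),
]


@dataclass
class Flow:
    """Raw per-source flow statistics over a time window (constructed schema)."""
    pkts_per_sec: float
    mean_pkt_bytes: float
    open_conns: int
    mean_idle_sec: float
    syn_ack_ratio: float  # SYNs sent by the source / ACKs it completes


# Grounding rules: map raw statistics to the observable traits named in the KG.
# Thresholds are illustrative assumptions, not values from the paper.
GROUNDING: Dict[str, Callable[[Flow], bool]] = {
    "high_packet_rate": lambda f: f.pkts_per_sec > 5000,
    "small_packets": lambda f: f.mean_pkt_bytes < 80,
    "many_open_connections": lambda f: f.open_conns > 500,
    "long_idle_connections": lambda f: f.mean_idle_sec > 30,
    "unanswered_handshakes": lambda f: f.syn_ack_ratio > 5,
}


def observed_traits(flow: Flow) -> Set[str]:
    """Traits whose grounding rule fires on this flow."""
    return {t for t, pred in GROUNDING.items() if pred(flow)}


def infer_strategies(traits: Set[str]) -> Set[str]:
    """Forward chaining: a strategy is inferred when every trait the KG says it
    manifests as has been observed (one conjunctive rule per strategy)."""
    needed: Dict[str, Set[str]] = {}
    for s, p, o in KG:
        if p == "manifests_as":
            needed.setdefault(s, set()).add(o)
    return {s for s, req in needed.items() if req <= traits}


def matching_variants(strategies: Set[str]) -> Set[str]:
    """Variants whose strategy set is fully covered by the inferred strategies."""
    uses: Dict[str, Set[str]] = {}
    for s, p, o in KG:
        if p == "uses_strategy":
            uses.setdefault(s, set()).add(o)
    return {v for v, req in uses.items() if req <= strategies}


# Fixed column order for the strategy indicator features.
STRATEGIES: List[str] = sorted({o for _, p, o in KG if p == "uses_strategy"})


def kg_augmented_input(flow: Flow) -> List[float]:
    """Raw features followed by one binary indicator per strategy in the KG."""
    raw = [flow.pkts_per_sec, flow.mean_pkt_bytes, float(flow.open_conns),
           flow.mean_idle_sec, flow.syn_ack_ratio]
    inferred = infer_strategies(observed_traits(flow))
    return raw + [1.0 if s in inferred else 0.0 for s in STRATEGIES]


# Constructed sample flows: a benign web client, a flood with spoofed sources,
# and a slow-HTTP connection-exhaustion pattern.
BENIGN = Flow(pkts_per_sec=40, mean_pkt_bytes=900, open_conns=6,
              mean_idle_sec=2, syn_ack_ratio=1.1)
SPOOFED_FLOOD = Flow(pkts_per_sec=80000, mean_pkt_bytes=60, open_conns=3,
                     mean_idle_sec=0.1, syn_ack_ratio=40)
SLOW_HTTP = Flow(pkts_per_sec=12, mean_pkt_bytes=300, open_conns=2000,
                 mean_idle_sec=90, syn_ack_ratio=1.0)

if __name__ == "__main__":
    for name, f in [("benign", BENIGN), ("spoofed_flood", SPOOFED_FLOOD),
                    ("slow_http", SLOW_HTTP)]:
        strat = infer_strategies(observed_traits(f))
        print(name, sorted(strat), sorted(matching_variants(strat)),
              kg_augmented_input(f)[5:])
```

The indicator columns are what a downstream classifier would be trained on alongside the raw statistics. In this toy graph, `syn_flood_v1` and `syn_flood_v2` both light up the `volumetric_flooding` indicator, so a model that only ever saw v1 in training still receives a matching signal when v2 appears; that shared, strategy-level representation is the mechanism by which knowledge augmentation is meant to improve generalization to unseen variants.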
We evaluate KnowML on 28 realistic attack variants, of which 10 are newly collected for this study. Our findings reveal that baseline ML-NIDS models fail to detect several variants entirely, achieving F1 scores as low as 0%. In contrast, our knowledge-guided approach achieves up to 99% F1 score while maintaining a False Positive Rate below 0.1%.