To address the limited interpretability of Network Intrusion Detection Systems (NIDS), this paper proposes an LLM-based explainable NIDS framework. The core innovation is the Prompt Augmenter module, which dynamically integrates network flow context with multi-source threat intelligence to generate structured, semantically rich detection explanations. Evaluated on Llama-3 and GPT-4, the method improves explanation correctness and consistency by over 20% compared to baseline prompting. Leveraging natural language inference and custom evaluation metrics, it enables quantitative assessment of explanation quality. Experimental results demonstrate that the augmented prompting strategy significantly outperforms context-agnostic baselines across accuracy, consistency, and readability—achieving substantial gains in all three dimensions. This work establishes a novel paradigm for enhancing cybersecurity interpretability through LLMs.

This paper introduces eX-NIDS, a framework designed to enhance interpretability in flow-based Network Intrusion Detection Systems (NIDS) by leveraging Large Language Models (LLMs). In our proposed framework, flows labelled as malicious by NIDS are initially processed through a module called the Prompt Augmenter. This module extracts contextual information and Cyber Threat Intelligence (CTI)-related knowledge from these flows. This enriched, context-specific data is then integrated with an input prompt for an LLM, enabling it to generate detailed explanations and interpretations of why the flow was identified as malicious by NIDS. We compare the generated interpretations against a Basic-Prompt Explainer baseline, which does not incorporate any contextual information into the LLM's input prompt. Our framework is quantitatively evaluated using the Llama 3 and GPT-4 models, employing a novel evaluation method tailored for natural language explanations, focusing on their correctness and consistency. The results demonstrate that augmented LLMs can produce accurate and consistent explanations, serving as valuable complementary tools in NIDS to explain the classification of malicious flows. The use of augmented prompts enhances performance by over 20% compared to the Basic-Prompt Explainer.