RHINO: Guided Reasoning for Mapping Network Logs to Adversarial Tactics and Techniques with Large Language Models

📅 2025-10-15
🤖 AI Summary
Current intrusion detection systems generate low-level alerts with fragmented semantics, making manual correlation to high-level adversarial behaviors costly and error-prone. Rule-based approaches suffer from poor generalizability, while conventional machine learning models lack contextual reasoning capabilities; mainstream large language model (LLM) solutions—relying on single-step classification—are prone to hallucination. To address these limitations, we propose the first LLM-based framework that emulates human structured reasoning through three synergistic stages: behavioral abstraction, multi-role evidence assessment, and ATT&CK-defined validation. We formulate tactic–technique mapping as a context-aware reasoning task—not syntactic pattern matching—by deeply integrating LLMs with the MITRE ATT&CK knowledge base. Our method supports narrative generation of adversarial behavior and cross-validation. Evaluated on three benchmark datasets, it achieves 86.38%–88.45% accuracy, representing a relative improvement of 24.25%–76.50%. The framework significantly enhances interpretability, robustness, and scalability of threat mapping.

📝 Abstract
Modern Network Intrusion Detection Systems generate vast volumes of low-level alerts, yet these outputs remain semantically fragmented, requiring labor-intensive manual correlation with high-level adversarial behaviors. Existing solutions for automating this mapping, rule-based systems and machine learning classifiers, suffer from critical limitations: rule-based approaches fail to adapt to novel attack variations, while machine learning methods lack contextual awareness and treat tactic-technique mapping as a syntactic matching problem rather than a reasoning task. Although Large Language Models have shown promise in cybersecurity tasks, preliminary experiments reveal that existing LLM-based methods frequently hallucinate technique names or produce decontextualized mappings because they perform single-step classification. To address these challenges, we introduce RHINO, a novel framework that decomposes LLM-based attack analysis into three interpretable phases mirroring human reasoning: (1) behavioral abstraction, where raw logs are translated into contextualized narratives; (2) multi-role collaborative inference, generating candidate techniques by evaluating behavioral evidence against MITRE ATT&CK knowledge; and (3) validation, cross-referencing predictions with official MITRE definitions to rectify hallucinations. RHINO bridges the semantic gap between low-level observations and adversarial intent while improving output reliability through structured reasoning. We evaluate RHINO on three benchmarks across four backbone models. RHINO achieved high accuracy, with model performance ranging from 86.38% to 88.45%, resulting in relative gains from 24.25% to 76.50% across the different backbones. Our results demonstrate that RHINO significantly enhances the interpretability and scalability of threat analysis, offering a blueprint for deploying LLMs in operational security settings.
Problem

Research questions and friction points this paper is trying to address.

Mapping low-level network alerts to high-level adversarial tactics automatically
Overcoming limitations of rule-based and machine learning classification methods
Addressing LLM hallucinations in cybersecurity tactic-technique mapping tasks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Decomposes LLM analysis into three interpretable reasoning phases
Uses multi-role collaborative inference for candidate technique generation
Cross-references predictions with official definitions to rectify hallucinations
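The validation phase listed above, and described in the abstract as cross-referencing predictions with official MITRE definitions, is the one stage of the pipeline that needs no model and can be checked deterministically. The following is an added example, not RHINO's own code, of such a validation pass: it takes candidates in the shape a phase-2 model might emit, checks each against a hand-copied ATT&CK lookup, rectifies a wrong name or ID when the other field resolves unambiguously, rectifies a wrong tactic when the technique is defined under only one, and rejects candidates whose cited evidence does not appear in the phase-1 narrative. The narrative, the candidate records, their field names and the ATT&CK subset are all constructed for this example; the paper does not specify its output format.

```python
"""Validation stage of a RHINO-style mapping pipeline (added example, not the
paper's code): check LLM-proposed ATT&CK technique candidates against a local
copy of the official definitions and rectify or reject hallucinations."""
import re
from dataclasses import dataclass, field

# Constructed ATT&CK subset: technique ID -> (official name, tactic shortnames).
# Hand-copied for the example; in production build this from the ATT&CK STIX
# bundle so renamed or deprecated techniques are caught as well.
ATTACK = {
    "T1046":     ("Network Service Discovery", frozenset({"discovery"})),
    "T1110":     ("Brute Force", frozenset({"credential-access"})),
    "T1110.001": ("Password Guessing", frozenset({"credential-access"})),
    "T1190":     ("Exploit Public-Facing Application", frozenset({"initial-access"})),
    "T1071.001": ("Web Protocols", frozenset({"command-and-control"})),
    "T1048":     ("Exfiltration Over Alternative Protocol", frozenset({"exfiltration"})),
}
NAME_TO_ID = {name.lower(): tid for tid, (name, _) in ATTACK.items()}
ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass
class Verdict:
    technique_id: str
    technique_name: str
    tactic: str
    status: str                       # "accepted" | "rectified" | "rejected"
    notes: list = field(default_factory=list)


def validate(candidate: dict, narrative: str) -> Verdict:
    """Cross-reference one candidate with the ATT&CK lookup.

    candidate keys (assumed shape): technique_id, technique_name, tactic, and
    evidence, the span of the phase-1 narrative the model claims supports it."""
    tid = candidate["technique_id"].strip().upper()
    name = candidate["technique_name"].strip()
    tactic = candidate["tactic"].strip().lower()
    notes = []

    # 1. Evidence must be grounded in the narrative; invented evidence is fatal.
    if candidate["evidence"].strip().lower() not in narrative.lower():
        return Verdict(tid, name, tactic, "rejected", ["evidence not found in narrative"])

    # 2. Resolve the technique by ID, falling back to the official name.
    if not ID_RE.match(tid) or tid not in ATTACK:
        recovered = NAME_TO_ID.get(name.lower())
        if recovered is None:
            return Verdict(tid, name, tactic, "rejected",
                           [f"unknown technique id {tid!r} and name {name!r}"])
        notes.append(f"id {tid} not in ATT&CK; resolved {name!r} to {recovered}")
        tid = recovered
    canonical_name, allowed_tactics = ATTACK[tid]

    # 3. The name must match the official definition for that ID.
    if name.lower() != canonical_name.lower():
        notes.append(f"name {name!r} replaced by official {canonical_name!r}")
        name = canonical_name

    # 4. The tactic must be one the technique is actually defined under;
    #    rectify only when the technique has a single tactic, else send it back.
    if tactic not in allowed_tactics:
        if len(allowed_tactics) == 1:
            (fixed,) = allowed_tactics
            notes.append(f"tactic {tactic!r} replaced by {fixed!r}")
            tactic = fixed
        else:
            return Verdict(tid, name, tactic, "rejected",
                           notes + [f"tactic {tactic!r} not valid for {tid}; needs review"])

    return Verdict(tid, name, tactic, "rectified" if notes else "accepted", notes)


def validate_all(candidates, narrative):
    return [validate(c, narrative) for c in candidates]


# Constructed phase-1 narrative (what behavioral abstraction would emit).
NARRATIVE = ("From 10.0.0.5, 412 TCP SYN probes to 10.0.1.0/24 on ports 22, 80, 443 and 445 "
             "within 30 s; then 57 failed SSH logins as root to 10.0.1.12 within 2 min; "
             "then an HTTP POST to 10.0.1.12/cgi-bin/ carrying shell metacharacters returned 200.")

# Constructed phase-2 candidates, including typical hallucinations: a made-up
# technique name, a made-up ID (T1999), a wrong tactic and invented evidence.
CANDIDATES = [
    {"technique_id": "T1046", "technique_name": "Network Service Discovery",
     "tactic": "discovery", "evidence": "412 TCP SYN probes"},
    {"technique_id": "T1110.001", "technique_name": "SSH Password Guessing",
     "tactic": "credential-access", "evidence": "57 failed SSH logins"},
    {"technique_id": "T1999", "technique_name": "Brute Force",
     "tactic": "credential-access", "evidence": "57 failed SSH logins"},
    {"technique_id": "T1190", "technique_name": "Exploit Public-Facing Application",
     "tactic": "execution", "evidence": "shell metacharacters"},
    {"technique_id": "T1048", "technique_name": "Exfiltration Over Alternative Protocol",
     "tactic": "exfiltration", "evidence": "large outbound transfer"},
]

if __name__ == "__main__":
    for v in validate_all(CANDIDATES, NARRATIVE):
        print(v.status.upper(), v.technique_id, v.technique_name, v.tactic, "; ".join(v.notes))
```

The evidence check runs first on purpose: a candidate whose supporting span was invented is not rescued by having a valid technique ID, since the point of the validation phase is to tie every mapping back to what was observed. Rejected rows are the ones worth feeding back to the inference stage rather than dropping silently.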
Fanchao Meng
Shanghai Jiao Tong University
Jiaping Gui
Assistant Professor, Shanghai Jiao Tong University
Network and System Security; Artificial Intelligence; Software Engineering
Yunbo Li
Shanghai Jiao Tong University
Yue Wu
Shanghai Jiao Tong University