eX-NIDS: Explainable NIDS Framework
- eX-NIDS is an explainable network intrusion detection framework that leverages LLMs to post-process malicious NetFlows with augmented cybersecurity context.
- It improves explanation accuracy by using a two-stage prompt setup that boosts correctness from 40% to 80% and ensures 100% feature consistency.
- The variant XeNIDS formalizes cross-network evaluation by standardizing NetFlow records, thereby enhancing ML-NIDS transferability across diverse datasets.
eX-NIDS most explicitly denotes a framework for explainable flow-based network intrusion detection in which a Network Intrusion Detection System (NIDS) performs the detection and a LLM performs the explanation after prompt augmentation with network-specific context and cyber threat intelligence (CTI) (Houssel et al., 22 Jul 2025). In the same literature space, the closely related name XeNIDS denotes the first framework and formal model for cross-evaluating machine-learning-based NIDS (ML-NIDS) using already labeled network datasets from different networks (Apruzzese et al., 2022). Taken together, these usages place eX-NIDS at the intersection of post-detection interpretability, cross-network evaluation, and broader efforts to extend NIDS beyond static signature matching.
1. Nomenclature and scope
The term has at least two distinct uses in the supplied literature. One is explicitly explanatory; the other is methodological and evaluative.
| Usage | Core meaning | Source |
|---|---|---|
| eX-NIDS | Explainable Network Intrusion Detection leveraging LLMs for malicious NetFlow explanations | (Houssel et al., 22 Jul 2025) |
| XeNIDS | Framework for reliable cross-evaluations based on Network Flows; also written eX-NIDS in the paper’s title/description of the idea | (Apruzzese et al., 2022) |
The explanatory usage is narrower and system-specific. It assumes an existing flow-based NIDS that labels a NetFlow record as malicious, then augments the prompt with contextual knowledge so that an LLM can explain why the flow was identified as malicious. The cross-evaluation usage is broader. It concerns how ML-NIDS should be trained and tested across multiple labeled datasets from distinct networks, with attention to generalization, detection-surface extension, and false-positive control.
A common misconception is to treat eX-NIDS as a detector. In the explainable formulation, it is not the detector itself; it is a post-detection explanation framework for flow-based NIDS (Houssel et al., 22 Jul 2025). A second misconception is to equate XeNIDS with ordinary transfer learning. The cross-evaluation model instead fixes the benign side to an origin network and varies the malicious side in controlled ways, precisely because the authors warn against naive model transfer for NIDS given the “immense variability” between networks (Apruzzese et al., 2022).
2. Explainable eX-NIDS as an LLM-based post-detection layer
The explainable framework begins from three observations: flow-based NIDS are effective but opaque; classic XAI methods such as SHAP assign feature importance in a vectorized feature space but do not incorporate external knowledge or CTI; and raw prompting of LLMs is unreliable because LLMs can hallucinate, misread feature meanings, and produce shallow “suspicion” arguments (Houssel et al., 22 Jul 2025).
Its architecture has two explainer setups. The Basic-Prompt Explainer sends an instruction prompt plus the malicious NetFlow record directly to the LLM. The full eX-NIDS (Augmented-Prompt Explainer) inserts a Prompt Augmenter between the detector and the LLM. The high-level workflow is fixed: a flow-based NIDS labels a NetFlow record as malicious; the malicious flow is passed to the explanation module; the Prompt Augmenter extracts structured contextual knowledge; the original prompt is augmented; and the LLM generates a natural-language explanation grounded in the richer context.
The Prompt Augmenter draws on three information sources. The first is NetFlow specification, namely a structured mapping of feature names to definitions, intended to prevent errors about meaning, direction, and units. The second is protocol-specific knowledge, extracted from identifiers such as L7_PROTO and PROTOCOL, for example mapping ID 17 to UDP. The third is IP-specific knowledge / CTI, obtained from source and destination IP addresses through historical related flows, IP threat intelligence, IP geolocation, and previous malicious connections. This CTI-related context is appended to the original baseline prompt.
The framework explicitly rejects full Retrieval-Augmented Generation (RAG) as necessary in this setting. The stated reason is that NetFlow attributes are already structured data rather than free text, so traditional database queries suffice for protocol mappings, IP intelligence, and historical flow context. The intended result is not reclassification but explanation: more accurate feature references, correct measurement units, and more contextually grounded reasoning than raw prompting provides.
3. Evaluation methodology, quantitative results, and operational profile
The explainable framework is evaluated on 50 malicious NetFlows sampled from NF-CSE-CIC-IDS2018-v2, and only malicious flows are evaluated because those are most relevant in practice (Houssel et al., 22 Jul 2025). Two domain experts manually inspected each explanation. The paper defines three independent metrics. Explanation Correctness asks whether the explanation is semantically valid and actually supports the malicious classification. Feature Consistency asks whether the explanation accurately uses the feature values present in the input, including correct feature definitions and units. Factual Consistency asks whether the explanation avoids hallucination and fabricated content.
The models are Llama 3 70B-Instruct, run locally with the transformers library, and gpt-4-1106-preview, accessed via the OpenAI API. Generation settings are temperature = 0.7 and max tokens = 2048. The reported results are as follows.
| Model | Method | Correctness | Feature Consistency | Factual Consistency | Avg. |
|---|---|---|---|---|---|
| Llama 3 70B-Instruct | Basic Prompt | 26% | 84% | 42% | 50.66% |
| Llama 3 70B-Instruct | eX-NIDS | 36% | 100% | 90% | 75.33% |
| GPT-4 | Basic Prompt | 40% | 96% | 78% | 71.33% |
| GPT-4 | eX-NIDS | 80% | 100% | 92% | 90.66% |
These figures ground the paper’s headline claim that prompt augmentation improves performance by over 20% overall. The largest reported gain is GPT-4 explanation correctness, from 40% to 80%. Feature consistency reaches 100% for both models with augmentation. The baseline failure modes identified by manual inspection are hallucinations, inconsistent reference to NetFlow features, and misinterpretation of feature values.
The framework also has an explicit operational cost profile. For Llama 3, averaged over 100 runs, the Basic Prompt Explainer takes 4 seconds and the Augmented Prompt Explainer takes 6 seconds. Basic prompts are about 1,244 characters / 461 tokens; augmented prompts are about 6,685 characters / 2,308 tokens. Using OpenAI pricing at the time, the paper estimates about $5.75 per 1,000 queries** for the basic prompt and about **$10.37 per 1,000 queries for the augmented prompt. The system is therefore presented as a complementary tool, not a replacement for the NIDS or for expert analysts.
4. XeNIDS and the formalization of cross-evaluation
XeNIDS addresses a different problem: how to use publicly available labeled datasets not merely as separate benchmarks, but as a basis for cross-evaluating ML-NIDS across networks (Apruzzese et al., 2022). The framework starts from a collection of datasets
where each comes from a distinct network environment. Each dataset is split into benign and malicious parts, and , with
The malicious side is further decomposed by attack class:
A central design rule is that benign samples used for both training and evaluation should come from the same origin network. Training and evaluation contexts are represented as
and a context is written
This formalization is used to define 10 distinct context types, of which conventional same-dataset evaluation covers only the first two. The paper experimentally emphasizes type 1 as the baseline, type 4 for generalization to other networks and attack classes, and type 7 for extension by adding malicious samples from other networks.
XeNIDS operationalizes this model in four stages: Standardize, Isolate, Contextualize, and Cross-evaluate. Standardization is particularly important because NetFlow is modeled as
which means a flow record reflects not only communication behavior but also intrinsic network properties and exporter configuration. To reduce artifact learning, the framework sanitizes missing values, filters irrelevant traffic types, aligns features across datasets, avoids raw IPs and raw ports, and standardizes duration units. It recommends replacing raw IPs with internal/external indicators and mapping ports to IANA categories.
The experimental setup uses a common 12-feature set derived from NetFlow v9: source and destination IP address internal flags, source and destination port type, flow duration, flow direction, incoming bytes, outgoing bytes, total bytes, incoming packets, outgoing packets, and total packets. The reported classifier choice is Random Forest, selected because it consistently performs best in the tradeoff among detection quality, false positives, and training time. The default split is 80:20 for benign data and 80:20 for malicious data, and each experiment is repeated 5 times.
The results define the practical significance of the framework. In type 1, XeNIDS matches the state of the art with very high F1-scores and extremely low FPR in almost all cases. In type 4, performance drops substantially for many attacks from other datasets, revealing that strong same-dataset performance does not guarantee transferability. Yet cross-evaluation also reveals hidden generalization potential: the paper reports that UF-ToNIoT baseline detectors detect botnet attacks from other networks surprisingly well, and DDOS19 detectors generalize well to DoS attacks from other networks. In type 7, when malicious samples from other networks are added during training, performance often rises back near 99% while FPR remains stable and low. The authors interpret this as evidence that cross-evaluation can extend the detection surface at no additional labelling cost.
5. Related extensions of NIDS capability
Several adjacent papers do not use the exact name eX-NIDS, but they define nearby extension directions for NIDS. This suggests that the term sits within a broader research program that expands what a NIDS can localize, measure, or represent.
Localization of infected nodes is the concern of AGNOSCO, a bio-inspired mechanism designed as a complement to conventional NIDS (0805.0785). AGNOSCO assigns each network connection a pheromone value, updates it through confirmation packets for malicious traffic, and has autonomous agents follow pheromone trails until no outgoing connection exceeds the threshold 0. In the reported simulations with 75 nodes and 3 AGNOSCO cells, it took about 30–50 processing steps to identify all infected nodes, and a new infection was identified in at most 20 processing time steps. The system is positioned as lightweight, protocol-compatible, and limited to about 10 kB per connection.
Active probing for QoS-degrading attacks is the central idea of ACTIDS (Menahem et al., 2013). Instead of relying on production traffic alone, ACTIDS sends periodic probe packets and models Avg. Delay, Var. Delay, Avg. Hop Count, Var. Hop Count, and % Lost Probes. It is trained only on normal data and is therefore intended for zero-day attacks that degrade network QoS. On the reported evaluation, probe overhead ranges from 0.004% to 0.007% of link bandwidth; for partially disconnecting attacks, the paper reports TPR around 0.98, FPR 0.000, and average TtD about 46.5–49 seconds.
Packet-level representation learning appears in FastPacket, which argues that fixed statistical features from PCAPs are often insufficient and proposes hexadecimal encoding plus FastText-style character-level embeddings for raw packets (Jallad, 2022). The paper uses CIC-IDS-2017 in limited experiments and proposes pretraining on MAWI. It does not report full quantitative benchmark results; the contribution is instead a proposal to treat packet-based IDS as a pretraining problem with reusable embeddings.
Correlation-guided novelty detection is developed in the immune-inspired system of “An Immune Inspired Network Intrusion Detection System Utilising Correlation Context” (0910.3124). It combines intrusion alert correlation with danger-theory-inspired dendritic cells and T-cell partial matching. Prediction vertices in an attack graph are mapped into immune signals: PAMP when upgraded to an exploit vertex, Danger when changed to a hypothesised vertex, and Safe when deleted. The stated aim is not arbitrary zero-day discovery but packets containing novel variations of attacks covered by an existing signature base.
6. Adversarial robustness, protocol consistency, and deployment constraints
The broader eX-NIDS landscape is shaped by a persistent fact: explanation and evaluation do not eliminate the underlying fragility of NIDS under protocol ambiguity, adversarial evasion, or poor deployment choices.
At the protocol level, “Overlapping data in network protocols: bridging OS and NIDS reassembly gap” shows that IPv4, IPv6, and TCP reassembly mismatches remain a direct source of evasion and insertion attacks (Aubard et al., 30 Apr 2025). The paper formalizes overlap types with Allen’s interval algebra, states that overlap coverage is exhaustive if and only if all nine overlapping Allen relations are tested, and reports that all the tested NIDSes are still vulnerable to overlap-based evasion and insertion attacks. Aggregate inconsistency results are substantial: for IPv6, the paper reports Suricata: 9 inconsistent test cases, about 25%; Snort: 6 inconsistent test cases, about 17%; and Zeek: 28 inconsistent test cases, about 78%. A plausible implication is that any explainable or evaluative layer built above a NIDS inherits this lower-level correctness problem unless host/NIDS reassembly policies are aligned.
At the ML adversarial level, “Vulnerability Disclosure through Adaptive Black-Box Adversarial Attacks on NIDS” studies a strict black-box setting in which the attacker uses metadata sniffing, random-walk perturbations, side-channel monitoring, change-point detection, and causality analysis to identify sensitive features (Ennaji et al., 25 Jun 2025). The reported sensitive features are Duration, BytesPerSec, PktsPerSec, and TotPkts. Against a Random Forest target on CSE-CIC-IDS2018, the paper reports that accuracy drops from 99.25% to 48%, with precision from 97% to 48%, recall from 97% to 44%, and F1-score from 97% to 46%. This suggests that post-hoc explanation quality should not be confused with detector robustness.
A more general theoretical challenge is articulated in “Fixed Points in Cyber Space: Rethinking Optimal Evasion Attacks in the Age of AI-NIDS” (Witt et al., 2021). That paper argues that AI-NIDS should be analyzed as a coevolving multi-agent system rather than a fixed classifier under minimal-distance attacks. It introduces FAST for single-step arbitrary perturbations and CyberMARL for temporally extended attacker–defender dynamics, and hypothesizes Whitelisting Hell as a possible fixed point in which only narrow feature-flow subspaces are permitted. This is not an implementation claim about eX-NIDS itself, but it reframes the environment in which any next-generation or extended NIDS must operate.
Deployment remains equally important. The comparative study of Snort and Suricata argues that NIDS effectiveness depends not only on the engine but also on strategic placement of multi-sensor IDS in a WAN environment (Iyengar, 2020). Sensors should be placed at WAN links to branch offices, external network boundary, and remote access and intranet paths. The paper’s strongest operational implication is that optimal sensor placement matters as much as the detection engine, especially in WAN-connected, segmented, or remote-access-enabled environments. From a different angle, the modified Apriori framework for evasion-oriented NIDS auditing defines evasion as “any technique that modifies a visible attack into any other form in order to stay away from being detect” and treats rule-mining as a way to probe signature brittleness (Lahoti et al., 2014). This reinforces a recurring theme: explanation, evaluation, and deployment all remain constrained by the detector’s susceptibility to disagreement, drift, and bypass.
In that sense, eX-NIDS is best understood not as a single settled category but as a developing family of extensions to network intrusion detection. One branch makes malicious flow decisions interpretable through prompt augmentation and LLM-based explanation. Another formalizes how ML-NIDS should be cross-evaluated across networks and attack classes. The surrounding literature shows why these extensions matter: infected-node localization, active probing, packet-level representation learning, context-aware novelty detection, reassembly correctness, adversarial resilience, and sensor placement all shape whether a NIDS can be trusted, generalized, or operationally understood.