Attribution-Driven Explainable Intrusion Detection with Encoder-Based Large Language Models
This work addresses the need for interpretable intrusion detection in security-critical SDN environments, though it is incremental in applying existing attribution methods to LLMs.
The paper tackled the problem of improving transparency in intrusion detection using large language models (LLMs) for Software-Defined Networking, and the result showed that attribution analysis revealed model decisions driven by meaningful traffic patterns, aligning with established intrusion detection principles.
Software-Defined Networking (SDN) improves network flexibility but also increases the need for reliable and interpretable intrusion detection. Large Language Models (LLMs) have recently been explored for cybersecurity tasks due to their strong representation learning capabilities; however, their lack of transparency limits their practical adoption in security-critical environments. Understanding how LLMs make decisions is therefore essential. This paper presents an attribution-driven analysis of encoder-based LLMs for network intrusion detection using flow-level traffic features. Attribution analysis demonstrates that model decisions are driven by meaningful traffic behavior patterns, improving transparency and trust in transformer-based SDN intrusion detection. These patterns align with established intrusion detection principles, indicating that LLMs learn attack behavior from traffic dynamics. This work demonstrates the value of attribution methods for validating and trusting LLM-based security analysis.