摘要: 当前网络异常入侵检测多依赖黑箱模型，缺乏可解释性，难以支持工程师快速理解告警原因并及时响应，从而严重制约了系统的安全防护效率。为此，本文提出一种融合大语言模型的可信网络异常入侵检测方法。该方法首先使用XGBoost对网络流量进行异常识别，并利用SHAP分析特征对判定结果的贡献，揭示模型决策依据；随后，借助大模型将检测结果与SHAP解释整合为自然语言报告，提供直观易读的告警说明与处置建议。实验结果表明，该方法在保持较高检测精度的同时显著提升了模型的可解释性与实际可操作性。

Abstract: Current network anomaly intrusion detection often relies on black-box models, which lack interpretability and hinder engineers’ ability to quickly understand alert causes and respond promptly, thereby severely limiting the efficiency of security protection systems. To address this issue, this paper proposes a trustworthy network anomaly intrusion detection method that integrates large language models. The approach first employs XGBoost to identify anomalies in network traffic and utilizes SHAP to analyze the contribution of features to the detection results, thereby revealing the decision-making basis of the model. Subsequently, a large language model is leveraged to integrate the detection results and SHAP explanations into a natural language report, providing intuitive and easily understandable alert descriptions along with actionable recommendations. Experimental results demonstrate that, while maintaining high detection accuracy, the proposed method significantly enhances model interpretability and practical usability.