Abstract
Network intrusion detection systems analyze network traffic to monitor and identify potential cyber threats. Recent research has primarily focused on enhancing detection performance using advanced deep-learning techniques, yet there is a notable gap in exploring the interpretability and transparency of these systems. Building upon advancements in large language models (LLMs) that enable reasoning-aware predictions, we propose integrating LLMs with conventional decision trees to jointly enhance interpretability, reasoning, and detection performance. Decision trees discover numerical patterns from input traffic features, which can be formulated as reasoning paths through tree traversal. These paths are then serialized into natural language descriptions and fed into LLMs to make final predictions, accompanied by detailed explanations. Such fusion strategy enables the strengths of both the numerical analysis capabilities of decision trees for pattern recognition and the embedded general logic in LLMs. Experimental results on a real-world network security dataset demonstrate multi-dimensional performance gains, even in scenarios with missing data features.