Realistic, large-scale, and well-labeled cybersecurity datasets are essential for training and evaluating Intrusion Detection Systems (IDS). However, they remain difficult to obtain due to privacy constraints, data sensitivity, and the cost of building controlled collection environments such as testbeds and cyber ranges. This paper investigates whether Large Language Models (LLMs) can operate as controlled knowledge-to-data engines for generating structured synthetic network traffic datasets suitable for IDS research. We propose a methodology that combines protocol documentation, attack semantics, and explicit statistical rules to condition LLMs without fine-tuning or access to raw samples. Using the AWID3 IEEE~802.11 benchmark as a demanding case study, we generate labeled datasets with four state-of-the-art LLMs and assess fidelity through a multi-level validation framework including global similarity metrics, per-feature distribution testing, structural comparison, and cross-domain classification. Results show that, under explicit constraints, LLM-generated datasets can closely approximate the statistical and structural characteristics of real network traffic, enabling gradient-boosting classifiers to achieve F1-scores up to 0.956 when evaluated on real samples. Overall, the findings suggest that constrained LLM-driven generation can facilitate on-demand IDS experimentation, providing a testbed-free, privacy-preserving alternative that overcomes the traditional bottlenecks of physical traffic collection and manual labeling.

翻译：真实、大规模且标注良好的网络安全数据集对于训练和评估入侵检测系统至关重要。然而，由于隐私限制、数据敏感性以及构建受控采集环境（如测试床和网络靶场）的成本高昂，此类数据集仍然难以获取。本文研究了大语言模型是否能够作为受控的“知识到数据”引擎，生成适用于IDS研究的结构化合成网络流量数据集。我们提出一种方法，该方法结合协议文档、攻击语义和明确的统计规则来约束大语言模型，而无需微调或访问原始样本。以AWID3 IEEE~802.11基准测试作为一项高要求案例研究，我们使用四种先进的大语言模型生成标注数据集，并通过一个多级验证框架（包括全局相似性度量、逐特征分布检验、结构比较和跨域分类）来评估其保真度。结果表明，在明确约束下，大语言模型生成的数据集能够紧密逼近真实网络流量的统计和结构特征，使得梯度提升分类器在真实样本上评估时F1分数最高可达0.956。总体而言，研究结果表明，受约束的大语言模型驱动生成能够促进按需的IDS实验，提供一种免测试床、保护隐私的替代方案，从而克服物理流量采集和手动标注的传统瓶颈。