Paul R. B. Houssel, Priyanka Singh, Siamak Layeghy, Marius Portmann
{"title":"Towards Explainable Network Intrusion Detection using Large Language Models","authors":"Paul R. B. Houssel, Priyanka Singh, Siamak Layeghy, Marius Portmann","doi":"arxiv-2408.04342","DOIUrl":null,"url":null,"abstract":"Large Language Models (LLMs) have revolutionised natural language processing\ntasks, particularly as chat agents. However, their applicability to threat\ndetection problems remains unclear. This paper examines the feasibility of\nemploying LLMs as a Network Intrusion Detection System (NIDS), despite their\nhigh computational requirements, primarily for the sake of explainability.\nFurthermore, considerable resources have been invested in developing LLMs, and\nthey may offer utility for NIDS. Current state-of-the-art NIDS rely on\nartificial benchmarking datasets, resulting in skewed performance when applied\nto real-world networking environments. Therefore, we compare the GPT-4 and\nLLama3 models against traditional architectures and transformer-based models to\nassess their ability to detect malicious NetFlows without depending on\nartificially skewed datasets, but solely on their vast pre-trained acquired\nknowledge. Our results reveal that, although LLMs struggle with precise attack\ndetection, they hold significant potential for a path towards explainable NIDS.\nOur preliminary exploration shows that LLMs are unfit for the detection of\nMalicious NetFlows. Most promisingly, however, these exhibit significant\npotential as complementary agents in NIDS, particularly in providing\nexplanations and aiding in threat response when integrated with Retrieval\nAugmented Generation (RAG) and function calling capabilities.","PeriodicalId":501280,"journal":{"name":"arXiv - CS - Networking and Internet Architecture","volume":"78 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-08-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Networking and Internet Architecture","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2408.04342","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0
Abstract
Large Language Models (LLMs) have revolutionised natural language processing
tasks, particularly as chat agents. However, their applicability to threat
detection problems remains unclear. This paper examines the feasibility of
employing LLMs as a Network Intrusion Detection System (NIDS), despite their
high computational requirements, primarily for the sake of explainability.
Furthermore, considerable resources have been invested in developing LLMs, and
they may offer utility for NIDS. Current state-of-the-art NIDS rely on
artificial benchmarking datasets, resulting in skewed performance when applied
to real-world networking environments. Therefore, we compare the GPT-4 and
LLama3 models against traditional architectures and transformer-based models to
assess their ability to detect malicious NetFlows without depending on
artificially skewed datasets, but solely on their vast pre-trained acquired
knowledge. Our results reveal that, although LLMs struggle with precise attack
detection, they hold significant potential for a path towards explainable NIDS.
Our preliminary exploration shows that LLMs are unfit for the detection of
Malicious NetFlows. Most promisingly, however, these exhibit significant
potential as complementary agents in NIDS, particularly in providing
explanations and aiding in threat response when integrated with Retrieval
Augmented Generation (RAG) and function calling capabilities.