Towards Explainable Network Intrusion Detection using Large Language Models
Paul R. B. Houssel, Priyanka Singh, Siamak Layeghy, Marius Portmann
arXiv - CS - Networking and Internet Architecture, published 2024-08-08 (arXiv:2408.04342)
Citations: 0
Abstract
Large Language Models (LLMs) have revolutionised natural language processing tasks, particularly as chat agents. However, their applicability to threat detection problems remains unclear. This paper examines the feasibility of employing LLMs as a Network Intrusion Detection System (NIDS), despite their high computational requirements, primarily for the sake of explainability. Furthermore, considerable resources have been invested in developing LLMs, and they may offer utility for NIDS. Current state-of-the-art NIDS rely on artificial benchmarking datasets, resulting in skewed performance when applied to real-world networking environments. Therefore, we compare the GPT-4 and LLama3 models against traditional architectures and transformer-based models to assess their ability to detect malicious NetFlows without depending on artificially skewed datasets, relying solely on the vast knowledge acquired during pre-training. Our results reveal that, although LLMs struggle with precise attack detection, they hold significant potential for a path towards explainable NIDS. Our preliminary exploration shows that LLMs are unfit for the detection of malicious NetFlows. Most promisingly, however, they exhibit significant potential as complementary agents in NIDS, particularly in providing explanations and aiding in threat response when integrated with Retrieval Augmented Generation (RAG) and function calling capabilities.