RLFE-IDS: A framework of Intrusion Detection System based on Retrieval Augmented Generation and Large Language Model

Abstract

Intrusion Detection Systems (IDS) play a critical role in network security as a key defense measure, often struggle to effectively handle unknown attacks or variations of known attacks. This challenge is exacerbated by the poor generalization of deep learning models. To enhance the adaptability of IDS, this article introduces an innovative framework called LLM-IDS, which explores the feasibility of leveraging Large Language Model (LLMs) for intrusion detection, due to its strong generalization capabilities. However, there is a significant difficulty in deploying LLMs. Moreover, since most LLMs are primarily designed for Natural Language Processing (NLP) tasks, significant differences arise when naively adapting them to intrusion detection tasks. To address them, this article introduces a novel framework called RLFE-IDS, comprising two key modules: Retrieval-Augmented Generation (RAG) and an embedding model called FE-Net. RAG employs a vector database to store network data alongside their corresponding vector representations. Based on the RAG framework, LLMs can be directly called through an Application Programming Interface (API), alleviating the difficulties in its deployment. The embedding model FE-Net, bridges the semantic gap between text data and network data. Upon receiving new network data, RLFE-IDS employs RAG to query the database for the most relevant network data, which is then fed into the LLM to classify. This article validates approach through experiments on four datasets, and deploys RLFE-IDS into the real network environment. Experiments show that the optimal accuracy of LLM-IDS is 99.36%, and that of RLFE-Net is 98.56%. The results demonstrate not only the feasibility of applying LLMs to intrusion detection, but also the robustness and superior performance of RLFE-IDS.