With the rapid growth of the Internet of Things (IoT), the number of connected devices has significantly increased, producing larger attack surfaces and more complex cyber attacks. Traditional intrusion detection systems (IDS) struggle to known attacks and unknown anomalies and provide clear explanations to security analysts on the findings of detection. This work proposes a hybrid intelligent IDS combining supervised and unsupervised machine learning while also integrating explanations through reasoning offered by large language models (LLM), as well as a conversational interface, RASA. The detection framework includes a Random Forest classifier to detect known attacks, while an Autoen- coder in PyTorch captures anomalous behaviors including human errors, then combines the two detections through a fusion mechanism to improve the com- bined detection accuracy. The malicious traffic flows are logged into an SQLite database for later temporal analysis, as well as for forensic investigation. Threat explanation and firewall rule automation happens through an open-source LLM (Gemma:2b-instruct through ollama), and RASA conducts a secure, context aware analyst interaction. Evaluation from the CICIDS2017 shows high detection accuracy, the ability to generate a timely response through automation, and better process for threat explanation. In conclusion, the framework proposed is a scalable, defendable, interpretable, and adaptive for IoT environments.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

LLM-Augmented Hybrid IDS Framework for IoT Networks with RASA-Based Analyst Interaction

  • Diya Prakash,
  • Sowmya Hardageri,
  • Animesh Giri,
  • Sharavana K

摘要

With the rapid growth of the Internet of Things (IoT), the number of connected devices has significantly increased, producing larger attack surfaces and more complex cyber attacks. Traditional intrusion detection systems (IDS) struggle to known attacks and unknown anomalies and provide clear explanations to security analysts on the findings of detection. This work proposes a hybrid intelligent IDS combining supervised and unsupervised machine learning while also integrating explanations through reasoning offered by large language models (LLM), as well as a conversational interface, RASA. The detection framework includes a Random Forest classifier to detect known attacks, while an Autoen- coder in PyTorch captures anomalous behaviors including human errors, then combines the two detections through a fusion mechanism to improve the com- bined detection accuracy. The malicious traffic flows are logged into an SQLite database for later temporal analysis, as well as for forensic investigation. Threat explanation and firewall rule automation happens through an open-source LLM (Gemma:2b-instruct through ollama), and RASA conducts a secure, context aware analyst interaction. Evaluation from the CICIDS2017 shows high detection accuracy, the ability to generate a timely response through automation, and better process for threat explanation. In conclusion, the framework proposed is a scalable, defendable, interpretable, and adaptive for IoT environments.