Flow-based intrusion detection systems (IDS) typically rely on statistical features extracted from network traffic. Recent fine-tuned LLMs, including instruction-tuned variants, can be adapted for security classification using lightweight, parameter-efficient methods. This paper studies binary flow-level intrusion detection (benign vs. attack) using supervised fine-tuning (SFT) and in-context learning (ICL), targeting practical deployment under limited compute. Each network flow is serialized into a compact instruction format that combines selected flow features with a concise connection log string, enabling a small decoder-only model to operate directly on realistic flow records. We adapt a 0.5B-parameter LLM via Low-Rank Adaptation (LoRA) and evaluate the accuracy–efficiency trade-off by varying LoRA rank and training data size. At inference time, we avoid free-form generation by scoring the conditional log-likelihood of the two label strings and calibrating a bias term on a validation set to control decision thresholds. Experiments on a balanced subset of a standard distributed denial-of-service (DDoS) benchmark show that LoRA-based SFT substantially improves over a zero-shot baseline, while pure ICL achieves strong performance with only a few labeled examples in the prompt. Combining LoRA adaptation with ICL yields the best results, reaching 91% accuracy and 90% macro-F1 on a 10k-flow test set. These findings indicate that small LLMs, paired with careful feature-to-text serialization and lightweight adaptation, can be viable components of flow-based IDS in resource-constrained settings.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Parameter-Efficient LLMs for Flow-Based Intrusion Detection

  • Mamdouh Muhammad,
  • Anton Wunsch,
  • Loui Al Sardy

摘要

Flow-based intrusion detection systems (IDS) typically rely on statistical features extracted from network traffic. Recent fine-tuned LLMs, including instruction-tuned variants, can be adapted for security classification using lightweight, parameter-efficient methods. This paper studies binary flow-level intrusion detection (benign vs. attack) using supervised fine-tuning (SFT) and in-context learning (ICL), targeting practical deployment under limited compute. Each network flow is serialized into a compact instruction format that combines selected flow features with a concise connection log string, enabling a small decoder-only model to operate directly on realistic flow records. We adapt a 0.5B-parameter LLM via Low-Rank Adaptation (LoRA) and evaluate the accuracy–efficiency trade-off by varying LoRA rank and training data size. At inference time, we avoid free-form generation by scoring the conditional log-likelihood of the two label strings and calibrating a bias term on a validation set to control decision thresholds. Experiments on a balanced subset of a standard distributed denial-of-service (DDoS) benchmark show that LoRA-based SFT substantially improves over a zero-shot baseline, while pure ICL achieves strong performance with only a few labeled examples in the prompt. Combining LoRA adaptation with ICL yields the best results, reaching 91% accuracy and 90% macro-F1 on a 10k-flow test set. These findings indicate that small LLMs, paired with careful feature-to-text serialization and lightweight adaptation, can be viable components of flow-based IDS in resource-constrained settings.