LLM-based Continuous Intrusion Detection Framework for Next-Gen Networks
Frederic Adjewa, Moez Esseghir, Leila Merghem-Boulahia

TL;DR
This paper introduces an adaptive, transformer-based intrusion detection framework that detects and classifies emerging network attacks with high accuracy and continuously adapts to new threats in real time.
Contribution
It presents a novel framework combining transformer encoders and GMM clustering to detect and identify unknown attacks dynamically in network traffic.
Findings
Achieved 100% recall in malicious activity detection.
Maintained 95.6% accuracy in classifying known and unknown attacks.
Demonstrated adaptability to evolving network threats.
Abstract
In this paper, we present an adaptive framework designed for the continuous detection, identification and classification of emerging attacks in network traffic. The framework employs a transformer encoder architecture, which captures hidden patterns in a bidirectional manner to differentiate between malicious and legitimate traffic. Initially, the framework focuses on the accurate detection of malicious activities, achieving a perfect recall of 100% in distinguishing between attack and benign traffic. Subsequently, the system incrementally identifies unknown attack types by leveraging a Gaussian Mixture Model (GMM) to cluster features derived from high-dimensional BERT embeddings. This approach allows the framework to dynamically adjust its identification capabilities as new attack clusters are discovered, maintaining high detection accuracy. Even after integrating additional unknown…
Taxonomy
Topics: IPv6, Mobility, Handover, Networks, Security · Wireless Body Area Networks · Network Security and Intrusion Detection
