From Alerts to Intelligence: A Novel LLM-Aided Framework for Host-based Intrusion Detection

TL;DR

This paper introduces SHIELD, a novel LLM-based framework for host-based intrusion detection that improves accuracy and interpretability by integrating specialized techniques, addressing common challenges faced by traditional HIDS.

Contribution

The paper presents a customized LLM pipeline, SHIELD, which enhances HIDS by overcoming token limits and noise confusion through innovative methods like event-level MAE and DDA.

Findings

SHIELD outperforms five existing HIDS across three datasets.

The system achieves high detection accuracy and interpretability.

Extensive experiments validate the effectiveness of the proposed techniques.

Abstract

Host-based intrusion detection system (HIDS) is a key defense component to protect the organizations from advanced threats like Advanced Persistent Threats (APT). By analyzing the fine-grained logs with approaches like data provenance, HIDS has shown successes in capturing sophisticated attack traces. Despite the progresses embarked by the research community and industry, HIDS still frequently encounters backlash from their operators in the deployed environments, due to issues like high false-positive rate, inconsistent outcomes across environments and human-unfriendly detection results. Large Language Models (LLMs) have great potentials to advance the state of HIDS, given their extensive knowledge of attack techniques and their ability to detect anomalies through semantic analysis, anchored by recent studies. Yet, our preliminary analysis indicates that building an HIDS by naively prompting an LLM is unlikely to succeed. In this work, we explore the direction of building a customized LLM pipeline for HIDS and develop a system named SHIELD. SHIELD addresses challenges related to LLM's token limits, confusion of background noises, etc., by integrating a variety of techniques like event-level Masked Autoencoder (MAE) for attack window detection, attack evidence identification and expansion, Deterministic Data Augmentation (DDA) for profiling normal activities, and multi-purpose prompting that guides the LLM to conduct precise and interpretable attack investigations. Extensive experiments on three log datasets (DARPA-E3, NodLink-simulated-data and ATLASv2) show that SHIELD consistently achieves outstanding performance in comparison with 5 representative HIDS. These findings highlight the potential of LLMs as powerful tools for intrusion detection and pave the way for future research in this domain.