FALCON: Autonomous Cyber Threat Intelligence Mining with LLMs for IDS Rule Generation
Shaswata Mitra, Azim Bazarov, Martin Duclos, Sudip Mittal, Aritran Piplai, Md Rayhanur Rahman, Edward Zieglar, Shahram Rahimi

TL;DR
FALCON uses Large Language Models to autonomously generate and validate IDS rules from cyber threat intelligence data in real time, shortening the gap between a reported threat and a deployable detection.
Contribution
The paper introduces FALCON, an autonomous agentic framework that uses LLMs to generate and validate IDS rules from CTI data in real time, applicable to both network- and host-based systems.
Findings
Achieves 95% accuracy in rule generation
Demonstrates high inter-rater agreement (84%) among cybersecurity analysts
Validates effectiveness across multiple IDS platforms
Abstract
Signature-based Intrusion Detection Systems (IDS) detect malicious activity by matching network or host events against predefined rules. These rules are derived from extensive Cyber Threat Intelligence (CTI), which includes attack signatures and behavioral patterns obtained through automated tools and manual threat analysis such as sandboxing. The CTI is then transformed into actionable rules for the IDS engine, enabling real-time detection and prevention. However, the constant evolution of cyber threats requires frequent rule updates, which delay deployment and weaken overall security readiness. Recent advances in agentic systems powered by Large Language Models (LLMs) offer the potential for autonomous IDS rule generation with internal evaluation. We introduce FALCON, an autonomous agentic framework that generates deployable IDS rules from CTI data in real time and…
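The abstract describes the pipeline the paper automates: CTI indicators are turned into IDS rules, and each rule is checked before it is deployed. The following is an added example, not FALCON's code and not taken from the paper: a small generator that turns constructed CTI indicators into Suricata-style rules, plus a structural validator of the kind a practitioner would run on any machine-generated rule before loading it into the engine. The indicator types, the mapping from indicator type to Suricata sticky buffer, the sample indicators and the local SID range are all assumptions made for the example. It also shows a caveat specific to LLM- or CTI-driven generation: untrusted text copied into a content match must be escaped, or a crafted indicator can break out of the string and append options such as noalert that silence the rule.

```python
"""Generate Suricata-style rules from constructed CTI indicators and validate
them before deployment. Added example; not FALCON's code. Rule shape assumed:
action proto src sport -> dst dport (option; option; ...)
"""
import re

LOCAL_SID_START = 1_000_000  # assumed local-rule SID range (vendor SIDs sit below)

# Constructed indicators standing in for extracted CTI (not real threat data).
# The second one is adversarial: it tries to inject a 'noalert' option.
CTI_INDICATORS = [
    {"type": "dns_query", "value": "update.badexample.test", "ref": "report-42"},
    {"type": "http_user_agent", "value": 'Mozilla/4.0"; noalert; content:"x',
     "ref": "report-42"},
    {"type": "tls_sni", "value": "c2.badexample.test", "ref": "report-43"},
]

# Assumed mapping from indicator type to (app-layer protocol, sticky buffer).
BUFFERS = {
    "dns_query": ("dns", "dns.query"),
    "http_user_agent": ("http", "http.user_agent"),
    "tls_sni": ("tls", "tls.sni"),
}


def escape_content(value: str) -> str:
    """Escape ; " \\ inside a content string and hex-encode '|' (used for hex
    blocks), so CTI text cannot close the string and add rule options."""
    return re.sub(r'([;"\\])', r'\\\1', value).replace("|", "|7C|")


def generate_rule(ind: dict, sid: int, escape: bool = True) -> str:
    proto, buf = BUFFERS[ind["type"]]
    value = escape_content(ind["value"]) if escape else ind["value"]
    return (f'alert {proto} $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"CTI {ind["ref"]} {ind["type"]}"; {buf}; '
            f'content:"{value}"; nocase; classtype:trojan-activity; '
            f'sid:{sid}; rev:1;)')


HEADER_RE = re.compile(
    r'^(alert|drop|pass|reject)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+'
    r'(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def split_options(body: str) -> list:
    """Split the option body on ';' while honouring quotes and backslash escapes."""
    opts, cur, in_q, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == '"':
            cur.append(ch)
            in_q = not in_q
        elif ch == ";" and not in_q:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_q:
        raise ValueError("unbalanced quote in rule options")
    tail = "".join(cur).strip()
    return opts + ([tail] if tail else [])


def validate_rule(rule: str, seen_sids: set) -> list:
    """Return a list of problems; an empty list means the rule is deployable."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["header does not parse"]
    try:
        opts = split_options(m.group(8))
    except ValueError as e:
        return [str(e)]
    problems = []
    keys = [o.split(":", 1)[0] for o in opts]
    values = dict(o.split(":", 1) for o in opts if ":" in o)
    for req in ("msg", "sid", "rev"):
        if req not in keys:
            problems.append(f"missing {req}")
    if "content" not in keys and "pcre" not in keys:
        problems.append("no content/pcre match: rule would fire on every packet")
    if "noalert" in keys:
        problems.append("noalert present: rule would never raise an alert")
    if "sid" in keys:
        if not values["sid"].isdigit():
            problems.append("sid is not numeric")
        else:
            sid = int(values["sid"])
            if sid < LOCAL_SID_START:
                problems.append(f"sid {sid} collides with vendor range")
            if sid in seen_sids:
                problems.append(f"duplicate sid {sid}")
            seen_sids.add(sid)
    return problems


def build_ruleset(indicators=CTI_INDICATORS) -> list:
    """Generate one rule per indicator and pair it with its validation result."""
    seen, out = set(), []
    for i, ind in enumerate(indicators):
        rule = generate_rule(ind, LOCAL_SID_START + i)
        out.append((rule, validate_rule(rule, seen)))
    return out


if __name__ == "__main__":
    for rule, probs in build_ruleset():
        print("OK " if not probs else "BAD", rule, probs)
    print(validate_rule(generate_rule(CTI_INDICATORS[1], 1_000_001, escape=False), set()))
```

With escaping on, all three generated rules pass; with escaping off, the adversarial user-agent indicator produces a rule that parses cleanly but carries a noalert option, which the validator rejects. The same split_options parser is what lets the validator see the injected option at all: a naive split on ';' would mis-parse legitimate escaped content as well.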
