Network Intrusion Detection: Evolution from Conventional Approaches to LLM Collaboration and Emerging Risks
Yaokai Feng, Kouichi Sakurai

TL;DR
This survey reviews the evolution of network intrusion detection systems from traditional methods to the integration of large language models, highlighting their benefits, challenges, and emerging risks in various environments.
Contribution
It systematically summarizes the current state, limitations, and recent advancements in LLM-based NIDS, providing a comprehensive overview of future research directions.
Findings
Signature-based IDSs remain relevant despite weaknesses.
NN-based detection faces deployment challenges.
LLMs are promising but have practical and security challenges.
Abstract
This survey systematizes the evolution of network intrusion detection systems (NIDS), from conventional methods such as signature-based and neural network (NN)-based approaches to recent integrations with large language models (LLMs). It clearly and concisely summarizes the current status, strengths, and limitations of conventional techniques, and explores the practical benefits of integrating LLMs into NIDS. Recent research on the application of LLMs to NIDS in diverse environments is reviewed, including conventional network infrastructures, autonomous vehicle environments and IoT environments. From this survey, readers will learn that: 1) the earliest methods, signature-based IDSs, continue to make significant contributions to modern systems, despite their well-known weaknesses; 2) NN-based detection, although considered promising and under development for more than two decades, and…
