IDS-Agent: An LLM Agent for Explainable Intrusion Detection in IoT Networks

Abstract

Emerging threats to IoT networks have accelerated the development of intrusion detection systems (IDSs), characterized by a shift from traditional approaches based on attack signatures or anomaly detection to approaches based on machine learning (ML). However, current ML-based IDSs often fail to explicitly integrate domain knowledge, lack explainability, and struggle to address zero-day attacks. In this paper, we propose \texttt{IDS-Agent}, the first AI agent powered by large language models (LLMs) for intrusion detection. \texttt{IDS-Agent} predicts whether an input network flow is benign or malicious and explains its prediction. The workflow of \texttt{IDS-Agent} is a sequence of actions generated by its core LLM, which reasons over the observed state before choosing each action. The action space of \texttt{IDS-Agent} includes data extraction and preprocessing, classification, knowledge and memory retrieval, and results aggregation; these actions are executed by a rich set of tools, most of them specialized for intrusion detection. Furthermore, \texttt{IDS-Agent} is equipped with a memory and knowledge base that retains information from the current and previous sessions, along with IDS-related documents, enhancing its reasoning and action generation capabilities. The system prompts of \texttt{IDS-Agent} can be easily customized to adjust detection sensitivity or to identify previously unknown types of attacks. In our experiments, we demonstrate the strong detection capabilities of \texttt{IDS-Agent} compared with ML-based IDSs and an LLM-based IDS that relies on prompt engineering. \texttt{IDS-Agent} outperforms these SOTA baselines on the ACI-IoT and CIC-IoT benchmarks, with detection F1 scores of 0.97 and 0.75, respectively. \texttt{IDS-Agent} also achieves a recall of 0.61 in detecting zero-day attacks, outperforming previous approaches specially designed for this task.
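To make the action loop described in the abstract concrete, here is an added illustration in Python; it is not the paper's code, and it makes several stand-in assumptions: a rule-based planner takes the place of the core LLM, two threshold rules stand in for the ML classifiers, the memory is a small nearest-neighbour store, the flow records and memory labels are constructed, and the aggregation threshold plays the role of the abstract's adjustable detection sensitivity.

```python
"""Minimal IDS-Agent-style action loop (added illustration, not the paper's code).

Stand-ins: plan() replaces the LLM planner, two toy rules replace ML classifiers,
and MEMORY is a constructed store of previously labelled flows.
"""

# Constructed raw flow records (not taken from ACI-IoT or CIC-IoT).
RAW_FLOWS = {
    "f1": {"pkts": 12, "bytes": 900, "duration": 2.0, "dst_port": 443, "syn_ratio": 0.1},
    "f2": {"pkts": 400, "bytes": 24000, "duration": 0.5, "dst_port": 23, "syn_ratio": 0.95},
    "f3": {"pkts": 300, "bytes": 4500, "duration": 1.0, "dst_port": 80, "syn_ratio": 0.2},
}

# Constructed memory of (feature vector, label) pairs from "previous sessions".
MEMORY = [
    ({"pkt_rate": 6.0, "avg_pkt": 75.0, "syn_ratio": 0.1, "telnet": 0}, "benign"),
    ({"pkt_rate": 800.0, "avg_pkt": 60.0, "syn_ratio": 0.9, "telnet": 1}, "malicious"),
]


def extract(raw):
    """Action: data extraction and preprocessing into a fixed feature dict."""
    dur = max(raw["duration"], 1e-3)
    return {
        "pkt_rate": raw["pkts"] / dur,
        "avg_pkt": raw["bytes"] / max(raw["pkts"], 1),
        "syn_ratio": raw["syn_ratio"],
        "telnet": 1 if raw["dst_port"] == 23 else 0,
    }


# Toy classifiers standing in for trained ML models (assumed thresholds).
CLASSIFIERS = {
    "rate_model": lambda f: "malicious" if f["pkt_rate"] > 200 else "benign",
    "syn_model": lambda f: "malicious" if f["syn_ratio"] > 0.7 else "benign",
}


def retrieve_memory(f, memory, k=1):
    """Action: k nearest labelled flows from memory, features scaled per column."""
    scale = {key: max(abs(m[key]) for m, _ in memory) or 1.0 for key in f}

    def dist(a, b):
        return sum(((a[key] - b[key]) / scale[key]) ** 2 for key in a) ** 0.5

    return sorted((dist(f, m), label) for m, label in memory)[:k]


def aggregate(votes, neighbours, sensitivity):
    """Action: combine classifier votes and memory neighbours into a verdict.

    sensitivity is the fraction of malicious votes needed to raise an alert;
    lowering it makes the agent more eager to flag traffic.
    """
    labels = list(votes.values()) + [label for _, label in neighbours]
    score = sum(v == "malicious" for v in labels) / len(labels)
    verdict = "malicious" if score >= sensitivity else "benign"
    reasons = [f"{name} -> {v}" for name, v in votes.items()]
    reasons += [f"memory neighbour (dist {d:.2f}) -> {lab}" for d, lab in neighbours]
    return verdict, score, "; ".join(reasons)


def plan(state):
    """Stand-in for LLM reasoning: choose the next action from the observed state.

    Returns None once the state holds a verdict, ending the episode.
    """
    for key, action in (("features", "extract"), ("votes", "classify"),
                        ("neighbours", "retrieve_memory"), ("verdict", "aggregate")):
        if key not in state:
            return action
    return None


def run_agent(flow_id, raw, memory, sensitivity=0.5):
    """Run the plan/act loop for one flow and retain the result in memory."""
    state = {"flow_id": flow_id, "raw": raw, "trace": []}
    while (action := plan(state)) is not None:
        state["trace"].append(action)
        if action == "extract":
            state["features"] = extract(raw)
        elif action == "classify":
            state["votes"] = {n: clf(state["features"]) for n, clf in CLASSIFIERS.items()}
        elif action == "retrieve_memory":
            state["neighbours"] = retrieve_memory(state["features"], memory)
        elif action == "aggregate":
            state["verdict"], state["score"], state["explanation"] = aggregate(
                state["votes"], state["neighbours"], sensitivity)
    # Retain this session's outcome so later flows can retrieve it.
    memory.append((state["features"], state["verdict"]))
    return state


if __name__ == "__main__":
    mem = list(MEMORY)
    for fid, raw in RAW_FLOWS.items():
        s = run_agent(fid, raw, mem)
        print(fid, s["verdict"], f"{s['score']:.2f}", "|", s["explanation"])
```

Flow f3 is the instructive case: one classifier and the memory disagree with the other classifier, so the verdict flips from benign to malicious purely by lowering the sensitivity threshold, which is the knob the abstract says the system prompt exposes. The explanation string lists every vote that went into the verdict, which is what makes the output auditable by an analyst.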

Cite

Text

Li et al. "IDS-Agent: An LLM Agent for Explainable Intrusion Detection in IoT Networks." NeurIPS 2024 Workshops: OWA, 2024.

Markdown

[Li et al. "IDS-Agent: An LLM Agent for Explainable Intrusion Detection in IoT Networks." NeurIPS 2024 Workshops: OWA, 2024.](https://mlanthology.org/neuripsw/2024/li2024neuripsw-idsagent/)

BibTeX

@inproceedings{li2024neuripsw-idsagent,
  title     = {{IDS-Agent: An LLM Agent for Explainable Intrusion Detection in IoT Networks}},
  author    = {Li, Yanjie and Xiang, Zhen and Bastian, Nathaniel D. and Song, Dawn and Li, Bo},
  booktitle = {NeurIPS 2024 Workshops: OWA},
  year      = {2024},
  url       = {https://mlanthology.org/neuripsw/2024/li2024neuripsw-idsagent/}
}