RuleMaster+: LLM-Based Automated Rule Generation Framework for Intrusion Detection Systems
Graphical Abstract
Abstract
Intrusion detection is vital for network security, but traditional intrusion detection systems (IDS) depend on complex, hand-written rules that require significant expertise and resources. The rise of large language models (LLMs) offers new possibilities, yet little research exists on applying LLMs to IDS rule generation, and existing general-purpose LLMs often fall short at this task. This paper presents RuleMaster, an LLM fine-tuned on a curated instruction dataset to automate IDS rule generation. Even for new attacks, as long as a proof-of-concept (PoC) for the attack is available, RuleMaster can generate effective IDS rules. Our evaluation shows that RuleMaster outperforms ChatGPT on rule generation tasks, as demonstrated by both win-rate evaluation and manual assessment. Furthermore, we refine RuleMaster into RuleMaster+, which not only generates IDS rules but also explains the generated rules and the PoC and provides corresponding defense recommendations. Our approach improves the quality and efficiency of rule writing, offering a new way to enhance IDS performance.