入侵偵測系統的目的在於即時偵測潛在的系統入侵行為或網路安全事件,保護系統免受未經授權的訪問或破壞。傳統的入侵偵測系統監控環境中各種資訊,如:網路流量或系統活動日誌等,將之與攻擊資料庫或是固定的統計特徵進行匹配來偵測攻擊。然而,此機制僅適用於識別已知的攻擊,如病毒、蠕蟲、惡意軟體,對於資料庫中缺漏的攻擊紀錄或是新型態的網路攻擊模式,也就是零日攻擊,則無法妥善應對。另外,不論在特徵選擇或是閥值設定上,現有入侵偵測系統多需倚賴專家進行決策,此舉不但妨礙了系統自動化運作,也將導致防禦效果受限於人類過去的經驗,難以抵抗零日攻擊。 因此,本論文提出了應用跨模態語言模型的自適應零日入侵偵測系統 (ACM-IDS) 來滿足入侵偵測系統的兩大需求:抵禦零日攻擊以及免除人為介入。ACM-IDS 主要由兩個組件組成,基於圖的生成式模型和跨模態大型語言模型,前者將所獲取的網路流量以位元組級別轉換為圖,讓模型能分析到更細緻的資訊,並通過編碼及解碼的架構學習自適應的流量特徵,從而幫助系統有效地識別零日攻擊;而後者透過對網路封包重新編程,將網路流量映射到文字模態中,結合語言提示以及圖結構資訊作為大型語言模型的輸入,並透過與其問答來判斷流量是否異常。由於整個流程不需人為介入,因此 ACM-IDS 可以完全自動化運作。 最後,本論文提供一系列實驗數據來證實 ACM-IDS不但可以妥善防禦各種已知的攻擊,在面對缺乏攻擊情資的零日攻時,ACM-IDS 對比於其他現有入侵偵測系統有著更高的偵測準確率與更低的誤報率。除此之外,實驗數據亦表明了跨模態大型語言模型的使用不但能讓 ACM-IDS 實現全自動運作,更能大幅提升其偵測效率。因此,本論文所提出之 ACM-IDS 將是最有前景的入侵偵測系統。

Generally, Intrusion Detection Systems (IDSs) aim to detect system intrusion events and network security incidents, thereby protecting the system from unauthorized access or damage. To detect attacks, traditional IDSs compare various environmental information, such as network traffic and system logs, with attacking patterns in databases or predefined statistical features. However, this kind of mechanisms is only applicable to identify known attacks, such as viruses, worms, and malware. For the attacks which lack prior knowledge or belong to a new type of attacking patterns, also known as zero-day attacks, existing IDSs fail to identify them well. Moreover, existing IDSs require experts to select appropriate features or determine threshold values. Not only does it lead to the failure of automated operations, but defense effectiveness is also limited by human experience, thereby reducing the detection rate of zero-day attacks. Therefore, this thesis proposes an Adaptive Zero-day Intrusion Detection System applying Cross-modal Large Language Model (ACM-IDS) to meet two major requirements of IDS: detecting zero-day attacks and reducing human intervention. ACM-IDS is composed of two components, the graph-based generative model and the cross-modal large language model. The former converts network traffic into graphs at byte level which allows the model to apply more detailed information for analyzing. Moreover, exploiting an encoding and decoding architecture, it can derive adaptive traffic features to effectively identify zero-day attacks. The latter reprograms network packets, mapping network traffic into the text modality, combining language prompts and graph structure information as the input of the large language model, and then detects abnormal traffic by question-and-answer interactions. Since the entire process requires no human intervention, ACM-IDS can be operated automatically. Finally, this thesis provides a series of experiments to demonstrate that ACM-IDS not only properly defends against various known attacks but also achieves higher detection rate and lower false positive rates on zero-day attacks compared to other existing IDSs. The experiment results also show that the use of cross-modal large language models not only enables ACM-IDS to achieve fully automated operations but also significantly improves its detection performance. Therefore, the proposed ACM-IDS is the most promising Intrusion Detection System.

[1] J. An and S. Cho, "Variational autoencoder based anomaly detection using reconstruction probability," Special lecture on IE, vol. 2, no. 1, pp. 1-18, 2015.
[2] A. Arning, R. Agrawal, and P. Raghavan, "A Linear Method for Deviation Detection in Large Databases," in KDD, 1996, vol. 1141, no. 50, pp. 972-981.
[3] D. Barbara, N. Wu, and S. Jajodia, "Detecting novel network intrusions using bayes estimators," in Proceedings of the 2001 SIAM International Conference on Data Mining, 2001: SIAM, pp. 1-17.
[4] T. Bettencourt and J. Paulson. "How much does a data breach cost?" https://www.ibm.com/reports/data-breach (accessed.
[5] L. Bilge and T. Dumitraş, "Before we knew it: an empirical study of zero-day attacks in the real world," in Proceedings of the 2012 ACM conference on Computer and communications security, 2012, pp. 833-844.
[6] C. Chapman, Network performance and security: testing and analyzing using open source and low-cost tools. Syngress, 2016.
[7] Z. Chen, C. K. Yeo, B. S. Lee, and C. T. Lau, "Autoencoder-based network anomaly detection," in 2018 Wireless telecommunications symposium (WTS), 2018: IEEE, pp. 1-5.
[8] G. Cloud. "Cloud IDS overview " https://cloud.google.com/intrusion-detection-system/docs/overview (accessed.
[9] W. Cong, M. Ramezani, and M. Mahdavi, "On provable benefits of depth in training graph convolutional networks," Advances in Neural Information Processing Systems, vol. 34, pp. 9936-9949, 2021.
[10] C. De Stefano, C. Sansone, and M. Vento, "To reject or not to reject: that is the question-an answer in case of neural classifiers," IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), vol. 30, no. 1, pp. 84-94, 2000.
[11] K. A. ElDahshan, A. A. AlHabshy, and B. I. Hameed, "Meta-heuristic optimization algorithm-based hierarchical intrusion detection system," Computers, vol. 11, no. 12, p. 170, 2022.
[12] W. Elmasry, A. Akbulut, and A. H. Zaim, "Empirical study on multiclass classification‐based network intrusion detection," Computational Intelligence, vol. 35, no. 4, pp. 919-954, 2019.
[13] M. Goldstein and A. Dengel, "Histogram-based outlier score (hbos): A fast unsupervised anomaly detection algorithm," KI-2012: poster and demo track, vol. 1, pp. 59-63, 2012.
[14] Y. Guo, "A review of Machine Learning-based zero-day attack detection: Challenges and future directions," Computer communications, vol. 198, pp. 175-185, 2023.
[15] A. Halbouni, T. S. Gunawan, M. H. Habaebi, M. Halbouni, M. Kartiwi, and R. Ahmad, "CNN-LSTM: hybrid deep neural network for network intrusion detection system," IEEE Access, vol. 10, pp. 99837-99849, 2022.
[16] W. Hamilton, Z. Ying, and J. Leskovec, "Inductive representation learning on large graphs," Advances in neural information processing systems, vol. 30, 2017.
[17] S. Haikun, M. Jianliang and B. Ling, " The application on intrusion detection based on k-means cluster algorithm " International Forum on Information Technology and Applications, 2009, pp. 150-152.
[18] E. Hjelmvik. "What is a PCAP file?" https://www.netresec.com/?page=Blog&month=2022-10&post=What-is-a-PCAP-file (accessed.
[19] N. Kaloudi and J. Li, "The ai-based cyber threat landscape: A survey," ACM Computing Surveys (CSUR), vol. 53, no. 1, pp. 1-34, 2020.
[20] A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, "Survey of intrusion detection systems: techniques, datasets and challenges," Cybersecurity, vol. 2, no. 1, pp. 1-22, 2019.
[21] M. Liberato, "Secbert: Analyzing reports using bert-like models," University of Twente, 2022.
[22] N. Moustafa and J. Slay, "UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)," in 2015 military communications and information systems conference (MilCIS), 2015: IEEE, pp. 1-6.
[23] T. T. Nguyen and V. J. Reddi, "Deep reinforcement learning for cyber security," IEEE Transactions on Neural Networks and Learning Systems, vol. 34, no. 8, pp. 3779-3795, 2021.
[24] S. S. Panwar, Y. Raiwani, and L. S. Panwar, "An intrusion detection model for CICIDS-2017 dataset using machine learning algorithms," in 2022 International Conference on Advances in Computing, Communication and Materials (ICACCM), 2022: IEEE, pp. 1-10.
[25] E. W. Powers, D. J. Fincher, and J. Silber. "A deeper look at the business impacts of a cyberattack." https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-beneath-the-surface-infographic.pdf (accessed.
[26] S. Ramaswamy, R. Rastogi, and K. Shim, "Efficient algorithms for mining outliers from large data sets," in Proceedings of the 2000 ACM SIGMOD international conference on Management of data, 2000, pp. 427-438.
[27] H. Ringberg, A. Soule, J. Rexford, and C. Diot, "Sensitivity of PCA for traffic anomaly detection," in Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, 2007, pp. 109-120.
[28] R. C. Ripan et al., "An isolation forest learning based outlier detection approach for effectively classifying cyber anomalies," in Hybrid Intelligent Systems: 20th International Conference on Hybrid Intelligent Systems (HIS 2020), December 14-16, 2020, 2021: Springer, pp. 270-279.
[29] V. Roth, "Kernel fisher discriminants for outlier detection," Neural computation, vol. 18, no. 4, pp. 942-960, 2006.
[30] L. Ruff et al., "Deep one-class classification," in International conference on machine learning, 2018: PMLR, pp. 4393-4402.
[31] M. Sarhan, G. Kulatilleke, W. W. Lo, S. Layeghy, and M. Portmann, "Doc-nad: A hybrid deep one-class classifier for network anomaly detection," in 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW), 2023: IEEE, pp. 1-7.
[32] B. Schölkopf, J. C. Platt, J. Shawe-Taylor, A. J. Smola, and R. C. Williamson, "Estimating the support of a high-dimensional distribution," Neural computation, vol. 13, no. 7, pp. 1443-1471, 2001.
[33] L. Weng. "From Autoencoder to Beta-VAE." https://lilianweng.github.io/posts/2018-08-12-vae/ (accessed.
[34] Wikipedia. "Pointwise mutual information." https://en.wikipedia.org/wiki/Pointwise_mutual_information (accessed.
[35] D. Winder. "Google Confirms 97 Zero-Day Attacks And Points Finger At China For 12." https://www.forbes.com/sites/daveywinder/2024/03/27/google-confirms-97-zero-day-attacks-and-points-finger-at-china-for-12/ (accessed.
[36] L. Yang, A. Moubayed, and A. Shami, "MTH-IDS: A multitiered hybrid intrusion detection system for internet of vehicles," IEEE Internet of Things Journal, vol. 9, no. 1, pp. 616-632, 2021.