MA-IDS: Advanced Multi-Agent IoT Intrusion Detection System


MA-IDS: Multi-Agent RAG Framework for IoT Network Intrusion Detection with an Experience Library

Source: arXiv:2604.05458v1 (announce type: cross)

Abstract: Network Intrusion Detection Systems (NIDS) face important limitations. Signature-based methods are effective for known attack patterns, but they struggle to detect zero-day attacks and often miss modified variants of previously known attacks, while many machine learning approaches offer limited interpretability. These challenges become even more severe in IoT environments because of resource constraints and heterogeneous protocols. To address these issues, we propose MA-IDS, a Multi-Agent Intrusion Detection System that combines Large Language Models (LLMs) with Retrieval Augmented Generation (RAG) for reasoning-driven intrusion detection.

The proposed framework grounds LLM reasoning through a persistent, self-building Experience Library. Two specialized agents collaborate through a FAISS-based vector database:

  • Traffic Classification Agent: This agent retrieves past error rules before each inference, enhancing the accuracy of the detection process.
  • Error Analysis Agent: This agent converts misclassifications into human-readable detection rules stored for future retrieval, facilitating continual learning through external knowledge accumulation without modifying the underlying language model.
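The retrieve-then-store loop between the two agents can be sketched as follows. This is an added example, not code from the paper: a brute-force cosine search stands in for the FAISS index, `base_model` stands in for the frozen LLM, and the flow fields, the similarity threshold and the "Reconnaissance" label are assumptions made for illustration.

```python
import math
from collections import Counter

def embed(flow):
    # Constructed stand-in for an embedding model: coarse tokens of the flow.
    return Counter([f"proto={flow['proto']}", f"dport={flow['dport']}",
                    "pkts=" + ("low" if flow["pkts"] < 10 else "high"),
                    "bytes=" + ("low" if flow["bytes"] < 1000 else "high")])

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

class ExperienceLibrary:
    """Brute-force vector store; a stand-in for the FAISS index."""
    def __init__(self):
        self.entries = []                      # (vector, rule) pairs
    def add(self, flow, rule):
        self.entries.append((embed(flow), rule))
    def search(self, flow, k=2, min_sim=0.7):
        q = embed(flow)
        scored = sorted(((cosine(q, v), r) for v, r in self.entries),
                        key=lambda s: s[0], reverse=True)
        return [r for sim, r in scored[:k] if sim >= min_sim]

def base_model(flow):
    # Stand-in for the frozen zero-shot LLM; it is never retrained.
    return "Benign"

def classify(flow, lib):
    """Traffic Classification Agent: retrieve past error rules, then decide."""
    rules = lib.search(flow)
    if rules:
        return rules[0]["label"], rules[0]["text"]
    return base_model(flow), "no rule retrieved; model prior only"

def analyse_error(flow, predicted, truth, lib):
    """Error Analysis Agent: store a misclassification as a readable rule."""
    if predicted == truth:
        return None
    rule = {"label": truth,
            "text": f"Flow with protocol {flow['proto']} to port {flow['dport']} "
                    f"was misread as {predicted}; treat as {truth}."}
    lib.add(flow, rule)
    return rule

# Constructed sample flows (not taken from NF-BoT-IoT or NF-ToN-IoT).
TELNET_PROBE = {"proto": 6, "dport": 23, "pkts": 3, "bytes": 180}
TELNET_AGAIN = {"proto": 6, "dport": 23, "pkts": 4, "bytes": 220}
DNS_LOOKUP = {"proto": 17, "dport": 53, "pkts": 2, "bytes": 150}
```

Classifying `TELNET_PROBE` against an empty library, passing the miss to `analyse_error`, and then classifying `TELNET_AGAIN` shows the second flow labelled by the stored rule, while `DNS_LOOKUP` falls below the similarity threshold and is left to the model prior.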

MA-IDS was evaluated on the NF-BoT-IoT and NF-ToN-IoT benchmark datasets, where it achieved Macro F1-Scores of 89.75% and 85.22%, respectively. The zero-shot baselines scored 17% and 4.96% on the same datasets, so the Experience Library accounts for improvements of more than 72 and 80 percentage points, respectively.

These results are competitive with Support Vector Machine (SVM) methods while providing rule-level explanations for every classification decision. The explanations make the model more interpretable, so security analysts can see the reasoning behind each detection.

Conclusion

MA-IDS represents a promising advancement in the field of IoT network security. By integrating LLMs with a self-improving experience library, it addresses critical issues of interpretability and adaptability in intrusion detection systems. The ability to evolve through continual learning while providing explainable outputs positions MA-IDS as a forward-thinking solution to combat the complex landscape of IoT threats.

As IoT devices proliferate and cyber threats become increasingly sophisticated, frameworks like MA-IDS are essential in safeguarding networks. The combination of advanced retrieval methods and collaborative agents offers a robust framework for enhancing security measures in the rapidly evolving IoT environment.



Lazarus Omolua