Research field: Software Development
Conference: International Conference on Availability, Reliability and Security
Traditional Intrusion Detection Systems mainly rely on rule-based mechanisms, which are limited in detecting unknown attack patterns and often result in false positives or false negatives. Deep packet inspection, although effective, demands significant computational resources as it requires processing large network traffic data volumes. Similarly, AI-based solutions frequently consume excessive resources, making them impractical for production environments, especially those with resource constraints or high-volume traffic patterns. In this paper, we propose and investigate a two-tier intrusion detection strategy, targeting an optimal balance between effective threat detection and resource efficiency. Our approach combines lightweight statistical monitoring for continuous anomaly detection with on-demand LLM-based traffic analysis, activating deep inspection only when necessary. We implement and evaluate two systems that enable centralized data collection among distributed containers, one for SDN-based environments utilizing the OpenFlow protocol and another for Kubernetes-based infrastructures utilizing Cilium-Hubble integration. Both systems initiate deep traffic analysis via LLMs only when statistical anomalies are detected, targeting low overhead while maintaining high detection accuracy. We demonstrate the efficiency of our approach through real-world attack scenarios, showing performance in detecting network-based attacks such as DDoS, port scans, and brute-force attempts.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Andorra |
| Site | Springer |
| Likes | 0 |