Rule-based network intrusion detection systems play a crucial role in the real-time detection of Web attacks. However, most existing works primarily focus on automatically generating detection rules for new attacks, often overlooking the relationships between new attacks and existing rules, which leads to significant redundancy within the ever-expanding ruleset. To address this issue, we propose GRIDAI, a novel end-to-end framework for the automated Generation and Repair of Intrusion Detection rules through collaboration among multiple LLM-based agents. Unlike traditional methods, GRIDAI first assesses the nature of incoming attack samples. If the sample represents a new attack type, it is used to generate a new rule. Otherwise, the sample is identified as a variant of an attack already covered by an existing rule and used to repair the rule by updating the corresponding signature, thereby enhancing its generalization capability. Additionally, to mitigate syntactic and semantic errors in rules caused by LLM hallucinations, we incorporate a tool-based real-time validation mechanism and a representative attack sample maintained for each rule, enabling fully automated rule generation and repair. Comprehensive experiments were conducted on a public dataset containing seven types of attacks and a private dataset with 43 attack types. The results demonstrate that GRIDAI accurately identifies the relationships between new attack samples and existing rules, efficiently generates and repairs rules to handle new attacks and variants, and effectively mitigates the impact of LLM hallucinations.
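The generate-or-repair decision and the validation step described above, shown as an added example that is not GRIDAI's own code: rules are plain regex signatures, the assessment agent is replaced by a type label assumed to arrive with each sample, and the LLM rule writer is replaced by a deterministic `propose` callback. What the example does show is the hallucination guard: every candidate signature must compile and must still match the rule's representative sample as well as the new variant, so a candidate that drops old coverage or is syntactically broken is rejected and the ruleset is left untouched. All rule names and attack payloads are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example (not GRIDAI's code): a minimal generate-or-repair loop with a
# tool-style validation step and one representative sample kept per rule.


@dataclass
class Rule:
    rule_id: str
    attack_type: str
    signature: str        # regex signature over the request text
    representative: str   # constructed sample kept with the rule; must stay matched after repair


@dataclass
class Sample:
    payload: str
    attack_type: str      # label assumed to come from the upstream assessment step


# propose(old_signature_or_None, samples_to_cover) -> candidate signature
Proposer = Callable[[Optional[str], List[str]], str]


def validate_candidate(signature: str, must_match: List[str]) -> bool:
    """Tool-style validation: the candidate must compile and match every listed sample."""
    try:
        rx = re.compile(signature)
    except re.error:
        return False
    return all(rx.search(s) is not None for s in must_match)


def process_sample(sample: Sample, ruleset: List[Rule], propose: Proposer) -> Tuple[str, Optional[Rule]]:
    """Returns (action, rule); action is covered, generated, repaired or rejected."""
    existing = next((r for r in ruleset if r.attack_type == sample.attack_type), None)
    if existing is None:
        # New attack type: generate a rule and keep the sample as its representative.
        candidate = propose(None, [sample.payload])
        if not validate_candidate(candidate, [sample.payload]):
            return "rejected", None
        rule = Rule(f"R{len(ruleset) + 1}", sample.attack_type, candidate, sample.payload)
        ruleset.append(rule)
        return "generated", rule
    if re.search(existing.signature, sample.payload):
        return "covered", existing
    # Variant of a covered attack: repair, regression-checked against the representative.
    required = [existing.representative, sample.payload]
    candidate = propose(existing.signature, required)
    if not validate_candidate(candidate, required):
        return "rejected", existing
    existing.signature = candidate
    return "repaired", existing


def alternation_propose(old: Optional[str], samples: List[str]) -> str:
    """Deterministic stand-in for the LLM writer: widen the signature by alternation."""
    new = re.escape(samples[-1])
    return new if old is None else f"(?:{old})|(?:{new})"


def drop_old_propose(old: Optional[str], samples: List[str]) -> str:
    """Faulty proposer that forgets the old signature; the representative check catches it."""
    return re.escape(samples[-1])


def run_demo(propose: Proposer) -> Tuple[List[str], List[Rule]]:
    """Feed three constructed samples through the loop and return the actions and ruleset."""
    ruleset = [Rule("R1", "sqli", r"'\s*OR\s*'1'\s*=\s*'1", "id=1' OR '1'='1")]
    samples = [
        Sample("id=1' OR '1'='1", "sqli"),            # already covered by R1
        Sample("id=1' oR '1'='1", "sqli"),            # case variant R1 misses -> repair
        Sample("GET /../../etc/passwd", "traversal"),  # no rule yet -> generate
    ]
    actions = [process_sample(s, ruleset, propose)[0] for s in samples]
    return actions, ruleset


if __name__ == "__main__":
    for name, p in [("alternation", alternation_propose), ("drop_old", drop_old_propose)]:
        acts, rules = run_demo(p)
        print(name, acts, [(r.rule_id, r.signature) for r in rules])
```

Running `run_demo` with `alternation_propose` yields covered, repaired, generated; with `drop_old_propose` the repair is rejected because the candidate no longer matches R1's representative sample, and a proposer returning an uncompilable pattern is rejected at the compile check, which is the role the representative sample and tool validation play in the framework.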