Existing signature-based intrusion detection systems (IDS) suffer from delayed rule updates and sluggish threat response. To address this, we propose the first autonomous agent-based framework for IDS rule generation, leveraging large language models (LLMs) to automatically parse semantic content from raw network threat intelligence and generate executable Snort and YARA rules. The framework incorporates multi-stage formal verification and an expert feedback loop to ensure correctness and operational relevance. Empirical evaluation demonstrates a substantial reduction in rule delivery latency, with an average accuracy of 95% and 84% inter-analyst agreement on rule effectiveness, as validated by multiple cybersecurity analysts. Our core contribution lies in pioneering the integration of LLM-driven autonomous agents into the end-to-end IDS rule generation pipeline—enabling verifiable, deployable, and adaptive rule evolution without manual intervention.

Signature-based Intrusion Detection Systems (IDS) detect malicious activities by matching network or host activity against predefined rules. These rules are derived from extensive Cyber Threat Intelligence (CTI), which includes attack signatures and behavioral patterns obtained through automated tools and manual threat analysis, such as sandboxing. The CTI is then transformed into actionable rules for the IDS engine, enabling real-time detection and prevention. However, the constant evolution of cyber threats necessitates frequent rule updates, which delay deployment time and weaken overall security readiness. Recent advancements in agentic systems powered by Large Language Models (LLMs) offer the potential for autonomous IDS rule generation with internal evaluation. We introduce FALCON, an autonomous agentic framework that generates deployable IDS rules from CTI data in real-time and evaluates them using built-in multi-phased validators. To demonstrate versatility, we target both network (Snort) and host-based (YARA) mediums and construct a comprehensive dataset of IDS rules with their corresponding CTIs. Our evaluations indicate FALCON excels in automatic rule generation, with an average of 95% accuracy validated by qualitative evaluation with 84% inter-rater agreement among multiple cybersecurity analysts across all metrics. These results underscore the feasibility and effectiveness of LLM-driven data mining for real-time cyber threat mitigation.