GRIDAI: Generating and Repairing Intrusion Detection Rules via Collaboration among Multiple LLM-based Agents

📅 2025-10-15
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing rule-based web intrusion detection systems suffer from rule redundancy and insufficient variant coverage because they neglect the semantic relationships between novel attacks and existing rules. To address this, we propose the first end-to-end large language model (LLM)-driven framework for automated rule generation and repair. Our approach employs a multi-agent collaboration mechanism that integrates attack-sample relationship identification, tool-augmented syntactic/semantic validation, incremental signature updating, and real-time feedback verification, enabling adaptive evolution of the rule set. Multiple specialized LLMs divide the work of attack-type classification, rule generation, and consistency checking, which mitigates hallucination while preserving accuracy and interpretability. Experiments on public and private datasets show that our method reduces rule redundancy by 38.7% on average, improves variant attack detection by 22.4%, achieves 91.3% accuracy in rule generation and repair, and generalizes better than baseline approaches.

📝 Abstract
Rule-based network intrusion detection systems play a crucial role in the real-time detection of Web attacks. However, most existing works primarily focus on automatically generating detection rules for new attacks, often overlooking the relationships between new attacks and existing rules, which leads to significant redundancy within the ever-expanding ruleset. To address this issue, we propose GRIDAI, a novel end-to-end framework for the automated Generation and Repair of Intrusion Detection rules through collaboration among multiple LLM-based agents. Unlike traditional methods, GRIDAI first assesses the nature of incoming attack samples. If the sample represents a new attack type, it is used to generate a new rule. Otherwise, the sample is identified as a variant of an attack already covered by an existing rule and used to repair the rule by updating the corresponding signature, thereby enhancing its generalization capability. Additionally, to mitigate syntactic and semantic errors in rules caused by LLM hallucinations, we incorporate a tool-based real-time validation mechanism and a representative attack sample maintained for each rule, enabling fully automated rule generation and repair. Comprehensive experiments were conducted on a public dataset containing seven types of attacks and a private dataset with 43 attack types. The results demonstrate that GRIDAI accurately identifies the relationships between new attack samples and existing rules, efficiently generates and repairs rules to handle new attacks and variants, and effectively mitigates the impact of LLM hallucinations.
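As an added illustration of the mechanism the abstract describes (this is example code written for this page, not GRIDAI's implementation), the script below keeps a representative attack sample with each rule and validates a candidate rule in two steps: a syntactic check (does the rule parse and does its regex compile?) and a semantic check (does it still fire on its representative sample?). It then triages an incoming sample as already covered, as a variant whose existing rule should be repaired, or as a new attack type that needs a new rule, and accepts a repaired rule only if it fires on every stored sample. The rule grammar, the sample requests and the `attack_type` argument (standing in for the verdict of a classifier agent, which is not modelled here) are constructed assumptions.

```python
"""
Tool-based validation of proposed detection rules against a representative
attack sample, in the spirit of the GRIDAI abstract. Added example, not the
paper's code; the rule grammar and all samples below are constructed.
"""
import re
from urllib.parse import unquote

# Constructed rule grammar (loosely Snort-like):
#   alert (sid:<int>; msg:"<text>"; type:<label>; pcre:"/<regex>/<flags>";)
_RULE_RE = re.compile(r'^alert\s*\((?P<body>.*)\)\s*$', re.S)
_OPT_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;"]+);')
_PCRE_RE = re.compile(r'^/(?P<re>.*)/(?P<flags>[i]*)$', re.S)


def normalize(request: str) -> str:
    """URL-decode twice so single- and double-encoded variants match alike."""
    return unquote(unquote(request))


def parse_rule(text: str) -> dict:
    """Syntactic validation: return the parsed rule or raise ValueError."""
    m = _RULE_RE.match(text.strip())
    if not m:
        raise ValueError("rule must have the form alert ( ...; )")
    opts = {}
    for key, value in _OPT_RE.findall(m.group("body")):
        # keep backslashes untouched: the pcre value is a regex
        opts[key] = value[1:-1] if value.startswith('"') else value.strip()
    missing = [k for k in ("sid", "msg", "type", "pcre") if k not in opts]
    if missing:
        raise ValueError(f"missing option(s): {', '.join(missing)}")
    if not opts["sid"].isdigit():
        raise ValueError("sid must be an integer")
    pm = _PCRE_RE.match(opts["pcre"])
    if not pm:
        raise ValueError("pcre must look like /regex/flags")
    try:
        regex = re.compile(pm.group("re"), re.I if "i" in pm.group("flags") else 0)
    except re.error as exc:
        raise ValueError(f"invalid regex in pcre: {exc}") from exc
    return {"sid": int(opts["sid"]), "msg": opts["msg"],
            "type": opts["type"], "regex": regex, "text": text}


def validate_rule(text: str, sample: str) -> tuple:
    """Syntax check, then semantic check: the rule must fire on the
    representative sample it is supposed to cover."""
    try:
        rule = parse_rule(text)
    except ValueError as exc:
        return False, f"syntax: {exc}"
    if not rule["regex"].search(normalize(sample)):
        return False, "semantic: rule does not match its representative sample"
    return True, "ok"


def triage_sample(sample: str, attack_type: str, rules: list) -> tuple:
    """Covered by an existing rule, a variant whose rule needs repair, or new.
    attack_type is assumed to come from a classifier agent (not modelled)."""
    decoded = normalize(sample)
    for rule in rules:
        if rule["regex"].search(decoded):
            return "covered", rule["sid"]
    for rule in rules:
        if rule["type"] == attack_type:
            return "repair", rule["sid"]
    return "generate", None


def repair_rule(old_text: str, new_text: str, samples: list) -> tuple:
    """Accept a repaired rule only if it keeps sid and msg and still fires on
    every representative sample (the original ones plus the new variant)."""
    old = parse_rule(old_text)
    try:
        new = parse_rule(new_text)
    except ValueError as exc:
        return False, f"syntax: {exc}"
    if (new["sid"], new["msg"]) != (old["sid"], old["msg"]):
        return False, "repair must keep sid and msg"
    missed = [s for s in samples if not new["regex"].search(normalize(s))]
    if missed:
        return False, f"semantic: repaired rule misses {len(missed)} sample(s)"
    return True, "ok"


# Constructed rule, its representative sample, and a variant it does not cover.
RULE_V1 = r'alert (sid:1001; msg:"path traversal"; type:path_traversal; pcre:"/\.\.\//";)'
RULE_V2 = r'alert (sid:1001; msg:"path traversal"; type:path_traversal; pcre:"/\.\.[\/\\]/";)'
SAMPLES = ["GET /static/../../etc/passwd"]
VARIANT = r"GET /static/..\..\windows\win.ini"

if __name__ == "__main__":
    rules = [parse_rule(RULE_V1)]
    print(validate_rule(RULE_V1, SAMPLES[0]))
    print(triage_sample(VARIANT, "path_traversal", rules))   # ('repair', 1001)
    print(repair_rule(RULE_V1, RULE_V2, SAMPLES + [VARIANT]))  # (True, 'ok')
```

The semantic check is what catches a hallucinated rule that parses cleanly but never matches the attack it was written for; the repair check is what stops an "improved" signature from silently dropping coverage of the samples the rule already handled.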
Problem

Research questions and friction points this paper is trying to address.

Automatically generating and repairing intrusion detection rules for network security
Reducing rule redundancy by identifying relationships between new and existing attacks
Mitigating LLM-induced syntactic and semantic errors in detection rules
Innovation

Methods, ideas, or system contributions that make the work stand out.

Multi-agent LLM collaboration for rule generation
Tool-based validation to reduce LLM hallucinations
Automated rule repair for existing attack variants
Authors
Jiarui Li, Harbin Institute of Technology, Shenzhen
Yuhan Chai, Guangzhou University
Lei Du, Pengcheng Laboratory
Chenyun Duan, Harbin Institute of Technology, Shenzhen
Hao Yan, Harbin Institute of Technology, Shenzhen
Zhaoquan Gu, Harbin Institute of Technology (Shenzhen), Cyberspace Security