Abstract
Traditional rule-based expert systems fail to detect unknown faults or zero-day attacks in cybersecurity environments. We propose a generative-AI-driven expert system combining rule-based reasoning with generative adversarial networks (GANs) and large language models (LLMs) to enable adaptive and explainable fault diagnosis. Experimental evaluation on benchmark intrusion detection datasets shows improved accuracy, reduced false positives, and high-quality diagnostic explanations.
Keywords
Expert system, generative AI, fault diagnosis, cybersecurity, GAN, LLM, explainability.
1. Introduction
Fault diagnosis in cybersecurity seeks to identify failures and attacks compromising system integrity. Rule-based expert systems [1] struggle with evolving threats due to rigid knowledge bases. Generative models can learn distributions of normal behavior and detect deviations, offering an adaptive mechanism for identifying new or zero-day faults [3,5]. We present an integrated expert system architecture leveraging generative AI to augment static rule reasoning.
2. Related Work
Expert systems like EMERALD [1] and Snort [2] use predefined rules. Kasimalla et al. [5] introduced F2GAN for detecting unknown anomalies in microgrids, while Zaboli et al. [6] applied conversational generative AI for anomaly detection in digital substations. These works motivate our integration of generative AI into fault diagnosis for cybersecurity.
3. Proposed Architecture.
3.1 System Overview
Our architecture combines:
- A Knowledge Base: predefined rules from security experts.
- A Generative Module: GANs trained on normal behaviors to generate synthetic anomalies.
- An Inference Engine: integrates rule matching and generative anomaly detection.
- An Explainability Layer: LLM-based diagnostics and recommendations.
3.2 Flowchart of the Proposed System
Here’s a conceptual flowchart:
3.3 Explainability Module
Uses a fine-tuned LLM to generate natural language explanations:
4. Experimental Setup
Datasets: CIC-IDS 2017, UNSW-NB15 [8].
Environment: Simulated enterprise network with injected misconfigurations and attack traffic.
Metrics: Detection accuracy, false positive rate, explanation clarity.
5. Results
6. Discussion
Our system significantly improves detection of unknown attacks by leveraging generative models, reducing false positives compared to static expert systems. Generated explanations using LLMs improved analyst trust and understanding, supporting human-in-the-loop workflows [7].
7. Conclusion
We proposed a generative-AI-driven expert system for adaptive, explainable cybersecurity fault diagnosis. Future work includes integrating reinforcement learning for automated response and exploring defenses against adversarial attacks targeting the generative module.
References
[1] Porras, P. A., et al. EMERALD: Event monitoring enabling responses to anomalous live disturbances. USENIX Security Symposium (1999).
[2] Roesch, M. Snort – lightweight intrusion detection for networks. LISA ’99.
[3] Goodfellow, I., et al. Generative adversarial networks. NeurIPS (2014).
[4] Cannady, J. Artificial neural networks for misuse detection. NISS Conference (1998).
[5] Kasimalla, S. R., et al. Deep learning–enabled system diagnosis in microgrids: A feature-feedback GAN approach. IEEE Access (2025). https://arxiv.org/abs/2505.01366
[6] Zaboli, A., et al. Leveraging conversational generative AI for anomaly detection in digital substations. arXiv preprint (2024). https://arxiv.org/abs/2411.16692
[7] Adebayo, A., et al. Generative AI revolution in cybersecurity: a comprehensive review. AI Review (2025). https://link.springer.com/article/10.1007/s10462-025-11285-9
[8] Moustafa, N., & Slay, J. UNSW-NB15: A comprehensive data set for network intrusion detection systems. MILCOM (2015).
Post a Comment