What problem does this paper attempt to address?

The main problems that this paper attempts to solve are the low detection accuracy, high false - positive rate, and lack of environmental adaptability faced by existing rule - based intrusion detection systems (PIDS) in actual deployments. Specifically: 1. **Low Detection Accuracy and High False - Positive Rate**: Existing rule - based PIDS are unable to adapt flexibly to different environments due to overly simple and general rules, resulting in detection results that are either too lax (generating a large number of false positives) or too strict (missing real attacks). For example, when dealing with "gray" nodes in cloud services (such as the IP addresses of FaaS platforms), these systems are unable to effectively distinguish between benign and malicious behaviors, leading to false positives or false negatives. 2. **Lack of Environmental Adaptability**: Traditional rule - based PIDS usually rely on static configurations and manual adjustments, and it is difficult to dynamically adjust rules according to the specific environment. This makes the system perform poorly in the face of complex and changeable network environments, especially in security operation centers (SOCs), where analysts need to spend a great deal of time manually configuring models. To solve these problems, the paper proposes a new rule - based PIDS named C APTAIN, which automatically adjusts the rule configuration by introducing adaptive parameters and the gradient - descent optimization algorithm, thereby improving detection accuracy and reducing the false - positive rate. Specifically, C APTAIN introduces three adaptive parameters: - **Label Initialization Parameter (A)**: Used to determine the initial labels of system entities. - **Label Propagation Rate Parameter (G)**: Used to adjust the impact of system events on labels. - **Alarm Generation Threshold Parameter (T)**: Used to adjust the alarm generation rules. Through these adaptive parameters, C APTAIN can automatically learn and optimize the rule configuration during the training process, thereby achieving more accurate detection and response. In addition, C APTAIN also retains the advantages of rule - based PIDS, such as being lightweight, having low latency, and being interpretable. ### Main Contributions of the Paper 1. **Proposing C APTAIN**: A rule - based PIDS that can automatically adjust rules, combining the advantages of traditional rule - based systems (lightweight, low latency, interpretability) and the adaptive capabilities of machine - learning systems. 2. **Designing a Differentiable Label Propagation Framework**: Transforming the rule - based PIDS into a differentiable function and using the gradient - descent algorithm to optimize the adaptive parameters, thereby reducing false positives. 3. **System Evaluation**: Evaluating the performance of C APTAIN in multiple scenarios, including the DARPA data set and the simulated - environment data set. The experimental results show that C APTAIN reduces false positives by more than 90% compared to traditional rule - based PIDS and performs well in terms of detection accuracy, runtime overhead, and latency. Through these improvements, C APTAIN aims to overcome the limitations of existing rule - based PIDS and provide a more flexible and accurate intrusion - detection solution.