INVARLLM: LLM-assisted Physical Invariant Extraction for Cyber-Physical Systems Anomaly Detection
Danial Abshari, Peiran Shi, Chenglong Fu, Meera Sridhar, Xiaojiang Du

TL;DR
INVARLLM leverages large language models to extract and validate physical invariants from CPS documentation, significantly improving anomaly detection accuracy and reliability in cyber-physical systems.
Contribution
This work introduces a hybrid LLM-based framework that combines semantic invariant extraction with empirical validation for enhanced CPS anomaly detection.
Findings
Achieved 100% precision in anomaly detection on SWaT and WADI datasets.
Outperformed existing methods in CPS security anomaly detection.
Provided a scalable approach combining semantic understanding with statistical validation.
Abstract
Cyber-Physical Systems (CPS) are vulnerable to cyber-physical attacks that violate physical laws. While invariant-based anomaly detection is effective, existing methods are limited: data-driven approaches lack semantic context, and physics-based models require extensive manual work. We propose INVARLLM, a hybrid framework that uses large language models (LLMs) to extract semantic information from CPS documentation and generate physical invariants, then validates these against real system data using a PCMCI+-inspired K-means method. This approach combines LLM semantic understanding with empirical validation to ensure both interpretability and reliability. We evaluate INVARLLM on SWaT and WADI datasets, achieving 100% precision in anomaly detection with no false alarms, outperforming all existing methods. Our results demonstrate that integrating LLM-derived semantics with statistical…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
