Think Fast: Real-Time IoT Intrusion Reasoning Using IDS and LLMs at the Edge Gateway
Saeid Jamshidi, Amin Nikanjam, Negar Shahabi, Kawser Wazed Nafi, Foutse Khomh, Samira Keivanpour, Rolando Herrero

TL;DR
This paper introduces a real-time IoT intrusion detection framework at the network edge that combines lightweight ML models with large language models to improve detection accuracy, interpretability, and operational efficiency.
Contribution
It presents a novel edge-centric IDS system integrating ML models with LLMs for enhanced security and interpretability in resource-constrained IoT environments.
Findings
Achieved up to 98% detection accuracy on real-world cyberattacks.
System provides human-readable threat analyses with low latency (<1.5 s).
Maintains low bandwidth (<1.2 kB) and energy consumption (<75 J).
Abstract
As the number of connected IoT devices continues to grow, securing these systems against cyber threats remains a major challenge, especially in environments with limited computational and energy resources. This paper presents an edge-centric Intrusion Detection System (IDS) framework that integrates lightweight machine learning (ML) based IDS models with pre-trained large language models (LLMs) to improve detection accuracy, semantic interpretability, and operational efficiency at the network edge. The system evaluates six ML-based IDS models: Decision Tree (DT), K-Nearest Neighbors (KNN), Random Forest (RF), Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and a hybrid CNN-LSTM model on low-power edge gateways, achieving accuracy up to 98 percent under real-world cyberattacks. For anomaly detection, the system transmits a compact and secure telemetry snapshot (for…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
