Lightweight LLMs for Network Attack Detection in IoT Networks
Piyumi Bhagya Sudasinghe, Kushan Sudheera Kalupahana Liyanage, Harsha S. Gardiyawasam Pussewalage

TL;DR
This paper explores lightweight, fine-tuned LLMs with retrieval augmentation for IoT network attack detection, achieving competitive known attack detection and promising zero-shot recognition of unseen threats.
Contribution
It introduces a novel approach combining structured-to-text conversion, QLoRA fine-tuning, and RAG to enable resource-efficient IoT attack detection with zero-shot capabilities.
Findings
QLoRA-tuned LLaMA-1B achieves 0.7124 F1-score on known attacks.
RAG enables 42.63% accuracy on unseen attack types without retraining.
The approach offers a practical, adaptable solution for resource-constrained IoT security.
Abstract
The rapid growth of Internet of Things (IoT) devices has increased the scale and diversity of cyberattacks, exposing limitations in traditional intrusion detection systems. Classical machine learning (ML) models such as Random Forest and Support Vector Machine perform well on known attacks but require retraining to detect unseen or zero-day threats. This study investigates lightweight decoder-only Large Language Models (LLMs) for IoT attack detection by integrating structured-to-text conversion, Quantized Low-Rank Adaptation (QLoRA) fine-tuning, and Retrieval-Augmented Generation (RAG). Network traffic features are transformed into compact natural-language prompts, enabling efficient adaptation under constrained hardware. Experiments on the CICIoT2023 dataset show that a QLoRA-tuned LLaMA-1B model achieves an F1-score of 0.7124, comparable to the Random Forest (RF) baseline (0.7159) for…
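An added sketch of the structured-to-text and retrieval steps the abstract describes; it is not code from the paper. The feature names, labels, sample flows, prompt wording and the nearest-neighbour retriever are all assumptions, since the page gives none of them, and the call to the fine-tuned model is left out.

```python
import math

# Assumed numeric feature names; the page does not list the paper's feature set.
NUMERIC = ("duration_s", "pkts_per_s", "syn_ratio", "avg_pkt_bytes")

# Constructed labelled flows standing in for the retrieval store.
KNOWLEDGE_BASE = [
    ({"proto": "TCP", "duration_s": 0.02, "pkts_per_s": 9500.0, "syn_ratio": 0.98, "avg_pkt_bytes": 54.0}, "syn_flood"),
    ({"proto": "UDP", "duration_s": 0.05, "pkts_per_s": 8700.0, "syn_ratio": 0.0, "avg_pkt_bytes": 512.0}, "udp_flood"),
    ({"proto": "TCP", "duration_s": 12.4, "pkts_per_s": 3.1, "syn_ratio": 0.05, "avg_pkt_bytes": 410.0}, "benign"),
]


def flow_to_text(flow):
    """Render one flow record as a compact, fixed-order sentence."""
    return (f"{flow['proto']} flow, {flow['duration_s']:.2f}s, "
            f"{flow['pkts_per_s']:.0f} pkt/s, SYN ratio {flow['syn_ratio']:.2f}, "
            f"mean packet {flow['avg_pkt_bytes']:.0f} B")


def _vector(flow):
    # log1p compresses heavy-tailed rates so one feature does not dominate distance.
    return [math.log1p(float(flow[name])) for name in NUMERIC]


def retrieve(flow, store, k=2):
    """Return the k labelled flows nearest to `flow` (Euclidean, log-scaled)."""
    query = _vector(flow)
    return sorted(store, key=lambda item: math.dist(query, _vector(item[0])))[:k]


def build_prompt(flow, store, k=2):
    """Assemble the retrieval-augmented prompt that would be sent to the model."""
    lines = ["Classify the IoT network flow. Labelled reference flows:"]
    for ref, label in retrieve(flow, store, k):
        lines.append(f"- {flow_to_text(ref)} -> {label}")
    lines.append(f"Flow to classify: {flow_to_text(flow)}")
    lines.append("Label:")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = {"proto": "TCP", "duration_s": 0.03, "pkts_per_s": 9100.0, "syn_ratio": 0.95, "avg_pkt_bytes": 60.0}
    print(build_prompt(sample, KNOWLEDGE_BASE))
```

Appending one labelled record to the store changes the context retrieved for similar flows, which is the route by which a new attack type can be surfaced without touching model weights.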
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Spam and Phishing Detection
