Intelligent IoT Attack Detection Design via ODLLM with Feature Ranking-based Knowledge Base

Satvik Verma, Qun Wang, E. Wes Bethel

TL;DR

This work targets real-time IoT DDoS detection under edge resource and privacy constraints by deploying on-device large language models (ODLLMs) augmented with knowledge bases (KBs). It combines feature ranking via a Random Forest Regressor to identify attack-type discriminative features and constructs long and short KBs tailored to model capacity, enabling efficient yet accurate anomaly detection on edge devices. The approach is validated on the CICIoT 2023 dataset, showing high accuracy across DDoS types such as ICMP, UDP, TCP floods, and PSHACK floods, with medium-size models benefiting from both KB formats and small models achieving practicality through KB simplification embedded in prompts. The results demonstrate that carefully designed KBs, including a two-tier feature strategy, can bridge the gap between model capacity and resource constraints, paving the way for scalable and privacy-preserving edge-security solutions in IoT ecosystems.

Abstract

The widespread adoption of Internet of Things (IoT) devices has introduced significant cybersecurity challenges, particularly with the increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks. Traditional machine learning (ML) techniques often fall short in detecting such attacks due to the complexity of blended and evolving patterns. To address this, we propose a novel framework leveraging On-Device Large Language Models (ODLLMs) augmented with fine-tuning and knowledge base (KB) integration for intelligent IoT network attack detection. By implementing feature ranking techniques and constructing both long and short KBs tailored to model capacities, the proposed framework ensures efficient and accurate detection of DDoS attacks while overcoming computational and privacy limitations. Simulation results demonstrate that the optimized framework achieves superior accuracy across diverse attack types, especially when using compact models in edge computing environments. This work provides a scalable and secure solution for real-time IoT security, advancing the applicability of edge intelligence in cybersecurity.
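
The feature-ranking and two-tier KB idea described above, as an added sketch that is not the authors' code: a small pure-Python bagged forest of depth-1 regression trees stands in for the Random Forest Regressor, and the top-ranked features become a long KB (top 3) and a short KB (top 1). The feature names, the flows, the KB text layout and the cut-offs of 3 and 1 are all assumptions constructed for illustration; none come from the paper or from CICIoT 2023.

```python
import random

FEATURES = ["icmp", "rate", "psh_flag", "iat"]  # constructed names, not dataset columns

def make_flows(n=120, seed=1):
    rng = random.Random(seed)
    def flow(y):  # constructed flow; y: 1 = ICMP flood, 0 = benign
        return ({"icmp": float(y),                       # separates cleanly
                 "rate": rng.random() * 100 + 60 * y,    # partial overlap
                 "psh_flag": float(rng.random() < 0.5),  # noise
                 "iat": rng.random()}, y)                # noise
    return [flow(i % 2) for i in range(n)]

def sse(ys):
    mean = sum(ys) / len(ys) if ys else 0.0
    return sum((y - mean) ** 2 for y in ys)

def best_split(rows, feats):
    parent, best = sse([y for _, y in rows]), (None, 0.0)
    for f in feats:
        for t in {x[f] for x, _ in rows}:  # candidate thresholds
            gain = (parent - sse([y for x, y in rows if x[f] <= t])
                    - sse([y for x, y in rows if x[f] > t]))
            if gain > best[1]:
                best = (f, gain)
    return best  # (feature, squared-error reduction)

def rank_features(rows, trees=40, seed=7):
    """Bagged stumps on random 2-feature subsets; importance = error reduction."""
    rng, imp = random.Random(seed), dict.fromkeys(FEATURES, 0.0)
    for _ in range(trees):
        boot = [rows[int(rng.random() * len(rows))] for _ in rows]
        feats = sorted(FEATURES, key=lambda _: rng.random())[:2]
        f, gain = best_split(boot, feats)
        if f:
            imp[f] += gain
    total = sum(imp.values()) or 1.0
    return sorted(((f, v / total) for f, v in imp.items()), key=lambda p: -p[1])

def build_kb(ranking, rows, k):
    """KB text from the top-k features (assumed layout: per-class means)."""
    def mean(f, label):
        vals = [x[f] for x, y in rows if y == label]
        return sum(vals) / len(vals)
    return "\n".join(f"{f} (importance {s:.2f}): flood mean {mean(f, 1):.1f}, "
                     f"benign mean {mean(f, 0):.1f}" for f, s in ranking[:k])

if __name__ == "__main__":
    print(build_kb(rank_features(make_flows()), make_flows(), 3))
```

Calling `build_kb(ranking, flows, 1)` gives the short form, which is simply the first line of the long one and is small enough to embed directly in a prompt.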

Paper Structure

This paper contains 17 sections, 6 equations, 5 figures, 2 tables.

Figures (5)

  • Figure 1: System model.
  • Figure 2: Ranked features for DDoS ICMP Flood attack using Random Forest Regressor on the CIC IoT 2023 Dataset.
  • Figure 3: Ranked features for DDoS UDP Flood attack using Random Forest Regressor on the CIC IoT 2023 Dataset.
  • Figure 4: Ranked features for DDoS TCP Flood attack using Random Forest Regressor on the CIC IoT 2023 Dataset.
  • Figure 5: Ranked features for DDoS PSHACK Flood attack using Random Forest Regressor on the CIC IoT 2023 Dataset.