Think Fast: Real-Time IoT Intrusion Reasoning Using IDS and LLMs at the Edge Gateway

Saeid Jamshidi, Amin Nikanjam, Negar Shahabi, Kawser Wazed Nafi, Foutse Khomh, Samira Keivanpour, Rolando Herrero

TL;DR

The paper addresses securing resource-constrained IoT edge gateways by integrating lightweight ML-based IDS with external LLMs to provide semantic, human-readable threat analyses and mitigations in real time. It introduces an edge-centric architecture where ML detectors run on the gateway, telemetry snapshots are securely transmitted to LLMs for reasoning via zero-shot, few-shot, and chain-of-thought strategies, and a constrained optimization ensures end-to-end latency, energy, and confidence thresholds are met. Across brute force, DoS, DDoS, and port scanning, GPT-4-turbo consistently delivers the strongest security reasoning and actionable mitigations, while classical ML backbones maintain efficiency and enable scalable edge deployment. The results demonstrate that the approach yields substantial interpretability gains with manageable resource overhead, offering a practical path to deploy AI-augmented IDS at the IoT edge and informing future work on on-device reasoning and federated edge security. This work thus advances real-time, interpretable, and scalable edge defenses for IoT ecosystems, balancing detection performance with practical hardware constraints.

Abstract

As the number of connected IoT devices continues to grow, securing these systems against cyber threats remains a major challenge, especially in environments with limited computational and energy resources. This paper presents an edge-centric Intrusion Detection System (IDS) framework that integrates lightweight machine learning (ML)-based IDS models with pre-trained large language models (LLMs) to improve detection accuracy, semantic interpretability, and operational efficiency at the network edge. The system evaluates six ML-based IDS models: Decision Tree (DT), K-Nearest Neighbors (KNN), Random Forest (RF), Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and a hybrid CNN-LSTM model on low-power edge gateways, achieving accuracy up to 98 percent under real-world cyberattacks. When an anomaly is detected, the system transmits a compact and secure telemetry snapshot (for example, CPU usage, memory usage, latency, and energy consumption) via low-bandwidth API calls to LLMs including GPT-4-turbo, DeepSeek V2, and LLaMA 3.5. These models use zero-shot, few-shot, and chain-of-thought reasoning to produce human-readable threat analyses and actionable mitigation recommendations. Evaluations across diverse attacks such as DoS, DDoS, brute force, and port scanning show that the system enhances interpretability while maintaining low latency (<1.5 s), minimal bandwidth usage (<1.2 kB per prompt), and energy efficiency (<75 J), demonstrating its practicality and scalability as an IDS solution for edge gateways.
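The gateway-side pipeline the summary describes, as an added illustration that is not the paper's code: a lightweight detector scores a traffic window, the gateway builds a compact integrity-tagged telemetry snapshot, a budget gate decides whether the snapshot is forwarded to an external LLM, and the prompt is assembled for the zero-shot, few-shot and chain-of-thought strategies and checked against the bandwidth bound. The 1.5 s, 1.2 kB and 75 J budgets are taken from the abstract; the decision-stump detector, the feature names, the HMAC key and the reading of the confidence threshold as a minimum detector confidence are assumptions made for this example.

```python
"""Edge-gateway IDS -> LLM hand-off, illustrative only (not the paper's code).
Budgets are from the abstract; detector rules, features, KEY and the meaning
of CONFIDENCE_THRESHOLD are assumptions made for this example."""
from __future__ import annotations
import hashlib, hmac, json
from dataclasses import dataclass

LATENCY_BUDGET_S = 1.5        # end-to-end latency bound (abstract)
PROMPT_BUDGET_BYTES = 1200    # <1.2 kB per prompt (abstract)
ENERGY_BUDGET_J = 75.0        # per-incident energy bound (abstract)
CONFIDENCE_THRESHOLD = 0.90   # assumed: minimum detector confidence to forward
KEY = b"gateway-llm-broker-shared-secret"  # assumed: provisioned at enrollment


@dataclass(frozen=True)
class Window:
    """Per-window features an on-gateway IDS could compute (constructed)."""
    syn_rate: float          # SYN/s seen from the busiest source
    distinct_dst_ports: int  # distinct destination ports hit by that source
    failed_logins: int       # failed authentication attempts in the window
    cpu_pct: float
    mem_pct: float
    rtt_ms: float            # gateway-to-cloud round trip
    energy_j: float          # energy consumed during the window


def detect(w: Window) -> tuple[str, float]:
    """Stand-in for the ML backbone (DT/RF/... in the paper): a chain of
    decision stumps returning (label, confidence). Thresholds are invented."""
    if w.failed_logins >= 20:
        return "brute_force", min(1.0, 0.6 + w.failed_logins / 100)
    if w.distinct_dst_ports >= 50:
        return "port_scan", min(1.0, 0.5 + w.distinct_dst_ports / 200)
    if w.syn_rate >= 500:
        return "dos", min(1.0, 0.5 + w.syn_rate / 2000)
    return "benign", 0.99


def _canon(body: dict) -> bytes:
    """Canonical JSON so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_snapshot(w: Window, label: str, conf: float) -> dict:
    """Compact telemetry snapshot with an HMAC-SHA256 tag. Only numeric
    summaries leave the gateway: no payloads or usernames, so attacker-
    controlled text never reaches the prompt and device data stays at the edge."""
    body = {"label": label, "conf": round(conf, 3), "cpu": w.cpu_pct,
            "mem": w.mem_pct, "rtt_ms": w.rtt_ms, "energy_j": w.energy_j,
            "syn_rate": w.syn_rate, "ports": w.distinct_dst_ports,
            "failed_logins": w.failed_logins}
    tag = hmac.new(KEY, _canon(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_snapshot(snap: dict) -> bool:
    """Receiver-side check that the snapshot was not altered in transit."""
    expected = hmac.new(KEY, _canon(snap["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, snap["tag"])


def should_forward(label: str, conf: float, est_latency_s: float,
                   energy_j: float) -> tuple[bool, str]:
    """Budget gate: call the LLM only for a confident anomaly whose handling
    still fits the latency and energy bounds."""
    if label == "benign":
        return False, "no anomaly"
    if conf < CONFIDENCE_THRESHOLD:
        return False, "confidence below threshold"
    if est_latency_s > LATENCY_BUDGET_S:
        return False, "latency budget exceeded"
    if energy_j > ENERGY_BUDGET_J:
        return False, "energy budget exceeded"
    return True, "ok"


FEW_SHOT_EXAMPLE = ('Example: {"label":"dos","syn_rate":2400.0,"ports":1,'
                    '"failed_logins":0} -> SYN flood from one source; mitigation: '
                    "rate-limit SYNs, enable SYN cookies, block the source.")


def build_prompt(snap: dict, strategy: str = "zero_shot") -> str:
    """Prompt for the three strategies named in the paper. Telemetry is
    embedded as JSON data, not free text, to keep the injection surface small."""
    parts = ["You assist an IoT edge gateway IDS. From the telemetry JSON, name "
             "the attack class, cite the evidence, and list mitigations the "
             "gateway itself can apply."]
    if strategy == "few_shot":
        parts.append(FEW_SHOT_EXAMPLE)
    elif strategy == "cot":
        parts.append("Reason step by step, then give a final verdict.")
    parts.append("Telemetry: " + json.dumps(snap["body"], separators=(",", ":")))
    return "\n".join(parts)


def run_pipeline(w: Window, est_llm_latency_s: float = 0.9, strategy: str = "cot") -> dict:
    """One window through detect -> snapshot -> gate -> prompt."""
    label, conf = detect(w)
    snap = make_snapshot(w, label, conf)
    # assumed latency model: network RTT plus the LLM's typical response time
    forward, reason = should_forward(label, conf, w.rtt_ms / 1000 + est_llm_latency_s, w.energy_j)
    prompt = build_prompt(snap, strategy) if forward else ""
    return {"label": label, "conf": conf, "forward": forward, "reason": reason,
            "snapshot": snap, "prompt": prompt, "prompt_bytes": len(prompt.encode()),
            "within_bandwidth": len(prompt.encode()) <= PROMPT_BUDGET_BYTES}


if __name__ == "__main__":
    # constructed sample window: credential guessing against a device login
    brute = Window(syn_rate=12.0, distinct_dst_ports=2, failed_logins=45,
                   cpu_pct=61.0, mem_pct=48.0, rtt_ms=12.0, energy_j=40.0)
    print(json.dumps(run_pipeline(brute), indent=1))
```

The gate is where the constrained optimization from the summary lives in practice: a benign window never leaves the gateway, a low-confidence port-scan verdict is held back rather than spending a round trip on it, and a window that has already burned the energy budget is logged locally instead of forwarded. The HMAC tag only gives integrity; confidentiality of the snapshot in transit is left to the API's TLS channel.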

Paper Structure

This paper contains 52 sections, 33 equations, 15 figures, 9 tables, and 1 algorithm.

Figures (15)

  • Figure 1: IoT-edge testbed topology.
  • Figure 2: Security reasoning performance under brute-force.
  • Figure 3: Resource usage under brute-force.
  • Figure 4: Security and reasoning quality under DoS.
  • Figure 5: Resource usage under DoS.
  • ...and 10 more figures