Evaluating Language Models For Threat Detection in IoT Security Logs
- URL: http://arxiv.org/abs/2507.02390v1
- Date: Thu, 03 Jul 2025 07:38:43 GMT
- Title: Evaluating Language Models For Threat Detection in IoT Security Logs
- Authors: Jorge J. Tejero-Fernández, Alfonso Sánchez-Macián
- Abstract summary: This paper presents a pipeline to use fine-tuned Large Language Models (LLMs) for anomaly detection and mitigation recommendation using IoT security logs. LLMs give better results on multi-class attack classification than the corresponding baseline models. By mapping detected threats to MITRE CAPEC, defining a set of IoT-specific mitigation actions, and fine-tuning the models with those actions, the models provide combined detection and recommendation guidance.
- Score: 0.5371337604556311
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Log analysis is a relevant research field in cybersecurity, as logs provide a source of information for detecting threats to networks and systems. This paper presents a pipeline that uses fine-tuned Large Language Models (LLMs) for anomaly detection and mitigation recommendation on IoT security logs. Using classical machine learning classifiers as a baseline, three open-source LLMs are compared for binary and multi-class anomaly detection under three strategies: zero-shot prompting, few-shot prompting, and fine-tuning on an IoT dataset. The LLMs give better results on multi-class attack classification than the corresponding baseline models. By mapping detected threats to MITRE CAPEC, defining a set of IoT-specific mitigation actions, and fine-tuning the models with those actions, the models provide combined detection and recommendation guidance.
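As a rough illustration of the zero-shot and few-shot prompting strategies compared in the paper (a minimal sketch, not the authors' exact pipeline), the Python snippet below asks an open-source instruction-tuned LLM to label a single IoT log line and then looks up an IoT-specific mitigation action. The model name, label set, prompt wording, and mitigation table are illustrative assumptions rather than details taken from the paper.

```python
# Hedged sketch: zero-shot vs. few-shot prompting of an open-source LLM to
# label one IoT log line, then a lookup of an IoT-specific mitigation action.
# Model name, labels, prompt wording, and mitigations are assumptions.
from transformers import pipeline

LABELS = ["benign", "ddos", "port_scan", "brute_force"]  # assumed label set

# The paper maps detected threats to MITRE CAPEC and IoT-specific mitigations;
# the entries below are placeholders for illustration only.
MITIGATIONS = {
    "ddos": "rate-limit the source and enable SYN cookies on the gateway",
    "port_scan": "block the scanning host at the IoT gateway firewall",
    "brute_force": "lock the account and rotate the device credentials",
    "benign": "no action required",
}

FEW_SHOT_EXAMPLES = (
    "Log: src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=S count=4821\n"
    "Label: port_scan\n"
    "Log: src=10.0.0.7 dst=10.0.0.1 proto=MQTT topic=sensors/temp qos=0\n"
    "Label: benign\n"
)

def build_prompt(log_line: str, few_shot: bool) -> str:
    header = ("Classify the following IoT security log entry as one of: "
              + ", ".join(LABELS) + ".\n")
    examples = FEW_SHOT_EXAMPLES if few_shot else ""  # zero-shot omits examples
    return f"{header}{examples}Log: {log_line}\nLabel:"

# Any locally available open-source instruction-tuned model works here.
generator = pipeline("text-generation", model="Qwen/Qwen2.5-0.5B-Instruct")

def classify(log_line: str, few_shot: bool = False) -> str:
    out = generator(build_prompt(log_line, few_shot),
                    max_new_tokens=5, do_sample=False)
    completion = out[0]["generated_text"].split("Label:")[-1].strip().lower()
    # Snap the free-text completion back onto the closed label set.
    return next((label for label in LABELS if label in completion), "unknown")

log = "src=192.168.1.12 dst=192.168.1.1 proto=TCP flags=S count=9732"
label = classify(log, few_shot=True)
print(label, "->", MITIGATIONS.get(label, "escalate to an analyst"))
```

The paper's third strategy replaces prompting with fine-tuning the same open-source models on the labeled IoT dataset and on the defined mitigation actions.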
Related papers
- A Survey on Model Extraction Attacks and Defenses for Large Language Models [55.60375624503877]
Model extraction attacks pose significant security threats to deployed language models. This survey provides a comprehensive taxonomy of extraction attacks and defenses, categorizing attacks into functionality extraction, training data extraction, and prompt-targeted attacks. We examine defense mechanisms organized into model protection, data privacy protection, and prompt-targeted strategies, evaluating their effectiveness across different deployment scenarios.
arXiv Detail & Related papers (2025-06-26T22:02:01Z)
- Robust Anomaly Detection in Network Traffic: Evaluating Machine Learning Models on CICIDS2017 [0.0]
We present a comparison of four representative models on the CICIDS 2017 dataset. The supervised and CNN models achieve near-perfect accuracy on familiar attacks but suffer drastic recall drops on novel attacks. The unsupervised LOF attains moderate overall accuracy and high recall on unknown threats, at the cost of elevated false alarms.
arXiv Detail & Related papers (2025-06-23T15:31:10Z)
- PL-Guard: Benchmarking Language Model Safety for Polish [43.39208658482427]
We introduce a manually annotated benchmark dataset for language model safety classification in Polish. We also create adversarially perturbed variants of these samples designed to challenge model robustness. We train these models using different combinations of annotated data and evaluate their performance, comparing it against publicly available guard models.
arXiv Detail & Related papers (2025-06-19T13:56:41Z)
- Backdoor Cleaning without External Guidance in MLLM Fine-tuning [76.82121084745785]
Believe Your Eyes (BYE) is a data filtering framework that leverages attention entropy patterns as self-supervised signals to identify and filter backdoor samples. It achieves near-zero attack success rates while maintaining clean-task performance.
arXiv Detail & Related papers (2025-05-22T17:11:58Z)
- Learning in Multiple Spaces: Few-Shot Network Attack Detection with Metric-Fused Prototypical Networks [47.18575262588692]
We propose a novel Multi-Space Prototypical Learning (MSPL) framework tailored for few-shot attack detection. By leveraging Polyak-averaged prototype generation, the framework stabilizes the learning process and effectively adapts to rare and zero-day attacks (a minimal sketch of this style of prototype update appears after this list). Experimental results on benchmark datasets demonstrate that MSPL outperforms traditional approaches in detecting low-profile and novel attack types.
arXiv Detail & Related papers (2024-12-28T00:09:46Z)
- Optimized IoT Intrusion Detection using Machine Learning Technique [0.0]
Intrusion detection systems (IDSs) are essential for defending against a variety of attacks. The functional and physical diversity of IoT IDSs causes significant issues. For anomaly-based IDS, this study proposes and implements a novel feature selection and extraction strategy.
arXiv Detail & Related papers (2024-12-03T21:23:54Z)
- Defending Large Language Models Against Attacks With Residual Stream Activation Analysis [0.0]
Large Language Models (LLMs) are vulnerable to adversarial threats. This paper presents an innovative defensive strategy, given white-box access to an LLM. We apply a novel methodology for analyzing distinctive activation patterns in the residual streams for attack prompt classification.
arXiv Detail & Related papers (2024-06-05T13:06:33Z)
- MEAOD: Model Extraction Attack against Object Detectors [45.817537875368956]
Model extraction attacks allow attackers to build a substitute model with functionality comparable to the victim model.
We propose an effective attack method called MEAOD for object detection models.
We achieve an extraction performance of over 70% under a 10k query budget.
arXiv Detail & Related papers (2023-12-22T13:28:50Z)
- Text generation for dataset augmentation in security classification tasks [55.70844429868403]
This study evaluates the application of natural language text generators to fill the labeled-data gap in multiple security-related text classification tasks.
We find substantial benefits for GPT-3 data augmentation strategies in situations with severe limitations on known positive-class samples.
arXiv Detail & Related papers (2023-10-22T22:25:14Z)
- IoTGeM: Generalizable Models for Behaviour-Based IoT Attack Detection [3.3772986620114387]
IoTGeM is an approach for modeling IoT network attacks that focuses on generalizability, yet also leads to better detection and performance. We build and test our models using strictly isolated train and test datasets. IoTGeM achieves F1 scores of 99% for ACK, HTTP, SYN, MHD, and PS attacks, as well as a 94% F1 score for UDP attacks.
arXiv Detail & Related papers (2023-10-17T21:46:43Z)
- Threat Detection for General Social Engineering Attack Using Machine Learning Techniques [7.553860996595933]
This paper explores threat detection for general Social Engineering (SE) attacks using Machine Learning (ML) techniques.
The experimental results and analyses show that: 1) ML techniques are feasible for detecting general SE attacks, and some ML models are quite effective; and 2) ML-based SE threat detection is complementary to KG-based approaches.
arXiv Detail & Related papers (2022-03-15T14:18:22Z)
- An Explainable Machine Learning-based Network Intrusion Detection System for Enabling Generalisability in Securing IoT Networks [0.0]
Machine Learning (ML)-based network intrusion detection systems bring many benefits for enhancing the security posture of an organisation.
Many systems have been designed and developed in the research community, often achieving a perfect detection rate when evaluated using certain datasets.
This paper narrows this gap by evaluating the generalisability of a common feature set across different network environments and attack types.
arXiv Detail & Related papers (2021-04-15T00:44:45Z)
- Few-Shot Named Entity Recognition: A Comprehensive Study [92.40991050806544]
We investigate three schemes to improve the model generalization ability for few-shot settings.
We perform empirical comparisons on 10 public NER datasets with various proportions of labeled data.
We achieve new state-of-the-art results in both few-shot and training-free settings.
arXiv Detail & Related papers (2020-12-29T23:43:16Z)
- One-Shot Object Detection without Fine-Tuning [62.39210447209698]
We introduce a two-stage model consisting of a first-stage Matching-FCOS network and a second-stage Structure-Aware Relation Module.
We also propose novel training strategies that effectively improve detection performance.
Our method exceeds the state-of-the-art one-shot performance consistently on multiple datasets.
arXiv Detail & Related papers (2020-05-08T01:59:23Z)
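As referenced in the MSPL entry above, the short Python sketch below gives one plausible reading of Polyak-averaged prototype generation for few-shot attack detection: class prototypes are maintained as an exponential moving average of per-episode embedding means, and queries are assigned to the nearest prototype. The momentum value, embedding size, and the random stand-in embeddings are assumptions for illustration, not details from that paper.

```python
# Hedged sketch of Polyak-averaged (exponential moving average) prototypes,
# one plausible reading of the MSPL summary above; the momentum, embedding
# size, and random stand-in embeddings are illustrative assumptions.
import numpy as np

def update_prototypes(prototypes: dict, episode_embeddings: dict, momentum: float = 0.9) -> dict:
    """Blend each class prototype with the mean embedding of the current episode."""
    for label, embeddings in episode_embeddings.items():
        episode_mean = embeddings.mean(axis=0)
        if label not in prototypes:
            prototypes[label] = episode_mean  # first time this class is seen
        else:
            prototypes[label] = (momentum * prototypes[label]
                                 + (1.0 - momentum) * episode_mean)
    return prototypes

def classify(query_embedding: np.ndarray, prototypes: dict) -> str:
    """Assign the query to the nearest prototype by Euclidean distance."""
    return min(prototypes, key=lambda label: np.linalg.norm(query_embedding - prototypes[label]))

# Toy usage: random 16-dimensional embeddings stand in for a learned encoder.
rng = np.random.default_rng(0)
protos: dict = {}
for _ in range(5):  # five few-shot episodes
    episode = {"benign": rng.normal(0.0, 1.0, (4, 16)),
               "ddos": rng.normal(3.0, 1.0, (4, 16))}
    protos = update_prototypes(protos, episode)
print(classify(rng.normal(3.0, 1.0, 16), protos))  # expected: "ddos"
```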
This list is automatically generated from the titles and abstracts of the papers on this site.