HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems

Mamdouh Muhammad; Abdelkader Shaaban; Reinhard  German; Loui  Al Sardy

HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems

Mamdouh Muhammad (Autor:in und Vortragende:r)
, Abdelkader Shaaban
, Reinhard German
, Loui Al Sardy

Friedrich-Alexander University Erlangen-Nürnberg

Publikation: Beitrag in Buch oder Tagungsband › Vortrag mit Beitrag in Tagungsband › Begutachtung

Abstract

The increasing complexity of cyberattacks on Cyber-Physical Systems (CPS) demands advanced intrusion detection strategies that can effectively interpret contextual threats. Conventional hybrid Intrusion Detection Systems (IDSs) suffer from outdated attack signature databases and limited attack insights. This paper proposes a conceptual work-in-progress framework for an advanced hybrid IDS assisted by Large Language Models (LLMs) with Retrieval-Augmented Generation (RAG) integration in CPS environments (e.g., industrial control systems, smart grids). Our framework combines signature-based and anomaly-based detection with an LLM-RAG threat analysis module to provide context-aware classification of network traffic events using domain-specific knowledge. We outline potential implementation challenges and propose preliminary mitigation strategies. Future work will focus on empirical validation through experimental evaluation.

Originalsprache	Englisch
Titel	Computer Safety, Reliability, and Security. SAFECOMP 2025
Untertitel	CoC3CPS, DECSoS, SASSUR, SENSEI, SRToITS, and WAISE, Stockholm, Sweden, September 9, 2025, Proceedings
Redakteure/-innen	Martin Törngren, Elena Troubitsyna, Barbara Gallina, Erwin Schoitsch, Friedemann Bitsch
Herausgeber (Verlag)	Springer
Seiten	129-142
Seitenumfang	13
Band	15955
ISBN (elektronisch)	978-3-032-02018-5
ISBN (Print)	978-3-032-02017-8
Publikationsstatus	Veröffentlicht - 21 Aug. 2025
Veranstaltung	Computer Safety, Reliability, and Security. SAFECOMP 2025: 20th International Workshop on Dependable Smart Embedded Cyber-Physical Systems and Systems-of-Systems - Sweeden, Stockholm, Schweden Dauer: 9 Sept. 2025 → 12 Sept. 2025 https://safecomp2025.se/

Publikationsreihe

Name	Lecture Notes in Computer Science
Herausgeber (Verlag)	Springer
Band	15955
ISSN (Print)	0302-9743
ISSN (elektronisch)	1611-3349

Workshop

Workshop	Computer Safety, Reliability, and Security. SAFECOMP 2025
Kurztitel	DECSoS 2025
Land/Gebiet	Schweden
Stadt	Stockholm
Zeitraum	9/09/25 → 12/09/25
Internetadresse	https://safecomp2025.se/

UN SDGs

Dieser Output leistet einen Beitrag zu folgendem(n) Ziel(en) für nachhaltige Entwicklung

SDG 7 – Erschwingliche und saubere Energie

Research Field

Dependable Systems Engineering

Zugriff auf Dokument

https://link.springer.com/chapter/10.1007/978-3-032-02018-5_10

Diese Publikation zitieren

Muhammad, M., Shaaban, A., German , R., & Al Sardy, L. (2025). HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems. in M. Törngren, E. Troubitsyna, B. Gallina, E. Schoitsch, & F. Bitsch (Hrsg.), Computer Safety, Reliability, and Security. SAFECOMP 2025: CoC3CPS, DECSoS, SASSUR, SENSEI, SRToITS, and WAISE, Stockholm, Sweden, September 9, 2025, Proceedings (Band 15955, S. 129-142). ( Lecture Notes in Computer Science ; Band 15955). Springer. https://link.springer.com/chapter/10.1007/978-3-032-02018-5_10

Muhammad, Mamdouh ; Shaaban, Abdelkader ; German , Reinhard et al. / HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems. Computer Safety, Reliability, and Security. SAFECOMP 2025: CoC3CPS, DECSoS, SASSUR, SENSEI, SRToITS, and WAISE, Stockholm, Sweden, September 9, 2025, Proceedings. Hrsg. / Martin Törngren ; Elena Troubitsyna ; Barbara Gallina ; Erwin Schoitsch ; Friedemann Bitsch. Band 15955 Springer, 2025. S. 129-142 ( Lecture Notes in Computer Science ).

@inproceedings{c3c847702e0a4749be5c693061c7651e,

title = "HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems",

abstract = "The increasing complexity of cyberattacks on Cyber-Physical Systems (CPS) demands advanced intrusion detection strategies that can effectively interpret contextual threats. Conventional hybrid Intrusion Detection Systems (IDSs) suffer from outdated attack signature databases and limited attack insights. This paper proposes a conceptual work-in-progress framework for an advanced hybrid IDS assisted by Large Language Models (LLMs) with Retrieval-Augmented Generation (RAG) integration in CPS environments (e.g., industrial control systems, smart grids). Our framework combines signature-based and anomaly-based detection with an LLM-RAG threat analysis module to provide context-aware classification of network traffic events using domain-specific knowledge. We outline potential implementation challenges and propose preliminary mitigation strategies. Future work will focus on empirical validation through experimental evaluation.",

keywords = "Cyber-physical systems, Intrusion detection system, Large language model, Retrieval-augmented generation, cybersecurity",

author = "Mamdouh Muhammad and Abdelkader Shaaban and Reinhard German and \{Al Sardy\}, Loui",

year = "2025",

month = aug,

day = "21",

language = "English",

isbn = "978-3-032-02017-8",

volume = "15955",

series = " Lecture Notes in Computer Science ",

publisher = "Springer",

pages = "129--142",

editor = "Martin T{\"o}rngren and Elena Troubitsyna and Barbara Gallina and Erwin Schoitsch and Friedemann Bitsch",

booktitle = "Computer Safety, Reliability, and Security. SAFECOMP 2025",

address = "Germany",

note = "Computer Safety, Reliability, and Security. SAFECOMP 2025 : 20th International Workshop on Dependable Smart Embedded Cyber-Physical Systems and Systems-of-Systems, DECSoS 2025 ; Conference date: 09-09-2025 Through 12-09-2025",

url = "https://safecomp2025.se/",

}

Muhammad, M, Shaaban, A, German , R & Al Sardy, L 2025, HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems. in M Törngren, E Troubitsyna, B Gallina, E Schoitsch & F Bitsch (Hrsg.), Computer Safety, Reliability, and Security. SAFECOMP 2025: CoC3CPS, DECSoS, SASSUR, SENSEI, SRToITS, and WAISE, Stockholm, Sweden, September 9, 2025, Proceedings. Bd. 15955, Lecture Notes in Computer Science , Bd. 15955, Springer, S. 129-142, Computer Safety, Reliability, and Security. SAFECOMP 2025, Stockholm, Schweden, 9/09/25. <https://link.springer.com/chapter/10.1007/978-3-032-02018-5_10>

HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems. / Muhammad, Mamdouh (Autor:in und Vortragende:r); Shaaban, Abdelkader; German , Reinhard et al.
Computer Safety, Reliability, and Security. SAFECOMP 2025: CoC3CPS, DECSoS, SASSUR, SENSEI, SRToITS, and WAISE, Stockholm, Sweden, September 9, 2025, Proceedings. Hrsg. / Martin Törngren; Elena Troubitsyna; Barbara Gallina; Erwin Schoitsch; Friedemann Bitsch. Band 15955 Springer, 2025. S. 129-142 ( Lecture Notes in Computer Science ; Band 15955).

Publikation: Beitrag in Buch oder Tagungsband › Vortrag mit Beitrag in Tagungsband › Begutachtung

TY - GEN

T1 - HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems

AU - Shaaban, Abdelkader

AU - German , Reinhard

AU - Al Sardy, Loui

A2 - Muhammad, Mamdouh

A2 - Törngren, Martin

A2 - Troubitsyna, Elena

A2 - Gallina, Barbara

A2 - Schoitsch, Erwin

A2 - Bitsch, Friedemann

PY - 2025/8/21

Y1 - 2025/8/21

N2 - The increasing complexity of cyberattacks on Cyber-Physical Systems (CPS) demands advanced intrusion detection strategies that can effectively interpret contextual threats. Conventional hybrid Intrusion Detection Systems (IDSs) suffer from outdated attack signature databases and limited attack insights. This paper proposes a conceptual work-in-progress framework for an advanced hybrid IDS assisted by Large Language Models (LLMs) with Retrieval-Augmented Generation (RAG) integration in CPS environments (e.g., industrial control systems, smart grids). Our framework combines signature-based and anomaly-based detection with an LLM-RAG threat analysis module to provide context-aware classification of network traffic events using domain-specific knowledge. We outline potential implementation challenges and propose preliminary mitigation strategies. Future work will focus on empirical validation through experimental evaluation.

AB - The increasing complexity of cyberattacks on Cyber-Physical Systems (CPS) demands advanced intrusion detection strategies that can effectively interpret contextual threats. Conventional hybrid Intrusion Detection Systems (IDSs) suffer from outdated attack signature databases and limited attack insights. This paper proposes a conceptual work-in-progress framework for an advanced hybrid IDS assisted by Large Language Models (LLMs) with Retrieval-Augmented Generation (RAG) integration in CPS environments (e.g., industrial control systems, smart grids). Our framework combines signature-based and anomaly-based detection with an LLM-RAG threat analysis module to provide context-aware classification of network traffic events using domain-specific knowledge. We outline potential implementation challenges and propose preliminary mitigation strategies. Future work will focus on empirical validation through experimental evaluation.

KW - Cyber-physical systems

KW - Intrusion detection system

KW - Large language model

KW - Retrieval-augmented generation

KW - cybersecurity

M3 - Conference Proceedings with Oral Presentation

SN - 978-3-032-02017-8

VL - 15955

T3 - Lecture Notes in Computer Science

SP - 129

EP - 142

BT - Computer Safety, Reliability, and Security. SAFECOMP 2025

PB - Springer

T2 - Computer Safety, Reliability, and Security. SAFECOMP 2025

Y2 - 9 September 2025 through 12 September 2025

ER -

Muhammad M, Shaaban A, German R, Al Sardy L. HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems. in Törngren M, Troubitsyna E, Gallina B, Schoitsch E, Bitsch F, Hrsg., Computer Safety, Reliability, and Security. SAFECOMP 2025: CoC3CPS, DECSoS, SASSUR, SENSEI, SRToITS, and WAISE, Stockholm, Sweden, September 9, 2025, Proceedings. Band 15955. Springer. 2025. S. 129-142. ( Lecture Notes in Computer Science ).

HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems

Abstract

Publikationsreihe

Workshop

UN SDGs

Research Field

Zugriff auf Dokument

Fingerprint

Diese Publikation zitieren