CRAI Nov 17, 2024

INVARLLM: LLM-assisted Physical Invariant Extraction for Cyber-Physical Systems Anomaly Detection

arXiv:2411.10918v2, 3 citations, h-index: 3
Originality: Highly original
AI Analysis

This paper addresses the challenge of scalable and reliable anomaly detection for cyber-physical systems security, offering a novel integration of semantic and empirical approaches.

The paper tackles the problem of detecting anomalies in cyber-physical systems by proposing INVARLLM, a hybrid framework that uses LLMs to extract physical invariants from documentation and validates them with data-driven methods, achieving 100% precision with no false alarms on the SWaT and WADI datasets.

Cyber-Physical Systems (CPS) are vulnerable to cyber-physical attacks that violate physical laws. While invariant-based anomaly detection is effective, existing methods are limited: data-driven approaches lack semantic context, and physics-based models require extensive manual work. We propose INVARLLM, a hybrid framework that uses large language models (LLMs) to extract semantic information from CPS documentation and generate physical invariants, then validates these against real system data using a PCMCI+-inspired K-means method. This approach combines LLM semantic understanding with empirical validation to ensure both interpretability and reliability. We evaluate INVARLLM on SWaT and WADI datasets, achieving 100% precision in anomaly detection with no false alarms, outperforming all existing methods. Our results demonstrate that integrating LLM-derived semantics with statistical validation provides a scalable and dependable solution for CPS security.
