Evaluating Language Models For Threat Detection in IoT Security Logs
This work addresses cybersecurity threats in IoT networks by providing a combined detection and recommendation pipeline, though it is incremental as it applies existing LLM methods to a new domain-specific dataset.
The paper tackles the problem of threat detection in IoT security logs by fine-tuning large language models (LLMs) for anomaly detection and mitigation recommendation, with the LLMs outperforming baseline machine learning classifiers in multi-class attack classification.
Log analysis is a relevant research field in cybersecurity, as logs provide a source of information for detecting threats to networks and systems. This paper presents a pipeline that uses fine-tuned Large Language Models (LLMs) for anomaly detection and mitigation recommendation on IoT security logs. With classical machine learning classifiers as a baseline, three open-source LLMs are compared on binary and multi-class anomaly detection under three strategies: zero-shot prompting, few-shot prompting, and fine-tuning on an IoT dataset. The LLMs give better results on multi-class attack classification than the corresponding baseline models. By mapping detected threats to MITRE CAPEC, defining a set of IoT-specific mitigation actions, and fine-tuning the models on those actions, the models are able to provide combined detection and recommendation guidance.
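As an added example, not code from the paper or its authors, the following Python sketch shows the shape of the pipeline the abstract describes: a classical baseline classifier over IoT log lines, the zero-shot and few-shot prompts an LLM would receive for the same task, and the step that maps a detected attack class to a CAPEC pattern and a mitigation action. The log lines, labels, CAPEC mapping and mitigation texts are all constructed for illustration and are not the paper's dataset or playbook; the naive Bayes model stands in for the classical baseline, and the `classify` hook in `analyze()` is where a fine-tuned or prompted LLM call would be plugged in.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed IoT gateway log lines with hypothetical labels (not the paper's dataset).
TRAIN = [
    ("src=10.0.0.5 dst=10.0.0.1 proto=TCP flags=SYN count=4800 window=1s", "dos"),
    ("src=10.0.0.7 dst=10.0.0.1 proto=TCP flags=SYN count=5200 window=1s", "dos"),
    ("src=10.0.0.9 dst=10.0.0.1 proto=UDP count=6100 window=1s", "dos"),
    ("src=10.0.0.12 dst=10.0.0.1 proto=TCP dport=1-1024 syn_per_port=1", "scan"),
    ("src=10.0.0.13 dst=10.0.0.2 proto=TCP dport=1-65535 syn_per_port=1", "scan"),
    ("src=10.0.0.14 dst=10.0.0.3 proto=TCP dport=1-1024 syn_per_port=1", "scan"),
    ("src=10.0.0.20 dst=10.0.0.1 proto=MQTT topic=sensor/temp payload=22.5", "benign"),
    ("src=10.0.0.21 dst=10.0.0.1 proto=MQTT topic=sensor/hum payload=41", "benign"),
    ("src=10.0.0.22 dst=10.0.0.1 proto=MQTT topic=sensor/temp payload=23.1", "benign"),
]

# Hypothetical attack-class -> CAPEC -> IoT mitigation playbook (constructed, not the paper's).
PLAYBOOK = {
    "dos": {"capec": "CAPEC-125", "name": "Flooding",
            "mitigation": "Rate-limit the source at the IoT gateway and alert the SOC."},
    "scan": {"capec": "CAPEC-300", "name": "Port Scanning",
             "mitigation": "Restrict exposed device ports to the allow-list and log the scanner."},
}

DIGITS = re.compile(r"\d+")


def tokenize(line):
    """Split a line into key=value tokens, masking digits so IPs and counters generalize."""
    return [DIGITS.sub("N", field) for field in line.split()]


class NaiveBayes:
    """Multinomial naive Bayes over log tokens: stands in for the classical ML baseline."""

    def __init__(self, samples):
        self.class_counts = Counter(label for _, label in samples)
        self.token_counts = defaultdict(Counter)
        for line, label in samples:
            self.token_counts[label].update(tokenize(line))
        self.vocab = {t for counts in self.token_counts.values() for t in counts}
        self.total = sum(self.class_counts.values())

    def predict(self, line):
        tokens = tokenize(line)
        scores = {}
        for label, n in self.class_counts.items():
            counts = self.token_counts[label]
            denom = sum(counts.values()) + len(self.vocab)
            score = math.log(n / self.total)
            for t in tokens:
                score += math.log((counts[t] + 1) / denom)  # Laplace smoothing
            scores[label] = score
        return max(scores, key=scores.get)


def zero_shot_prompt(line):
    """Prompt an LLM would receive in the zero-shot setting (label set only, no examples)."""
    labels = ", ".join(sorted(set(PLAYBOOK) | {"benign"}))
    return (f"Classify this IoT security log line as one of [{labels}].\n"
            f"Log: {line}\nAnswer with the label only.")


def few_shot_examples(samples, per_class=1):
    """Pick the first `per_class` labelled lines of each class as in-context examples."""
    seen, picked = Counter(), []
    for line, label in samples:
        if seen[label] < per_class:
            picked.append((line, label))
            seen[label] += 1
    return picked


def few_shot_prompt(line, examples):
    """Few-shot variant: the same question, preceded by labelled examples."""
    shots = "\n".join(f"Log: {l}\nLabel: {y}" for l, y in examples)
    return f"{shots}\n{zero_shot_prompt(line)}"


def analyze(line, classify):
    """Detection -> CAPEC mapping -> mitigation; `classify` may be the baseline or an LLM wrapper."""
    label = classify(line)
    entry = PLAYBOOK.get(label)
    return {
        "label": label,
        "anomaly": label != "benign",  # binary detection derived from the multi-class label
        "capec": entry["capec"] if entry else None,
        "mitigation": entry["mitigation"] if entry else "No action: benign traffic.",
    }


if __name__ == "__main__":
    baseline = NaiveBayes(TRAIN)
    for sample in ["src=10.0.0.33 dst=10.0.0.1 proto=TCP flags=SYN count=5000 window=1s",
                   "src=10.0.0.40 dst=10.0.0.2 proto=TCP dport=1-1024 syn_per_port=1"]:
        print(analyze(sample, baseline.predict))
    print(few_shot_prompt("src=10.0.0.25 dst=10.0.0.1 proto=MQTT topic=sensor/temp payload=24.0",
                          few_shot_examples(TRAIN)))
```

The point of the hook design is that the downstream CAPEC mapping and mitigation lookup do not care which detector produced the label, so the baseline and the prompted or fine-tuned LLM can be evaluated on identical inputs and compared class by class, which is the comparison the abstract reports.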