HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems

Muhammad M, Shaaban AM, German R, Al Sardy L (2026)


Publication Type: Conference contribution

Publication year: 2026

Publisher: Springer Science and Business Media Deutschland GmbH

Book Volume: 15955 LNCS

Pages Range: 129-142

Conference Proceedings Title: Lecture Notes in Computer Science

Event location: Stockholm, SWE

ISBN: 9783032020178

DOI: 10.1007/978-3-032-02018-5_10

Abstract

The increasing complexity of cyberattacks on Cyber-Physical Systems (CPS) demands advanced intrusion detection strategies that can effectively interpret contextual threats. Conventional hybrid Intrusion Detection Systems (IDSs) suffer from outdated attack signature databases and limited attack insights. This paper proposes a conceptual work-in-progress framework for an advanced hybrid IDS assisted by Large Language Models (LLMs) with Retrieval-Augmented Generation (RAG) integration in CPS environments (e.g., industrial control systems, smart grids). Our framework combines signature-based and anomaly-based detection with an LLM-RAG threat analysis module to provide context-aware classification of network traffic events using domain-specific knowledge. We outline potential implementation challenges and propose preliminary mitigation strategies. Future work will focus on empirical validation through experimental evaluation.

How to cite

APA:

Muhammad, M., Shaaban, A.M., German, R., & Al Sardy, L. (2026). HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems. In Martin Törngren, Barbara Gallina, Erwin Schoitsch, Elena Troubitsyna, Friedemann Bitsch (Eds.), Lecture Notes in Computer Science (pp. 129-142). Stockholm, SWE: Springer Science and Business Media Deutschland GmbH.

MLA:

Muhammad, Mamdouh, et al. "HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems." Proceedings of the Co-Design of Communication, Computing and Control in Cyber-Physical Systems, CoC3CPS 2025, 20th Workshop on Dependable Smart Embedded and Cyber-Physical Systems and Systems-of-Systems, DECSoS 2025, 12th International Workshop on Next Generation of System Assurance Approaches for Critical Systems, SASSUR 2025, 4th International Workshop on Safety and Security Interaction, SENSEI 2025, 2nd International Workshop on Safety/Reliability/Trustworthiness of Intelligent Transportation Systems, SRToITS 2025 and 8th International Workshop on Artificial Intelligence Safety Engineering, WAISE 2025 held in conjunction with the 44th International Conference on Computer Safety, Reliability, and Security, SAFECOMP 2025, Stockholm, SWE Ed. Martin Törngren, Barbara Gallina, Erwin Schoitsch, Elena Troubitsyna, Friedemann Bitsch, Springer Science and Business Media Deutschland GmbH, 2026. 129-142.
