LLM-Based Immune Detection Method for Unknown Network Attacks in ICS Under Few-Shot Conditions

The rapidly evolving landscape of unknown network attacks has significantly ex-panded the range of cyber threats. However, existing intrusion detection systems IDS primarily rely on large amounts of known attack samples for model train-ing and can only effectively detect known network attacks, particularly in indus-trial control system ICS environments, where obtaining attack samples is ex-tremely difficult. In this paper, inspired by artificial immune systems AIS and large language models LLM , we propose an LLM-based immune detection method, named LLM-IDS, for identifying unknown network attacks in ICS un-der few-shot conditions. The artificial immune system, as a biologically inspired intelligent algorithm, inherently possesses the ability to identify unknown threats. Meanwhile, LLM, with its strong reasoning ability, can deeply explore the latent spatial feature information even with limited train samples. Specifically, we first map network attack data to the antigen space of the artificial immune system. Then, we design a specialized prompt template to guide the LLM in learning and analyzing the spatial distribution features of nonself antigens, thereby capturing the latent space feature distribution information. Finally, we generate immune space detectors under the guidance of LLM and activate them through tolerance mechanisms. Extensive experiments on multiple datasets demonstrate that LLM-IDS exhibits superior performance in detecting both known and unknown cyberattacks, significantly outperforming current mainstream IDS research achievements.