{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,18]],"date-time":"2026-06-18T04:44:56Z","timestamp":1781757896223,"version":"3.54.5"},"reference-count":44,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T00:00:00Z","timestamp":1767916800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T00:00:00Z","timestamp":1767916800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100007041","name":"Universidad de Zaragoza","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100007041","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Artif Intell Rev"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>This paper presents the first systematic benchmark evaluating Large Language Models (LLMs), specifically GPT-2, GPT-Neo-125M, and LLaMA-3.2-1B, as standalone classifiers for intrusion detection, covering both binary and multiclass classification tasks, using structured Zeek logs derived from the CIC IoT 2023 dataset. We compare their performance against established and widely used Machine Learning (XGBoost, Random Forest, Decision Tree) and Deep Learning models (MLP, GRU, LeNet-5) across key evaluation metrics: detection effectiveness (precision, recall and F1-score), inference speed, and resource consumption. All models are consistently trained and rigorously evaluated on the CIC IoT 2023 dataset, ensuring fair, reproducible, and transparent comparisons. Our findings indicate that while LLMs achieve strong F1-score exceeding 95%, and do not fully utilize available GPU resources, they still do not outperform top-performing ML models. Notably XGBoost achieves a higher F1-score of 96.96%, using only 4% of the available CPU. These results emphasize the practical trade-offs between detection capability, inference efficiency, and hardware requirements when applying LLMs in flow-based IDS contexts, particularly in resource-constrained environments such as IoT or edge deployments.<\/jats:p>","DOI":"10.1007\/s10462-025-11432-2","type":"journal-article","created":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T05:51:13Z","timestamp":1767937873000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Evaluating large language models effectiveness for flow-based intrusion detection: a comparative study with ML and DL baselines"],"prefix":"10.1007","volume":"59","author":[{"given":"Lorena","family":"Mehavilla","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mar\u00eda","family":"Rodr\u00edguez","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jos\u00e9","family":"Garc\u00eda","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"\u00c1lvaro","family":"Alesanco","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2026,1,9]]},"reference":[{"key":"11432_CR1","doi-asserted-by":"crossref","unstructured":"Adjewa F, Esseghir M, Merghem-Boulahia L (2024) Efficient Federated Intrusion Detection in 5G ecosystem using optimized BERT-based model. Preprint at arxiv:2409.19390","DOI":"10.1109\/WiMob61911.2024.10770340"},{"key":"11432_CR2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102588","volume":"114","author":"R Ahmad","year":"2022","unstructured":"Ahmad R, Alsmadi I, Alhamdani W, Tawalbeh L (2022) A comprehensive deep learning benchmark for iot ids. Comput Secur 114:102588. https:\/\/doi.org\/10.1016\/j.cose.2021.102588","journal-title":"Comput Secur"},{"issue":"1","key":"11432_CR3","doi-asserted-by":"publisher","first-page":"4150","DOI":"10.1002\/ett.4150","volume":"32","author":"Z Ahmad","year":"2021","unstructured":"Ahmad Z, Shahid Khan A, Wai Shiang C, Abdullah J, Ahmad F (2021) Network intrusion detection system: a systematic study of machine learning and deep learning approaches. Trans Emerg Telecommun Technol 32(1):4150. https:\/\/doi.org\/10.1002\/ett.4150","journal-title":"Trans Emerg Telecommun Technol"},{"issue":"2","key":"11432_CR4","doi-asserted-by":"publisher","first-page":"735","DOI":"10.1109\/TCST.2022.3196809","volume":"31","author":"M Azzam","year":"2023","unstructured":"Azzam M, Pasquale L, Provan G, Nuseibeh B (2023) Efficient predictive monitoring of linear time-invariant systems under stealthy attacks. IEEE Trans Control Syst Technol 31(2):735\u2013747. https:\/\/doi.org\/10.1109\/TCST.2022.3196809","journal-title":"IEEE Trans Control Syst Technol"},{"key":"11432_CR5","doi-asserted-by":"publisher","unstructured":"Babaey V, Ravindran A (2025) Gensqli: a generative artificial intelligence framework for automatically securing web application firewalls against structured query language injection attacks. Future Internet 17(1) https:\/\/doi.org\/10.3390\/fi17010008","DOI":"10.3390\/fi17010008"},{"key":"11432_CR6","doi-asserted-by":"publisher","unstructured":"Bhandari G, Lyth A, Shalaginov A, Gr\u00f8nli T.-M (2023) Distributed deep neural-network-based middleware for cyber-attacks detection in smart iot ecosystem: a novel framework and performance evaluation approach. Electronics 12(2) https:\/\/doi.org\/10.3390\/electronics12020298","DOI":"10.3390\/electronics12020298"},{"key":"11432_CR7","doi-asserted-by":"publisher","unstructured":"Bhandari G.P, Lyth A, Shalaginov A, Gr\u00f8nli T.-M (2022) Artificial intelligence enabled middleware for distributed cyberattacks detection in IoT-based smart environments. Paper presented at IEEE International Conference on Big Data (Big Data), Osaka, Japan, pp. 3023-3032, https:\/\/doi.org\/10.1109\/BigData55660.2022.10020531","DOI":"10.1109\/BigData55660.2022.10020531"},{"key":"11432_CR8","doi-asserted-by":"publisher","unstructured":"Black S, Leo G, Wang P, Leahy C, Biderman S (2021) GPT-Neo: Large scale autoregressive language modeling with mesh-tensorflow. https:\/\/doi.org\/10.5281\/zenodo.5297715","DOI":"10.5281\/zenodo.5297715"},{"key":"11432_CR9","doi-asserted-by":"publisher","unstructured":"Bui M.-T, Boffa M, Valentim R.V, Navarro J.M, Chen F, Bao X, Houidi Z.B, Rossi D (2024) A systematic comparison of large language models performance for intrusion detection. Proc. ACM Netw. 2(CoNEXT4) https:\/\/doi.org\/10.1145\/3696379","DOI":"10.1145\/3696379"},{"key":"11432_CR10","unstructured":"Cisco: cyber threat trends report: From Trojan Takeovers to Ransomware Roulette. Cisco. [Online]. Available: https:\/\/www.cisco.com\/c\/en\/us\/products\/security\/cyber-threat-trends-report.html [Accessed: May 25, 2025] (2024)"},{"key":"11432_CR11","unstructured":"Dettmers T, Pagnoni A, Holtzman A, Zettlemoyer L (2023) LoRA: efficient finetuning of quantized LLMs. Preprint at arxiv:2305.14314"},{"key":"11432_CR12","doi-asserted-by":"publisher","unstructured":"Diaf A, Korba A.A, Karabadji N.E, Ghamri-Doudane Y (2024) Beyond detection: leveraging large language models for cyber attack prediction in IoT networks. Paper presented at 20th International Conference on Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT), Abu Dhabi, United Arab Emirates, pp. 117-123, https:\/\/doi.org\/10.1109\/DCOSS-IoT61029.2024.00026.","DOI":"10.1109\/DCOSS-IoT61029.2024.00026."},{"key":"11432_CR13","doi-asserted-by":"publisher","unstructured":"Fieblinger R, Alam M.T, Rastogi N (2024) Actionable cyber threat intelligence using knowledge graphs and large language models. Paper presented at 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS &PW), Vienna, Austria, pp. 100-111, https:\/\/doi.org\/10.1109\/EuroSPW61312.2024.00018","DOI":"10.1109\/EuroSPW61312.2024.00018"},{"key":"11432_CR14","unstructured":"Fox J (2023) Top cybersecurity statics for 2024. Cobalt. [Online]. Available: https:\/\/www.cobalt.io\/blog\/cybersecurity-statistics-2024 [Accessed: May 25, 2025] (December 8)"},{"key":"11432_CR15","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2024.101367","volume":"28","author":"J Garc\u00eda","year":"2024","unstructured":"Garc\u00eda J, Entrena J (2024) Alesanco: empirical evaluation of feature selection methods for machine learning based intrusion detection in iot scenarios. Internet Things 28:101367. https:\/\/doi.org\/10.1016\/j.iot.2024.101367","journal-title":"Internet Things"},{"key":"11432_CR16","doi-asserted-by":"publisher","unstructured":"Guastalla M, Li Y, Hekmati A, Krishnamachari B (2024) Application of large language models to ddos attack detection, 83\u201399 https:\/\/doi.org\/10.1007\/978-3-031-51630-6_6","DOI":"10.1007\/978-3-031-51630-6_6"},{"key":"11432_CR17","doi-asserted-by":"publisher","unstructured":"Guti\u00e9rrez-Galeano L, Dom\u00ednguez-Jim\u00e9nez J.-J, Sch\u00e4fer J, Medina-Bulo I (2025) Llm-based cyberattack detection using network flow statistics. Appl Sci 15(12) https:\/\/doi.org\/10.3390\/app15126529","DOI":"10.3390\/app15126529"},{"key":"11432_CR18","doi-asserted-by":"publisher","DOI":"10.1016\/j.adhoc.2024.103645","volume":"166","author":"M Hassanin","year":"2025","unstructured":"Hassanin M, Keshk M, Salim S, Alsubaie M, Sharma D (2025) Pllm-cs: Pre-trained large language model (llm) for cyber threat detection in satellite networks. Ad Hoc Netw 166:103645. https:\/\/doi.org\/10.1016\/j.adhoc.2024.103645","journal-title":"Ad Hoc Netw"},{"key":"11432_CR19","doi-asserted-by":"crossref","unstructured":"Houssel P.R.B, Singh P, Layeghy S, Portmann M (2024) Towards explainable network intrusion detection using large language models. Preprint at arxiv:2408.04342","DOI":"10.1109\/BDCAT63179.2024.00021"},{"key":"11432_CR20","doi-asserted-by":"publisher","unstructured":"Huda S, Musthafa M.B, Nogami Y (2024) Zeek intrusion detection on raspberry pi for iot-based agriculture monitoring systems: Preliminary investigation. In: 2024 IEEE International Symposium on Consumer Technology (ISCT), pp. 372\u2013377 . https:\/\/doi.org\/10.1109\/ISCT62336.2024.10791229","DOI":"10.1109\/ISCT62336.2024.10791229"},{"key":"11432_CR21","unstructured":"Hugging face: The AI community building the future. [Online]. Available: https:\/\/huggingface.co\/ [Accessed: May 25, 2025]"},{"key":"11432_CR22","doi-asserted-by":"publisher","DOI":"10.1016\/j.inffus.2025.103347","volume":"124","author":"H Kheddar","year":"2025","unstructured":"Kheddar H (2025) Transformers and large language models for efficient intrusion detection systems: a comprehensive survey. Inf Fusion 124:103347. https:\/\/doi.org\/10.1016\/j.inffus.2025.103347","journal-title":"Inf Fusion"},{"key":"11432_CR23","doi-asserted-by":"publisher","unstructured":"Khediri A, Slimi H, Yahiaoui A, Derdour M, Bendjenna H, Ghenai C.E (2024) Enhancing machine learning model interpretability in intrusion detection systems through SHAP explanations and LLM-generated descriptions. Paper presented at 6th International Conference on Pattern Analysis and Intelligent Systems (PAIS), EL OUED, Algeria, pp. 1-6, https:\/\/doi.org\/10.1109\/PAIS62114.2024.10541168","DOI":"10.1109\/PAIS62114.2024.10541168"},{"key":"11432_CR24","unstructured":"LLaMA-3.2-1B: large language model meta AI. [Online]. Available: https:\/\/www.llama.com\/ [Accessed: May 25, 2025]"},{"key":"11432_CR25","doi-asserted-by":"publisher","unstructured":"Li M, Song X, Zhao J, Cui B (2022) Tcmal: a hybrid deep learning model for encrypted malicious traffic classification. In: 2022 IEEE 8th international conference on computer and communications (ICCC), pp. 1634\u20131640. https:\/\/doi.org\/10.1109\/ICCC56324.2022.10065869","DOI":"10.1109\/ICCC56324.2022.10065869"},{"key":"11432_CR26","doi-asserted-by":"publisher","first-page":"9374","DOI":"10.1109\/TIFS.2024.3433446","volume":"19","author":"Y Liu","year":"2024","unstructured":"Liu Y, Wang X, Qu B, Zhao F (2024) Atvitsc: a novel encrypted traffic classification method based on deep learning. IEEE Trans Inf Forensics Secur 19:9374\u20139389. https:\/\/doi.org\/10.1109\/TIFS.2024.3433446","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"11432_CR27","doi-asserted-by":"publisher","unstructured":"Mahmoodi M, Jameii S.M (2024) Utilizing large language models for DDoS attack detection. Paper presented at OPJU International Technology Conference (OTCON) on Smart Computing for Innovation and Advancement in Industry 4.0, Raigarh, India, pp. 1-6, https:\/\/doi.org\/10.1109\/OTCON60325.2024.10688345","DOI":"10.1109\/OTCON60325.2024.10688345"},{"key":"11432_CR28","unstructured":"Martin J (2024 )How many cyber attacks occur each day? (2024). Exploding Topics, [Online]. Available: https:\/\/explodingtopics.com\/blog\/cybersecurity-stats [Accessed: May 25, 2025] (September 30)"},{"key":"11432_CR29","unstructured":"Mehavilla L, Garcia J, Alesanco A (2022) Hunting@home: plug and play setup for intrusion detection in home networks. In: VI Jornadas Nacionales de Investigacion en Ciberseguridad (JNIC), Bilbao, Espa\u00f1a, pp. 26\u201329"},{"issue":"1","key":"11432_CR30","doi-asserted-by":"publisher","first-page":"496","DOI":"10.1002\/spy2.496","volume":"8","author":"M Naif Alatawi","year":"2025","unstructured":"Naif Alatawi M (2025) Enhancing intrusion detection systems with advanced machine learning techniques: An ensemble and explainable artificial intelligence (AI) approach. Secur Privacy 8(1):496. https:\/\/doi.org\/10.1002\/spy2.496","journal-title":"Secur Privacy"},{"key":"11432_CR31","doi-asserted-by":"publisher","unstructured":"Neto E, Dadkhah S, Ferreira R, Zohourian A, Lu R, Ghorbani A (2023) Ciciot2023: a real-time dataset and benchmark for large-scale attacks in iot environment. Sensors 23(13) https:\/\/doi.org\/10.3390\/s23135941","DOI":"10.3390\/s23135941"},{"key":"11432_CR32","doi-asserted-by":"publisher","unstructured":"Nguyen L.G, Watabe K (2022) Flow-based network intrusion detection based on BERT masked language model. Paper presented at 3rd International CoNEXT Student Workshop (CoNEXT-SW \u201922), New York, NY, USA, pp. 7-8. https:\/\/doi.org\/10.1145\/3565477.3569152","DOI":"10.1145\/3565477.3569152"},{"key":"11432_CR33","doi-asserted-by":"publisher","unstructured":"Nwafor E, Baskota U, Parwez M.S, Blackstone J, Olufowobi H (2024) Evaluating large language models for enhanced intrusion detection in internet of things networks. In: GLOBECOM 2024-2024 IEEE Global Communications Conference, pp. 3358\u20133363. https:\/\/doi.org\/10.1109\/GLOBECOM52923.2024.10901300","DOI":"10.1109\/GLOBECOM52923.2024.10901300"},{"key":"11432_CR34","unstructured":"Radford A, Wu J, Child R, Luan D, Amodei D, Sutskever I (2019) Language models are unsupervised multitask learners . https:\/\/api.semanticscholar.org\/CorpusID:160025533"},{"key":"11432_CR35","doi-asserted-by":"publisher","unstructured":"Rodr\u00edguez M, Alesanco\u00a0Mehavilla L, Garc\u00eda J (2022) Evaluation of machine learning techniques for traffic flow-based intrusion detection. Sensors 22 (23:9326) https:\/\/doi.org\/10.3390\/s22239326","DOI":"10.3390\/s22239326"},{"key":"11432_CR36","doi-asserted-by":"publisher","first-page":"2049","DOI":"10.1016\/j.procs.2023.01.181","volume":"218","author":"N Saran","year":"2023","unstructured":"Saran N, Kesswani N (2023) A comparative study of supervised machine learning classifiers for intrusion detection in internet of things. Proc Comput Sci 218:2049\u20132057. https:\/\/doi.org\/10.1016\/j.procs.2023.01.181","journal-title":"Proc Comput Sci"},{"key":"11432_CR37","doi-asserted-by":"publisher","unstructured":"Udurume M, Shakhov V, Koo I (2024) Comparative evaluation of network-based intrusion detection: deep learning vs traditional machine learning approach. Paper presented at Fifteenth International Conference on Ubiquitous and Future Networks (ICUFN), Budapest, Hungary, pp. 520-525, https:\/\/doi.org\/10.1109\/ICUFN61752.2024.10625037","DOI":"10.1109\/ICUFN61752.2024.10625037"},{"key":"11432_CR38","doi-asserted-by":"publisher","unstructured":"Vikram A, Shnain A.H, Jeet R, Vennila C, Sahu P, Krishnakumar K (2024) Ai-powered network intrusion detection systems. In: 2024 IEEE international conference on communication, computing and signal processing (IICCCS), pp. 1\u20136 . https:\/\/doi.org\/10.1109\/IICCCS61609.2024.10763627","DOI":"10.1109\/IICCCS61609.2024.10763627"},{"key":"11432_CR39","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2023.109982","volume":"235","author":"S Wang","year":"2023","unstructured":"Wang S, Xu W, Liu Y (2023) Res-tranbilstm: an intelligent approach for intrusion detection in the internet of things. Comput Netw 235:109982. https:\/\/doi.org\/10.1016\/j.comnet.2023.109982","journal-title":"Comput Netw"},{"key":"11432_CR40","doi-asserted-by":"publisher","unstructured":"Wangsa K, Karim S, Gide E, Elkhodr M (2024) A systematic review and comprehensive analysis of pioneering ai chatbot models from education to healthcare: Chatgpt, bard, llama, ernie and grok. Future Internet 16(7) https:\/\/doi.org\/10.3390\/fi16070219","DOI":"10.3390\/fi16070219"},{"key":"11432_CR41","unstructured":"Zeek Network security monitor. [Online]. Available: https:\/\/zeek.org\/ [Accessed: May 25, 2025]"},{"key":"11432_CR42","doi-asserted-by":"publisher","unstructured":"Zhang X, Chen T, Wu J, Yu Q (2023) Intelligent network threat detection engine based on open source GPT-2 Model. Paper presented at 2023 International Conference on Computer Science and Automation Technology (CSAT), Shanghai, China, pp. 392-397, https:\/\/doi.org\/10.1109\/CSAT61646.2023.00107","DOI":"10.1109\/CSAT61646.2023.00107"},{"key":"11432_CR43","doi-asserted-by":"publisher","unstructured":"Zhang H, Bin\u00a0Sediq A, Afana A, Erol-Kantarci M (2024) Large language models in wireless application design: In-context learning-enhanced automatic network intrusion detection. In: GLOBECOM 2024 - 2024 IEEE Global Communications Conference, pp. 2479\u20132484 . https:\/\/doi.org\/10.1109\/GLOBECOM52923.2024.10901312","DOI":"10.1109\/GLOBECOM52923.2024.10901312"},{"key":"11432_CR44","doi-asserted-by":"publisher","first-page":"1","DOI":"10.4018\/IJSWIS.334845","volume":"20","author":"Q Zhou","year":"2024","unstructured":"Zhou Q, Wang Z (2024) A network intrusion detection method for information systems using federated learning and improved transformer. Int J Semant Web Inf Syst 20:1\u201320. https:\/\/doi.org\/10.4018\/IJSWIS.334845","journal-title":"Int J Semant Web Inf Syst"}],"container-title":["Artificial Intelligence Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10462-025-11432-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10462-025-11432-2","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10462-025-11432-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,19]],"date-time":"2026-02-19T05:49:06Z","timestamp":1771480146000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10462-025-11432-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,9]]},"references-count":44,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,2]]}},"alternative-id":["11432"],"URL":"https:\/\/doi.org\/10.1007\/s10462-025-11432-2","relation":{},"ISSN":["1573-7462"],"issn-type":[{"value":"1573-7462","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,9]]},"assertion":[{"value":"19 May 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 October 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"50"}}