TinyLLM-Assisted Intrusion Detection for Real-Time IoT Networks

Abstract

This paper presents a reproducible intrusion-detection study for real-time Internet of Things (IoT) networks using the RT-IoT2022 traffic-classification dataset. The dataset file used in the experiment contained 123,117 flow instances, 83 usable features after removal of a generated index column, 2 categorical features, 81 numeric features, 0 missing values, three normal traffic labels, and nine attack labels. The study trained and evaluated four models on the complete dataset with a fixed stratified 80/20 split: Random Forest, XGBoost, a supervised autoencoder, and a compact TabTransformer. A TinyLLM-style explanation component was added after prediction to convert each detected attack type into a concise analyst-facing explanation and response action. The explanation component did not modify classifier outputs, which keeps the performance evaluation attributable to the trained detectors. The best empirical result was obtained by Random Forest, with 0.9984 Random Forest accuracy, 0.9771 Random Forest macro-F1, 0.9984 Random Forest weighted-F1, and 0.9993 Random Forest binary anomaly-F1 on 24,624 held-out flows. XGBoost provided a compact speed-storage compromise with 0.0440 MB model size and 0.8642 macro-F1. The autoencoder and TabTransformer retained high binary anomaly-F1 values but produced weaker attack-type macro-F1, showing that rare-class resolution remains the dominant challenge for tiny neural edge deployments on this imbalanced dataset. The results replace illustrative claims with measured findings, include confusion-matrix and per-class evidence, and provide code, data, and generated artifacts for rerunning the evaluation.