Hybrid LLM-Assisted IDS to SAFECOMP 2025
From 09 to 12 September 2025, the 44th edition of SAFECOMP (the International Conference on Computer Safety, Reliability, and Security) was held at KTH Royal Institute of Technology, Stockholm (Sweden). The event comprised the main conference plus 8 co-located workshops, where we presented our work.
What was on offer?
SAFECOMP centers on dependable, secure computer-based systems across safety-critical domains. Core themes included safety–security co-engineering, assurance and certification, model-based engineering, AI/ML in safety and security, resilience of cyber-physical systems (CPS), industrial control, and critical infrastructure. Emphasis was on methods that bridge research with deployment in CPS and related sectors.
Our presentation
Presenter: Our research assistant, „Mamdouh Muhammad”
Title: HyLLM-IDS: A Conceptual Hybrid LLM-Assisted Intrusion Detection Framework for Cyber-Physical Systems
Mamdouh introduced HyLLM-IDS, a conceptual hybrid IDS for CPS that couples parallel detection with an LLM-RAG threat analysis layer: it runs signature-based IDS alongside unsupervised anomaly detection to cover both known and novel attacks. Alerts feed a structured prompt builder; an LLM, augmented via Retrieval-Augmented Generation from CPS threat knowledge, classifies events (Benign/Anomaly/Ambiguous) and can synthesize new signature rules.