{"id":"https://openalex.org/W7119523666","doi":"https://doi.org/10.1007/s10462-025-11432-2","title":"Evaluating large language models effectiveness for flow-based intrusion detection: a comparative study with ML and DL baselines","display_name":"Evaluating large language models effectiveness for flow-based intrusion detection: a comparative study with ML and DL baselines","publication_year":2026,"publication_date":"2026-01-09","ids":{"openalex":"https://openalex.org/W7119523666","doi":"https://doi.org/10.1007/s10462-025-11432-2"},"language":"en","primary_location":{"id":"doi:10.1007/s10462-025-11432-2","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10462-025-11432-2","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10462-025-11432-2.pdf","source":{"id":"https://openalex.org/S122814990","display_name":"Artificial Intelligence Review","issn_l":"0269-2821","issn":["0269-2821","1573-7462"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Artificial Intelligence Review","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10462-025-11432-2.pdf","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5049919298","display_name":"Lorena Mehavilla","orcid":null},"institutions":[{"id":"https://openalex.org/I255234318","display_name":"Universidad de Zaragoza","ror":"https://ror.org/012a91z28","country_code":"ES","type":"education","lineage":["https://openalex.org/I255234318"]},{"id":"https://openalex.org/I4210150815","display_name":"Instituto Tecnol\u00f3gico de Arag\u00f3n","ror":"https://ror.org/05sep9w93","country_code":"ES","type":"other","lineage":["https://openalex.org/I4210150815"]}],"countries":["ES"],"is_corresponding":true,"raw_author_name":"Lorena Mehavilla","raw_affiliation_strings":["Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain","institution_ids":["https://openalex.org/I255234318","https://openalex.org/I4210150815"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Mar\u00eda Rodr\u00edguez","orcid":null},"institutions":[{"id":"https://openalex.org/I255234318","display_name":"Universidad de Zaragoza","ror":"https://ror.org/012a91z28","country_code":"ES","type":"education","lineage":["https://openalex.org/I255234318"]},{"id":"https://openalex.org/I4210150815","display_name":"Instituto Tecnol\u00f3gico de Arag\u00f3n","ror":"https://ror.org/05sep9w93","country_code":"ES","type":"other","lineage":["https://openalex.org/I4210150815"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Mar\u00eda Rodr\u00edguez","raw_affiliation_strings":["Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain","institution_ids":["https://openalex.org/I255234318","https://openalex.org/I4210150815"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5122382553","display_name":"Jos\u00e9 Garc\u00eda","orcid":null},"institutions":[{"id":"https://openalex.org/I255234318","display_name":"Universidad de Zaragoza","ror":"https://ror.org/012a91z28","country_code":"ES","type":"education","lineage":["https://openalex.org/I255234318"]},{"id":"https://openalex.org/I4210150815","display_name":"Instituto Tecnol\u00f3gico de Arag\u00f3n","ror":"https://ror.org/05sep9w93","country_code":"ES","type":"other","lineage":["https://openalex.org/I4210150815"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Jos\u00e9 Garc\u00eda","raw_affiliation_strings":["Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain","institution_ids":["https://openalex.org/I255234318","https://openalex.org/I4210150815"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5054935370","display_name":"\u00c1lvaro Alesanco","orcid":"https://orcid.org/0000-0002-5254-1402"},"institutions":[{"id":"https://openalex.org/I255234318","display_name":"Universidad de Zaragoza","ror":"https://ror.org/012a91z28","country_code":"ES","type":"education","lineage":["https://openalex.org/I255234318"]},{"id":"https://openalex.org/I4210150815","display_name":"Instituto Tecnol\u00f3gico de Arag\u00f3n","ror":"https://ror.org/05sep9w93","country_code":"ES","type":"other","lineage":["https://openalex.org/I4210150815"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"\u00c1lvaro Alesanco","raw_affiliation_strings":["Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Arag\u00f3n Institute of Engineering Research (I3A), University of Zaragoza, C/ Mariano Esquillor G\u00f3mez, 50018, Zaragoza, Spain","institution_ids":["https://openalex.org/I255234318","https://openalex.org/I4210150815"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5049919298"],"corresponding_institution_ids":["https://openalex.org/I255234318","https://openalex.org/I4210150815"],"apc_list":{"value":2490,"currency":"EUR","value_usd":3090},"apc_paid":{"value":2490,"currency":"EUR","value_usd":3090},"fwci":33.6391,"has_fulltext":true,"cited_by_count":2,"citation_normalized_percentile":{"value":0.99122681,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":"59","issue":"2","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.8697999715805054,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.8697999715805054,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.023900000378489494,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.012299999594688416,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.720300018787384},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.640999972820282},{"id":"https://openalex.org/keywords/random-forest","display_name":"Random forest","score":0.6049000024795532},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.5982999801635742},{"id":"https://openalex.org/keywords/deep-learning","display_name":"Deep learning","score":0.439300000667572},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.4325999915599823},{"id":"https://openalex.org/keywords/language-model","display_name":"Language model","score":0.42800000309944153},{"id":"https://openalex.org/keywords/enhanced-data-rates-for-gsm-evolution","display_name":"Enhanced Data Rates for GSM Evolution","score":0.3813999891281128},{"id":"https://openalex.org/keywords/resource","display_name":"Resource (disambiguation)","score":0.37619999051094055}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8482999801635742},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.720300018787384},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.6560999751091003},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.640999972820282},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.6233000159263611},{"id":"https://openalex.org/C169258074","wikidata":"https://www.wikidata.org/wiki/Q245748","display_name":"Random forest","level":2,"score":0.6049000024795532},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.5982999801635742},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.439300000667572},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.4325999915599823},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.42800000309944153},{"id":"https://openalex.org/C162307627","wikidata":"https://www.wikidata.org/wiki/Q204833","display_name":"Enhanced Data Rates for GSM Evolution","level":2,"score":0.3813999891281128},{"id":"https://openalex.org/C206345919","wikidata":"https://www.wikidata.org/wiki/Q20380951","display_name":"Resource (disambiguation)","level":2,"score":0.37619999051094055},{"id":"https://openalex.org/C29202148","wikidata":"https://www.wikidata.org/wiki/Q287260","display_name":"Resource allocation","level":2,"score":0.3628999888896942},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.3296999931335449},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.32839998602867126},{"id":"https://openalex.org/C158251709","wikidata":"https://www.wikidata.org/wiki/Q354025","display_name":"Intrusion","level":2,"score":0.326200008392334},{"id":"https://openalex.org/C48372109","wikidata":"https://www.wikidata.org/wiki/Q3913","display_name":"Binary number","level":2,"score":0.32600000500679016},{"id":"https://openalex.org/C45942800","wikidata":"https://www.wikidata.org/wiki/Q245652","display_name":"Ensemble learning","level":2,"score":0.3206999897956848},{"id":"https://openalex.org/C123860398","wikidata":"https://www.wikidata.org/wiki/Q6934605","display_name":"Multiclass classification","level":3,"score":0.31790000200271606},{"id":"https://openalex.org/C66905080","wikidata":"https://www.wikidata.org/wiki/Q17005494","display_name":"Binary classification","level":3,"score":0.31619998812675476},{"id":"https://openalex.org/C100660578","wikidata":"https://www.wikidata.org/wiki/Q18733","display_name":"Recall","level":2,"score":0.3095000088214874},{"id":"https://openalex.org/C146849305","wikidata":"https://www.wikidata.org/wiki/Q370766","display_name":"Ground truth","level":2,"score":0.30820000171661377},{"id":"https://openalex.org/C119898033","wikidata":"https://www.wikidata.org/wiki/Q3433888","display_name":"Ensemble forecasting","level":2,"score":0.29840001463890076},{"id":"https://openalex.org/C84525736","wikidata":"https://www.wikidata.org/wiki/Q831366","display_name":"Decision tree","level":2,"score":0.2800000011920929},{"id":"https://openalex.org/C158600405","wikidata":"https://www.wikidata.org/wiki/Q5054566","display_name":"Causal inference","level":2,"score":0.27889999747276306},{"id":"https://openalex.org/C45804977","wikidata":"https://www.wikidata.org/wiki/Q7239673","display_name":"Predictive modelling","level":2,"score":0.2685000002384186},{"id":"https://openalex.org/C148524875","wikidata":"https://www.wikidata.org/wiki/Q6975395","display_name":"F1 score","level":2,"score":0.26260000467300415},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.26010000705718994}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1007/s10462-025-11432-2","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10462-025-11432-2","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10462-025-11432-2.pdf","source":{"id":"https://openalex.org/S122814990","display_name":"Artificial Intelligence Review","issn_l":"0269-2821","issn":["0269-2821","1573-7462"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Artificial Intelligence Review","raw_type":"journal-article"},{"id":"pmh:oai:zaguan.unizar.es:168101","is_oa":true,"landing_page_url":"http://zaguan.unizar.es/record/168101","pdf_url":null,"source":{"id":"https://openalex.org/S4306401812","display_name":"Zaguan (University of Zaragoza Repository)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I255234318","host_organization_name":"Universidad de Zaragoza","host_organization_lineage":["https://openalex.org/I255234318"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":null,"raw_type":"info:eu-repo/semantics/publishedVersion"}],"best_oa_location":{"id":"doi:10.1007/s10462-025-11432-2","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10462-025-11432-2","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10462-025-11432-2.pdf","source":{"id":"https://openalex.org/S122814990","display_name":"Artificial Intelligence Review","issn_l":"0269-2821","issn":["0269-2821","1573-7462"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Artificial Intelligence Review","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320324111","display_name":"Universidad de Zaragoza","ror":"https://ror.org/012a91z28"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7119523666.pdf","grobid_xml":"https://content.openalex.org/works/W7119523666.grobid-xml"},"referenced_works_count":34,"referenced_works":["https://openalex.org/W3093410479","https://openalex.org/W3169302118","https://openalex.org/W3212496002","https://openalex.org/W4200094870","https://openalex.org/W4310398036","https://openalex.org/W4310511492","https://openalex.org/W4313890394","https://openalex.org/W4318185040","https://openalex.org/W4318570479","https://openalex.org/W4328011352","https://openalex.org/W4382281941","https://openalex.org/W4385776184","https://openalex.org/W4389805125","https://openalex.org/W4391519594","https://openalex.org/W4393141599","https://openalex.org/W4399307557","https://openalex.org/W4399979468","https://openalex.org/W4400975454","https://openalex.org/W4402157545","https://openalex.org/W4402158164","https://openalex.org/W4402334473","https://openalex.org/W4402446610","https://openalex.org/W4402980400","https://openalex.org/W4404691174","https://openalex.org/W4404849649","https://openalex.org/W4405490903","https://openalex.org/W4405974330","https://openalex.org/W4406265325","https://openalex.org/W4406595425","https://openalex.org/W4408324654","https://openalex.org/W4408325106","https://openalex.org/W4409261757","https://openalex.org/W4410857897","https://openalex.org/W4411183121"],"related_works":[],"abstract_inverted_index":{"Abstract":[0],"This":[1],"paper":[2],"presents":[3],"the":[4,37,89,139,145],"first":[5],"systematic":[6],"benchmark":[7],"evaluating":[8],"Large":[9],"Language":[10],"Models":[11],"(LLMs),":[12],"specifically":[13],"GPT-2,":[14],"GPT-Neo-125M,":[15],"and":[16,27,48,58,73,77,85,97,111,153],"LLaMA-3.2-1B,":[17],"as":[18,168],"standalone":[19],"classifiers":[20],"for":[21],"intrusion":[22],"detection,":[23],"covering":[24],"both":[25],"binary":[26],"multiclass":[28],"classification":[29],"tasks,":[30],"using":[31,135],"structured":[32],"Zeek":[33],"logs":[34],"derived":[35],"from":[36],"CIC":[38,90],"IoT":[39,91,169],"2023":[40,92],"dataset.":[41],"We":[42],"compare":[43],"their":[44],"performance":[45],"against":[46],"established":[47],"widely":[49],"used":[50],"Machine":[51],"Learning":[52,60],"(XGBoost,":[53],"Random":[54],"Forest,":[55],"Decision":[56],"Tree)":[57],"Deep":[59],"models":[61,81],"(MLP,":[62],"GRU,":[63],"LeNet-5)":[64],"across":[65],"key":[66],"evaluation":[67],"metrics:":[68],"detection":[69,149],"effectiveness":[70],"(precision,":[71],"recall":[72],"F1-score),":[74],"inference":[75,151],"speed,":[76],"resource":[78],"consumption.":[79],"All":[80],"are":[82],"consistently":[83],"trained":[84],"rigorously":[86],"evaluated":[87],"on":[88],"dataset,":[93],"ensuring":[94],"fair,":[95],"reproducible,":[96],"transparent":[98],"comparisons.":[99],"Our":[100],"findings":[101],"indicate":[102],"that":[103],"while":[104],"LLMs":[105,158],"achieve":[106],"strong":[107],"F1-score":[108,132],"exceeding":[109],"95%,":[110],"do":[112,121],"not":[113,122],"fully":[114],"utilize":[115],"available":[116,140],"GPU":[117],"resources,":[118],"they":[119],"still":[120],"outperform":[123],"top-performing":[124],"ML":[125],"models.":[126],"Notably":[127],"XGBoost":[128],"achieves":[129],"a":[130],"higher":[131],"of":[133,138],"96.96%,":[134],"only":[136],"4%":[137],"CPU.":[141],"These":[142],"results":[143],"emphasize":[144],"practical":[146],"trade-offs":[147],"between":[148],"capability,":[150],"efficiency,":[152],"hardware":[154],"requirements":[155],"when":[156],"applying":[157],"in":[159,164],"flow-based":[160],"IDS":[161],"contexts,":[162],"particularly":[163],"resource-constrained":[165],"environments":[166],"such":[167],"or":[170],"edge":[171],"deployments.":[172]},"counts_by_year":[{"year":2026,"cited_by_count":2}],"updated_date":"2026-06-18T10:00:31.954636","created_date":"2026-01-09T00:00:00"}