{"id":"https://openalex.org/W7158446078","doi":"https://doi.org/10.48550/arxiv.2604.26079","title":"Large Language Models as Explainable Cyberattack Detectors for Energy Industrial Control Systems","display_name":"Large Language Models as Explainable Cyberattack Detectors for Energy Industrial Control Systems","publication_year":2026,"publication_date":"2026-04-28","ids":{"openalex":"https://openalex.org/W7158446078","doi":"https://doi.org/10.48550/arxiv.2604.26079"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.26079","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.26079","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.26079","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5000645671","display_name":"Weiyi Kong","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kong, Weiyi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5034965559","display_name":"Ahmad Mohammad Saber","orcid":"https://orcid.org/0000-0003-3115-2384"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Saber, Ahmad Mohammad","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5134907829","display_name":"Amr Youssef","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Youssef, Amr","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5134881144","display_name":"Deepa Kundur","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Kundur, Deepa","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10917","display_name":"Smart Grid Security and Resilience","score":0.9381999969482422,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10917","display_name":"Smart Grid Security and Resilience","score":0.9381999969482422,"subfield":{"id":"https://openalex.org/subfields/2207","display_name":"Control and Systems Engineering"},"field":{"id":"https://openalex.org/fields/22","display_name":"Engineering"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.011699999682605267,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.006599999964237213,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/modbus","display_name":"Modbus","score":0.9577000141143799},{"id":"https://openalex.org/keywords/scada","display_name":"SCADA","score":0.7253000140190125},{"id":"https://openalex.org/keywords/industrial-control-system","display_name":"Industrial control system","score":0.6312000155448914},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.6003999710083008},{"id":"https://openalex.org/keywords/security-token","display_name":"Security token","score":0.5080000162124634},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.4537000060081482},{"id":"https://openalex.org/keywords/protocol","display_name":"Protocol (science)","score":0.44690001010894775},{"id":"https://openalex.org/keywords/interrupt","display_name":"Interrupt","score":0.4050999879837036},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.4004000127315521},{"id":"https://openalex.org/keywords/scheme","display_name":"Scheme (mathematics)","score":0.3889000117778778}],"concepts":[{"id":"https://openalex.org/C2776666747","wikidata":"https://www.wikidata.org/wiki/Q1135322","display_name":"Modbus","level":3,"score":0.9577000141143799},{"id":"https://openalex.org/C113863187","wikidata":"https://www.wikidata.org/wiki/Q17498","display_name":"SCADA","level":2,"score":0.7253000140190125},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6545000076293945},{"id":"https://openalex.org/C40071531","wikidata":"https://www.wikidata.org/wiki/Q2513962","display_name":"Industrial control system","level":3,"score":0.6312000155448914},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.6003999710083008},{"id":"https://openalex.org/C48145219","wikidata":"https://www.wikidata.org/wiki/Q1335365","display_name":"Security token","level":2,"score":0.5080000162124634},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.4537000060081482},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.44690001010894775},{"id":"https://openalex.org/C41661131","wikidata":"https://www.wikidata.org/wiki/Q220764","display_name":"Interrupt","level":3,"score":0.4050999879837036},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.4004000127315521},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3928000032901764},{"id":"https://openalex.org/C77618280","wikidata":"https://www.wikidata.org/wiki/Q1155772","display_name":"Scheme (mathematics)","level":2,"score":0.3889000117778778},{"id":"https://openalex.org/C157486923","wikidata":"https://www.wikidata.org/wiki/Q1376436","display_name":"String (physics)","level":2,"score":0.3799999952316284},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.35580000281333923},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.35519999265670776},{"id":"https://openalex.org/C80958533","wikidata":"https://www.wikidata.org/wiki/Q1047174","display_name":"Audit trail","level":3,"score":0.3440000116825104},{"id":"https://openalex.org/C186370098","wikidata":"https://www.wikidata.org/wiki/Q442787","display_name":"Energy (signal processing)","level":2,"score":0.3402000069618225},{"id":"https://openalex.org/C2777120189","wikidata":"https://www.wikidata.org/wiki/Q780067","display_name":"Triage","level":2,"score":0.33980000019073486},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.3260999917984009},{"id":"https://openalex.org/C29852176","wikidata":"https://www.wikidata.org/wiki/Q373338","display_name":"Critical infrastructure","level":2,"score":0.31690001487731934},{"id":"https://openalex.org/C2779697362","wikidata":"https://www.wikidata.org/wiki/Q390516","display_name":"Control room","level":2,"score":0.30469998717308044},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.30149999260902405},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.29339998960494995},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.2888000011444092},{"id":"https://openalex.org/C12269588","wikidata":"https://www.wikidata.org/wiki/Q132364","display_name":"Communications protocol","level":2,"score":0.2883000075817108},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.2867000102996826},{"id":"https://openalex.org/C2776303644","wikidata":"https://www.wikidata.org/wiki/Q1020499","display_name":"Interfacing","level":2,"score":0.2838999927043915},{"id":"https://openalex.org/C177212765","wikidata":"https://www.wikidata.org/wiki/Q627335","display_name":"Workflow","level":2,"score":0.27799999713897705},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.27720001339912415},{"id":"https://openalex.org/C200601418","wikidata":"https://www.wikidata.org/wiki/Q2193887","display_name":"Reliability engineering","level":1,"score":0.27630001306533813},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.274399995803833},{"id":"https://openalex.org/C178148461","wikidata":"https://www.wikidata.org/wiki/Q1632136","display_name":"Security controls","level":3,"score":0.2703000009059906},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.26649999618530273},{"id":"https://openalex.org/C29825287","wikidata":"https://www.wikidata.org/wiki/Q1427940","display_name":"Warning system","level":2,"score":0.26100000739097595},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.2578999996185303},{"id":"https://openalex.org/C2776240099","wikidata":"https://www.wikidata.org/wiki/Q327018","display_name":"Interrogation","level":2,"score":0.25760000944137573},{"id":"https://openalex.org/C2779891390","wikidata":"https://www.wikidata.org/wiki/Q964630","display_name":"Custodians","level":2,"score":0.25519999861717224},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.2549999952316284},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2531000077724457},{"id":"https://openalex.org/C17500928","wikidata":"https://www.wikidata.org/wiki/Q959968","display_name":"Control system","level":2,"score":0.25029999017715454}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.26079","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.26079","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.26079","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.26079","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"display_name":"Affordable and clean energy","score":0.5168190598487854,"id":"https://metadata.un.org/sdg/7"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"In":[0,35],"modern":[1],"energy":[2],"systems,":[3],"industrial":[4],"control":[5],"systems":[6],"(ICS)":[7],"and":[8,76,101,123,139,164],"power-system":[9],"SCADA":[10],"require":[11],"intrusion":[12],"detection":[13],"that":[14,170],"is":[15,28,89,140],"not":[16],"only":[17],"accurate":[18],"but":[19],"also":[20],"auditable":[21],"by":[22,31],"operators.":[23],"The":[24],"ICS":[25,70],"intrusion-detection":[26],"landscape":[27],"currently":[29],"dominated":[30],"established":[32],"supervised":[33,145],"detectors.":[34],"this":[36,59],"paper,":[37],"we":[38,158],"study":[39],"whether":[40],"an":[41],"off-the-shelf":[42],"large":[43],"language":[44],"model":[45],"(LLM)":[46],"can":[47],"serve":[48],"as":[49,60,186],"a":[50,61,81,92,102,106,111],"complementary,":[51],"human-in-the-loop":[52],"layer":[53],"for":[54,116],"Modbus":[55,71,86],"traffic.":[56],"We":[57],"cast":[58],"binary":[62],"network-side":[63],"normal/critical":[64,107],"decision":[65],"task":[66],"on":[67,136],"two":[68],"public":[69],"datasets,":[72],"collapsing":[73],"attack":[74],"periods":[75],"other":[77],"safety-critical":[78],"behaviors":[79],"into":[80,91],"single":[82],"critical":[83],"class.":[84],"Each":[85],"communication":[87],"instance":[88],"converted":[90],"compact":[93],"token":[94],"string":[95],"derived":[96],"from":[97],"discretized":[98],"protocol":[99],"fields,":[100],"prompt-configured":[103],"LLM":[104],"produces":[105],"alert":[108],"together":[109],"with":[110],"concise,":[112],"token-grounded":[113],"incident":[114],"record":[115],"analyst":[117],"review.":[118],"Under":[119],"matched":[120],"event":[121],"information":[122],"shared":[124],"evaluation":[125],"splits,":[126],"the":[127,155,171,178],"resulting":[128],"LLM-based":[129],"triage":[130],"pipeline":[131],"achieves":[132],"high":[133],"predictive":[134],"performance":[135],"both":[137],"benchmarks":[138],"broadly":[141],"comparable":[142],"to":[143,177],"strong":[144],"baselines,":[146],"while":[147],"requiring":[148],"no":[149],"task-specific":[150],"weight":[151],"updates.":[152],"To":[153],"assess":[154],"audit":[156,187],"record,":[157],"apply":[159],"intervention-based":[160],"diagnostics,":[161],"including":[162],"sufficiency-":[163],"necessity-style":[165],"tests,":[166],"which":[167],"provide":[168],"evidence":[169],"cited":[172],"tokens":[173],"are":[174,184],"often":[175],"decision-relevant":[176],"model's":[179],"own":[180],"prediction.":[181],"These":[182],"records":[183],"intended":[185],"signals":[188],"rather":[189],"than":[190],"full":[191],"human-grounded":[192],"explanations.":[193]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-05-01T00:00:00"}
