🤖 AI Summary
To address the dual challenges of resource constraints on IoT edge devices and stringent real-time security requirements, this paper proposes a lightweight ML–LLM fusion framework for real-time intrusion detection. Methodologically, it employs efficient anomaly detectors—including decision trees, k-nearest neighbors (KNN), random forests, and a lightweight CNN–LSTM model—complemented by large language models (LLMs) such as GPT-4-turbo, DeepSeek-V2, and LLaMA 3.5 to perform zero-shot or few-shot reasoning and chain-of-thought analysis on low-bandwidth telemetry snapshots, yielding interpretable threat assessments and actionable response recommendations. Experimental evaluation demonstrates 98% detection accuracy across diverse real-world attack types, average response latency under 1.5 seconds, per-inference communication overhead below 1.2 kB, and energy consumption under 75 J. The framework thus achieves an unprecedented balance of high accuracy, ultra-low computational and communication overhead, and strong interpretability, validating its feasibility and superiority for deployment on resource-constrained edge gateways.
📝 Abstract
As the number of connected IoT devices continues to grow, securing these systems against cyber threats remains a major challenge, especially in environments with limited computational and energy resources. This paper presents an edge-centric Intrusion Detection System (IDS) framework that integrates lightweight machine learning (ML) based IDS models with pre-trained large language models (LLMs) to improve detection accuracy, semantic interpretability, and operational efficiency at the network edge. The system evaluates six ML-based IDS models: Decision Tree (DT), K-Nearest Neighbors (KNN), Random Forest (RF), Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), and a hybrid CNN-LSTM model on low-power edge gateways, achieving accuracy up to 98 percent under real-world cyberattacks. For anomaly detection, the system transmits a compact and secure telemetry snapshot (for example, CPU usage, memory usage, latency, and energy consumption) via low-bandwidth API calls to LLMs including GPT-4-turbo, DeepSeek V2, and LLaMA 3.5. These models use zero-shot, few-shot, and chain-of-thought reasoning to produce human-readable threat analyses and actionable mitigation recommendations. Evaluations across diverse attacks such as DoS, DDoS, brute force, and port scanning show that the system enhances interpretability while maintaining low latency (<1.5 s), minimal bandwidth usage (<1.2 kB per prompt), and energy efficiency (<75 J), demonstrating its practicality and scalability as an IDS solution for edge gateways.
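To make the pipeline in the abstract concrete, here is an added sketch (illustrative code, not the paper's implementation) of the gateway side: a lightweight detector gate, the compact telemetry snapshot, zero-shot/few-shot/chain-of-thought prompt modes with the 1.2 kB budget check, and validation of the LLM's reply against an action allowlist before anything acts on it. The rule thresholds, field names, allowlist and few-shot line are assumptions standing in for the paper's trained models and prompts.

```python
import json
from dataclasses import dataclass, asdict

PROMPT_BUDGET_BYTES = 1200  # the paper reports < 1.2 kB per prompt
ALLOWED_ACTIONS = {"alert_only", "rate_limit", "block_source"}  # assumed allowlist
REQUIRED_FIELDS = {"threat", "severity", "action"}

@dataclass
class TelemetrySnapshot:
    # Aggregate metrics only: no payloads, hostnames or addresses leave the gateway.
    cpu_pct: float
    mem_pct: float
    latency_ms: float
    energy_j: float
    syn_per_s: int
    distinct_dst_ports: int

def ml_gate(s: TelemetrySnapshot) -> str:
    """Stand-in for the on-device detector (hand-written rules, not the paper's
    trained DT/RF/CNN-LSTM). Returns 'benign' or a coarse alert label."""
    if s.syn_per_s > 500 and s.cpu_pct > 80.0:
        return "possible_dos"
    if s.distinct_dst_ports > 100:
        return "possible_port_scan"
    return "benign"

FEW_SHOT = (  # constructed demonstration pair for few-shot mode
    'Example: {"cpu_pct":92,"syn_per_s":2400,"distinct_dst_ports":3} -> '
    '{"threat":"SYN flood","severity":"high","action":"rate_limit"}\n'
)

def build_prompt(s: TelemetrySnapshot, label: str, mode: str = "few-shot") -> str:
    """Compose the low-bandwidth LLM request; mode is 'zero-shot', 'few-shot' or 'cot'."""
    body = json.dumps(asdict(s), separators=(",", ":"))  # compact encoding
    text = "Gateway IDS flagged " + label + ". Telemetry: " + body + "\n"
    if mode == "few-shot":
        text += FEW_SHOT
    elif mode == "cot":
        text += "Reason step by step about which metrics are abnormal, then answer.\n"
    return text + ('Reply with JSON {"threat","severity","action"}; action must be one of '
                   + ", ".join(sorted(ALLOWED_ACTIONS)) + ".")

def within_budget(prompt: str) -> bool:
    return len(prompt.encode("utf-8")) < PROMPT_BUDGET_BYTES

def parse_assessment(reply: str) -> dict:
    """Validate the LLM's reply before the gateway acts on it; reject unknown actions."""
    data = json.loads(reply)
    if not isinstance(data, dict) or not REQUIRED_FIELDS <= set(data):
        raise ValueError("assessment is missing required fields")
    if data["action"] not in ALLOWED_ACTIONS:
        raise ValueError("action not in allowlist: " + str(data["action"]))
    return data
```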