Hybrid LLM-Enhanced Intrusion Detection for Zero-Day Threats in IoT Networks

📅 2025-07-10
🤖 AI Summary
Traditional intrusion detection systems (IDS) struggle to identify zero-day and evolving threats in resource-constrained, heterogeneous IoT environments. The paper proposes a hybrid IDS framework that keeps rule-based signature matching for known threats (stable, interpretable detections) and adds a GPT-2 language model as a second stage that scores network traffic on its semantic context, so that attack patterns with no signature can still be surfaced. The framework targets distributed IoT deployments, where inference has to fit strict computational and memory budgets. On a representative intrusion dataset the authors report a 6.3% improvement in detection accuracy and a 9.0% reduction in false positives while keeping near-real-time responsiveness. The abstract does not say whether these figures are absolute or relative, nor which dataset was used, so they should not be compared directly with other published IDS numbers without reading the paper.

📝 Abstract
This paper presents a novel approach to intrusion detection by integrating traditional signature-based methods with the contextual understanding capabilities of the GPT-2 Large Language Model (LLM). As cyber threats become increasingly sophisticated, particularly in distributed, heterogeneous, and resource-constrained environments such as those enabled by the Internet of Things (IoT), the need for dynamic and adaptive Intrusion Detection Systems (IDSs) becomes increasingly urgent. While traditional methods remain effective for detecting known threats, they often fail to recognize new and evolving attack patterns. In contrast, GPT-2 excels at processing unstructured data and identifying complex semantic relationships, making it well-suited to uncovering subtle, zero-day attack vectors. We propose a hybrid IDS framework that merges the robustness of signature-based techniques with the adaptability of GPT-2-driven semantic analysis. Experimental evaluations on a representative intrusion dataset demonstrate that our model enhances detection accuracy by 6.3%, reduces false positives by 9.0%, and maintains near real-time responsiveness. These results affirm the potential of language model integration to build intelligent, scalable, and resilient cybersecurity defences suited for modern connected environments.
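The abstract and summary describe the same two-stage design: a signature stage for known threats in front of a language-model stage that scores traffic it has no rule for. The following is an added example, not code from the paper or its authors, showing that hybrid control flow over constructed flow records. A smoothed bigram model fitted on benign traffic stands in for the paper's GPT-2 stage (the scoring interface is the point, not the model), and the record format, the two signature rules and the threshold rule (benign mean plus three standard deviations) are all assumptions made for the example.

```python
"""Two-stage hybrid IDS: signature rules first, then a language-model
"surprise" score over flow records fitted on benign traffic only."""
import math
import re
import statistics
from collections import Counter

# Constructed benign flow records (not from any dataset), one connection each:
# proto, destination port, bytes out, bytes in, duration in ms, application.
BENIGN_TRAINING = [
    "proto=tcp dport=443 out=900 in=12000 dur=300 app=tls",
    "proto=tcp dport=443 out=1200 in=15000 dur=250 app=tls",
    "proto=tcp dport=80 out=400 in=3000 dur=120 app=http",
    "proto=tcp dport=80 out=450 in=3200 dur=110 app=http",
    "proto=udp dport=53 out=60 in=120 dur=20 app=dns",
    "proto=udp dport=53 out=64 in=130 dur=25 app=dns",
    "proto=tcp dport=1883 out=200 in=100 dur=50 app=mqtt",
    "proto=tcp dport=1883 out=210 in=110 dur=45 app=mqtt",
]

# Stage 1: hypothetical signature rules over the raw record. Telnet (23/2323)
# and TR-069 (7547) probes against IoT devices are classic Mirai-style activity.
SIGNATURES = {
    "iot-telnet-access": re.compile(r"\bdport=(23|2323)\b"),
    "cwmp-7547-probe": re.compile(r"\bdport=7547\b"),
}

NUMERIC_FIELDS = {"out", "in", "dur"}

def tokenize(record):
    """Turn 'key=value' fields into tokens. Byte and duration counts are
    bucketed by digit count so the model learns orders of magnitude rather
    than exact values it will never see again."""
    toks = ["<s>"]
    for field in record.split():
        key, _, value = field.partition("=")
        if key in NUMERIC_FIELDS and value.isdigit():
            value = "b%d" % len(value.lstrip("0") or "0")
        toks.append("%s=%s" % (key, value))
    toks.append("</s>")
    return toks

class BigramLM:
    """Add-one smoothed bigram model standing in for the paper's GPT-2 stage.
    score() is the mean negative log-likelihood per bigram (log perplexity):
    the higher it is, the less the record looks like the benign traffic."""

    def __init__(self, records):
        self.bigrams = Counter()
        self.contexts = Counter()
        vocab = set()
        for rec in records:
            toks = tokenize(rec)
            vocab.update(toks)
            for a, b in zip(toks, toks[1:]):
                self.bigrams[(a, b)] += 1
                self.contexts[a] += 1
        self.vocab_size = len(vocab)

    def score(self, record):
        toks = tokenize(record)
        nll = 0.0
        for a, b in zip(toks, toks[1:]):
            # Unseen contexts and tokens get a small but nonzero probability.
            p = (self.bigrams[(a, b)] + 1) / (self.contexts[a] + self.vocab_size)
            nll -= math.log(p)
        return nll / (len(toks) - 1)

class HybridIDS:
    """Signature stage for known threats, LM stage for anything the rules miss."""

    def __init__(self, benign_records, k=3.0):
        self.lm = BigramLM(benign_records)
        scores = [self.lm.score(r) for r in benign_records]
        # Threshold comes from benign traffic alone: mean + k standard deviations.
        self.threshold = statistics.mean(scores) + k * statistics.pstdev(scores)

    def classify(self, record):
        for name, rule in SIGNATURES.items():
            if rule.search(record):
                return "known-threat", name      # deterministic, explainable hit
        score = self.lm.score(record)
        if score > self.threshold:
            return "anomaly", round(score, 3)    # candidate zero-day, needs triage
        return "benign", round(score, 3)

# Constructed test records: a normal fetch, a signature hit, an MQTT client
# suddenly pushing megabytes out, and an unknown service on an odd port.
TEST_RECORDS = [
    "proto=tcp dport=80 out=380 in=2900 dur=130 app=http",
    "proto=tcp dport=23 out=120 in=80 dur=30 app=telnet",
    "proto=tcp dport=1883 out=5000000 in=100 dur=50 app=mqtt",
    "proto=tcp dport=4444 out=500000 in=200 dur=9000 app=unknown",
]

if __name__ == "__main__":
    ids = HybridIDS(BENIGN_TRAINING)
    for rec in TEST_RECORDS:
        print(ids.classify(rec), "<-", rec)
```

Two design points carry over to the real system. The signature stage runs first and short-circuits, so a known threat is always reported with its rule name rather than an opaque score, which is the interpretability argument in the abstract. The anomaly threshold is derived from benign traffic only, so the false-positive rate is a direct function of the margin k and of how representative the benign sample is; the MQTT record is caught only because its outbound volume is out of distribution, which is exactly the kind of unseen pattern a signature cannot express.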
Problem

Research questions and friction points this paper is trying to address.

Detecting zero-day threats in IoT networks
Combining signature-based and LLM methods for intrusion detection
Improving accuracy and reducing false positives in IDS
Innovation

Methods, ideas, or system contributions that make the work stand out.

Hybrid IDS combining signature-based detection with GPT-2 semantic analysis
GPT-2 stage scores traffic on semantic context so patterns without a signature can still be flagged
Reports 6.3% higher detection accuracy and 9.0% fewer false positives on a representative intrusion dataset
Authors
Mohammad F. Al-Hammouri, Dept. of Computer Engineering, The Hashemite University, Zarqa, Jordan
Yazan Otoum, University of Ottawa
Rasha Atwa, College of Computer Science and Engineering, University of Jeddah, Saudi Arabia
Amiya Nayak, School of Electrical Engineering and Computer Science, University of Ottawa, Canada