Rethinking On-Device LLM Reasoning: Why Analogical Mapping Outperforms Abstract Thinking for IoT DDoS Detection

📅 2026-01-20
🤖 AI Summary
This work addresses the challenge of effectively detecting complex distributed denial-of-service (DDoS) attacks using compact on-device large language models (ODLLMs) under stringent resource constraints typical of IoT edge devices. To overcome the limitations of small-scale models in abstract reasoning, the authors propose an analogy-mapping inference mechanism tailored for edge computing, which integrates chain-of-thought (CoT) reasoning with retrieval-augmented generation (RAG). By replacing abstract reasoning with exemplar-driven few-shot analogical inference, the approach significantly enhances detection performance. Experimental evaluations on lightweight ODLLMs—including LLaMA-3.2 (1B/3B) and Gemma-3 (1B/4B)—demonstrate a macro-averaged F1 score of up to 0.85 under strict computational budgets, confirming the method’s effectiveness and superiority in identifying sophisticated DDoS attacks at the edge.

📝 Abstract
The rapid expansion of IoT deployments has intensified cybersecurity threats, notably Distributed Denial of Service (DDoS) attacks, characterized by increasingly sophisticated patterns. Leveraging Generative AI through On-Device Large Language Models (ODLLMs) provides a viable solution for real-time threat detection at the network edge, though limited computational resources present challenges for smaller ODLLMs. This paper introduces a novel detection framework that integrates Chain-of-Thought (CoT) reasoning with Retrieval-Augmented Generation (RAG), tailored specifically for IoT edge environments. We systematically evaluate compact ODLLMs, including LLaMA 3.2 (1B, 3B) and Gemma 3 (1B, 4B), using structured prompting and exemplar-driven reasoning strategies. Experimental results demonstrate substantial performance improvements with few-shot prompting, achieving macro-average F1 scores as high as 0.85. Our findings highlight the significant advantages of incorporating exemplar-based reasoning, underscoring that CoT and RAG approaches markedly enhance small ODLLMs' capabilities in accurately classifying complex network attacks under stringent resource constraints.
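
The exemplar-driven idea in the abstract, as an added illustration that is not the paper's code: retrieve the labelled flows nearest to an unknown flow and place them in a few-shot prompt, so a small model compares against concrete cases instead of reasoning from an abstract definition. The feature names, sample values, distance metric and prompt wording are all assumptions; the page does not specify them.

```python
import math

# Constructed labelled flow summaries (feature names and values are assumptions).
EXEMPLARS = [
    ({"pkts_per_s": 12, "syn_ratio": 0.05, "avg_pkt_len": 540, "uniq_dst_ports": 3}, "benign"),
    ({"pkts_per_s": 9500, "syn_ratio": 0.97, "avg_pkt_len": 60, "uniq_dst_ports": 1}, "syn_flood"),
    ({"pkts_per_s": 8000, "syn_ratio": 0.00, "avg_pkt_len": 1200, "uniq_dst_ports": 40}, "udp_flood"),
    ({"pkts_per_s": 30, "syn_ratio": 0.10, "avg_pkt_len": 300, "uniq_dst_ports": 2}, "benign"),
    ({"pkts_per_s": 7000, "syn_ratio": 0.92, "avg_pkt_len": 64, "uniq_dst_ports": 2}, "syn_flood"),
]
FEATURES = list(EXEMPLARS[0][0])

def _scaled(flow, lo, hi):
    # Min-max scale each feature so large-magnitude ones (pkts_per_s) do not dominate.
    return [(flow[f] - lo[f]) / ((hi[f] - lo[f]) or 1.0) for f in FEATURES]

def retrieve(query, k=2):
    """Return the k exemplars closest to the query (the retrieval step)."""
    lo = {f: min(e[0][f] for e in EXEMPLARS) for f in FEATURES}
    hi = {f: max(e[0][f] for e in EXEMPLARS) for f in FEATURES}
    q = _scaled(query, lo, hi)
    ranked = sorted(EXEMPLARS, key=lambda e: math.dist(q, _scaled(e[0], lo, hi)))
    return ranked[:k]

def fmt(flow):
    return ", ".join(f"{f}={flow[f]}" for f in FEATURES)

def build_prompt(query, k=2):
    """Assemble a few-shot prompt that asks for a comparison, then a label."""
    labels = sorted({label for _, label in EXEMPLARS})
    lines = ["Classify the IoT traffic flow by comparing it with the labelled examples.",
             "Allowed labels: " + ", ".join(labels), ""]
    for flow, label in retrieve(query, k):
        lines += [f"Example: {fmt(flow)}", f"Label: {label}", ""]
    lines += [f"Flow: {fmt(query)}",
              "Which example is this flow most similar to, and why? Then give the label.",
              "Label:"]
    return "\n".join(lines)

if __name__ == "__main__":
    unknown = {"pkts_per_s": 8800, "syn_ratio": 0.95, "avg_pkt_len": 62, "uniq_dst_ports": 1}
    print(build_prompt(unknown))
```

Retrieving only a few exemplars keeps the prompt short, which matters for the 1B to 4B models named above.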
Problem

Research questions and friction points this paper is trying to address.

IoT DDoS detection
On-Device LLM
Edge AI
Resource-constrained reasoning
Cybersecurity
Innovation

Methods, ideas, or system contributions that make the work stand out.

On-Device LLM
Chain-of-Thought Reasoning
Retrieval-Augmented Generation
Exemplar-based Reasoning
IoT DDoS Detection