Traditional machine learning (ML) methods exhibit limited detection performance against increasingly sophisticated DDoS attacks in IoT networks, primarily due to their inability to adapt to dynamic attack patterns. To address this, we propose a lightweight, real-time DDoS detection framework powered by an On-Device Large Language Model (ODLLM), introducing the first ODLLM-driven detection paradigm for edge environments. Our method features a novel feature-ranking-guided hierarchical knowledge base construction mechanism, integrating mutual information and SHAP-based feature selection with a dual-scale knowledge base—comprising long-term global and short-term local representations—to jointly optimize model capability under stringent edge compute constraints and data privacy requirements. Experimental results demonstrate that the framework achieves an average detection accuracy of 98.2% on resource-constrained edge devices—outperforming conventional ML approaches by 12.6%—while maintaining strong robustness against hybrid DDoS attacks and an inference latency below 45 ms.

The widespread adoption of Internet of Things (IoT) devices has introduced significant cybersecurity challenges, particularly with the increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks. Traditional machine learning (ML) techniques often fall short in detecting such attacks due to the complexity of blended and evolving patterns. To address this, we propose a novel framework leveraging On-Device Large Language Models (ODLLMs) augmented with fine-tuning and knowledge base (KB) integration for intelligent IoT network attack detection. By implementing feature ranking techniques and constructing both long and short KBs tailored to model capacities, the proposed framework ensures efficient and accurate detection of DDoS attacks while overcoming computational and privacy limitations. Simulation results demonstrate that the optimized framework achieves superior accuracy across diverse attack types, especially when using compact models in edge computing environments. This work provides a scalable and secure solution for real-time IoT security, advancing the applicability of edge intelligence in cybersecurity.