LLM-based Generation of Formal Specification for Run-time Security Monitoring of ICS

Industrial Control Systems (ICS) are vulnerable to cybersecurity threats due to their distributed architecture and critical role in infrastructure sectors. Ensuring their secure operation requires deploying runtime monitoring mechanisms to detect behavioral deviations, with inline security monitorin...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:2025 IEEE International Conference on Cyber Security and Resilience (CSR) S. 957 - 962
Hauptverfasser: Raptis, George E., Khan, Muhammad Taimoor, Koulamas, Christos, Serpanos, Dimitrios
Format: Tagungsbericht
Sprache:Englisch
Veröffentlicht: IEEE 04.08.2025
Schlagworte:
cyberphysical systems
formal specification
Formal specifications
Generative AI
Industrial control
Industrial Control Systems (ICS)
inline monitors
Java Modeling Language (JML)
Large language models
large language models (LLMs)
Monitoring
Runtime
runtime verification
Security
security monitoring
Software
Source coding
water distribution systems
Writing
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Industrial Control Systems (ICS) are vulnerable to cybersecurity threats due to their distributed architecture and critical role in infrastructure sectors. Ensuring their secure operation requires deploying runtime monitoring mechanisms to detect behavioral deviations, with inline security monitoring arising as a practical solution. However, writing these specifications manually is time-consuming, error-prone, and requires deep domain expertise. In this paper, we explore the feasibility of using large language models (LLMs) to assist in generating JML-based inline security monitors for ICS applications. Using a water distribution system as a testbed, we prompt the model with structured templates and evaluate its output against expertwritten specifications. Our results highlight that LLMs can correctly infer key security properties and produce contextaware assertions with minimal guidance, marking an early but promising step toward automated monitor synthesis.
DOI:10.1109/CSR64739.2025.11130130