LLM-based Generation of Formal Specification for Run-time Security Monitoring of ICS

Industrial Control Systems (ICS) are vulnerable to cybersecurity threats due to their distributed architecture and critical role in infrastructure sectors. Ensuring their secure operation requires deploying runtime monitoring mechanisms to detect behavioral deviations, with inline security monitorin...

Full description

Saved in:
Bibliographic Details
Published in:2025 IEEE International Conference on Cyber Security and Resilience (CSR) pp. 957 - 962
Main Authors: Raptis, George E., Khan, Muhammad Taimoor, Koulamas, Christos, Serpanos, Dimitrios
Format: Conference Proceeding
Language:English
Published: IEEE 04.08.2025
Subjects:
cyberphysical systems
formal specification
Formal specifications
Generative AI
Industrial control
Industrial Control Systems (ICS)
inline monitors
Java Modeling Language (JML)
Large language models
large language models (LLMs)
Monitoring
Runtime
runtime verification
Security
security monitoring
Software
Source coding
water distribution systems
Writing
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Industrial Control Systems (ICS) are vulnerable to cybersecurity threats due to their distributed architecture and critical role in infrastructure sectors. Ensuring their secure operation requires deploying runtime monitoring mechanisms to detect behavioral deviations, with inline security monitoring arising as a practical solution. However, writing these specifications manually is time-consuming, error-prone, and requires deep domain expertise. In this paper, we explore the feasibility of using large language models (LLMs) to assist in generating JML-based inline security monitors for ICS applications. Using a water distribution system as a testbed, we prompt the model with structured templates and evaluate its output against expertwritten specifications. Our results highlight that LLMs can correctly infer key security properties and produce contextaware assertions with minimal guidance, marking an early but promising step toward automated monitor synthesis.
DOI:10.1109/CSR64739.2025.11130130