Lightweight Fine-Tuning of LLMS for Explainable Intrusion Detection in SDN

Cybersecurity concerns are rising with the rapid adoption of technology as cybercriminals grow more active. Protecting complex networks like Software-Defined Networking (SDN) is increasingly challenging because its centralized architecture introduces vulnerabilities that traditional security systems struggle to handle. This paper investigates the application of large language models (LLMs) for intrusion detection in SDN environments. Our proposed approach fine-tunes three LLMs, GPT_NEO, Phi-2, and Llama2-7b, through Quantized Low-Rank Adaptation (QLoRA), enabling efficient 4-bit quantization and reduced memory usage. Structured network features are transformed into natural language prompts for binary classification of benign and malicious traffic. Experimental results show that all models achieve high accuracy, with Llama2-7b and Phi-2 reaching high scores across multiple data scales. CodeCarbon tracking highlights the environmental trade-offs, with Llama27b consuming the most energy and Phi-2 being the most efficient. Our proposed framework for Phi-2 and GPT_NEO achieves a 1.00 accuracy score with the lowest CO2 emission of 0.173 when compared with the baselines. Further, we explore explainability challenges for our LLM models, noting the limitations of token-level interpretability tools in handling dense textual embeddings.