LENS: Lightweight and Explainable LLM-Based APT Detection at the Edge for 6G Security

Expected to be deployed in the early 2030s, sixth-generation (6G) wireless networks, with their high speed and integration with cutting-edge technology such as intelligent edge computing, expand the attack surface and face serious cyber threat risks such as Advanced Persistent Threats (APTs). This type of cyber attack can imitate benign network traffic and operate for long periods of time without being detected by traditional detection systems. This paper introduces LENS, a lightweight and explainable LLM-based network security framework designed to address this cybersecurity threat for 6G environments. LENS uses a fine-tuned DistilBERT model to convert raw network streams into natural language commands using contextual metadata and is trained on the CICAPT-IIoT (2024) dataset generated using real-time network traffic data. To evaluate the proposed model, adapted versions of DeepLog and EarlyCrow are compared using F1-score, false positive rate, and explainability metrics for binary APT classification on the CICAPT-IIoT dataset. All models are trained using a high-performance GPU (Nvidia A10) and validated by deploying on a real-world resource-constrained edge node (Raspberry Pi 4). The results confirm that LENS has higher performance in APT detection with 0.82 accuracy and 0.82 recall despite consuming higher energy compared to the other two baselines, and is applicable for edge-enabled 6G environments.