
Autonomous LLM Agent: A Memory-Augmented, Edge-Optimized SHAP Explanations With Zero-Day Attack Resilience in IoT/Industrial IoT Networks

Abstract

The Internet of Things (IoT), and in particular its industrial subset, the Industrial IoT (IIoT), presents a critical attack surface because of its interconnected nature. As emerging threats exploit IoT edge networks, there is growing demand for anomaly detection systems that can handle zero-day attacks while producing explainable predictions. Existing machine learning (ML) and deep learning (DL) methods often lack explainability and adjustable sensitivity, have no large language model (LLM) agent for adaptive detection, and struggle with unseen zero-day threats. Motivated by these challenges, we introduce Anomaly-Agent, a novel LLM-powered explainable anomaly detection framework for IoT/IIoT edge environments. Anomaly-Agent uses a reasoning-followed-by-action pipeline that integrates domain tools, external knowledge retrieval, and memory-augmented decisions to detect and explain anomalies. Unlike static ML/DL models, Anomaly-Agent adapts to evolving zero-day threats and supports sensitivity customization. We evaluated Anomaly-Agent on the Edge-IIoTset (IIoT-specific) and CIC-IoT2023 (general IoT) datasets; it achieved accuracies of 0.96 and 0.89, respectively, with a false alarm rate (FAR) below 0.04. It also attains a recall of 0.65 on zero-day attacks, surpassing traditional ML models and LLM baselines including GPT-4o, Claude 3.5, and GPT-4o-mini. Anomaly-Agent outperformed GPT-4o and Claude 3.5 because those baselines rely on generic prompting, which limits them to a multiclass F1-score of 64%–70% on CIC-IoT2023; their high FAR of 10%–13% stems from misclassifying benign edge traffic as malicious. It also surpasses GPT-4o-mini, whose token constraints reduce accuracy to 58% on multiclass tasks. The agent's performance further benefits from integration with Shapley additive explanations (SHAP), which improves transparency and trust.
While it demonstrates strong performance, Anomaly-Agent still faces inherent challenges in latency under complex scenarios and in adversarial robustness, and these guide future improvements. These results demonstrate Anomaly-Agent's robustness and interpretability, offering a viable path toward resilient, LLM-driven IoT/IIoT security solutions.
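The abstract reports four metrics (accuracy, false alarm rate, zero-day recall, multiclass F1) without defining them. The script below, an added example and not code from the Anomaly-Agent paper, computes all four from a constructed set of multiclass predictions so the numbers can be read with the right denominators: FAR is measured over benign samples only, and zero-day recall is taken here to count a held-out attack class as detected when it is labelled as any attack, since the detector never saw the true class name. The class names, the prediction lists, and that zero-day convention are assumptions made for the illustration, not details taken from the paper.

```python
# Added example (not code from the Anomaly-Agent paper): computes the four
# metrics the abstract reports (accuracy, false alarm rate, zero-day recall,
# macro F1) from a constructed set of multiclass predictions. Class names and
# the prediction lists below are made up for illustration.
from collections import Counter

BENIGN = "benign"

# Constructed ground truth and predictions for 22 flows. "ransomware" stands
# in for a zero-day attack class absent from training, so the detector can
# never emit that label; it can only route those flows to some attack class.
Y_TRUE = ["benign"] * 10 + ["ddos"] * 5 + ["mitm"] * 3 + ["ransomware"] * 4
Y_PRED = (
    ["benign"] * 9 + ["ddos"]               # one benign flow raises a false alarm
    + ["ddos"] * 4 + ["benign"]             # one DDoS flow missed
    + ["mitm"] * 3                          # all MITM flows caught
    + ["ddos", "mitm", "benign", "benign"]  # 2 of 4 zero-day flows flagged as attacks
)
KNOWN_CLASSES = ["benign", "ddos", "mitm"]   # labels seen at training time
ZERO_DAY_CLASSES = {"ransomware"}            # assumed held-out attack class


def accuracy(y_true, y_pred):
    """Plain multiclass accuracy over all samples, zero-day ones included."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def false_alarm_rate(y_true, y_pred):
    """FP / (FP + TN) over benign samples: the share of benign traffic flagged
    as any attack class. This is the failure mode the abstract attributes to
    the LLM baselines (benign edge traffic labelled malicious)."""
    benign = [p for t, p in zip(y_true, y_pred) if t == BENIGN]
    return sum(p != BENIGN for p in benign) / len(benign) if benign else 0.0


def zero_day_recall(y_true, y_pred, zero_day_classes):
    """Assumed convention: a zero-day sample counts as detected when it is
    labelled as *any* attack class, because its true label did not exist at
    training time and an exact class match cannot be required."""
    zd = [p for t, p in zip(y_true, y_pred) if t in zero_day_classes]
    return sum(p != BENIGN for p in zd) / len(zd) if zd else 0.0


def per_class_f1(y_true, y_pred, cls):
    """F1 = 2TP / (2TP + FP + FN) for one class (one-vs-rest)."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == cls and p == cls for t, p in pairs)
    fp = sum(t != cls and p == cls for t, p in pairs)
    fn = sum(t == cls and p != cls for t, p in pairs)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def macro_f1(y_true, y_pred, classes):
    """Macro-averaged F1 over the known classes. Zero-day samples have no
    class of their own here, but they still count as false positives for
    whichever known class absorbed them, which is why zero-day traffic can
    lower a multiclass F1 even when it is correctly flagged as an attack."""
    return sum(per_class_f1(y_true, y_pred, c) for c in classes) / len(classes)


def evaluate(y_true=Y_TRUE, y_pred=Y_PRED):
    """Return every metric plus the raw confusion counts for inspection."""
    return {
        "accuracy": accuracy(y_true, y_pred),
        "far": false_alarm_rate(y_true, y_pred),
        "zero_day_recall": zero_day_recall(y_true, y_pred, ZERO_DAY_CLASSES),
        "macro_f1": macro_f1(y_true, y_pred, KNOWN_CLASSES),
        "confusion": Counter(zip(y_true, y_pred)),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(name, value)
```

On the constructed sample the detector scores an accuracy of 8/11, a FAR of 0.10, a zero-day recall of 0.50 and a macro F1 of about 0.80; the point of separating the metrics is that the same prediction list can look acceptable on accuracy while the FAR over benign flows alone, the number an operator actually pays for in alert volume, is far worse.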
