Industrial control systems (ICS) are vital to modern infrastructure but increasingly vulnerable to cybersecurity threats, particularly through weaknesses in their communication protocols. This paper presents MALF (Multi-Agent LLM Fuzzing Framework), an advanced fuzzing solution that integrates large language models (LLMs) with multi-agent coordination to identify vulnerabilities in industrial control protocols (ICPs). By leveraging Retrieval-Augmented Generation (RAG) for domain-specific knowledge and QLoRA fine-tuning for protocol-aware input generation, MALF improves the precision and adaptability of fuzz testing. The multi-agent framework optimizes seed generation, mutation strategies, and feedback-driven refinement, leading to improved vulnerability discovery. Experiments on protocols such as Modbus/TCP, S7Comm, and Ethernet/IP demonstrate that MALF surpasses traditional methods, achieving a test case pass rate (TCPR) of 88-92% and generating more exception triggers (ETN). MALF also maintains over 90% seed coverage and Shannon entropy values between 4.2 and 4.6 bits, ensuring diverse, protocol-compliant mutations. Deployed in a real-world Industrial Attack-Defense Range for power plants, MALF identified critical vulnerabilities, including three zero-day flaws, one of which was confirmed and registered by CNVD. These results validate MALF's effectiveness in real-world fuzzing applications. This research highlights the transformative potential of multi-agent LLMs in ICS cybersecurity, offering a scalable, automated framework that sets a new standard for vulnerability discovery and strengthens critical infrastructure security against emerging threats.