This paper presents a large language model (LLM)-based framework that adapts and fine-tunes compact LLMs for detecting cyberattacks on transformer current differential relays (TCDRs), which can otherwise cause false tripping of critical power transformers. The core idea is to textualize multivariate time-series current measurements from TCDRs, across phases and input/output sides, into structured natural-language prompts that are then processed by compact, locally deployable LLMs. Using this representation, we fine-tune DistilBERT, GPT-2, and DistilBERT+LoRA to distinguish cyberattacks from genuine fault-induced disturbances while preserving relay dependability. The proposed framework is evaluated against a broad set of state-of-the-art machine learning and deep learning baselines under nominal conditions, complex cyberattack scenarios, and measurement noise. Our results show that LLM-based detectors achieve competitive or superior cyberattack detection performance, with DistilBERT detecting up to 97.62% of attacks while maintaining perfect fault detection accuracy. Additional evaluations demonstrate robustness to prompt formulation variations, resilience under combined time-synchronization and false-data injection attacks, and stable performance under realistic measurement noise levels. The attention mechanisms of LLMs further enable intrinsic interpretability by highlighting the most influential time-phase regions of relay measurements. These results demonstrate that compact LLMs provide a practical, interpretable, and robust solution for enhancing cyberattack detection in modern digital substations. We provide the full dataset used in this study for reproducibility.
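A minimal sketch of the textualization step described above, added here as an illustration and not taken from the paper: it renders a window of per-phase, per-side relay currents as a structured text prompt that a compact LLM classifier could consume. The phase labels, side names, prompt wording, downsampling rule and sample data are all assumptions, since the abstract does not specify the prompt format.

```python
import math

PHASES = ("A", "B", "C")          # assumed phase labels
SIDES = ("primary", "secondary")  # assumed names for the relay's input/output sides

def textualize_window(window, step_ms=1.0, max_steps=8, decimals=2):
    """Render per-phase, per-side currents as a structured text prompt.

    window: list of time steps; each step maps side -> {phase: current in amperes}.
    Long windows are uniformly downsampled to bound the prompt length.
    """
    if not window:
        raise ValueError("empty measurement window")
    stride = max(1, math.ceil(len(window) / max_steps))
    lines = [
        "Transformer current differential relay measurements.",
        f"Sampling step: {step_ms * stride:g} ms. Units: amperes.",
    ]
    for idx in range(0, len(window), stride):
        step = window[idx]
        parts = []
        for side in SIDES:
            vals = []
            for ph in PHASES:
                v = step[side][ph]  # a missing side or phase raises KeyError on purpose
                if not math.isfinite(v):
                    raise ValueError(f"non-finite current at t={idx}, {side} {ph}")
                vals.append(f"{ph}={v:+.{decimals}f}")
            parts.append(f"{side} " + " ".join(vals))
        lines.append(f"t={idx * step_ms:g}ms: " + "; ".join(parts))
    # Hypothetical task wording; the paper's actual prompt text is not given here.
    lines.append("Question: is this disturbance a fault or a cyberattack?")
    return "\n".join(lines)

def make_constructed_window(n=16, freq_hz=50.0, step_ms=1.0, amp=100.0):
    """Constructed balanced three-phase sample data (not from the paper's dataset)."""
    window = []
    for k in range(n):
        t = k * step_ms / 1000.0
        step = {side: {} for side in SIDES}
        for i, ph in enumerate(PHASES):
            val = amp * math.sin(2 * math.pi * freq_hz * t - i * 2 * math.pi / 3)
            step["primary"][ph] = val
            step["secondary"][ph] = val  # ideal transformer, ratio normalised to 1
        window.append(step)
    return window

if __name__ == "__main__":
    print(textualize_window(make_constructed_window()))
```

Rejecting non-finite or missing samples before the prompt is built keeps malformed measurements from reaching the classifier as well-formed text.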