
DrLLM: Prompt-Enhanced Distributed Denial-of-Service Resistance Method with Large Language Models

Zhenyu Yin, Shang Liu, Guangyuan Xu

TL;DR

DrLLM targets zero-shot DDoS resistance by transforming network traffic features into text prompts for LLM-based reasoning. It introduces Knowledge Embedding to inject global data statistics, Token Embedding to constrain outputs with CoD and guide progressive reasoning via Zero-shot-CoT, and a Progressive Role Reasoning pipeline that yields probabilistic classifications $P_i$ evaluated against ground truth. Experiments on CICDDoS2019 show improvements in F1 and AUC across several backbones, with Deepseek-chat-v2 often delivering the strongest performance, and stability analyses indicating reduced confidence bias and confidence loss when the modules are applied. The work demonstrates the viability of LLMs for cybersecurity in zero-shot settings and provides open-source code for reproducibility, pointing to future directions like retrieval-augmented generation.

Abstract

The increasing number of Distributed Denial of Service (DDoS) attacks poses a major threat to the Internet, highlighting the importance of DDoS mitigation. Most existing approaches require complex training methods to learn data features, which increases the complexity and generality of the application. In this paper, we propose DrLLM, which aims to mine anomalous traffic information in zero-shot scenarios through Large Language Models (LLMs). To bridge the gap between DrLLM and existing approaches, we embed the global and local information of the traffic data into the reasoning paradigm and design three modules, namely Knowledge Embedding, Token Embedding, and Progressive Role Reasoning, for data representation and reasoning. In addition, we explore the generalization of prompt engineering in the cybersecurity domain to improve the classification capability of DrLLM. Our ablation experiments demonstrate the applicability of DrLLM in zero-shot scenarios and further demonstrate the potential of LLMs in the network domains. DrLLM implementation code has been open-sourced at https://github.com/liuup/DrLLM.
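The pipeline summarised above (flow features serialised into a prompt together with global statistics, a constrained probabilistic answer $P_i$, scoring against ground truth with F1 and AUC) can be sketched as follows; this is an added example, not code from the DrLLM repository, and no model is called. The feature names, prompt wording, `P=` answer format, neutral fallback for malformed replies, and the sample flows and replies are all constructed assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed sample flows (not CICDDoS2019 rows); feature names are assumptions.
FLOWS = [
    {"flow_duration_us": 120000, "fwd_packets": 12, "pkt_len_mean": 540.0},
    {"flow_duration_us": 95000, "fwd_packets": 9, "pkt_len_mean": 610.0},
    {"flow_duration_us": 300, "fwd_packets": 2, "pkt_len_mean": 1400.0},
    {"flow_duration_us": 250, "fwd_packets": 2, "pkt_len_mean": 1420.0},
]
LABELS = [0, 0, 1, 1]  # constructed ground truth: 1 = DDoS, 0 = benign
# Constructed model replies, one per flow; the last one ignores the answer format.
REPLIES = ["Typical size. P=0.10", "Unsure. P=0.70", "Short burst. P = 0.92", "I cannot decide"]

def global_stats(flows):
    """Global per-feature (mean, std) over the capture, injected into every prompt."""
    return {k: (mean(f[k] for f in flows), pstdev(f[k] for f in flows)) for k in flows[0]}

def build_prompt(flow, stats):
    """Serialise one flow plus the global statistics into a text prompt."""
    lines = ["You are a network traffic analyst. Global statistics of the capture:"]
    lines += [f"- {k}: mean={m:.1f}, std={s:.1f}" for k, (m, s) in stats.items()]
    lines.append("Flow under analysis:")
    lines += [f"- {k}: {v}" for k, v in flow.items()]
    lines.append("Think step by step, then end with one line: P=<probability of DDoS in [0,1]>")
    return "\n".join(lines)

def parse_probability(reply):
    """Return the last P=<number> in the reply, or None if absent or outside [0, 1]."""
    hits = re.findall(r"P\s*=\s*([0-9]*\.?[0-9]+)", reply)
    p = float(hits[-1]) if hits else -1.0
    return p if 0.0 <= p <= 1.0 else None

def to_scores(replies, fallback=0.5):
    """Malformed replies get a neutral score instead of being silently dropped (assumption)."""
    return [fallback if (p := parse_probability(r)) is None else p for r in replies]

def f1_score(labels, probs, threshold=0.5):
    pred = [int(p >= threshold) for p in probs]
    tp = sum(1 for y, q in zip(labels, pred) if y and q)
    fp = sum(1 for y, q in zip(labels, pred) if not y and q)
    fn = sum(1 for y, q in zip(labels, pred) if y and not q)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def auc(labels, probs):
    """Rank-based AUC: share of (attack, benign) pairs scored in the right order."""
    pos = [p for y, p in zip(labels, probs) if y]
    neg = [p for y, p in zip(labels, probs) if not y]
    return sum((a > b) + 0.5 * (a == b) for a in pos for b in neg) / (len(pos) * len(neg))
```

Counting how many replies fall back to the neutral score is worth tracking separately, since a model that often ignores the answer format inflates or deflates F1 depending on the threshold.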

Paper Structure

This paper contains 20 sections, 1 equation, 1 figure, 2 tables.

Figures (1)

  • Figure 1: The overall framework of DrLLM. The framework is divided into four main modules: the preparation module, the knowledge embedding module, the token embedding module, and the role reasoning module.