TrafficLLM: Enhancing Large Language Models for Network Traffic Analysis with Generic Traffic Representation

Tianyu Cui, Xinjie Lin, Sijia Li, Miao Chen, Qilei Yin, Qi Li, Ke Xu

TL;DR

This work tackles the limited generalization of ML-based network traffic analysis by adapting large language models through TrafficLLM, a dual-stage fine-tuning framework. It introduces traffic-domain tokenization, a two-stage tuning process that aligns instruction semantics with traffic-pattern learning, and parameter-efficient adaptation (EA-PEFT) for rapid deployment in dynamic environments. Across 10 traffic-downstream tasks and about 0.4M tuning samples, TrafficLLM achieves state-of-the-art results on both detection and generation, with strong generalization to unseen data and real-world enterprise deployments. The approach demonstrates practical applicability, scalability, and a path toward broader adoption of LLMs in traffic analysis, aided by open-source datasets and tools.

Abstract

Machine learning (ML) powered network traffic analysis has been widely used for threat detection. Unfortunately, the generalization of these methods across different tasks and unseen data is very limited. Large language models (LLMs), known for their strong generalization capabilities, have shown promising performance in various domains. However, their application to the traffic analysis domain is limited due to the significantly different characteristics of network traffic. To address the issue, in this paper, we propose TrafficLLM, which introduces a dual-stage fine-tuning framework to learn generic traffic representation from heterogeneous raw traffic data. The framework uses traffic-domain tokenization, a dual-stage tuning pipeline, and extensible adaptation to help the LLM release its generalization ability on dynamic traffic analysis tasks, such that it enables traffic detection and traffic generation across a wide range of downstream tasks. We evaluate TrafficLLM across 10 distinct scenarios and 229 types of traffic. TrafficLLM achieves F1-scores of 0.9875 and 0.9483, with up to 80.12% and 33.92% better performance than existing detection and generation methods. It also shows strong generalization on unseen traffic with an 18.6% performance improvement. We further evaluate TrafficLLM in real-world scenarios. The results confirm that TrafficLLM is easy to scale and achieves accurate detection performance on enterprise traffic.

Paper Structure

This paper contains 34 sections, 5 equations, 17 figures, 10 tables.

Figures (17)

  • Figure 1: Limitations of a native LLM in handling traffic data with default tokenization and tuning strategies. Left and Middle: The LLM is ineffective and inaccurate when loading traffic data directly with language tokens. Right: The LLM struggles to learn multi-type semantics and traffic data at the same stage.
  • Figure 2: The adaptation costs of LLM's retraining to update traffic detection capabilities on new scenarios. TrafficLLM employs EA-PEFT to reduce the cost by using multiple external parameters to encapsulate different capabilities.
  • Figure 3: The overall framework of TrafficLLM. TrafficLLM employs three core techniques: traffic-domain tokenization to process instructions and traffic data, a dual-stage tuning pipeline to learn text semantics and traffic patterns across different tasks, and extensible adaptation with parameter-effective fine-tuning to update model parameters for new scenario adaptation.
  • Figure 4: Illustration of the dual-stage tuning pipeline to learn natural language and traffic patterns respectively.
  • Figure 5: The workflow of the extensible adaptation with parameter-effective fine-tuning (EA-PEFT) in TrafficLLM.
  • ...and 12 more figures