Holmes: An Evidence-Grounded LLM Agent for Auditable DDoS Investigation in Cloud Networks
Haodong Chen, Ziheng Zhang, Jinghui Jiang, Qiang Su, Qiao Xiang
TL;DR
Holmes reframes DDoS detection in cloud environments as an auditable investigation conducted by a virtual SRE LLM agent. It combines a hierarchical, on-demand workflow with a semantic Evidence Pack that converts binary traffic into compact, quotable anchors, and a strict quote-grounded reasoning protocol with JSON outputs. Experiments on CICDDoS2019 and scripted floods demonstrate robust, traceable attributions across attack families and reveal how audit logs expose reasoning gaps. The approach enables cost-efficient, auditable DDoS investigation in real-world cloud operations through verifiable evidence chains and structured reports.
Abstract
Cloud environments face frequent DDoS threats due to centralized resources and broad attack surfaces. Modern cloud-native DDoS attacks further evolve rapidly and often blend multi-vector strategies, creating an operational dilemma: defenders need wire-speed monitoring while also requiring explainable, auditable attribution for response. Existing rule-based and supervised-learning approaches typically output black-box scores or labels, provide limited evidence chains, and generalize poorly to unseen attack variants; meanwhile, high-quality labeled data is often difficult to obtain in cloud settings. We present Holmes (DDoS Detective), an LLM-based DDoS detection agent that reframes the model as a virtual SRE investigator rather than an end-to-end classifier. Holmes couples a funnel-like hierarchical workflow (counters/sFlow for continuous sensing and triage; PCAP evidence collection triggered only on anomaly windows) with an Evidence Pack abstraction that converts binary packets into compact, reproducible, high-signal structured evidence. On top of this evidence interface, Holmes enforces a structure-first investigation protocol and strict JSON/quotation constraints to produce machine-consumable reports with auditable evidence anchors. We evaluate Holmes on CICDDoS2019 reflection/amplification attacks and script-triggered flooding scenarios. Results show that Holmes produces attribution decisions grounded in salient evidence anchors across diverse attack families, and when errors occur, its audit logs make the failure source easy to localize, demonstrating the practicality of an LLM agent for cost-controlled and traceable DDoS investigation in cloud operations.
