
arxiv: 2605.26307 · v1 · pith:KANC3JEXnew · submitted 2026-05-25 · 💻 cs.CR · cs.AI · cs.NI

Intelligent Detection and Mitigation of Carpet-Bombing DDoS Attacks in SDN Using Retrieval-Augmented Generation and Large Language Models

Pith reviewed 2026-06-29 21:08 UTC · model grok-4.3

classification 💻 cs.CR · cs.AI · cs.NI

keywords DDoS detection · SDN security · Retrieval-Augmented Generation · Large Language Models · Carpet-Bombing attacks · traffic classification · network mitigation · semantic embeddings

The pith

A RAG framework with LLMs detects carpet-bombing DDoS attacks in SDN from semantic traffic embeddings without any supervised training.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes a framework that represents network traffic features as semantic embeddings, retrieves similar examples using FAISS, and uses large language models to infer whether the traffic is a carpet-bombing DDoS attack. This approach operates without training or retraining models on labeled data. It would matter if true because SDN environments are especially exposed to these evasive attacks that spread traffic across many targets, and a training-free method could adapt quickly to new threats. Experiments across attack scenarios showed high accuracy and stability, with the Gemma model performing best, and real-time tests confirmed mitigation without disrupting the network.

Core claim

The proposed retrieval-augmented generation framework integrates interface-level traffic feature representation into semantic embeddings, FAISS-based similarity retrieval, and LLM-driven contextual inference to classify and mitigate carpet-bombing DDoS attacks in SDN environments in real time, without requiring conventional supervised model training or retraining, and achieves highly accurate and stable detection performance.

What carries the argument

Retrieval-augmented generation pipeline that converts interface traffic features to semantic embeddings, retrieves via FAISS, and feeds to an LLM for zero-training contextual classification of attack behavior.

If this is right

  • The framework delivers highly accurate and stable attack detection across varying attack intensities.
  • The configuration with the Gemma-4-31B-IT model produces the strongest overall detection results.
  • Real-time experiments demonstrate rapid detection and mitigation of attacks while keeping SDN network operation stable.
  • Both structured JSON and natural language representations of traffic can be used with multiple LLMs to support the classification.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the retrieval database covers representative normal and attack patterns, the system could handle evolving attack strategies without retraining.
  • Deploying this in live SDN controllers might enable on-the-fly security adjustments that traditional signature-based systems cannot match.
  • Testing the framework on other DDoS variants could reveal whether the semantic embedding approach generalizes beyond carpet-bombing patterns.

Load-bearing premise

Semantic embeddings of interface-level traffic features, when retrieved by similarity and interpreted by an LLM, can distinguish carpet-bombing DDoS traffic from normal traffic without any supervised training.

What would settle it

A test where the LLM consistently fails to flag attack traffic or mislabels normal traffic as attacks when the retrieval set includes only standard patterns would show the classification does not reliably work.

Original abstract

Software-Defined Networking (SDN) provides flexible and programmable network management; however, its centralized control architecture remains highly vulnerable to Distributed Denial-of-Service (DDoS) attacks, particularly Carpet-Bombing DDoS attacks that distribute malicious traffic across multiple targets to evade conventional detection mechanisms. In this paper, a Retrieval-Augmented Generation (RAG)-based framework is proposed for real-time detection and mitigation of Carpet-Bombing DDoS attacks in SDN environments. The proposed framework combines interface-level traffic features representation, semantic embedding generation, FAISS-based similarity retrieval, and Large Language Model (LLM)-driven contextual inference to classify traffic behavior without requiring conventional supervised model training or retraining. To evaluate the effectiveness of the proposed framework, extensive experiments were conducted under multiple Carpet-Bombing DDoS attack scenarios with different attack intensities. In addition, two traffic representation strategies, namely structured JSON-based representation and natural language-based representation (NLR), were investigated using multiple state-of-the-art LLMs. The experimental results demonstrate that the proposed framework achieved highly accurate and stable attack detection performance, while the framework configuration utilizing the Gemma-4-31B-IT model achieved the strongest overall detection results. Furthermore, real-time experiments confirmed the capability of the proposed framework to rapidly detect and mitigate Carpet-Bombing DDoS attacks while maintaining stable SDN network operation. The obtained results highlight the effectiveness of integrating RAG mechanisms with LLM for intelligent and adaptive SDN security analysis.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes a RAG-based framework for real-time detection and mitigation of Carpet-Bombing DDoS attacks in SDN. Interface-level traffic features are converted to semantic embeddings (via structured JSON or natural language representations), retrieved using FAISS, and fed to an off-the-shelf LLM for contextual classification without any supervised training or retraining. Experiments across multiple attack intensities and two representation strategies claim highly accurate and stable detection, with the Gemma-4-31B-IT configuration performing best; real-time tests are said to confirm rapid mitigation while preserving SDN stability.

Significance. If the central empirical claims hold, the work would demonstrate a training-free, adaptive alternative to conventional threshold- or ML-based DDoS detectors by exploiting LLM contextual inference on traffic semantics. This could be particularly relevant for subtle, spatially distributed attacks that evade per-interface volume thresholds. The approach also highlights potential for RAG+LLM pipelines in network security, provided the embedding step retains the necessary quantitative signals.

major comments (2)
  1. [Abstract] The central claim that the framework 'achieved highly accurate and stable attack detection performance' is unsupported by any reported metrics, baselines, confusion matrices, error bars, dataset sizes, attack-intensity parameters, or statistical tests. Without these, the performance assertions cannot be evaluated.
  2. [Framework description / Methods] Traffic representation and embedding step (implied in the framework description): semantic embeddings of interface-level features (JSON or NLR) may discard the quantitative per-interface packet/byte rates, inter-interface variance, and temporal deltas required to detect Carpet-Bombing DDoS. The paper provides no ablation or explicit encoding showing that these numerical signals survive the embedding/retrieval process; this directly threatens the weakest assumption that the pipeline can reliably separate subtle distributed rate increases from normal traffic.
minor comments (2)
  1. Specify the exact prompting template, how FAISS-retrieved contexts are injected into the LLM input, and any temperature or output-parsing details used for classification.
  2. Clarify the SDN testbed (e.g., Mininet/OpenFlow version, controller, number of interfaces, traffic generation tools) and the precise definition of 'attack intensity' used in the experiments.
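The detection pipeline summarised under "What carries the argument", as an added example that is not code from the paper or from this review. It builds the interface-level features in both structured JSON and natural-language (NLR) form, retrieves the nearest labelled observations, and assembles the prompt an LLM would receive; the feature names, the constants, the constructed retrieval set and the neighbour majority vote that stands in for the LLM are all assumptions. Because the retrieval key is the numeric vector itself, the per-interface rates and cross-interface spread that the referee's second major comment is concerned with are retained by construction.

```python
import json
import math
from statistics import mean, pstdev

WINDOW_S = 5.0        # constructed: seconds between two controller counter polls
BASELINE_PPS = 100.0  # constructed: normal per-interface packet rate

def featurize(prev, cur):
    """Per-interface packet rates from two cumulative counter samples ({iface: packets}),
    plus the cross-interface statistics that matter for carpet-bombing."""
    pps = {i: (cur[i] - prev.get(i, 0)) / WINDOW_S for i in cur}
    vals = list(pps.values())
    m = mean(vals)
    return {"interfaces": pps, "mean_pps": m,
            "cv": pstdev(vals) / m if m else 0.0,  # spread across interfaces
            "elevated_ratio": sum(v > 2 * BASELINE_PPS for v in vals) / len(vals)}

def to_vector(f):
    # Numeric view indexed for retrieval, so the quantitative signals survive by construction.
    return [f["mean_pps"] / BASELINE_PPS, f["cv"], f["elevated_ratio"]]

def to_json(f):  # structured JSON representation (floats rounded for the prompt)
    return json.dumps({k: round(v, 3) if isinstance(v, float) else v
                       for k, v in f.items()}, sort_keys=True)

def to_nlr(f):
    # Natural-language representation (NLR) of the same observation
    return (f"{len(f['interfaces'])} interfaces observed over {WINDOW_S:.0f} s: mean rate "
            f"{f['mean_pps']:.0f} pps, coefficient of variation {f['cv']:.2f}, "
            f"{f['elevated_ratio']:.0%} of interfaces above twice the {BASELINE_PPS:.0f} pps baseline.")

# Constructed retrieval set: labelled past observations as scaled feature vectors.
EXAMPLES = [
    ("normal", [1.0, 0.10, 0.0]), ("normal", [1.2, 0.15, 0.0]),
    ("carpet_bombing", [4.0, 0.20, 1.0]), ("carpet_bombing", [3.0, 0.30, 0.9]),
    ("single_target_flood", [3.5, 2.0, 0.1]), ("single_target_flood", [6.0, 2.5, 0.1]),
]

def retrieve(vec, k=2):
    # Exact nearest-neighbour search; a FAISS index plays this role in the paper.
    return sorted(EXAMPLES, key=lambda e: math.dist(vec, e[1]))[:k]

def classify(prev, cur, k=2):
    """Returns (label, prompt). The majority vote over retrieved neighbours stands in
    for the LLM inference step; the prompt is what an LLM would be asked instead."""
    f = featurize(prev, cur)
    neighbours = retrieve(to_vector(f), k)
    context = "\n".join(f"- {label}: {vec}" for label, vec in neighbours)
    prompt = ("Classify this SDN interface traffic as normal, carpet_bombing or "
              f"single_target_flood.\nSimilar past observations:\n{context}\n"
              f"Observation (JSON): {to_json(f)}\nObservation (NLR): {to_nlr(f)}\n"
              "Answer with the label only.")
    labels = [label for label, _ in neighbours]
    return max(set(labels), key=labels.count), prompt

# Constructed sample: 8 switch ports whose counters all rise by a similar, modest amount,
# the carpet-bombing pattern that a per-port volume threshold would miss.
PREV = {f"s1-eth{i}": 10_000 for i in range(1, 9)}
CUR = {f"s1-eth{i}": 10_000 + 1500 + 50 * i for i in range(1, 9)}
```

Swapping the constructed `EXAMPLES` for real labelled observations and the vote for an LLM call reproduces the paper's structure; keeping a numeric vector alongside any text embedding is the cheapest way to run the ablation the referee asks for.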

Simulated Authors' Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each major comment below, indicating where revisions will be made to strengthen the paper.

Point-by-point responses
  1. Referee: [Abstract] The central claim that the framework 'achieved highly accurate and stable attack detection performance' is unsupported by any reported metrics, baselines, confusion matrices, error bars, dataset sizes, attack-intensity parameters, or statistical tests. Without these, the performance assertions cannot be evaluated.

    Authors: We agree that the abstract should include quantitative support for the performance claims. In the revised manuscript, we will update the abstract to report specific metrics (e.g., accuracy, precision, recall, F1-score) from the experiments, along with details on dataset sizes, attack-intensity parameters, and a summary of the evaluation methodology. The main text will be expanded to include confusion matrices, error bars, and relevant statistical tests or baselines where applicable.
    Revision: yes

  2. Referee: [Framework description / Methods] Traffic representation and embedding step (implied in the framework description): semantic embeddings of interface-level features (JSON or NLR) may discard the quantitative per-interface packet/byte rates, inter-interface variance, and temporal deltas required to detect Carpet-Bombing DDoS. The paper provides no ablation or explicit encoding showing that these numerical signals survive the embedding/retrieval process; this directly threatens the weakest assumption that the pipeline can reliably separate subtle distributed rate increases from normal traffic.

    Authors: We will revise the methods section to explicitly detail the encoding of quantitative features in both representation strategies, including how per-interface packet/byte rates, variances, and temporal information are preserved as structured fields in JSON and as explicit numerical values in natural language descriptions. To directly address retention of these signals, we will add an ablation study in the experiments section comparing detection performance when numerical features are included versus omitted from the embeddings.
    Revision: yes

Circularity Check

0 steps flagged

No circularity; empirical LLM-RAG evaluation is self-contained

Full rationale

The provided abstract and description present an empirical framework evaluated on multiple attack scenarios using off-the-shelf LLMs, JSON/NLR representations, FAISS retrieval, and RAG without any equations, parameter fitting, or derivations. No self-citations, uniqueness theorems, or ansatzes are referenced as load-bearing. The detection results are reported from direct experiments rather than reducing to inputs by construction, satisfying the default expectation of no significant circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available; no free parameters, axioms, or invented entities are described in sufficient detail to populate the ledger.

