arxiv: 2405.07638 · v1 · pith:GRI35BODnew · submitted 2024-05-13 · 💻 cs.NI · cs.AI · cs.CR

DoLLM: How Large Language Models Understanding Network Flow Data to Detect Carpet Bombing DDoS

classification 💻 cs.NI · cs.AI · cs.CR
keywords: network, ddos, dollm, llms, bombing, carpet, detection, data

It is an interesting question whether and how Large Language Models (LLMs) can understand non-language network data and help us detect unknown malicious flows. This paper takes Carpet Bombing as a case study and shows how to exploit LLMs' powerful capability in the networking area. Carpet Bombing is a new DDoS attack that has dramatically increased in recent years, significantly threatening network infrastructures. It targets multiple victim IPs within subnets, causing congestion on access links and disrupting network services for a vast number of users. Characterized by low rates and multiple vectors, these attacks challenge traditional DDoS defenses. We propose DoLLM, a DDoS detection model that utilizes open-source LLMs as its backbone. By reorganizing non-contextual network flows into Flow-Sequences and projecting them into the LLMs' semantic space as token embeddings, DoLLM leverages LLMs' contextual understanding to extract flow representations in the overall network context. The representations are used to improve the DDoS detection performance. We evaluate DoLLM with the public dataset CIC-DDoS2019 and a real NetFlow trace from a Top-3 countrywide ISP. The tests have proven that DoLLM possesses strong detection capabilities. Its F1 score increased by up to 33.3% in zero-shot scenarios and by at least 20.6% in real ISP traces.

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Cardinality is Not Enough: Super Host Detection via Segmented Cardinality Estimation

    cs.NI 2026-04 unverdicted novelty 6.0

    SegSketch improves super host detection F1-score by up to 8.04x over prior methods by estimating cardinality inside subnets via segmented hashing under tight memory limits.

  2. Intelligent Detection and Mitigation of Carpet-Bombing DDoS Attacks in SDN Using Retrieval-Augmented Generation and Large Language Models

    cs.CR 2026-05 unverdicted novelty 4.0

    RAG-LLM framework detects Carpet-Bombing DDoS in SDN via traffic embeddings and contextual inference, achieving high accuracy with Gemma-4-31B-IT model in experiments.