DoLLM: How Large Language Models Understanding Network Flow Data to Detect Carpet Bombing DDoS
Qingyang Li, Yihang Zhang, Zhidong Jia, Yannan Hu, Lei Zhang, Jianrong Zhang, Yongming Xu, Yong Cui, Zongming Guo, Xinggong Zhang

TL;DR
This paper explores how large language models can understand network flow data to detect sophisticated DDoS attacks like Carpet Bombing, demonstrating improved detection performance using semantic analysis of network flows.
Contribution
It introduces DoLLM, a novel approach that leverages open-source LLMs for network flow analysis and DDoS detection, applying semantic space projections to enhance detection accuracy.
Findings
F1 score increased by up to 33.3% in zero-shot scenarios.
DoLLM effectively detects complex Carpet Bombing DDoS attacks.
Demonstrated strong detection capabilities on public and real ISP datasets.
Abstract
It is an interesting question whether and how Large Language Models (LLMs) can understand non-language network data and help us detect unknown malicious flows. This paper takes Carpet Bombing as a case study and shows how to exploit LLMs' powerful capability in the networking area. Carpet Bombing is a new DDoS attack that has dramatically increased in recent years, significantly threatening network infrastructures. It targets multiple victim IPs within subnets, causing congestion on access links and disrupting network services for a vast number of users. Characterized by low rates and multiple vectors, these attacks challenge traditional DDoS defenses. We propose DoLLM, a DDoS detection model that utilizes open-source LLMs as the backbone. By reorganizing non-contextual network flows into Flow-Sequences and projecting them into the LLMs' semantic space as token embeddings, DoLLM leverages LLMs' contextual…
Taxonomy
Topics: Network Security and Intrusion Detection · Digital and Cyber Forensics
