DrLLM: Prompt-Enhanced Distributed Denial-of-Service Resistance Method with Large Language Models
Zhenyu Yin, Shang Liu, Guangyuan Xu

TL;DR
DrLLM leverages large language models with prompt engineering to detect DDoS attacks in zero-shot scenarios, reducing complexity and enhancing generalization without extensive training.
Contribution
This paper introduces DrLLM, a novel LLM-based method with modules for traffic data reasoning, enabling effective DDoS detection in zero-shot settings.
Findings
Effective zero-shot DDoS detection demonstrated
Modules improve traffic data representation and reasoning
Open-source implementation available
Abstract
The increasing number of Distributed Denial of Service (DDoS) attacks poses a major threat to the Internet, highlighting the importance of DDoS mitigation. Most existing approaches require complex training methods to learn data features, which increases the complexity and generality of the application. In this paper, we propose DrLLM, which aims to mine anomalous traffic information in zero-shot scenarios through Large Language Models (LLMs). To bridge the gap between DrLLM and existing approaches, we embed the global and local information of the traffic data into the reasoning paradigm and design three modules, namely Knowledge Embedding, Token Embedding, and Progressive Role Reasoning, for data representation and reasoning. In addition, we explore the generalization of prompt engineering in the cybersecurity domain to improve the classification capability of DrLLM. Our ablation…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization · Software System Performance and Reliability
