DrLLM: Prompt-Enhanced Distributed Denial-of-Service Resistance Method with Large Language Models

Zhenyu Yin, Shang Liu, Guangyuan Xu
2024-09-18
Abstract: The increasing number of Distributed Denial of Service (DDoS) attacks poses a major threat to the Internet, highlighting the importance of DDoS mitigation. Most existing approaches require complex training methods to learn data features, which increases the complexity and generality of the application. In this paper, we propose DrLLM, which aims to mine anomalous traffic information in zero-shot scenarios through Large Language Models (LLMs). To bridge the gap between DrLLM and existing approaches, we embed the global and local information of the traffic data into the reasoning paradigm and design three modules, namely Knowledge Embedding, Token Embedding, and Progressive Role Reasoning, for data representation and reasoning. In addition, we explore the generalization of prompt engineering in the cybersecurity domain to improve the classification capability of DrLLM. Our ablation experiments demonstrate the applicability of DrLLM in zero-shot scenarios and further demonstrate the potential of LLMs in the network domains. DrLLM implementation code has been open-sourced at https://github.com/liuup/DrLLM.
Cryptography and Security, Artificial Intelligence
What problem does this paper attempt to address?
The problem that this paper attempts to solve is the significant threat that Distributed Denial-of-Service (DDoS) attacks pose to the Internet. The frequency and complexity of DDoS attacks are constantly increasing, posing a serious threat to key Internet devices and systems such as routers, switches and firewalls. Although existing Intrusion Detection Systems (IDS) have made significant progress in dealing with DDoS attacks, these methods usually require complex training processes to learn data features, which increases application complexity and limits generality.

To address these problems, the paper proposes a new method named DrLLM, which aims to mine abnormal traffic information in zero-shot scenarios through Large Language Models (LLMs). Specifically, the goals of DrLLM include:

1. **Efficiently classify network traffic data**: By introducing LLMs, improve the classification ability on network traffic data and enhance the interpretability of the classification basis.
2. **Reduce complexity and improve generality**: By embedding global and local information into the reasoning paradigm, three modules (Knowledge Embedding, Token Embedding and Progressive Role Reasoning) are designed to improve the data representation and reasoning process.
3. **Explore the generalization of prompt engineering techniques**: Through improved prompt engineering, further enhance the classification ability of DrLLM in the field of network security.

Through these innovations, DrLLM can effectively detect DDoS attacks in zero-shot scenarios, demonstrating the potential of LLMs in the network field.

### Presentation of formulas in Markdown format

To ensure that all involved formulas are accurate and easy to read, the following is the Markdown-format display of several key formulas:

1. **Global information calculation**:
   \[ G_j=(a_j, b_j, c_j, d_j, v_j)\quad\text{for}\quad j = 1,2,\ldots,m \]
   where \(a_j\) is the maximum value, \(b_j\) the minimum value, \(c_j\) the median, \(d_j\) the mean, and \(v_j\) the variance of feature column \(j\).
2. **Knowledge embedding string construction**:
   \[ K(G)=\text{Concat}(Global_m\oplus S) \]
   where \(S = (\text{"Max"}, \text{"Min"}, \text{"Median"}, \text{"Mean"}, \text{"Variance"})^\top\) is the vector of statistic labels paired with the values of \(G_j\).
3. **Token prompt construction**:
   \[ TP_i(F_j, X_i)=\text{Concat}(F_j:X_i)\quad\text{for}\quad j = 1,2,\ldots,m,\quad i = 1,2,\ldots,n \]
   where \(F_j\) is the name of feature \(j\) and \(X_i\) is the \(i\)-th sample.

These formulas show how global and local information is extracted from the original data and serialized into text so that the LLM can use it for classification.
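The three formulas above are essentially a serialization step: per-feature statistics become a knowledge string, and each flow record becomes a "feature: value" token prompt. The following Python is an added example written for this summary, not code from the DrLLM repository. The feature names, the five sample flows, the choice of population variance for \(v_j\), the separators used in the concatenations, and the wording of the classification instruction in `build_prompt` are all assumptions made here for illustration; the paper only specifies the statistics in \(G_j\), the label vector \(S\), and the \(F_j:X_i\) pairing.

```python
import statistics
from typing import Dict, List, Sequence, Tuple

# Constructed sample data (not from the paper's dataset): five flow-level
# features, each row is one flow X_i. Values are made up for illustration.
FEATURE_NAMES = [
    "Flow Duration",
    "Total Fwd Packets",
    "Fwd Packet Length Max",
    "Flow Bytes/s",
    "SYN Flag Count",
]
SAMPLE_FLOWS: List[List[float]] = [
    [120.0, 10.0, 1500.0, 512.0, 1.0],
    [3.0, 200.0, 60.0, 98000.0, 200.0],
    [45.0, 8.0, 1200.0, 720.0, 1.0],
    [2.0, 180.0, 40.0, 87000.0, 180.0],
    [300.0, 25.0, 1460.0, 300.0, 2.0],
]

# The label vector S from the knowledge-embedding formula.
STAT_LABELS: Tuple[str, ...] = ("Max", "Min", "Median", "Mean", "Variance")

GlobalStats = Dict[str, Tuple[float, float, float, float, float]]


def global_information(flows: Sequence[Sequence[float]],
                       feature_names: Sequence[str]) -> GlobalStats:
    """Compute G_j = (a_j, b_j, c_j, d_j, v_j) for every feature column j.

    Assumption: v_j is the population variance; the paper does not say
    whether sample or population variance is used.
    """
    stats: GlobalStats = {}
    for j, name in enumerate(feature_names):
        column = [row[j] for row in flows]
        stats[name] = (
            max(column),                    # a_j
            min(column),                    # b_j
            statistics.median(column),      # c_j
            statistics.fmean(column),       # d_j
            statistics.pvariance(column),   # v_j (assumed population variance)
        )
    return stats


def knowledge_embedding(stats: GlobalStats,
                        labels: Sequence[str] = STAT_LABELS) -> str:
    """K(G) = Concat(Global_m (+) S): pair each statistic with its label.

    One line per feature; the '->' and ', ' separators are this example's
    own choice, not the paper's exact format.
    """
    lines = []
    for name, values in stats.items():
        pairs = ", ".join(f"{label}: {value:g}" for label, value in zip(labels, values))
        lines.append(f"{name} -> {pairs}")
    return "\n".join(lines)


def token_prompt(feature_names: Sequence[str], sample: Sequence[float]) -> str:
    """TP_i(F_j, X_i) = Concat(F_j : X_i) for a single flow X_i."""
    return ", ".join(f"{name}: {value:g}" for name, value in zip(feature_names, sample))


def build_prompt(stats: GlobalStats, sample: Sequence[float],
                 feature_names: Sequence[str] = FEATURE_NAMES) -> str:
    """Assemble a zero-shot classification prompt from K(G) and TP_i.

    The instruction text is an assumption for this example; the paper's
    Progressive Role Reasoning prompts are not reproduced here.
    """
    return (
        "You are a network traffic analyst.\n"
        "Global statistics of the dataset (Max, Min, Median, Mean, Variance per feature):\n"
        f"{knowledge_embedding(stats)}\n\n"
        "Flow to classify:\n"
        f"{token_prompt(feature_names, sample)}\n\n"
        "Answer BENIGN or DDoS and explain which features drove the decision."
    )


if __name__ == "__main__":
    g = global_information(SAMPLE_FLOWS, FEATURE_NAMES)
    print(build_prompt(g, SAMPLE_FLOWS[1]))
```

Run as a script, it prints one complete prompt for the second constructed flow: the knowledge string lets the model judge each value against the dataset-wide range (for instance a SYN flag count near the maximum and a flow duration near the minimum), which is the "global plus local" context the paper's representation modules are designed to provide.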