Cyber Threat Hunting by Finetuning LLM for DDoS Detection

preprint OA: closed CC-BY-4.0
📄 Open PDF Full text JSON View at publisher

Abstract

Abstract Cybersecurity threats, particularly Distributed Denial-of-Service (DDoS) attacks, pose significant risks to modern network infras- tructures. Traditional detection mechanisms often struggle with scalability and adaptability, necessitating more advanced AI-driven solutions. This research initially explored zero-shot prompting with Large Language Models (LLMs) for cyber threat detection; however, the results highlighted the limitations of general-purpose models in handling domain-specific classification tasks.To improve detection performance, we adopted a supervised fine-tuning approach, using the CICIDS 2019 dataset. Four state-of-the-art LLMs—Llama 3.1, Llama 3.2, Mistral —were fine-tuned using Low-Rank Adaptation (LoRA) to optimize classification performance while maintaining computational efficiency. The models were evaluated on key performance metrics, including accuracy, precision, recall, F1 score, and latency, with Llama 3.2 showing the highest accuracy and the most balanced trade-offs. Structured prompt engineering further enhanced the effectiveness of fine-tuned models in identifying network threats.The findings underscore the potential of supervised fine-tuning for adapting LLMs to cybersecurity domains, offering a scalable and robust solution for real-time intrusion detection. Future work may focus on deployment strategies and integration with multimodal threat intelligence to enhance practical applicability.
Full text 10,901 characters · extracted from preprint-html · click to expand
Cyber Threat Hunting by Finetuning LLM for DDoS Detection | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Cyber Threat Hunting by Finetuning LLM for DDoS Detection Abdul Hannan Chougle, Ronak Ajwani, Shreya Chhatwani, Manit Khira, and 1 more This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7225835/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Cybersecurity threats, particularly Distributed Denial-of-Service (DDoS) attacks, pose significant risks to modern network infras- tructures. Traditional detection mechanisms often struggle with scalability and adaptability, necessitating more advanced AI-driven solutions. This research initially explored zero-shot prompting with Large Language Models (LLMs) for cyber threat detection; however, the results highlighted the limitations of general-purpose models in handling domain-specific classification tasks.To improve detection performance, we adopted a supervised fine-tuning approach, using the CICIDS 2019 dataset. Four state-of-the-art LLMs—Llama 3.1, Llama 3.2, Mistral —were fine-tuned using Low-Rank Adaptation (LoRA) to optimize classification performance while maintaining computational efficiency. The models were evaluated on key performance metrics, including accuracy, precision, recall, F1 score, and latency, with Llama 3.2 showing the highest accuracy and the most balanced trade-offs. Structured prompt engineering further enhanced the effectiveness of fine-tuned models in identifying network threats.The findings underscore the potential of supervised fine-tuning for adapting LLMs to cybersecurity domains, offering a scalable and robust solution for real-time intrusion detection. Future work may focus on deployment strategies and integration with multimodal threat intelligence to enhance practical applicability. LLM Fine-Tuning Open-Source LLMs Prompt Engineering LLaMA Mistral Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7225835","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":508162156,"identity":"1f22d586-fb22-4575-9a6c-2666f63596fe","order_by":0,"name":"Abdul Hannan Chougle","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABKUlEQVRIie3RsUoDMRjA8e8jkFtSb00ppa9w5cBF7b1KjgOdBMcODoFCbtG6Xt+iIDinBHQ5d4cOJ4VODoVC7XCI13qgSFo6CuY/ZEjyIyEBcLn+YD4hkwJAo/QAyGbmCIiuF1HaSDNVSbAlpCYUqNhLgjw/5r8IC/bf7EUEHK6n7bEBXF71TU95Nyu+KKHjS6IKi8BMiAAe52FFSCvLTaLY80NzpKCbaUxt5xEutABq4opQ0lAmofzyPmxIwDGg4hZCeSw1fPwknbdZWJYQ7SKMGZSovkmPcoaz6hHiXYR7ikA8nIcjg4MWyy8EZefd11vFk8zYSWT89/ViNW0PnwaTJeufRL5nCr0uT8/u0nRuI9vE1+PJzRjL+vj6mw4oOnCfy+Vy/aM+AZwzZKgxwSRgAAAAAElFTkSuQmCC","orcid":"","institution":"","correspondingAuthor":true,"prefix":"","firstName":"Abdul","middleName":"Hannan","lastName":"Chougle","suffix":""},{"id":508162157,"identity":"1dc97aec-c03f-4937-aff5-8e6ac7d50c0f","order_by":1,"name":"Ronak Ajwani","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"","firstName":"Ronak","middleName":"","lastName":"Ajwani","suffix":""},{"id":508162158,"identity":"1739ee59-e69f-45e9-84ed-d458fe89006a","order_by":2,"name":"Shreya Chhatwani","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"","firstName":"Shreya","middleName":"","lastName":"Chhatwani","suffix":""},{"id":508162159,"identity":"6de571ed-9a38-4ccc-ad3e-39b07546352c","order_by":3,"name":"Manit Khira","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"","firstName":"Manit","middleName":"","lastName":"Khira","suffix":""},{"id":508162160,"identity":"5b863d15-03a4-4614-8c53-5595b28021be","order_by":4,"name":"Dr. Nupur Giri","email":"","orcid":"","institution":"","correspondingAuthor":false,"prefix":"Dr.","firstName":"Nupur","middleName":"","lastName":"Giri","suffix":""}],"badges":[],"createdAt":"2025-07-27 11:08:22","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7225835/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7225835/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":95604445,"identity":"72d7d059-9ea5-44e1-9c0b-a297d1ca972c","added_by":"auto","created_at":"2025-11-11 06:39:13","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":626620,"visible":true,"origin":"","legend":"","description":"","filename":"Manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7225835/v1_covered_2c4d44a8-17f0-4cbf-b21d-9f1c43bf1d9c.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Cyber Threat Hunting by Finetuning LLM for DDoS Detection","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"LLM Fine-Tuning, Open-Source LLMs, Prompt Engineering, LLaMA, Mistral","lastPublishedDoi":"10.21203/rs.3.rs-7225835/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7225835/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eCybersecurity threats, particularly Distributed Denial-of-Service (DDoS) attacks, pose significant risks to modern network infras- tructures. Traditional detection mechanisms often struggle with scalability and adaptability, necessitating more advanced AI-driven solutions. This research initially explored zero-shot prompting with Large Language Models (LLMs) for cyber threat detection; however, the results highlighted the limitations of general-purpose models in handling domain-specific classification tasks.To improve detection performance, we adopted a supervised fine-tuning approach, using the CICIDS 2019 dataset. Four state-of-the-art LLMs—Llama 3.1, Llama 3.2, Mistral —were fine-tuned using Low-Rank Adaptation (LoRA) to optimize classification performance while maintaining computational efficiency. The models were evaluated on key performance metrics, including accuracy, precision, recall, F1 score, and latency, with Llama 3.2 showing the highest accuracy and the most balanced trade-offs. Structured prompt engineering further enhanced the effectiveness of fine-tuned models in identifying network threats.The findings underscore the potential of supervised fine-tuning for adapting LLMs to cybersecurity domains, offering a scalable and robust solution for real-time intrusion detection. Future work may focus on deployment strategies and integration with multimodal threat intelligence to enhance practical applicability.\u003c/p\u003e","manuscriptTitle":"Cyber Threat Hunting by Finetuning LLM for DDoS Detection","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-09-02 09:28:11","doi":"10.21203/rs.3.rs-7225835/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"13e87a10-3629-44d3-a3cc-082cef80ac55","owner":[],"postedDate":"September 2nd, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2025-11-11T06:38:59+00:00","versionOfRecord":[],"versionCreatedAt":"2025-09-02 09:28:11","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7225835","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7225835","identity":"rs-7225835","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2025) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00
unpaywall
last seen: 2026-06-02T02:00:03.124865+00:00
License: CC-BY-4.0