Intelligent Detection and Mitigation of Carpet-Bombing DDoS Attacks in SDN Using Retrieval-Augmented Generation and Large Language Models
Researchers propose a RAG-based framework leveraging Large Language Models to detect and mitigate Carpet-Bombing DDoS attacks in Software-Defined Networks. The system achieves high detection accuracy without traditional supervised training, addressing a critical vulnerability in SDN's centralized architecture through intelligent traffic behavior classification.
This research addresses a fundamental security gap in Software-Defined Networking infrastructure, where centralized control planes present attractive targets for sophisticated DDoS attacks. Carpet-Bombing attacks represent an evolution in threat sophistication by distributing malicious traffic across multiple targets simultaneously, making detection through conventional signature-based or threshold-based methods ineffective. The integration of Retrieval-Augmented Generation with Large Language Models offers a paradigm shift in network security by enabling adaptive, context-aware threat detection without requiring continuous model retraining.
The technical approach combines interface-level traffic feature extraction with semantic embedding and similarity matching through FAISS, allowing the LLM to perform real-time contextual inference on network behavior. This architectural design proves particularly valuable for SDN environments where network topology and traffic patterns change dynamically. The comparative analysis of multiple LLMs, with Gemma-4-31B-IT demonstrating superior performance, suggests that model selection significantly impacts detection efficacy in production environments.
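The retrieval step described above, as an added example that is not code from the paper or its authors: an interface snapshot is rendered as natural language plus JSON, matched against labelled cases, and assembled into an LLM prompt. The feature names, bucket limits, and sample values are constructed assumptions; the bag-of-words vector and brute-force cosine search stand in for a real embedding model and a FAISS index, and no LLM is called.

```python
import json
import math
from collections import Counter

# Constructed labelled interface snapshots (illustrative, not data from the paper).
KB = [
    ({"pps": 900, "dst_count": 12, "max_dst_share": 0.41, "syn_ratio": 0.08}, "benign"),
    ({"pps": 48000, "dst_count": 250, "max_dst_share": 0.01, "syn_ratio": 0.93}, "carpet_bombing"),
    ({"pps": 52000, "dst_count": 1, "max_dst_share": 1.0, "syn_ratio": 0.95}, "single_target_ddos"),
]
QUERY = {"pps": 35000, "dst_count": 180, "max_dst_share": 0.02, "syn_ratio": 0.9}

def per_host_alarm(f, limit=5000):
    """Classic per-destination threshold: fires only if one host exceeds the limit."""
    return f["pps"] * f["max_dst_share"] > limit

def describe(f):
    """Natural-language view of one interface's features (bucket limits are assumed)."""
    rate = "very high" if f["pps"] > 20000 else "moderate" if f["pps"] > 2000 else "low"
    spread = "many" if f["dst_count"] > 100 else "several" if f["dst_count"] > 5 else "few"
    share = "evenly spread" if f["max_dst_share"] < 0.05 else "concentrated"
    syn = "mostly SYN" if f["syn_ratio"] > 0.8 else "mixed flags"
    return f"packet rate {rate}, {spread} destinations, traffic {share}, {syn}"

def embed(text):
    """Toy bag-of-words vector; stands in for a real sentence-embedding model."""
    return Counter(text.replace(",", "").split())

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def retrieve(query, kb, k=2):
    """Brute-force nearest neighbours; stands in for a FAISS index lookup."""
    q = embed(describe(query))
    scored = [(cosine(q, embed(describe(f))), f, label) for f, label in kb]
    return sorted(scored, key=lambda s: s[0], reverse=True)[:k]

def build_prompt(query, hits):
    lines = ["Classify the interface traffic as benign or attack.", "Similar labelled cases:"]
    for _score, f, label in hits:
        lines.append(f"- [{label}] {describe(f)} | {json.dumps(f)}")
    lines.append(f"Query: {describe(query)} | {json.dumps(query)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print("per-host threshold fires:", per_host_alarm(QUERY))
    print(build_prompt(QUERY, retrieve(QUERY, KB)))
```

The constructed query stays under the per-host threshold because no single destination receives much traffic, yet its interface-level description retrieves the carpet-bombing case as the closest match.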
For infrastructure operators and cloud service providers, this framework presents substantial operational benefits. Real-time detection capability maintains network stability during attacks while reducing the false positives that plague traditional DDoS mitigation systems. The elimination of supervised training cycles accelerates deployment timelines and reduces expertise requirements. As DDoS attack sophistication continues to escalate, organizations managing SDN infrastructure face mounting pressure to adopt intelligence-driven security solutions rather than purely statistical approaches.
- RAG-based framework with LLMs enables real-time Carpet-Bombing DDoS detection in SDN without conventional supervised model retraining.
- Gemma-4-31B-IT model achieved strongest detection performance among evaluated state-of-the-art LLMs in experimental scenarios.
- Natural language-based traffic representation alongside structured JSON representation improved contextual inference accuracy.
- Framework maintains stable SDN network operation while rapidly detecting and mitigating sophisticated distributed attacks.
- Semantic embedding and FAISS-based similarity retrieval enable adaptive threat detection across dynamic network topologies.