Holmes: An Evidence-Grounded LLM Agent for Auditable DDoS Investigation in Cloud Networks

📅 2026-01-21
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the lack of auditable, interpretable, and generalizable detection and attribution mechanisms for multi-vector, rapidly evolving DDoS attacks in cloud environments. The authors propose the first large language model (LLM)-based virtual Site Reliability Engineering (SRE) investigator, which integrates continuous counter/sFlow monitoring, anomaly-triggered PCAP forensics, and structured evidence anchors through a hierarchical workflow and an evidence-package abstraction. By employing a structure-first investigation protocol constrained by JSON schemas and citation-based grounding, the approach ensures transparent, traceable outputs. Evaluated on datasets such as CICDDoS2019, the method accurately generates evidence-anchored attribution reports, and when it errs, the error can be pinpointed from its audit trail, demonstrating the practicality and cost-effectiveness of using LLMs as auditable investigative agents for cloud-based DDoS attribution.

📝 Abstract
Cloud environments face frequent DDoS threats due to centralized resources and broad attack surfaces. Modern cloud-native DDoS attacks further evolve rapidly and often blend multi-vector strategies, creating an operational dilemma: defenders need wire-speed monitoring while also requiring explainable, auditable attribution for response. Existing rule-based and supervised-learning approaches typically output black-box scores or labels, provide limited evidence chains, and generalize poorly to unseen attack variants; meanwhile, high-quality labeled data is often difficult to obtain in cloud settings. We present Holmes (DDoS Detective), an LLM-based DDoS detection agent that reframes the model as a virtual SRE investigator rather than an end-to-end classifier. Holmes couples a funnel-like hierarchical workflow (counters/sFlow for continuous sensing and triage; PCAP evidence collection triggered only on anomaly windows) with an Evidence Pack abstraction that converts binary packets into compact, reproducible, high-signal structured evidence. On top of this evidence interface, Holmes enforces a structure-first investigation protocol and strict JSON/quotation constraints to produce machine-consumable reports with auditable evidence anchors. We evaluate Holmes on CICDDoS2019 reflection/amplification attacks and script-triggered flooding scenarios. Results show that Holmes produces attribution decisions grounded in salient evidence anchors across diverse attack families, and when errors occur, its audit logs make the failure source easy to localize, demonstrating the practicality of an LLM agent for cost-controlled and traceable DDoS investigation in cloud operations.
Problem

Research questions and friction points this paper is trying to address.

DDoS detection
cloud security
auditable attribution
evidence grounding
attack investigation
Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM agent
Evidence Pack
auditable DDoS investigation
structured evidence
cloud-native security