🤖 AI Summary
This paper addresses the potential and challenges of leveraging large language models (LLMs) for malicious network traffic detection. We propose a three-stage LLM-driven framework comprising pretraining, task-adaptive fine-tuning, and real-time detection. For the first time, we systematically define the tripartite roles of LLMs in threat detection—as classifier, encoder, and predictor—and introduce an end-to-end context-aware modeling mechanism coupled with malicious traffic representation learning. Evaluated on DDoS detection under sweep-style attack scenarios, our approach achieves ~35% performance improvement over state-of-the-art methods. Key contributions include: (1) establishing a novel functional paradigm for LLMs in network traffic analysis—classifying, encoding, and predicting; (2) developing the first full-stack LLM adaptation framework specifically designed for network threat detection; and (3) empirically demonstrating LLMs’ strong generalization capability in low-label, highly dynamic traffic environments.
📝 Abstract
Network attack detection is a pivotal technology for identifying network anomalies and classifying malicious traffic. Large Language Models (LLMs), trained on a vast corpus of text, have amassed remarkable capabilities in context understanding and commonsense knowledge. This has opened a new door for network threat detection. Researchers have already initiated discussions regarding the application of LLMs to specific cyber-security tasks. Unfortunately, there is still a lack of comprehensive elaboration of how to mine LLMs' potential in network threat detection, as well as of the opportunities and challenges involved. In this paper, we mainly focus on the classification of malicious traffic from the perspective of LLMs' capabilities. We present a holistic view of the architecture of LLM-powered network attack detection, including Pre-training, Fine-tuning, and Detection. In particular, by exploring the knowledge and capabilities of LLMs, we identify three distinct roles an LLM can play in network attack detection: Classifier, Encoder, and Predictor. For each of them, the modeling paradigm, opportunities, and challenges are elaborated. Finally, we present our design for LLM-powered DDoS detection as a case study. The proposed framework attains accurate detection of carpet bombing DDoS by exploiting LLMs' capabilities in contextual mining. The evaluation shows its efficacy, exhibiting a nearly 35% improvement compared to existing systems.