Zero-shot DDoS attack detection remains challenging due to the absence of labeled training data and the semantic opacity of network traffic. Method: This paper proposes the first unsupervised traffic semantic understanding framework for zero-shot DDoS detection based on large language models (LLMs). It innovatively integrates prompt engineering with cybersecurity domain knowledge, establishing a three-module协同 mechanism—knowledge embedding, token embedding, and progressive role reasoning—to achieve multi-granularity fusion of global and local traffic features, without requiring any model training or annotated data. Contribution/Results: It is the first work to directly apply LLMs to zero-shot DDoS detection; introduces an interpretable and generalizable, semantics-driven paradigm; achieves significant accuracy improvements across multiple real-world traffic datasets (average +12.7%); and releases open-source code demonstrating strong cross-scenario generalization—thereby validating the practical utility and methodological value of LLMs in foundational cybersecurity tasks.

The increasing number of Distributed Denial of Service (DDoS) attacks poses a major threat to the Internet, highlighting the importance of DDoS mitigation. Most existing approaches require complex training methods to learn data features, which increases the complexity and generality of the application. In this paper, we propose DrLLM, which aims to mine anomalous traffic information in zero-shot scenarios through Large Language Models (LLMs). To bridge the gap between DrLLM and existing approaches, we embed the global and local information of the traffic data into the reasoning paradigm and design three modules, namely Knowledge Embedding, Token Embedding, and Progressive Role Reasoning, for data representation and reasoning. In addition we explore the generalization of prompt engineering in the cybersecurity domain to improve the classification capability of DrLLM. Our ablation experiments demonstrate the applicability of DrLLM in zero-shot scenarios and further demonstrate the potential of LLMs in the network domains. DrLLM implementation code has been open-sourced at https://github.com/liuup/DrLLM.