{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T15:30:39Z","timestamp":1777390239292,"version":"3.51.4"},"publisher-location":"Cham","reference-count":17,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032006417","type":"print"},{"value":"9783032006424","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,8,10]],"date-time":"2025-08-10T00:00:00Z","timestamp":1754784000000},"content-version":"vor","delay-in-days":221,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Traditional Intrusion Detection Systems mainly rely on rule-based mechanisms, which are limited in detecting unknown attack patterns and often result in false positives or false negatives. Deep packet inspection, although effective, demands significant computational resources as it requires processing large network traffic data volumes. Similarly, AI-based solutions frequently consume excessive resources, making them impractical for production environments, especially those with resource constraints or high-volume traffic patterns. In this paper, we propose and investigate a two-tier intrusion detection strategy, targeting an optimal balance between effective threat detection and resource efficiency. Our approach combines lightweight statistical monitoring for continuous anomaly detection with on-demand LLM-based traffic analysis, activating deep inspection only when necessary. We implement and evaluate two systems that enable centralized data collection among distributed containers, one for SDN-based environments utilizing the OpenFlow protocol and another for Kubernetes-based infrastructures utilizing Cilium-Hubble integration. Both systems initiate deep traffic analysis via LLMs only when statistical anomalies are detected, targeting low overhead while maintaining high detection accuracy. We demonstrate the efficiency of our approach through real-world attack scenarios, showing performance in detecting network-based attacks such as DDoS, port scans, and brute-force attempts.\n<\/jats:p>","DOI":"10.1007\/978-3-032-00642-4_4","type":"book-chapter","created":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T06:59:27Z","timestamp":1754722767000},"page":"55-73","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["LLM-Enhanced Intrusion Detection for\u00a0Containerized Applications: A Two-Tier Strategy for\u00a0SDN and\u00a0Kubernetes Environments"],"prefix":"10.1007","author":[{"given":"Sarantis","family":"Kalafatidis","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nikos","family":"Papageorgopoulos","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Andreas","family":"Kartakoullis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Giannis","family":"Ledakis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,8,10]]},"reference":[{"key":"4_CR1","doi-asserted-by":"crossref","unstructured":"Radain, D., Almalki, S., Alsaadi, H., Salama, S.: A review on defense mechanisms against distributed denial of service (DDoS) attacks on cloud computing. In: 2021 International Conference of Women in Data Science at Taif University (WiDSTaif), pp.\u00a01\u20136. IEEE (2021)","DOI":"10.1109\/WiDSTaif52235.2021.9430220"},{"key":"4_CR2","unstructured":"Darwish, M., Ouda, A., Capretz, L.F.: Cloud-based DDoS attacks and defenses. In: International Conference on Information Society (i-Society 2013), pp.\u00a067\u201371. IEEE (2013)"},{"issue":"1","key":"4_CR3","doi-asserted-by":"publisher","first-page":"661","DOI":"10.1109\/COMST.2018.2870658","volume":"21","author":"A Praseed","year":"2018","unstructured":"Praseed, A., Thilagam, P.S.: DDoS attacks at the application layer: challenges and research perspectives for safeguarding web applications. IEEE Commun. Surv. Tutorials 21(1), 661\u2013685 (2018)","journal-title":"IEEE Commun. Surv. Tutorials"},{"issue":"16","key":"4_CR4","doi-asserted-by":"publisher","first-page":"3724","DOI":"10.1002\/sec.1539","volume":"9","author":"M Masdari","year":"2016","unstructured":"Masdari, M., Jalali, M.: A survey and taxonomy of DoS attacks in cloud computing. Secur. Commun. Networks 9(16), 3724\u20133751 (2016)","journal-title":"Secur. Commun. Networks"},{"key":"4_CR5","doi-asserted-by":"publisher","first-page":"80813","DOI":"10.1109\/ACCESS.2019.2922196","volume":"7","author":"S Dong","year":"2019","unstructured":"Dong, S., Abbas, K., Jain, R.: A survey on distributed denial of service (DDoS) attacks in SDN and cloud computing environments. IEEE Access 7, 80813\u201380828 (2019)","journal-title":"IEEE Access"},{"key":"4_CR6","doi-asserted-by":"crossref","unstructured":"Tripathi, N.: Delays have dangerous ends: slow HTTP\/2 DoS attacks into the wild and their real-time detection using event sequence analysis. IEEE Trans. Dependable Secure Comput. (2023)","DOI":"10.1109\/TDSC.2023.3276062"},{"key":"4_CR7","doi-asserted-by":"crossref","unstructured":"Khraisat, A., Gondal, I., Vamplew, P., Kamruzzaman, J.: Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity 2(1), 1\u201322 (2019)","DOI":"10.1186\/s42400-019-0038-7"},{"key":"4_CR8","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2022.109553","volume":"222","author":"AB De Neira","year":"2023","unstructured":"De Neira, A.B., Kantarci, B., Nogueira, M.: Distributed denial of service attack prediction: challenges, open issues and opportunities. Comput. Netw. 222, 109553 (2023)","journal-title":"Comput. Netw."},{"key":"4_CR9","doi-asserted-by":"crossref","unstructured":"Agrafiotis, G., Kalafatidis, S., Giapantzis, K., Lalas, A., Votis, K.: Advancing cybersecurity with AI: a multimodal fusion approach for intrusion detection systems. In: 2024 IEEE International Mediterranean Conference on Communications and Networking (MeditCom), pp.\u00a051\u201356. IEEE (2024)","DOI":"10.1109\/MeditCom61057.2024.10621237"},{"key":"4_CR10","doi-asserted-by":"crossref","unstructured":"Hasanov, I., Virtanen, S., Hakkala, A., Isoaho, J.: Application of large language models in cybersecurity: a systematic literature review. IEEE Access (2024)","DOI":"10.1109\/ACCESS.2024.3505983"},{"key":"4_CR11","unstructured":"Cilium-hubble. https:\/\/docs.cilium.io\/en\/stable\/overview\/intro\/"},{"issue":"6","key":"4_CR12","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1109\/MNET.004.2100333","volume":"36","author":"S Kalafatidis","year":"2022","unstructured":"Kalafatidis, S., Mamatas, L.: Microservices-adaptive software-defined load balancing for 5G and beyond ecosystems. IEEE Network 36(6), 46\u201353 (2022)","journal-title":"IEEE Network"},{"key":"4_CR13","doi-asserted-by":"crossref","unstructured":"Kalafatidis, S., Agrafiotis, G., Giapantzis, K., Lalas, A., Votis, K.: Experiments with digital security processes over SDN-based cloud-native 5g core networks. In: 2024 27th Conference on Innovation in Clouds, Internet and Networks (ICIN), pp.\u00a097\u201399. IEEE (2024)","DOI":"10.1109\/ICIN60470.2024.10494481"},{"key":"4_CR14","unstructured":"\u201cFloodlight SDN Controller\u201d. https:\/\/github.com\/floodlight\/floodlight"},{"key":"4_CR15","unstructured":"\u201cContainernet\u201d. https:\/\/containernet.github.io"},{"key":"4_CR16","unstructured":"\u201ctshark\u201d. https:\/\/tshark.dev\/"},{"key":"4_CR17","unstructured":"\u201cTogether AI platform\u201d. https:\/\/www.together.ai\/"}],"container-title":["Lecture Notes in Computer Science","Availability, Reliability and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-00642-4_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T20:09:26Z","timestamp":1757362166000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-00642-4_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783032006417","9783032006424"],"references-count":17,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-00642-4_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"10 August 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ARES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Availability, Reliability and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ghent","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Belgium","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ares-12025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/2025.ares-conference.eu","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}