{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,5]],"date-time":"2026-01-05T17:16:36Z","timestamp":1767633396039,"version":"3.48.0"},"reference-count":25,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2026,1,4]],"date-time":"2026-01-04T00:00:00Z","timestamp":1767484800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"U.S. Department of Commerce, National Institute of Standards and Technology and P3R1 Special Initiative Funding through the University of Idaho\u2019s Office of Research and Economic Development","award":["60NANB24D159"],"award-info":[{"award-number":["60NANB24D159"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Algorithms"],"abstract":"<jats:p>Network security tools are indispensable in testing and evaluating the security of computer networks. Existing tools, such as Hping3, however, offer a limited set of options and attack-specific configurations, which restrict their use solely to well-known attack patterns. Although highly parameterizable libraries, such as Scapy, provide more options and scripting capabilities, they require extensive manual setup and often a steep learning curve. The development of powerful AI models, capitalizing on the transformer architecture, has enabled cybersecurity researchers to develop or incorporate these models into existing cyber-defense systems and red-team assessments. Prominent models such as NetGPT, TrafficFormer, and TrafficGPT can be effective, but require extensive computational resources for fine-tuning and a complex setup to adapt to proprietary networking environments and protocols. In this work, we propose AgentRed, a lightweight tool for generating network attack traffic with minimal human configuration and setup. Our tool integrates an AI agent and a large language model with fewer than a billion parameters into the network traffic generation process. Our method creates lightweight Low-Rank Adaptation (LoRA) adapters that can learn specific traffic patterns in a particular network environment. Our agent can autonomously train the LoRA adapters, search online documentation for attack patterns and parameters, and select appropriate adapters to generate network traffic specific to the user\u2019s needs. It utilizes the LoRA adapters to create an intermediate traffic representation that can be parsed and executed by tools such as Scapy to generate malicious traffic in a virtualized test environment. We assess the performance of the proposed approach on six popular network attacks, including flooding attacks, Smurf, Ping-of-Death, and normal ICMP ping traffic. Our results validate the ability of the proposed tool to efficiently generate network packets with 97.9% accuracy using the LoRA adapters, compared to 95.4% accuracy using the base pre-trained Qwen3 0.6B model. When the AI agent performs online searches to enrich the LoRA adapters\u2019 context during traffic generation, our method maintains an accuracy of 96.0% across all tested traffic patterns.<\/jats:p>","DOI":"10.3390\/a19010043","type":"journal-article","created":{"date-parts":[[2026,1,5]],"date-time":"2026-01-05T12:38:56Z","timestamp":1767616736000},"page":"43","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["AgentRed: Towards an Agent-Based Approach to Automated Network Attack Traffic Generation"],"prefix":"10.3390","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-0622-9198","authenticated-orcid":false,"given":"Koffi Anderson","family":"Koffi","sequence":"first","affiliation":[{"name":"Department of Computer Science, University of Idaho, Idaho Falls, ID 83402, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kyle","family":"Lucke","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Idaho, Idaho Falls, ID 83402, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Elijah","family":"Danquah Darko","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Idaho, Idaho Falls, ID 83402, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-8631-5829","authenticated-orcid":false,"given":"Tollan","family":"Berhanu","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Idaho, Idaho Falls, ID 83402, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0274-9253","authenticated-orcid":false,"given":"Robert Angelo","family":"Borrelli","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Idaho, Idaho Falls, ID 83402, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3020-291X","authenticated-orcid":false,"given":"Constantinos","family":"Kolias","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Idaho, Idaho Falls, ID 83402, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2026,1,4]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"5542919","DOI":"10.1155\/2021\/5542919","article-title":"An adaptive protection of flooding attacks model for complex network environments","volume":"2021","author":"Khalaf","year":"2021","journal-title":"Secur. Commun. Netw."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Kumar, S. (2007, January 1\u20135). Smurf-based distributed denial of service (ddos) attack amplification in internet. Proceedings of the Second International Conference on Internet Monitoring and Protection (ICIMP 2007), San Jose, CA, USA.","DOI":"10.1109\/ICIMP.2007.42"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Yihunie, F., Abdelfattah, E., and Odeh, A. (2018, January 4\u20138). Analysis of ping of death DoS and DDoS attacks. Proceedings of the 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT), Farmingdale, NY, USA.","DOI":"10.1109\/LISAT.2018.8378010"},{"key":"ref_4","unstructured":"(2025, September 21). hping3 | Kali Linux Tools. Available online: https:\/\/github.com\/antirez\/hping."},{"key":"ref_5","unstructured":"Ghosh, S.K., Satvat, K., Gjomemo, R., and Venkatakrishnan, V. (2025, October 01). Ostinato: Cross-Host Attack Correlation Through Attack Activity Similarity Detection. Available online: https:\/\/ostinato.org\/."},{"key":"ref_6","unstructured":"Fontanini, M. (2025, October 01). C++ Packet Sniffing and Crafting Library. Available online: https:\/\/libtins.github.io\/."},{"key":"ref_7","unstructured":"(2025, September 21). Scapy. Available online: https:\/\/scapy.net\/."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"114936","DOI":"10.1109\/ACCESS.2023.3325727","article-title":"PAC-GPT: A Novel Approach to Generating Synthetic Network Traffic With GPT-3","volume":"11","author":"Kholgh","year":"2023","journal-title":"IEEE Access"},{"key":"ref_9","unstructured":"Meng, X., Lin, C., Wang, Y., and Zhang, Y. (2023). NetGPT: Generative Pretrained Transformer for Network Traffic. arXiv."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Zhou, G., Guo, X., Liu, Z., Li, T., Li, Q., and Xu, K. (2025, January 12\u201315). TrafficFormer: An Efficient Pre-trained Model for Traffic Data. Proceedings of the 2025 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA.","DOI":"10.1109\/SP61157.2025.00102"},{"key":"ref_11","unstructured":"Qu, J., Ma, X., and Li, J. (2024). TrafficGPT: Breaking the Token Barrier for Efficient Long Traffic Analysis and Generation. arXiv."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1613\/jair.301","article-title":"Reinforcement learning: A survey","volume":"4","author":"Kaelbling","year":"1996","journal-title":"J. Artif. Intell. Res."},{"key":"ref_13","unstructured":"Shao, Z., Wang, P., Zhu, Q., Xu, R., Song, J., Bi, X., Zhang, H., Zhang, M., Li, Y., and Wu, Y. (2024). Deepseekmath: Pushing the limits of mathematical reasoning in open language models. arXiv."},{"key":"ref_14","first-page":"3","article-title":"Lora: Low-rank adaptation of large language models","volume":"1","author":"Hu","year":"2022","journal-title":"ICLR"},{"key":"ref_15","unstructured":"Team, Q. (2025). Qwen3 Technical Report. arXiv."},{"key":"ref_16","first-page":"333","article-title":"Generative Adversarial Networks (GANs): A survey of network traffic generation","volume":"12","author":"Anande","year":"2022","journal-title":"Int. J. Mach. Learn. Comput."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3639037","article-title":"NetDiffusion: Network Data Augmentation Through Protocol-Constrained Traffic Generation","volume":"8","author":"Jiang","year":"2024","journal-title":"Proc. ACM Meas. Anal. Comput. Syst."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"111308","DOI":"10.1016\/j.comnet.2025.111308","article-title":"GPT on the wire: Towards realistic network traffic conversations generated with large language models","volume":"265","author":"Perdices","year":"2025","journal-title":"Comput. Netw."},{"key":"ref_19","unstructured":"(2025, September 29). Aircrack-ng. Available online: https:\/\/www.aircrack-ng.org\/."},{"key":"ref_20","unstructured":"(2025, October 01). Metasploit | Penetration Testing Software, Pen Testing Security. Available online: https:\/\/www.metasploit.com\/."},{"key":"ref_21","unstructured":"(2025, October 01). mdk3 | Kali Linux Tools. Available online: https:\/\/www.kali.org\/tools\/mdk3."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1109\/MSP.2017.2743240","article-title":"Deep reinforcement learning: A brief survey","volume":"34","author":"Arulkumaran","year":"2017","journal-title":"IEEE Signal Process. Mag."},{"key":"ref_23","unstructured":"Schulman, J., Wolski, F., Dhariwal, P., Radford, A., and Klimov, O. (2017). Proximal policy optimization algorithms. arXiv."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"220","DOI":"10.1038\/s42256-023-00626-4","article-title":"Parameter-efficient fine-tuning of large-scale pre-trained language models","volume":"5","author":"Ding","year":"2023","journal-title":"Nat. Mach. Intell."},{"key":"ref_25","unstructured":"(2025, September 29). TCPDUMP & LIBPCAP. Available online: https:\/\/www.tcpdump.org\/."}],"container-title":["Algorithms"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-4893\/19\/1\/43\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,5]],"date-time":"2026-01-05T12:46:51Z","timestamp":1767617211000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-4893\/19\/1\/43"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,4]]},"references-count":25,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,1]]}},"alternative-id":["a19010043"],"URL":"https:\/\/doi.org\/10.3390\/a19010043","relation":{},"ISSN":["1999-4893"],"issn-type":[{"value":"1999-4893","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,4]]}}}