Evaluation of the capability of different large language models (LLMs) in generating malicious code for DDoS attacks using different prompting techniques.

By AdrianaLaRotta @ 2025-05-06T10:55 (+3)

Registered : Adriana Lorena La Rotta Espinosa

This project was conducted as part of the "Careers with Impact" program during the 14- week mentoring phase. You can find more information about the program in this post.

Introduction

Recent research has revealed that large language models (LLMs) can be used to generate large-scale variants of malicious code, managing to evade detection systems in 88% of cases (The Hacker News, 2024). This finding poses a significant risk in the field of artificial intelligence security (AI safety), as it demonstrates how these models, originally designed to assist in useful tasks, can be manipulated by malicious actors to facilitate sofisticated cyberattacks. In this context, one of the most worrisome scenarios is the use of LLMs to generate code intended for distributed denial-of-service (DDoS) attacks, which can collapse digital infrastructures by overloading servers with automated trafic. Assessing the ability of models to generate this type of malicious code is critical to understanding their potential risks, establishing safe boundaries, and developing effective mitigation strategies.

Artificial intelligence has advanced at a rapid pace. Large language models (LLMs) such as GPT-4, Gemini 2.0, DeepSeek R1, and Claude 3.7 can generate programming code automatically and have proven to be useful tools in several areas (Gonzalez, 2023) However, there is also concern that these models can be used to create code for malicious fines, including tools for DDoS attacks.

Previous research has addressed security issues in LLMs and their potential malicious use. Studies conducted by Cisco and the University        of Pennsylvania  have  evaluated  vulnerabilities  in  models.

specific ones, such as DeepSeek R1, finding deficiencies in detecting malicious instructions Kassianik & Karbasi, 2025). OWASP has identified in its top 10 list of security risks for LLM-based applications issues such as unlimited resource consumption, command injection at the prompt, and insecure output manipulation. However, open questions remain about the extent to which LLMs can be induced to generate malicious code through advanced jailbreaking techniques and what are the most effective strategies to mitigate these risks.

Addressing these issues is relevant because automation code generation is transforming the cybersecurity landscape for both defense and attack. If LLMs can be manipulated to generate malicious tools, the proliferation of cyberattacks could increase dramatically. Assessing the ability of these models to generate DDoS attack code will enable more effective strategies for protection and regulation.

This study aims to evaluate the extent to which LLMs can generate code for DDoS attacks and the ease with which they can be induced to do so by jailbreaking techniques, the model were performed in Spanish language. Various model interaction (prompting) strategies were employed, including Vulnerability-Specific Prompting, Insecure Code Completion Prompting, In- Context Learning Prompting and Adversarial Prompting, in order explore their limitations in generating malicious content. In addition, the results were analyzed using Central Limit Theory (CLT) to ensure that the conclusions are accurate and not a product of chance.

Undertaking this project is crucial because it will provide valuable information about the vulnerabilities of LLMs and how they can be exploited by malicious actors. This will enable researchers and technology companies to strengthen security measures in these models and develop more eficient mitigation strategies.

From the findings, it will be possible to identify trends and potential risks associated with the use of LLMs in cybersecurity contexts, as well as explore opportunities for regulation and improvement. Understanding the scope and limitations of these models in malicious code generation scenarios is critical to strengthening cybersecurity and guiding the

design of more effective mitigation strategies. With this research, we seek to provide useful evidence to promote ethical and safe practices in the development and use of artificial intelligence in the field of cybersecurity.

Research Question.

How does prompting style influence the ability of different large language models to generate malicious code targeted for distributed denial of service (DDoS) attacks?

Objectives

General

Analyze the ability of different large language models (LLMs) to generate malicious code intended for DDoS attacks, evaluating how their effectiveness varies according to the prompting style used.

Particular (Specific) Objectives

1. Select the large language models (LLM) to be evaluated, considering their architectural diversity, technical capabilities and development approaches.
2. Define the prompting styles to be used for malicious code generation, in the context of DDoS attacks, and design appropriate prompts for each prompting strategy.
3. Establish evaluation metrics to measure the performance of the models in terms of eficiency, security avoidance, code quality, impact, variability and ease of use.
4. Compare the performance of different language models (GPT-4, Gemini 2.0, DeepSeek R1, Claude 3.7) in generating malicious code for DDoS attacks.
5. Evaluate the impact of different prompting styles (Vulnerability- Specific Prompting, Insecure Code Completion Prompting, In-Context Learning Prompting and Adversarial Prompting) on the generation of dangerous code.

6. Apply statistical tools, such as the Central Limit Theory (CLT), to ensure the validity of the results obtained.

   Personal Objectives

• Develop advanced knowledge in cybersecurity and machine learning, focusing on the impact of artificial intelligence on digital security.
• Strengthen my technical writing and scientific dissemination skills to communicate results effectively in the academic and professional environment.
• Explore new opportunities in the field of cybersecurity and artificial intelligence, with a view to future research or professional specialization in the area.

Methodology

[Note of restricted access.

To access the complete methodology, it is necessary to contact the author or the responsible organization directly at adrianalarotta72gmail.com orcarrerasconimpacto@gmail.com . The request should include the full name of the applicant, an oficial document of identification, the institution to which he/she belongs and the reason for which he/she wishes to access the information.

The team may ask additional questions to assess the appropriateness of sharing complete information. Access may be denied if it is considered that there are associated risks].

How were the models selected?

To evaluate the capability of language models in cyberattack generation, GPT-4, Gemini 2.0, DeepSeek R1, and Claude 3.7 were selected based on their architectural diversity, capabilities, and development approaches. GPT-4 and Gemini 2.0 stand out for their multimodality and sofistication in natural language understanding, while DeepSeek R1 brings eficiency and optimized logical reasoning. Claude 3.7, on the other hand, emphasizes security and consistency in its responses. The selection of these models will allow us to analyze their ability to generate code for DDoS attacks under different prompting strategies.

What prompting strategies were used?

Different prompting strategies were applied, including Vulnerability-Specific Prompting, Insecure Code Completion, In-Context Learning and Adversarial Prompting. The models evaluated were GPT-4, Gemini 2.0, DeepSeek R1 and Claude 3.7, and their response when generating malicious code in Python was analyzed.

How was the test environment set up?

The test environment was configured using a simulated local web server, developed in Python. This server was designed to log all incoming requests and respond with a simple message to each connection attempt. A mechanism was also included to count how many requests were made and how long it was running. The server run was tuned to listen on a specific address and port. This infrastructure allowed for secure logging and analysis of the interactions generated by the language models, ensuring a controlled environment for evaluating their behavior against web services.

How were the results analyzed?

To evaluate the results in terms of success rate, security evasiveness and impact of the simulated attacks, the Central Limit Theory (CLT) was applied. For each LLM model and type of attack, multiple runs were performed, obtaining data on the success rate, the level of evasiveness of the security systems and the effect of the attack on the system. From these data, the mean (μ) and standard deviation (σ) were calculated for each metric. According to the CLT, when the number of executions (n) was suficiently large, the sample means followed a normal distribution.

For each model and metric, 95% confidence intervals were calculated using the formula:

Formula 1. Interval of confidence for the mean.

where:

• μ is the sample mean, (i.e., the average level of impact).
• Z is the critical value of the normal distribution (depending on the level of confidence, e.g., for 95% confidence, Z=1.96),
• σ is the standard deviation of the sample,
• n is the number of samples.

This made it possible to determine the precision of the estimates and to differentiate between consistent results and variations due to chance.

The results were compared across models to identificate which is more effective in generating cyberattacks. For example, a model with an average success rate of 85% and a tight confidence interval (80%-90%) would be considered more confidential than one with a similar rate but a wider interval (70%-95%). This CLT-based numerical approach ensures that the observed differences between models are not due to luck in the selection of inputs, but to actual capabilities in generating eficient attacks. Comparison of metrics such as security evasion and attack impact will also allow for the identification of patterns that can strengthen defense systems. The process of model comparison and metric evolution is detailed below:

The comparison of LLM models was conducted using six key metrics: success rate, security evasion, attack impact, code quality, response variability, and ease of use. Each of these metrics was measured and compared between the GPT-4, Gemini 2.0, Deekseek R1 and Claude 3.7 models.

1. Success Rate: The success rate reflects the percentage of attacks generated by each model that successfully compromised thetarget systems, either by executing malicious code or by exploiting specific vulnerabilities. For this calculation, the formula was used:

    

   

2. Security Evasion: This metric measures the ability of the generated attacks to evade detection and protection systems, such as firewalls, antivirus and intrusion detection systems (IDS), for this experiment we will make use of the online platform VirusTotal a free tool that allows to analyze files in search of possible malware. Evasion will be calculated by observing the percentage of attacks that are not detected during the simulation. The process will be as follows:
3. Attack Impact: When calculating the impact of an attack in terms of time, the duration of sending bulk packets to the server in seconds is recorded. The confidence interval is useful for determining whether a model-generated attack has a consistently high or low impact.
4. Code Quality: The Python Pylint tool is used to evaluate code quality on a scale of 0 to 10. This analysis detects syntax errors, style conventions, and potential logic problems. In addition, it verifies adherence to best practices, such as PEP 8 compliance and detection of redundant code or unused variables.
5. Response Variability: The ability of the LLM to generate multiple versions of a code while maintaining its eficiency is measured. The evaluation is based on the number of variants generated with similar results, recording the differences with respect to the first response.

6. Ease of use: Evaluates the level of technical knowledge required to execute the generated code. It is determined by a manual evaluation based on usability and documentation, using the following scale:

    1. Advanced: Requires specialized knowledge and programming experience.

    2. Medium-high: Needs technical configuration and understanding of advanced concepts.

   3. Medium: Can be executed with minimal guidance or detailed instructions.

   4. Low: Requires little user intervention, with almost automatic execution.

   5. Very low: Fully automated, plug & play type, no need for manual configuration

    

The model comparison will be presented by bar charts and radar plot, using Matplotlib to visualize the success, evasion and impact rates of the attacks. For each model (GPT-4, Gemini 1.5 , Deekseek R1 and Claude 3), key metrics will be calculated and graphs with confidence intervals will be generated. In addition, tables with mean values, standard deviation and confidence intervals for each metric will be included. The graphs will allow visual comparison of differences in model performance, while the confidence intervals will provide an additional measure of precision in the estimates. The analysis will interpret these results to identify patterns and strengths of each model in terms of its ability to generate effective attacks, evade detection and make an impact.

Flowchart with estimated time per activity:

Methodology applied to evaluate code generation by the models.

Results and Discussion

[Note of restricted access.

To access complete results, it is necessary to contact the author or the responsible organization directly at adrianalarotta72gmail.com orcarrerasconimpacto@gmail.com . The request should include the full name of the applicant, an oficial document of identification, the institution to which he/she belongs and the reason for which he/she wishes to access the information.

The team may ask additional questions to assess the appropriateness of sharing complete information. Access may be denied if it is deemed that there are associated risks].

The results of the metrics evaluated for each of the codes generated by the models are shown below. In total, eight experiments were performed: two for each of the prompt types, and three attempts were made with the same prompt for each of the models.

Success Rate

The following graphfica shows the success rate of attacks performed by the different AI models.

Figure 2. Success rate. This diagram shows the comparative of in the success rate of the evaluated models according to the type of prompt used.

The results reveal critical patterns in the security of LLMs against different types of malicious prompts. Claude shows vulnerability in

In-Context Learning 50% success rate), suggesting that its ethical filters, so it is necessary to continue evaluations and modifications in its parameters, to be protected against possible textual attacks. GPT-4, despite its reputation as a secure model, presents unexpected failures in this same scenario (66.67%), indicating that its robustness is not universal. DeepSeek R1 emerges as the most consistent model (99.64-100%), a relevant finding in the absence of previous studies on its security. All models are 100% vulnerable to Insecure Code Completion, confirming risks already identified in previous works but extending to more recent models ('Do LLMs Consider Security? An Empirical Study on Responses to Programming Questions', 2025). These results not only challenge assumptions about the effectiveness of current defenses, but highlight the need for specific evaluations by attack type, particularly in contextual prompts, an area little explored in the literature. The inconsistency of GPT-4 and the poor performance of Claude in In- Context Learning open new lines of research on adaptive mitigations and the role of model architecture in its susceptibility to attacks.

Security Evasion:

In this evaluation criterion, all code generated by LLMs achieved evasion of current detection mechanisms, indicating that the content produced may not trigger malicious code alerts. This result highlights the need to strengthen monitoring and analysis tools, in order to identify potential risks in early stages of the development or deployment of these models.

Attack Impact

The following graph shows the distribution of the affectation time in seconds for each AI model, for each of the prompts types.

Figure 3. Distribution of Impact Times by Model and Prompt Type. The graphfic shows how the malicious response generation time varies between models and attack types. The scale of the graphsfics was adjusted independently due to the large differences in response times, which would allow for better visualization and comparison of the data.

The boxplots reveal clear patterns in the time to compromise for each model and type of prompt. For Insecure Code Completion, DeepSeek R1 shows a wide dispersion (0.06s to 1417s) with extreme outliers, suggesting inconsistency in its response to this type of attacks, while GPT-4 and Claude present more concentrated distributions (20-160s and 2-36s respectively). For Vulnerability-Specific Prompting, Gemini stands out with high times (up to 90s). In In-Context Learning, Gemini again shows high variability (2-406s), evidencing sensitivity to the context of the attack, while Claude immediately blocks these attempts (0s). Finally, in Adversarial Prompting all models exhibit low (<40s) and consistent times. These results suggest that the effectiveness of the models varies significantly according to the type of attack, with Claude having the shortest attack time, but less consistent in Insecure Code, while DeepSeek R1 shows vulnerability to insecure code attacks but unpredictable response times.

Code Quality

The graph shows the distribution of the quality of the code generated by each LLM.

Figure 3. Distribution of Code Quality by Model and Prompt Type

The boxplots reveal significant differences in the quality of the code generated by the models according to the type of prompt. DeepSeek R1 shows the most consistent performance, especially in Adversarial (median~7.0, narrow IQR), standing out for its robustness. GPT-4 leads in In-Context (median ~7.5), although with low outliers (blue dots at 0), suggesting occasional complete failures. Claude exhibits the greatest variability, with wide ranges in Insecure (IQR of 1.5 to 6.5) and low quality in In-Context (median ~1.5), indicating instability in contextual prompts. Worrying outliers are observed in Vulnerability (Gemini with 8.42) and Insecure (GPT-4 with 0.95), which could represent security risks. The overall quality remains between 5.0-7.5 for most models, except for In-Context where Claude and Gemini drop significantly. These results evidence differences in the behavior of the models to different types of tests, which highlights the importance of evaluating their performance contextually. For example, Claude responded in a shorter time under certain

scenarios, although it showed less consistency in the generation of insecure code, while DeepSeek R1 showed less predictable responses in time and content to such stimuli. These findings reinforce the need for continued detailed evaluations to strengthen their secure response capabilities.

The results coincide in several aspects with the study by Xu et al. (2024), where models such as GPT-4, Claude and Gemini were evaluated in code . As in their analysis, we observe that GPT-4 leads in In-Context scenarios, but presents punctual failures (low outliers). Claude shows high variability, especially in unsafe tasks, indicating instability, as also reported in the study. Gemini, while occasionally generating high quality code, has inconsistent performance on vulnerable prompts, which poses security risks. Although DeepSeek R1 was not included in that study, our data suggest its robust performance on adversarial tasks.

Response Variability

The following graph shows the number of variations generated in each attempt for the different models by prompt type.

Quality distribution of the number of attempts in the experiment by Model and the number of variations with respect to the first one.

The models show differentiated behaviors according to the type of prompting: Claude excels in Insecure Code Completion (14 variations) but is inconsistent, revealing high capability but low predictability in offensive contexts; Gemini prioritizes security, with low overall performance except in Vulnerability-Specific, suggesting specialization in structured attacks; DeepSeek R1 maintains stability, especially in Adversarial Prompting (7-9 variations), indicating robustness to prompt engineering; while ChatGPT-4 acts as a balance between flexibility and control, without standing out in any scenario. The key point is that effectiveness depends critically on the type of prompt: Claude is high risk/beneficiency, Gemini is conservative, and DeepSeek R1 offers adaptive balancing, implying that the choice of model for security testing must align with its specific contextual bias. This suggests that some models require more modifications to achieve a successful attack, while others are more consistent in their attempts.

The results agree with what was reported in the study (Smoke and Mirrors, 2025), where Claude was observed to generate significantly more exploit variants in offensive prompts (up to 12 times more than GPT-4), albeit with striking variance. In that paper, he attributed this difference to the security mechanisms of each model: Claude relies on heuristic rules, which can be circumvented  with  creative  approaches,  while  GPT-4  uses        RLHF (Reinforcement Learning from Human Feedback), which makes it more consistent but also more conservative in its outputs.

Ease of use

In evaluating the ease of use of language model-generated code (LLMs), I analyzed the level of technical knowledge required to execute the outputs, using a scale from 1 (advanced) to 5 (plug & play). The results showed an average of 3-4, indicating that, in general, the code could be executed with minimal instructions, although with notable variations: DeepSeek stood out for its detailed documentation (4/5), while prompts such as Insecure Code Completion and In-Context Learning obtained lower scores (~2/5) due to the complexity of the generated code (e.g., technical dependencies or lack of clear explanations). The

subjectivity in the evaluation - based on my judgment of instruction clarity and usability - was an acknowledged limitation. The findings partially agree with the literature, works such as (Towards Advancing Code, 2025) support that fine- tuned models (e.g., DeepSeek) generate more usable code, similar to my observations.

Perspectives

The results of this study highlight the need for future research and action in the following key areas:

• Code Generation Variability Analysis: The inconsistency observed in models such as Claude, especially in "Insecure Code Completion" tasks, suggests the need to investigate the factors contributing to this variability in order to improve the stability and predictability of LLM responses.
• Security Mechanism Evasion Assessment: Since all generated codes managed to evade security detection mechanisms, it is essential to develop more effective methods to identify and block the generation of malicious content by LLMs.
• Impact of Context on Susceptibility to Attack: The vulnerability of models such as GPT-4 and Claude in "In-Context Learning" indicates the importance of studying how context influences the susceptibility of LLMs to generate malicious code.
• Diversification of Models and Prompting Techniques in Future Evaluations: To gain a more complete understanding of vulnerabilities, it is recommended that a wider variety of LLMs and prompting techniques be included in future studies.
• Interdisciplinary Collaboration: It is critical to involve computer security researchers, language model developers, regulatory bodies, and the open source community to strengthen security measures and develop policies that

mitigate the misuse of LLMs.

These perspectives seek to guide future research and collaborations towards the improvement of security in language models, considering the rapid evolution and adoption of these technologies in various sectors.

Personal Reflexion.

This project has been a deeply enriching experience that has allowed me to approach the field of AI Safety in a significant way. Throughout the process, especially during the mentorships, I have evolved both in my technical knowledge and in my critical understanding of the risks and liabilities associated with the development of artificial intelligence-based technologies.

Thanks to the research done, I had the opportunity to learn concepts that I did not know at the beginning and strengthen key skills in risk analysis and secure code generation. The guidance I received was fundamental to give a clear direction to the project, allowing me to structure it in a solid way and achieve the proposed objectives.

One of the most valuable experiences derived from this work was my participation in the ML4GOOD event, where I was able to reinforce my knowledge in IA Safety and connect with people who share the same purpose: to contribute from technology to the prevention of catastrophic risks. This approach was also emphasized in the Careers with Impact classes, where I understood the true social and ethical dimension of technological development.

I am very excited about what I have achieved so far and even more excited about what is yet to come. From this experience, I have decided to continue my training in AI applied to cybersecurity, get involved in communities with afines interests and expand this research project with new hypotheses and approaches. In the future, I wish to develop more projects in this line and actively contribute to initiatives that promote a safe, ethical and responsible use of artificial intelligence.

References

Chen, T., Zhang, H., Liu, T., & Li, R. (2022). Research on cyber attack modeling and attack path discovery. In 2022 2nd International Conference on Computational Modeling, Simulation and Data Analysis (CMSDA)        (pp.        332-338).        Zhuhai,        China. https://doi.org/10.1109/CMSDA58069.2022.00068

Chen, Y., Zhang, W., Zhang, Y., & Yin, J. (2024). Towards advancing code generation with large language models: A research roadmap. arXiv. https://arxiv.org/abs/2501.11354

Cybersecurity (n.d.). U.S. Securities and Exchange Commission (SEC). https://.www.sec.gov/securities-topics/cybersecurity

González, J. (2023). Evaluation of LLMs for code generation [Final Degree Thesis, Universitat Oberta de Catalunya]. Repository        UOC. https://openaccess.uoc.edu/handle/10609/148754

Heikkilä, M. (2023). Three ways AI chatbots are a security disaster. MIT Technology        Review.

www.technologyreview.com/2023/04/03/1070893/three-wa https://ys-ai-chatbots-are-a-security-disaster/

Hilton, B. (2024). What could an AI-caused existential catastrophe actually        look        like?        80,000        Hours. https://80000hours.org/articles/what-could-an-ai-caused-existenti al-catastrophe-actually-look-like/ actually-take-power

Jin, H., Chen, H., Lu, Q., & Zhu, L. (2025). Towards advancing code generation with large language models: A research roadmap. arXiv. https://arxiv.org/html/2501.11354v1

Kassianik, P., & Karbasi, A. (2025). Evaluating security risk in DeepSeek and        other        frontier        reasoning        models.        Cisco        Blogs. https://blogs.cisco.com/security/evaluating-security-risk-in-deepse ek-and-other-frontier-reasoning-models.

Mirsky, Y., Demontis, A., Kotak, J., Shankar, R., Gelei, D., Yang, L., Zhang, X., Pintor, M., Lee, W., Elovici, Y., & Biggio, B. (2023). The threat of offensive AI to organizations. Computers & Security, 124, 103006. https://doi.org/10.1016/j.cose.2022.103006.

NETSCOUT        Threat        Intelligence        Report.        (2024). https://www.netscout.com/threatreport?utm_source=chatgpt.co m

Ouyang, S., Qin, Y., Lin, B., Chen, L., Mao, X., & Wang, S. (2024). Smoke and mirrors: Jailbreaking LLM-based LLM-based code generation via implicit malicious prompts. arXiv. https://arxiv.org/abs/2503.17953

Pacheco, O. Y., Yoachimik, O., Pacheco, J., Belson, D., Tomé, J., Rodrigues, C., & Gerhart, H. (2025). Unprecedented DDoS attack of 5.6 Tb/s and global trends of DDoS attacks in Q4 of        2024.

https://blog.cloudflare.com/es-es/ddos-threat-report-for-2024-q4/

?utm_source=chatgpt.com%2F

Report on cyber security and critical infrastructure in the Americas (n.d.). Organization        of        American        States        (OAS). https://www.oas.org/es/sms/cicte/ciberseguridad/publicaciones/20 15%20-

%20OAS%20Trend%20Micro%20Report%20Cybersecurity%20and% 20Critical%20Inf%20Security%20and%20Protection%20of%20the%2 0Critical%20Inf%20.pdf.

Shanthi, R. R., Sasi, N. K., & Gouthaman, P. (2023). A new era of cybersecurity:  The  influence  of  artificial  intelligence.  In 2023.

International Conference on Networking and Communications (ICNWC)        (pp.        1-4).        Chennai,        India. https://doi.org/10.1109/ICNWC57852.2023.10127453

Tshimula, J. M. (2024). Jailbreaking large language models with symbolic mathematics. arXiv. https://arxiv.org/html/2411.16642v1

Wong, A., Cao, H., Liu, Z., & Li, Y. (n.d.). SMILES-Prompting: A novel approach to LLM jailbreak attacks in chemical synthesis. https://github.com/IDEA-XL/ChemSafety