🤖 AI Summary
To address the frequent occurrence of zero-day attacks and the limitations of existing machine learning–based intrusion detection systems (IDS)—namely, their reliance on labeled data and poor generalization—this paper proposes a self-supervised contrastive learning framework operating directly on raw packet byte sequences. Our method employs a Transformer encoder to model byte-level packet sequences end-to-end, eliminating handcrafted feature engineering. It introduces packet-level data augmentation and unsupervised representation learning to enable robust cross-dataset transfer and low-resource detection. Experiments demonstrate a 20% improvement in cross-dataset anomaly detection AUC and a 1.5% gain in same-dataset pretraining followed by supervised fine-tuning, outperforming baselines such as NetFlow-based approaches. The core contribution is the first self-supervised contrastive learning IDS paradigm tailored for raw packet sequences, effectively mitigating challenges posed by label scarcity and distributional shift.
📝 Abstract
As the digital landscape becomes more interconnected, the frequency and severity of zero-day attacks, have significantly increased, leading to an urgent need for innovative Intrusion Detection Systems (IDS). Machine Learning-based IDS that learn from the network traffic characteristics and can discern attack patterns from benign traffic offer an advanced solution to traditional signature-based IDS. However, they heavily rely on labeled datasets, and their ability to generalize when encountering unseen traffic patterns remains a challenge. This paper proposes a novel self-supervised contrastive learning approach based on transformer encoders, specifically tailored for generalizable intrusion detection on raw packet sequences. Our proposed learning scheme employs a packet-level data augmentation strategy combined with a transformer-based architecture to extract and generate meaningful representations of traffic flows. Unlike traditional methods reliant on handcrafted statistical features (NetFlow), our approach automatically learns comprehensive packet sequence representations, significantly enhancing performance in anomaly identification tasks and supervised learning for intrusion detection. Our transformer-based framework exhibits better performance in comparison to existing NetFlow self-supervised methods. Specifically, we achieve up to a 3% higher AUC in anomaly detection for intra-dataset evaluation and up to 20% higher AUC scores in inter-dataset evaluation. Moreover, our model provides a strong baseline for supervised intrusion detection with limited labeled data, exhibiting an improvement over self-supervised NetFlow models of up to 1.5% AUC when pretrained and evaluated on the same dataset. Additionally, we show the adaptability of our pretrained model when fine-tuned across different datasets, demonstrating strong performance even when lacking benign data from the target domain.