This study addresses the limitations of traditional network intrusion detection systems that rely on manual feature engineering by systematically evaluating state-of-the-art tabular representation learning methods—including TabICL, autoencoders, and end-to-end Transformers—for intrusion detection on NetFlow data. The evaluation encompasses both supervised classification and unsupervised anomaly detection settings, supported by extensive hyperparameter tuning. Experimental results demonstrate that TabICL achieves the best performance on the CIDDS dataset, while autoencoders and Transformers generally outperform other approaches on average. Supervised methods significantly surpass unsupervised ones in detection efficacy. However, model performance is highly dataset-dependent, and cross-dataset generalization is substantially hindered by distributional discrepancies. These findings illuminate both the promise and the inherent limitations of representation learning techniques for intrusion detection tasks.

Classic Network Intrusion Detection Systems (NIDS) often rely on manual feature engineering to extract meaningful patterns from network traffic data. However, this approach requires domain expertise and runs counter to the widely adopted principle of modern machine learning and neural networks: that models themselves should learn meaningful representations directly from data. We investigate whether tabular representation learning techniques can improve intrusion detection performance by automatically learning robust feature representations for NetFlow data. This paper presents a systematic evaluation of state-of-the-art representation learning methods on benchmark NetFlow datasets, comparing against traditional autoencoders and end-to-end transformer baselines. We evaluate learned representations using both supervised classifiers and unsupervised anomaly detectors, with comprehensive hyperparameter exploration for each combination. Our results reveal strong dataset-model dependency, with no single approach consistently dominating across all scenarios. For supervised classification, TabICL achieves the best performance on CIDDS, while autoencoders follow closely and tie with end-to-end transformer models for the best average rank across datasets. Supervised approaches substantially outperform unsupervised anomaly detection methods, where no single combination consistently dominates as optimal choices depend on the dataset. Cross-dataset transfer experiments demonstrate that learned representations can generalize across network environments with appropriate method and classifier selection. However, transfer performance varies substantially depending on the source-target dataset combination, indicating sensitivity to distributional differences between network environments.