This work addresses the challenge of effectively detecting diverse malware on home routers under stringent false positive constraints, where existing system-call-based approaches exhibit limited performance. The authors propose a novel detection framework that integrates system and network behavioral signals: high-fidelity eBPF sensors capture system calls, while a structured network data pipeline is constructed using packet abstraction language. A contrastive augmentation learning mechanism combined with a BERT-based Transformer encoder enables joint modeling of these heterogeneous signals. This approach achieves, for the first time, deep fusion of system-call and network-behavior features directly on router devices. Evaluated in real-world IoT environments, the method significantly improves detection accuracy against network-oriented malware while maintaining an extremely low false positive rate.

Previous work on home router security has shown that using system calls to train a transformer-based language model built on a BERT-style encoder using contrastive learning is effective in detecting several types of malware, but the performance remains limited at low false positive rates. In this work, we demonstrate that using a high-fidelity eBPF-based system call sensor, together with contrastive augmented learning (which introduces controlled mutations of negative samples), improves detection performance at a low false positive rate. In addition, we introduce a network packet abstraction language that enables the creation of a pipeline similar to network packet data, and we show that network behavior provides complementary detection signals-yielding improved performance for network-focused malware at low false positive rates. Lastly, we implement these methods in an online router anomaly detection framework to validate the approach in an Internet of Things (IoT) deployment environment.