Supervised learning in cybersecurity suffers from heavy reliance on large-scale labeled data and poor generalization. Method: We propose the first general-purpose foundation model tailored for cybersecurity deployment, introducing a novel protocol-aware tokenization mechanism, integrating multimodal network flow representations, and designing a hierarchical Transformer architecture to enable self-supervised pretraining on massive unlabeled network traffic data. Contributions/Results: Our model outperforms four state-of-the-art methods across five representative security tasks; demonstrates significantly improved robustness against noisy labels and spurious correlations (i.e., learning shortcuts); and effectively captures real-world network contextual semantics. This work establishes a new paradigm for building AI infrastructure in cybersecurity that minimizes labeling dependency while maximizing generalization capability.

Developing generalizable ML-based solutions for disparate learning problems in network security is highly desired. However, despite a rich history of applying ML to network security, most existing solutions lack generalizability. This lack of progress can be attributed to an overreliance on supervised learning techniques and the associated challenges of curating well-specified labeled training data. This paper addresses a fundamental gap by introducing a novel transformer-based network foundation model, netFound. We employ self-supervised learning techniques on abundant, unlabeled network telemetry data for pre-training. This pretrained model can subsequently be fine-tuned to create generalizable learning artifacts for disparate learning tasks, even when using commonly available but challenging labeled datasets that are sparse, noisy, and skewed. To realize this goal, netFound leverages various domain-specific attributes and constraints unique to network data (packet traces) by developing multi-modal embeddings, protocol-aware tokenization, data-driven token composition, and hierarchical transformers. Our results demonstrate that netFound's domain-specific design choices ensure that it (1) effectively captures the hidden networking context in production settings, (2) outperforms four different SOTA methods on five different learning tasks, and (3) is robust to both noisy labels and learning shortcuts -- critical for developing generalizable ML models in practical settings.