A Transformer-Based Framework for Payload Malware Detection and Classification
Kyle Stein, Arash Mahyari, Guillermo Francia III, Eman El-Sheikh

TL;DR
This paper introduces a transformer-based deep learning framework for payload malware detection and classification in network traffic, demonstrating promising accuracy on benchmark datasets.
Contribution
It presents a novel transformer-based DPI algorithm that uses raw payload bytes for malicious traffic detection and classification, enhancing IDS capabilities.
Findings
Achieved 79% accuracy in binary classification of malicious vs benign traffic.
Achieved 72% accuracy in multi-class classification of different malicious types.
Effective use of transformer self-attention mechanism on raw payload data.
Abstract
As malicious cyber threats become more sophisticated in breaching computer networks, the need for effective intrusion detection systems (IDSs) becomes crucial. Techniques such as Deep Packet Inspection (DPI) have been introduced to allow IDSs to analyze the content of network packets, providing more context for identifying potential threats. IDSs traditionally rely on anomaly-based and signature-based detection techniques to detect unrecognized and suspicious activity. Deep learning techniques have shown great potential in DPI for IDSs due to their efficiency in learning intricate patterns from the packet content being transmitted through the network. In this paper, we propose a revolutionary DPI algorithm based on transformers adapted for the purpose of detecting malicious traffic with a classifier head. Transformers learn the complex content of sequence data and generalize them…
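The abstract states that the transformer operates on raw payload bytes rather than on hand-crafted features or a text tokenizer. The following preprocessing step, added here as an illustration and not taken from the paper's code, shows how a byte-level vocabulary turns a captured payload into the fixed-length token sequence a transformer classifier consumes. The vocabulary layout (256 byte values plus PAD and CLS tokens), the sequence length of 64, the special-token ids and the two sample payloads are all assumptions constructed for the example.

```python
# Added example (not the paper's code): byte-level tokenization of raw
# packet payloads for a transformer-based DPI classifier.
# Assumptions: PAD/CLS ids, BYTE_OFFSET, MAX_LEN and the sample payloads
# are constructed for illustration only.
from typing import Dict, List, Tuple

PAD_ID = 0            # padding token, masked out of self-attention
CLS_ID = 1            # classification token prepended to every sequence
BYTE_OFFSET = 2       # raw byte value b maps to token id b + BYTE_OFFSET
VOCAB_SIZE = 256 + BYTE_OFFSET   # 258 ids: 2 specials + every byte value
MAX_LEN = 64          # assumed fixed sequence length (CLS + 63 payload bytes)

LABELS: Dict[str, int] = {"benign": 0, "malicious": 1}


def tokenize_payload(payload: bytes, max_len: int = MAX_LEN) -> List[int]:
    """Map raw bytes to token ids, prepend CLS, truncate to max_len, pad with PAD."""
    # Keep only the first max_len - 1 bytes so the CLS token fits.
    body = [b + BYTE_OFFSET for b in payload[: max_len - 1]]
    ids = [CLS_ID] + body
    ids.extend([PAD_ID] * (max_len - len(ids)))
    return ids


def attention_mask(ids: List[int]) -> List[int]:
    """1 for real tokens, 0 for padding, so padded positions are ignored."""
    return [0 if t == PAD_ID else 1 for t in ids]


def build_batch(samples: List[Tuple[bytes, str]]):
    """Return (token ids, attention masks, integer labels) for a list of
    (payload, label) pairs; every row has identical length MAX_LEN."""
    tokens = [tokenize_payload(p) for p, _ in samples]
    masks = [attention_mask(t) for t in tokens]
    labels = [LABELS[lbl] for _, lbl in samples]
    return tokens, masks, labels


# Constructed sample payloads: a short HTTP request and a 256-byte blob
# that exercises every byte value and the truncation path.
SAMPLES: List[Tuple[bytes, str]] = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", "benign"),
    (bytes(range(256)), "malicious"),
]

if __name__ == "__main__":
    X, M, y = build_batch(SAMPLES)
    for row, mask, label in zip(X, M, y):
        print(label, sum(mask), "real tokens of", len(row))
```

Because payloads are arbitrary binary data, a fixed 256-entry byte vocabulary avoids the out-of-vocabulary problem a text tokenizer would have, and the attention mask keeps the classifier head from attending to padding when packets are shorter than the window.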
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
