Towards Novel Malicious Packet Recognition: A Few-Shot Learning Approach
Kyle Stein, Andrew A. Mahyari, Guillermo Francia III, Eman El-Sheikh

TL;DR
This paper introduces a novel malware detection method using a large language model and few-shot learning to recognize unseen malware types with minimal labeled data, improving accuracy in network security.
Contribution
It presents a new approach combining pretrained LLM embeddings and few-shot learning for effective detection of novel malware with limited samples.
Findings
Achieved an average accuracy of 86.35% in malware recognition.
F1-Score of 86.40% demonstrates robust performance.
Effective in IoT and network traffic environments.
Abstract
As the complexity and connectivity of networks increase, the need for novel malware detection approaches becomes imperative. Traditional security defenses are becoming less effective against the advanced tactics of today's cyberattacks. Deep Packet Inspection (DPI) has emerged as a key technology in strengthening network security, offering detailed analysis of network traffic that goes beyond simple metadata analysis. DPI examines not only the packet headers but also the payload content within, offering a thorough insight into the data traversing the network. This study proposes a novel approach that leverages a large language model (LLM) and few-shot learning to accurately recognize novel, unseen malware types with few labeled samples. Our proposed approach uses a pretrained LLM on known malware types to extract the embeddings from packets. The embeddings are then used alongside few…
Taxonomy
Topics: Network Security and Intrusion Detection · Network Packet Processing and Optimization · Internet Traffic Analysis and Secure E-voting
