Packet Inspection Transformer: A Self-Supervised Journey to Unseen Malware Detection with Few Samples

TL;DR

This paper introduces a self-supervised transformer-based method for malware detection in network traffic, capable of generalizing to unseen threats with minimal labeled data, outperforming traditional supervised approaches.

Contribution

It proposes a novel self-supervised transformer model trained on unlabeled network data, enabling effective few-shot malware detection and improved generalization to unseen attacks.

Findings

Achieves up to 94.76% accuracy on UNSW-NB15 dataset.

Attains 83.25% accuracy on CIC-IoT23 dataset.

Demonstrates strong generalization to unseen malware with limited labeled samples.

Abstract

As networks continue to expand and become more interconnected, the need for novel malware detection methods becomes more pronounced. Traditional security measures are increasingly inadequate against the sophistication of modern cyber attacks. Deep Packet Inspection (DPI) has been pivotal in enhancing network security, offering an in-depth analysis of network traffic that surpasses conventional monitoring techniques. DPI not only examines the metadata of network packets, but also dives into the actual content being carried within the packet payloads, providing a comprehensive view of the data flowing through networks. While the integration of advanced deep learning techniques with DPI has introduced modern methodologies into malware detection and network traffic classification, state-of-the-art supervised learning approaches are limited by their reliance on large amounts of annotated data and their inability to generalize to novel, unseen malware threats. To address these limitations, this paper leverages the recent advancements in self-supervised learning (SSL) and few-shot learning (FSL). Our proposed self-supervised approach trains a transformer via SSL to learn the embedding of packet content, including payload, from vast amounts of unlabeled data by masking portions of packets, leading to a learned representation that generalizes to various downstream tasks. Once the representation is extracted from the packets, they are used to train a malware detection algorithm. The representation obtained from the transformer is then used to adapt the malware detector to novel types of attacks using few-shot learning approaches. Our experimental results demonstrate that our method achieves classification accuracies of up to 94.76% on the UNSW-NB15 dataset and 83.25% on the CIC-IoT23 dataset.