Take Package as Language: Anomaly Detection Using Transformer

TL;DR

This paper introduces NIDS-GPT, a GPT-based model that treats network packet data as sequences of independent tokens, significantly improving anomaly detection accuracy and interpretability in imbalanced and resource-limited scenarios.

Contribution

It proposes a novel approach of representing network data as token sequences for GPT models, enhancing detection performance and interpretability over traditional methods.

Findings

Achieves 100% accuracy on CICIDS2017 dataset under extreme imbalance

Over 90% accuracy in one-shot learning scenarios

Demonstrates scalability and interpretability of the model

Abstract

Network data packet anomaly detection faces numerous challenges, including exploring new anomaly supervision signals, researching weakly supervised anomaly detection, and improving model interpretability. This paper proposes NIDS-GPT, a GPT-based causal language model for network intrusion detection. Unlike previous work, NIDS-GPT innovatively treats each number in the packet as an independent "word" rather than packet fields, enabling a more fine-grained data representation. We adopt an improved GPT-2 model and design special tokenizers and embedding layers to better capture the structure and semantics of network data. NIDS-GPT has good scalability, supports unsupervised pre-training, and enhances model interpretability through attention weight visualization. Experiments on the CICIDS2017 and car-hacking datasets show that NIDS-GPT achieves 100\% accuracy under extreme imbalance conditions, far surpassing traditional methods; it also achieves over 90\% accuracy in one-shot learning. These results demonstrate NIDS-GPT's excellent performance and potential in handling complex network anomaly detection tasks, especially in data-imbalanced and resource-constrained scenarios. The code is available at \url{https://github.com/woshixiaobai2019/nids-gpt.gi