Improving Router Security using BERT
John Carter, Spiros Mancoridis, Pavlos Protopapas, Brian Mitchell, Benji Lilley

TL;DR
This paper enhances router malware detection by integrating high-fidelity system call sensors, contrastive augmented learning, and network behavior analysis, achieving improved low false positive rate detection in IoT environments.
Contribution
It introduces a novel combination of eBPF-based system call sensing, contrastive augmented learning, and network packet abstraction for improved router malware detection.
Findings
Improved detection performance at low false positive rates.
Effective use of eBPF sensors for high-fidelity system call data.
Enhanced malware detection through network behavior analysis.
Abstract
Previous work on home router security has shown that using system calls to train a transformer-based language model built on a BERT-style encoder using contrastive learning is effective in detecting several types of malware, but the performance remains limited at low false positive rates. In this work, we demonstrate that using a high-fidelity eBPF-based system call sensor, together with contrastive augmented learning (which introduces controlled mutations of negative samples), improves detection performance at a low false positive rate. In addition, we introduce a network packet abstraction language that enables the creation of a pipeline similar to network packet data, and we show that network behavior provides complementary detection signals, yielding improved performance for network-focused malware at low false positive rates. Lastly, we implement these methods in an online router…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
