Unknown Attack Detection in IoT Networks using Large Language Models: A Robust, Data-efficient Approach
Shan Ali, Feifei Niu, Paria Shirani, Lionel C. Briand

TL;DR
This paper introduces SiamXBERT, a transformer-based meta-learning framework that effectively detects unknown cyberattacks in IoT networks with minimal labeled data, outperforming existing methods in accuracy and adaptability.
Contribution
The paper presents SiamXBERT, a novel, data-efficient, transformer-based meta-learning approach for unknown attack detection in IoT networks, capable of rapid adaptation with limited labeled samples.
Findings
Outperforms state-of-the-art baselines in unknown attack detection
Achieves up to 78.8% improvement in F1-score
Requires significantly less training data for effective detection
Abstract
The rapid evolution of cyberattacks continues to drive the emergence of unknown (zero-day) threats, posing significant challenges for network intrusion detection systems in Internet of Things (IoT) networks. Existing machine learning and deep learning approaches typically rely on large labeled datasets, payload inspection, or closed-set classification, limiting their effectiveness under data scarcity, encrypted traffic, and distribution shifts. Consequently, detecting unknown attacks in realistic IoT deployments remains difficult. To address these limitations, we propose SiamXBERT, a robust and data-efficient Siamese meta-learning framework empowered by a transformer-based language model for unknown attack detection. The proposed approach constructs a dual-modality feature representation by integrating flow-level and packet-level information, enabling richer behavioral modeling while…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
