A Novel Byte-Level Flow-to-Image Encoding Method for Network Intrusion Detection Systems

TL;DR

This paper introduces a byte-level flow-to-image encoding method for network intrusion detection, transforming flow records into images to improve detection accuracy using convolutional models.

Contribution

The novel encoding technique converts network flow data into fixed-size images, enabling CNNs to better exploit feature correlations for intrusion detection.

Findings

Image-based models outperform flow-based models in accuracy.

Encoding preserves spatial layout and is reversible.

Significant accuracy improvements on benchmark datasets.

Abstract

Network-based Intrusion Detection Systems (IDS) are predominantly trained on tabular flow records, whose one-dimensional representations limit convolutional architectures from exploiting inter-feature spatial correlations. This paper presents a novel byte-level flow-to-image encoding method that converts each network-flow record into a fixed-size RGB image. Continuous features are serialised using IEEE-754 single-precision format and packed sequentially into pixels along an inverted-L shaped trajectory, while discrete features are mapped to byte values and placed contiguously in the middle image row's centre. The encoding is deterministic and reversible, preserving a fixed spatial layout across all samples. Four IDS models are evaluated on NSL-KDD and UNSW-NB15 datasets with both flow and image-based configurations. The image-based representation yields consistent accuracy gains of up to 15.6\% and 12.8\% for binary and multi-classification on UNSW-NB15, and up to 3.5\% and 3.2\% on NSL-KDD, highlighting the potential of byte-level visual encoding to strengthen AI-driven intrusion detection in local computer networks.