Classic Network Intrusion Detection Systems (NIDS) often rely on manual feature engineering to extract meaningful patterns from network traffic data. However, this approach requires domain expertise and runs counter to the widely adopted principle of modern machine learning and neural networks: that models themselves should learn meaningful representations directly from data. We investigate whether tabular representation learning techniques can improve intrusion detection performance by automatically learning robust feature representations for NetFlow data. This paper presents a systematic evaluation of state-of-the-art representation learning methods on benchmark NetFlow datasets, comparing against traditional autoencoders and end-to-end transformer baselines. We evaluate learned representations using both supervised classifiers and unsupervised anomaly detectors, with comprehensive hyperparameter exploration for each combination. Our results reveal strong dataset-model dependency, with no single approach consistently dominating across all scenarios. For supervised classification, TabICL achieves the best performance on CIDDS, while autoencoders follow closely and tie with end-to-end transformer models for the best average rank across datasets. Supervised approaches substantially outperform unsupervised anomaly detection methods, where no single combination consistently dominates as optimal choices depend on the dataset. Cross-dataset transfer experiments demonstrate that learned representations can generalize across network environments with appropriate method and classifier selection. However, transfer performance varies substantially depending on the source-target dataset combination, indicating sensitivity to distributional differences between network environments.

翻译：经典网络入侵检测系统通常依赖手动特征工程从网络流量数据中提取有效模式。然而，该方法需要领域专业知识，且违背了现代机器学习与神经网络的核心理念：模型本身应从数据中直接学习有意义的表示。本研究探究表格表示学习技术能否通过自动学习NetFlow数据的鲁棒特征表示来提升入侵检测性能。本文系统评估了基准NetFlow数据集上最先进的表示学习方法，并与传统自编码器及端到端Transformer基线模型进行了对比。通过有监督分类器和无监督异常检测器对学习到的表示进行评估，同时对每种组合进行全面的超参数探索。结果表明存在显著的模型-数据集依赖关系，没有单一方法能在所有场景中持续占优。在有监督分类任务中，TabICL在CIDDS数据集上取得了最佳性能，而自编码器紧随其后，且与端到端Transformer模型在数据集上的平均排名并列最优。有监督方法显著优于无监督异常检测方法，后者中不存在持续占优的组合，最佳选择取决于具体数据集。跨数据集迁移实验表明，通过合理的方法与分类器选择，学习到的表示能够泛化至不同网络环境。然而，迁移性能因源-目标数据集组合的不同而存在显著差异，表明其对网络环境间的分布差异具有敏感性。