The rapid evolution of cyberattacks continues to drive the emergence of unknown (zero-day) threats, posing significant challenges for network intrusion detection systems in Internet of Things (IoT) networks. Existing machine learning and deep learning approaches typically rely on large labeled datasets, payload inspection, or closed-set classification, limiting their effectiveness under data scarcity, encrypted traffic, and distribution shifts. Consequently, detecting unknown attacks in realistic IoT deployments remains difficult. To address these limitations, we propose SiamXBERT, a robust and data-efficient Siamese meta-learning framework empowered by a transformer-based language model for unknown attack detection. The proposed approach constructs a dual-modality feature representation by integrating flow-level and packet-level information, enabling richer behavioral modeling while remaining compatible with encrypted traffic. Through meta-learning, the model rapidly adapts to new attack types using only a small number of labeled samples and generalizes to previously unseen behaviors. Extensive experiments on representative IoT intrusion datasets demonstrate that SiamXBERT consistently outperforms state-of-the-art baselines under both within-dataset and cross-dataset settings while requiring significantly less training data, achieving up to 78.8% improvement in unknown F1-score. These results highlight the practicality of SiamXBERT for robust unknown attack detection in real-world IoT environments.