Previous work on home router security has shown that using system calls to train a transformer-based language model built on a BERT-style encoder using contrastive learning is effective in detecting several types of malware, but the performance remains limited at low false positive rates. In this work, we demonstrate that using a high-fidelity eBPF-based system call sensor, together with contrastive augmented learning (which introduces controlled mutations of negative samples), improves detection performance at a low false positive rate. In addition, we introduce a network packet abstraction language that enables the creation of a pipeline similar to network packet data, and we show that network behavior provides complementary detection signals-yielding improved performance for network-focused malware at low false positive rates. Lastly, we implement these methods in an online router anomaly detection framework to validate the approach in an Internet of Things (IoT) deployment environment.

翻译：先前关于家用路由器安全的研究表明，利用系统调用训练基于Transformer的语言模型——该模型采用BERT风格编码器并通过对比学习构建——能有效检测多种恶意软件，但在低误报率下性能仍受限。本研究中，我们证明采用基于eBPF的高保真系统调用传感器，结合对比增强学习（通过引入负样本的受控变异），可在低误报率下提升检测性能。此外，我们提出一种网络数据包抽象语言，支持构建类似于网络数据包数据的处理流程，并证明网络行为能提供互补的检测信号——对于侧重网络的恶意软件，在低误报率下实现了更优性能。最后，我们将这些方法实现在线路由器异常检测框架中，以在物联网部署环境中验证该方案。