As networks continue to expand and become more interconnected, the need for novel malware detection methods becomes more pronounced. Traditional security measures are increasingly inadequate against the sophistication of modern cyber attacks. Deep Packet Inspection (DPI) has been pivotal in enhancing network security, offering an in-depth analysis of network traffic that surpasses conventional monitoring techniques. DPI not only examines the metadata of network packets but also inspects the actual content carried in the packet payloads, providing a comprehensive view of the data flowing through networks. The integration of advanced deep learning techniques with DPI has introduced modern methodologies into malware detection. However, state-of-the-art supervised learning approaches do not generalize to unseen attacks embedded in the payloads, which prevents them from accurately detecting new attacks and from transferring knowledge learned from previous attacks to new attacks with small labeled sample sizes. This paper leverages recent advances in self-supervised learning and few-shot learning. Our proposed self-supervised approach trains a transformer to learn an embedding of payloads from a vast amount of unlabeled data by masking portions of the payloads, yielding a learned representation that generalizes well to various downstream tasks. Once the representations are extracted from payloads, they are used to train a malware detection algorithm. The representation obtained from the transformer is then used to adapt the malware detector to novel types of attacks using few-shot learning approaches. Our experimental results across several datasets show that the proposed approach succeeds and generalizes well to novel scenarios.
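As an added illustration of the two data-level pieces the abstract describes, the following stdlib-only Python script is not the paper's code and makes several assumptions the abstract does not state: payloads are tokenized one byte per token, 15% of non-padding positions are masked BERT-style with the original byte as the training target, the transformer embedding is stood in for by a normalized byte-bigram count vector so the script runs offline, and the few-shot step uses a nearest-prototype rule (mean embedding of a handful of labelled support payloads), which is one common few-shot method and not necessarily the paper's. The sample HTTP payloads are constructed for the demo, not real captures.

```python
"""
Added illustration (not code from the paper): masked-payload pretraining
targets plus nearest-prototype few-shot detection on frozen embeddings.
All design details below are assumptions; the abstract does not specify them.
"""
import math
import random
from collections import Counter, defaultdict

PAD, MASK = 256, 257  # token ids reserved above the 256 byte values


def tokenize(payload: bytes, max_len: int = 64) -> list[int]:
    """One token per byte, truncated or right-padded with PAD to max_len."""
    ids = list(payload[:max_len])
    return ids + [PAD] * (max_len - len(ids))


def mask_payload(tokens: list[int], mask_ratio: float = 0.15, seed: int = 0):
    """
    Build an (inputs, targets) pair for masked-byte modelling.
    targets[i] is the original byte where position i was masked and -1
    elsewhere, so a loss is computed only on masked positions.
    PAD positions are never selected.
    """
    rng = random.Random(seed)
    inputs, targets = list(tokens), [-1] * len(tokens)
    candidates = [i for i, t in enumerate(tokens) if t != PAD]
    n_mask = max(1, round(len(candidates) * mask_ratio))
    for i in rng.sample(candidates, n_mask):
        targets[i] = tokens[i]
        inputs[i] = MASK
    return inputs, targets


def toy_embed(payload: bytes) -> dict[tuple[int, int], float]:
    """Stand-in for the frozen transformer embedding (assumption):
    an L2-normalised sparse vector of byte-bigram counts."""
    counts = Counter(zip(payload, payload[1:]))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {k: c / norm for k, c in counts.items()}


def cosine(a: dict, b: dict) -> float:
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values())) or 1.0
    nb = math.sqrt(sum(v * v for v in b.values())) or 1.0
    return dot / (na * nb)


def build_prototypes(support: list[tuple[bytes, str]]) -> dict[str, dict]:
    """Mean embedding per label from a few labelled support payloads."""
    sums, n = defaultdict(lambda: defaultdict(float)), Counter()
    for payload, label in support:
        for k, v in toy_embed(payload).items():
            sums[label][k] += v
        n[label] += 1
    return {lab: {k: v / n[lab] for k, v in acc.items()} for lab, acc in sums.items()}


def classify(payload: bytes, prototypes: dict[str, dict]) -> str:
    """Nearest-prototype decision on the frozen embedding."""
    emb = toy_embed(payload)
    return max(prototypes, key=lambda lab: cosine(emb, prototypes[lab]))


# Constructed sample traffic: a known benign class, a known attack class,
# and a "novel" class that receives only two labelled shots.
HDR = b" HTTP/1.1\r\nHost: shop.example\r\n"
SUPPORT = [
    (b"GET /index.html" + HDR, "benign"),
    (b"GET /images/logo.png" + HDR, "benign"),
    (b"GET /item?id=1' OR '1'='1" + HDR, "sqli"),
    (b"GET /item?id=2' UNION SELECT 1,2,3--" + HDR, "sqli"),
    (b"GET /../../../../etc/passwd" + HDR, "traversal"),      # novel class,
    (b"GET /static/../../../etc/shadow" + HDR, "traversal"),  # two shots only
]
QUERIES = {
    b"GET /about.html" + HDR: "benign",
    b"GET /item?id=7' OR 'a'='a" + HDR: "sqli",
    b"GET /../../../../../etc/hosts" + HDR: "traversal",
}


def run_demo() -> dict[bytes, str]:
    """Classify each constructed query against prototypes built from SUPPORT."""
    protos = build_prototypes(SUPPORT)
    return {q: classify(q, protos) for q in QUERIES}


if __name__ == "__main__":
    inp, tgt = mask_payload(tokenize(b"GET /index.html" + HDR))
    print("masked positions:", [i for i, t in enumerate(tgt) if t != -1])
    for q, pred in run_demo().items():
        print(pred, q[:40])
```

The point of the prototype step is that adapting to the novel "traversal" class costs two labelled payloads and no retraining: the embedding is frozen, so adding a class is just adding a mean vector. With a real pretrained transformer the `toy_embed` stand-in is the only piece that would change.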