As malicious cyber threats become more sophisticated at breaching computer networks, the need for effective intrusion detection systems (IDSs) becomes crucial. Techniques such as Deep Packet Inspection (DPI) have been introduced to allow IDSs to analyze the content of network packets, providing more context for identifying potential threats. IDSs traditionally rely on signature-based detection for known attack patterns and anomaly-based detection for unrecognized, suspicious activity. Deep learning techniques have shown great potential in DPI for IDSs because of their ability to learn intricate patterns from the packet content transmitted through the network. In this paper, we propose a novel DPI algorithm based on a transformer adapted, with a classifier head, to the task of detecting malicious traffic. Transformers learn the complex content of sequence data and generalize well to similar scenarios thanks to their self-attention mechanism. Our proposed method takes the raw payload bytes that represent the packet contents as input and is deployed inline, as a man-in-the-middle between the monitored hosts. The payload bytes are used both to detect malicious packets and to classify their attack types. Experimental results on the UNSW-NB15 and CIC-IOT23 datasets demonstrate that our transformer-based model is effective in distinguishing malicious from benign traffic in the test set, attaining an average accuracy of 79% in the binary classification experiment and 72% in the multi-class classification experiment, both using solely payload bytes.
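The abstract describes the input representation (raw transport-layer payload bytes fed to a transformer with a classifier head) but not how packets become token sequences. The following is an added illustration, not the paper's code: it parses a constructed IPv4/TCP or IPv4/UDP packet, extracts the layer-4 payload, tokenizes it as one token per byte value plus CLS and PAD special tokens, and runs a single masked self-attention layer with CLS pooling into a softmax head. The packet builder, the 258-symbol vocabulary, the sequence length, the model width and the random weights are all assumptions made for this example; an untrained model's output is meaningless, and only the data path is being demonstrated.

```python
"""Constructed example of a payload-byte tokenizer and a minimal masked
self-attention classifier, in the spirit of the transformer DPI approach
described in the abstract.  Not the paper's code; all hyperparameters are
placeholders and the weights are random, so predictions carry no meaning."""
import math
import random
import struct

CLS, PAD = 256, 257   # special tokens placed after the 256 possible byte values (assumption)
VOCAB = 258
MAX_LEN = 32          # tokens per packet including CLS; the paper's value is not given


def build_ipv4(payload: bytes, udp: bool = False) -> bytes:
    """Construct a minimal IPv4/TCP (or IPv4/UDP) packet around `payload` for testing."""
    if udp:
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)          # 8-byte UDP header
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17 if udp else 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + l4 + payload


def l4_payload(packet: bytes) -> bytes:
    """Return the transport-layer payload of a raw IPv4 packet (no Ethernet header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    body = packet[ihl:total]                 # honour total length, ignore trailing padding
    if proto == 6:                           # TCP: header length is the data-offset nibble * 4
        return body[(body[12] >> 4) * 4:]
    if proto == 17:                          # UDP: fixed 8-byte header
        return body[8:]
    return body                              # other protocols: treat everything after IP as payload


def tokenize(payload: bytes, max_len: int = MAX_LEN):
    """CLS + one token per byte, truncated/padded to max_len; mask marks real tokens."""
    toks = [CLS] + list(payload[: max_len - 1])
    mask = [1] * len(toks) + [0] * (max_len - len(toks))
    toks += [PAD] * (max_len - len(toks))
    return toks, mask


def _matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def _softmax(xs):
    m = max(xs)
    e = [math.exp(x - m) for x in xs]
    return [v / sum(e) for v in e]


class TinyPayloadTransformer:
    """One single-head self-attention layer over byte embeddings with a CLS classifier head."""

    def __init__(self, d: int = 8, n_classes: int = 2, seed: int = 0):
        rng = random.Random(seed)
        rand = lambda n, m: [[rng.gauss(0, 1 / math.sqrt(m)) for _ in range(m)] for _ in range(n)]
        self.d, self.n_classes = d, n_classes
        self.emb, self.pos = rand(VOCAB, d), rand(MAX_LEN, d)
        self.wq, self.wk, self.wv = rand(d, d), rand(d, d), rand(d, d)
        self.head = rand(d, n_classes)

    def forward(self, toks, mask):
        x = [[e + p for e, p in zip(self.emb[t], self.pos[i])] for i, t in enumerate(toks)]
        q, k, v = (_matmul(x, w) for w in (self.wq, self.wk, self.wv))
        scale = math.sqrt(self.d)
        out = []
        for i in range(len(x)):
            # PAD positions get -inf so they receive zero attention weight
            scores = [sum(a * b for a, b in zip(q[i], k[j])) / scale if mask[j] else -math.inf
                      for j in range(len(x))]
            w = _softmax(scores)
            out.append([sum(w[j] * v[j][c] for j in range(len(x))) for c in range(self.d)])
        cls = out[0]                                     # CLS-token pooling
        logits = [sum(cls[c] * self.head[c][n] for c in range(self.d)) for n in range(self.n_classes)]
        return _softmax(logits)


def classify(model: TinyPayloadTransformer, packet: bytes):
    """Full data path: raw packet -> L4 payload -> byte tokens -> class probabilities."""
    toks, mask = tokenize(l4_payload(packet))
    return model.forward(toks, mask)


if __name__ == "__main__":
    pkt = build_ipv4(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    print(tokenize(l4_payload(pkt))[0][:8])
    print(classify(TinyPayloadTransformer(n_classes=2), pkt))
```

The binary and multi-class experiments in the abstract differ only in the width of the classifier head, which is why `n_classes` is a constructor argument here; a real deployment would use a trained multi-layer model, and the masking of PAD tokens matters in practice because short packets dominate most captures.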