Towards Novel Malicious Packet Recognition: A Few-Shot Learning Approach

Kyle Stein, Andrew A. Mahyari, Guillermo Francia III, Eman El-Sheikh
{"title":"Towards Novel Malicious Packet Recognition: A Few-Shot Learning Approach","authors":"Kyle Stein, Andrew A. Mahyari, Guillermo Francia III, Eman El-Sheikh","doi":"arxiv-2409.11254","DOIUrl":null,"url":null,"abstract":"As the complexity and connectivity of networks increase, the need for novel\nmalware detection approaches becomes imperative. Traditional security defenses\nare becoming less effective against the advanced tactics of today's\ncyberattacks. Deep Packet Inspection (DPI) has emerged as a key technology in\nstrengthening network security, offering detailed analysis of network traffic\nthat goes beyond simple metadata analysis. DPI examines not only the packet\nheaders but also the payload content within, offering a thorough insight into\nthe data traversing the network. This study proposes a novel approach that\nleverages a large language model (LLM) and few-shot learning to accurately\nrecognizes novel, unseen malware types with few labels samples. Our proposed\napproach uses a pretrained LLM on known malware types to extract the embeddings\nfrom packets. The embeddings are then used alongside few labeled samples of an\nunseen malware type. This technique is designed to acclimate the model to\ndifferent malware representations, further enabling it to generate robust\nembeddings for each trained and unseen classes. Following the extraction of\nembeddings from the LLM, few-shot learning is utilized to enhance performance\nwith minimal labeled data. Our evaluation, which utilized two renowned\ndatasets, focused on identifying malware types within network traffic and\nInternet of Things (IoT) environments. Our approach shows promising results\nwith an average accuracy of 86.35% and F1-Score of 86.40% on different malware\ntypes across the two datasets.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"1 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Cryptography and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.11254","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

As the complexity and connectivity of networks increase, the need for novel malware detection approaches becomes imperative. Traditional security defenses are becoming less effective against the advanced tactics of today's cyberattacks. Deep Packet Inspection (DPI) has emerged as a key technology in strengthening network security, offering detailed analysis of network traffic that goes beyond simple metadata analysis. DPI examines not only the packet headers but also the payload content within, offering a thorough insight into the data traversing the network. This study proposes a novel approach that leverages a large language model (LLM) and few-shot learning to accurately recognizes novel, unseen malware types with few labels samples. Our proposed approach uses a pretrained LLM on known malware types to extract the embeddings from packets. The embeddings are then used alongside few labeled samples of an unseen malware type. This technique is designed to acclimate the model to different malware representations, further enabling it to generate robust embeddings for each trained and unseen classes. Following the extraction of embeddings from the LLM, few-shot learning is utilized to enhance performance with minimal labeled data. Our evaluation, which utilized two renowned datasets, focused on identifying malware types within network traffic and Internet of Things (IoT) environments. Our approach shows promising results with an average accuracy of 86.35% and F1-Score of 86.40% on different malware types across the two datasets.
新型恶意数据包识别:少量学习方法
随着网络复杂性和连通性的增加,对新型恶意软件检测方法的需求变得势在必行。面对当今网络攻击的先进战术,传统的安全防御措施变得越来越无效。深度包检测(DPI)已成为加强网络安全的一项关键技术,它能对网络流量进行详细分析,而不仅仅是简单的元数据分析。DPI 不仅能检查包头,还能检查其中的有效载荷内容,从而对穿越网络的数据进行全面深入的分析。本研究提出了一种新方法,即利用大型语言模型(LLM)和少量学习来准确识别新型、未见过的恶意软件类型。我们提出的方法使用对已知恶意软件类型进行预训练的 LLM 从数据包中提取嵌入。然后将这些嵌入信息与未见恶意软件类型的少量标记样本一起使用。这种技术旨在使模型适应不同的恶意软件表征,进一步使其能够为每个训练有素的和未见过的类别生成稳健的嵌入。从 LLM 中提取前缀后,利用少量学习来提高使用最少标记数据的性能。我们的评估利用了两个著名的数据集,重点是识别网络流量和物联网(IoT)环境中的恶意软件类型。我们的方法在两个数据集的不同恶意软件类型上取得了很好的结果,平均准确率为 86.35%,F1-Score 为 86.40%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信