Table of Contents
Fetching ...

Improving Router Security using BERT

John Carter, Spiros Mancoridis, Pavlos Protopapas, Brian Mitchell, Benji Lilley

TL;DR

This work tackles router-level malware detection in IoT environments by combining high-fidelity, eBPF-based system-call sensing with a novel network packet abstraction language. It trains two calBERT models (one on system-call tokens via sys2vec and one on packet tokens via net2vec) using contrastive augmented learning and evaluates them with an Isolation Forest, including an online EMA-smoothed detector for PID-free deployments. The three key contributions are: (1) contrastive augmented learning that significantly improves low-FPR performance, (2) a network packet abstraction pipeline that yields strong network-focused malware detection, and (3) a production-ready online anomaly-detection framework validated in a realistic IoT router deployment. The results show substantial gains at low false-positive rates and demonstrate practicality for real-time router defense in home IoT networks.

Abstract

Previous work on home router security has shown that using system calls to train a transformer-based language model built on a BERT-style encoder using contrastive learning is effective in detecting several types of malware, but the performance remains limited at low false positive rates. In this work, we demonstrate that using a high-fidelity eBPF-based system call sensor, together with contrastive augmented learning (which introduces controlled mutations of negative samples), improves detection performance at a low false positive rate. In addition, we introduce a network packet abstraction language that enables the creation of a pipeline similar to network packet data, and we show that network behavior provides complementary detection signals-yielding improved performance for network-focused malware at low false positive rates. Lastly, we implement these methods in an online router anomaly detection framework to validate the approach in an Internet of Things (IoT) deployment environment.

Improving Router Security using BERT

TL;DR

This work tackles router-level malware detection in IoT environments by combining high-fidelity, eBPF-based system-call sensing with a novel network packet abstraction language. It trains two calBERT models (one on system-call tokens via sys2vec and one on packet tokens via net2vec) using contrastive augmented learning and evaluates them with an Isolation Forest, including an online EMA-smoothed detector for PID-free deployments. The three key contributions are: (1) contrastive augmented learning that significantly improves low-FPR performance, (2) a network packet abstraction pipeline that yields strong network-focused malware detection, and (3) a production-ready online anomaly-detection framework validated in a realistic IoT router deployment. The results show substantial gains at low false-positive rates and demonstrate practicality for real-time router defense in home IoT networks.

Abstract

Previous work on home router security has shown that using system calls to train a transformer-based language model built on a BERT-style encoder using contrastive learning is effective in detecting several types of malware, but the performance remains limited at low false positive rates. In this work, we demonstrate that using a high-fidelity eBPF-based system call sensor, together with contrastive augmented learning (which introduces controlled mutations of negative samples), improves detection performance at a low false positive rate. In addition, we introduce a network packet abstraction language that enables the creation of a pipeline similar to network packet data, and we show that network behavior provides complementary detection signals-yielding improved performance for network-focused malware at low false positive rates. Lastly, we implement these methods in an online router anomaly detection framework to validate the approach in an Internet of Things (IoT) deployment environment.
Paper Structure (25 sections, 2 equations, 3 figures, 4 tables)

This paper contains 25 sections, 2 equations, 3 figures, 4 tables.

Figures (3)

  • Figure 1: Example of how the negative window is selected from future windows relative to the current anchor and positive sample.
  • Figure 2: BERT architecture for both models. System calls use sys2vec embeddings; packets use the generalization layer plus net2vec embeddings.
  • Figure 3: Linux kernel eBPF attachment points for system call and network observability. We intercept data at both the Socket and TC layers to capture complete network context with process attribution.