
ThreatFormer-IDS: Robust Transformer Intrusion Detection with Zero-Day Generalization and Explainable Attribution

Srikumar Nayak

TL;DR

ThreatFormer-IDS, a Transformer-based sequence modeling framework that converts flow records into time-ordered windows and learns contextual representations for robust intrusion screening, is proposed; it provides a unified, deployment-oriented IDS pipeline that balances detection quality, zero-day behavior, robustness, and explainability.

Abstract

Intrusion detection in IoT and industrial networks requires models that can detect rare attacks at low false-positive rates while remaining reliable under evolving traffic and limited labels. Existing IDS solutions often report strong in-distribution accuracy, but they may degrade when evaluated on future traffic, unseen (zero-day) attack families, or adversarial feature manipulations, and many systems provide limited evidence to support analyst triage. To address these gaps, we propose ThreatFormer-IDS, a Transformer-based sequence modeling framework that converts flow records into time-ordered windows and learns contextual representations for robust intrusion screening. The method combines (i) weighted supervised learning for imbalanced detection, (ii) masked self-supervised learning to improve representation stability under drift and sparse labels, (iii) PGD-based adversarial training with scale-normalized perturbations to strengthen resilience against feature-level evasion, and (iv) Integrated Gradients attribution to highlight influential time steps and features for each alert. On the ToN IoT benchmark with chronological evaluation, ThreatFormer-IDS achieves AUC-ROC 0.994, AUC-PR 0.956, and Recall@1%FPR 0.910, outperforming strong tree-based and sequence baselines. Under a zero-day protocol with held-out attack families, it maintains superior generalization (AUC-PR 0.721, Recall@1%FPR 0.783). Robustness tests further show slower degradation in AUC-PR as the adversarial budget increases, confirming improved stability under bounded perturbations. Overall, ThreatFormer-IDS provides a unified, deployment-oriented IDS pipeline that balances detection quality, zero-day behavior, robustness, and explainability.
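The abstract reports results as AUC-ROC, AUC-PR and Recall@1%FPR under a chronological split and a zero-day protocol with held-out attack families. The following is an added example, not code from the paper or its authors, showing how those metrics and splits are computed from a detector's per-flow scores: Recall@1%FPR picks the alert threshold on benign traffic so that at most 1% of benign flows alert, then measures what fraction of attacks is caught at that threshold. The scores, labels and flow records are constructed here for illustration (they are not ToN IoT data), and the field names `ts`, `label` and `family` are assumptions.

```python
import math
from collections import namedtuple

# Constructed evaluation data (not from the paper): per-flow anomaly scores
# from a hypothetical detector and ground-truth labels (1 = attack, 0 = benign).
BENIGN_SCORES = [i / 200 for i in range(100)] + [0.8, 0.9]   # two hard benign flows
ATTACK_SCORES = [0.99, 0.96, 0.95, 0.92, 0.85, 0.7, 0.6, 0.55, 0.3, 0.2]
SCORES = BENIGN_SCORES + ATTACK_SCORES
LABELS = [0] * len(BENIGN_SCORES) + [1] * len(ATTACK_SCORES)

RecallAtFpr = namedtuple("RecallAtFpr", "recall achieved_fpr threshold")


def recall_at_fpr(scores, labels, max_fpr=0.01):
    """Recall at a fixed false-positive budget (Recall@1%FPR when max_fpr=0.01).

    The alert threshold is chosen on benign scores so that at most
    floor(max_fpr * n_benign) benign flows score strictly above it.
    """
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = sorted((s for s, y in zip(scores, labels) if y == 0), reverse=True)
    allowed_fp = int(math.floor(max_fpr * len(neg)))
    # Alert on scores strictly greater than the (allowed_fp + 1)-th largest
    # benign score; ties with that score do not alert, so FPR <= max_fpr.
    threshold = neg[allowed_fp] if allowed_fp < len(neg) else -math.inf
    recall = sum(1 for s in pos if s > threshold) / len(pos)
    achieved_fpr = sum(1 for s in neg if s > threshold) / len(neg)
    return RecallAtFpr(recall, achieved_fpr, threshold)


def auc_roc(scores, labels):
    """AUC-ROC as the probability that a random attack outscores a random
    benign flow (Mann-Whitney form; a tie counts one half)."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = 0.0
    for p in pos:
        for n in neg:
            if p > n:
                wins += 1.0
            elif p == n:
                wins += 0.5
    return wins / (len(pos) * len(neg))


def average_precision(scores, labels):
    """AUC-PR as average precision: over distinct thresholds (descending), add
    precision times the recall gained; tied scores form one group so a tie
    never splits into two thresholds."""
    n_pos = sum(labels)
    ranked = sorted(zip(scores, labels), key=lambda t: -t[0])
    tp = fp = 0
    ap, prev_recall, i = 0.0, 0.0, 0
    while i < len(ranked):
        j = i
        while j < len(ranked) and ranked[j][0] == ranked[i][0]:
            tp += ranked[j][1]
            fp += 1 - ranked[j][1]
            j += 1
        recall = tp / n_pos
        ap += (recall - prev_recall) * tp / (tp + fp)
        prev_recall, i = recall, j
    return ap


def chronological_split(flows, train_frac=0.7):
    """Order flows by timestamp and split without shuffling, so every test
    flow is later than every training flow (chronological evaluation)."""
    ordered = sorted(flows, key=lambda f: f["ts"])
    cut = int(len(ordered) * train_frac)
    return ordered[:cut], ordered[cut:]


def zero_day_split(train, test, held_out_families):
    """Zero-day protocol: drop the held-out attack families from training
    only, so at test time they are attacks the model has never seen."""
    train = [f for f in train if f["family"] not in held_out_families]
    return train, test


# Constructed flow records (not ToN IoT): every 10th flow is an attack,
# alternating between two families; listed in reverse so the split must sort.
FLOWS = [
    {"ts": t, "label": int(t % 10 == 0),
     "family": "ddos" if t % 20 == 0 else ("scan" if t % 10 == 0 else "benign")}
    for t in reversed(range(100))
]

if __name__ == "__main__":
    r = recall_at_fpr(SCORES, LABELS, 0.01)
    print(f"Recall@1%FPR = {r.recall:.3f} (achieved FPR {r.achieved_fpr:.4f}, "
          f"threshold {r.threshold})")
    print(f"AUC-ROC = {auc_roc(SCORES, LABELS):.3f}, "
          f"AUC-PR = {average_precision(SCORES, LABELS):.3f}")
    tr, te = zero_day_split(*chronological_split(FLOWS), held_out_families={"ddos"})
    print(len(tr), "train flows,", len(te), "test flows,",
          sum(f["family"] == "ddos" for f in te), "zero-day ddos flows in test")
```

The constructed data makes the difference between the metrics visible: the two high-scoring benign flows barely move AUC-ROC, but they cap Recall@1%FPR at 0.5 because the 1% budget on 102 benign flows allows only one false alert, which is exactly the situation a low-FPR screening metric is meant to expose.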

Paper Structure

The paper contains 17 sections, 13 equations, 6 figures, 4 tables, and 1 algorithm.

Figures (6)

  • Figure 1: ThreatFormer-IDS pipeline: IoT flows are preprocessed and converted into time-ordered sequences, encoded by a Transformer, and scored for low-FPR intrusion screening; training is strengthened using masked self-supervision, PGD-based adversarial defense, and zero-day evaluation, while Integrated Gradients provides attribution for analyst review.
  • Figure 2: AUC-PR comparison (chronological test) consistent with Table \ref{tab:ids_main}.
  • Figure 3: Recall@1%FPR comparison (chronological test) consistent with Table \ref{tab:ids_main}.
  • Figure 4: AUC-PR over later chronological test blocks (drift trend).
  • Figure 5: Adversarial robustness curve (AUC-PR vs. $\epsilon$) matching Table \ref{tab:ids_robust}.