Snort Meets Transformers: Accelerating Transformer-Based Network Traffic Classification for Real-Time Performance
Paper in proceeding, 2025

Transformer-based models have emerged as a powerful solution for network traffic classification, achieving high accuracy by autonomously learning patterns in raw traffic data. However, their high computational costs make real-time deployment impractical. In contrast, industry-proven tools like Snort and Suricata offer efficient network analysis but rely on manually crafted signatures, resulting in slower updates and limited adaptability to emerging threats.
In this work, we propose a cascading model that leverages the strengths of both approaches. During training, a transformer-based model learns traffic patterns, which are then extracted using SHAP analysis to enhance the knowledge base of a signature-based IDS. In deployment, the IDS handles routine classifications, while only complex cases are escalated to the transformer model. Our experiments combining the analysis of ET-BERT with Snort demonstrate a four-fold performance improvement over running only ET-BERT without compromising false positive or false negative rates.

Network Traffic Analysis

Network Pre-trained Models

Intrusion Detection Systems (IDS)

Author

Mohamed Hashim Changrampadi

University of Gothenburg

Chalmers, Computer Science and Engineering (Chalmers), Computer and Network Systems

Magnus Almgren

University of Gothenburg

Chalmers, Computer Science and Engineering (Chalmers), Computer and Network Systems

Pablo Picazo-Sanchez

University of Gothenburg

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Ahmed Ali-Eldin Hassan

University of Gothenburg

Chalmers, Computer Science and Engineering (Chalmers), Computer and Network Systems

EUROSEC 2025 - Proceedings of the 2025 European Workshop on System Security


979-8-4007-1563-1 (ISBN)

18th European Workshop on Systems Security, EuroSec 2025
Rotterdam, Netherlands,

RICS2: Resilient Information and Control Systems

Swedish Civil Contingencies Agency, 2021-01-01 -- 2023-12-31.

Areas of Advance

Information and Communication Technology

Infrastructure

C3SE (-2020, Chalmers Centre for Computational Science and Engineering)

Subject Categories (SSIF 2025)

Security, Privacy and Cryptography

Computer Systems

DOI

10.1145/3722041.3723098

More information

Latest update

11/5/2025