Snort Meets Transformers: Accelerating Transformer-Based Network Traffic Classification for Real-Time Performance
Paper in proceeding, 2025
In this work, we propose a cascading model that leverages the strengths of both approaches. During training, a transformer-based model learns traffic patterns, which are then extracted using SHAP analysis to enhance the knowledge base of a signature-based IDS. In deployment, the IDS handles routine classifications, while only complex cases are escalated to the transformer model. Our experiments combining the analysis of ET-BERT with Snort demonstrate a four-fold performance improvement over running only ET-BERT without compromising false positive or false negative rates.
Network Pre-trained Models
Network Traffic Analysis
Intrusion Detection Systems (IDS)
Author
Mohamed Hashim Changrampadi
Network and Systems
Magnus Almgren
Network and Systems
Pablo Picazo-Sanchez
Chalmers, Computer Science and Engineering (Chalmers), Information Security
Ahmed Ali-Eldin Hassan
Network and Systems
EUROSEC 2025 - Proceedings of the 2025 European Workshop on System Security
Rotterdam, Netherlands,
RICS2: Resilient Information and Control Systems
Swedish Civil Contingencies Agency, 2021-01-01 -- 2023-12-31.
Areas of Advance
Information and Communication Technology
Infrastructure
C3SE (-2020, Chalmers Centre for Computational Science and Engineering)
Subject Categories (SSIF 2025)
Computer Systems
DOI
10.1145/3722041.3723098