BERTector: Unified IDS Framework

• BERTector is a unified intrusion detection system that integrates BERT with domain-specific semantic tokenization tailored for network traffic.
• It employs joint-dataset supervised fine-tuning and low-rank adaptation to achieve state-of-the-art detection accuracy and cross-dataset generalization.
• Its design enhances resilience against adversarial traffic while reducing training complexity, setting a new benchmark for efficient IDS performance.

BERTector is a unified and scalable intrusion detection framework designed to address the core limitations of generalization, robustness, and adaptation in modern network security applications. Leveraging LLMs—specifically BERT—BERTector incorporates traffic-aware semantic tokenization (NSS-Tokenizer), joint-dataset supervised fine-tuning (SFT) with heterogeneous network traffic, and efficient low-rank adaptation (LoRA) to optimize training and deployment. The framework demonstrates state-of-the-art detection accuracy, pronounced cross-dataset generalization, and notable resilience against adversarial traffic perturbations, thus constituting an efficient solution for intrusion detection systems in complex and dynamic environments (Hu et al., 14 Aug 2025).

1. Motivation and Objectives

Intrusion detection systems (IDS) have historically suffered from limited generalization due to dataset heterogeneity and inefficient adaptation across evolving attack patterns. Conventional neural and feature-engineered approaches struggle to harmonize diverse protocol formats and traffic patterns, often relying on natural language tokenizers ill-suited for structured data. The principal objectives of BERTector are:

• To capture global dependencies in network traffic streams by deploying LLMs with domain-adapted tokenization.
• To realize robust IDS behavior through supervised fine-tuning on a unified, hybrid dataset constructed from multiple established sources.
• To achieve scalable adaptation and resource-efficient training via low-rank matrix decomposition in the model’s fully connected layers.

This multi-pronged architecture enables resilient and accurate intrusion detection over heterogeneous and adversarial traffic landscapes.

2. NSS-Tokenizer: Traffic-Aware Semantic Tokenization

BERTector's NSS-Tokenizer replaces generic natural language tokenizers with a protocol- and feature-aware mechanism tailored for network traffic. Its distinguishing properties include:

• Domain-Specific Segmentation: The tokenizer uses protocol knowledge and feature boundaries—designated by special symbols such as commas and exclamation marks—to separate fields.
• Dynamic Windowing: Input sequences are dynamically windowed so that the optimal token length for each sample $f$ in the training dataset $D_{\text{train}}$ is determined, with a hard cap at 512 tokens. This process is formally described by:

$$\text{window} = \min \left( \max \left( \{ \text{len}(f) \} \mid f \in D_{\text{train}} \right),\ 512 \right)$$

• Feature Representation: Each token aims to correspond to one feature or protocol field, minimizing redundancy and providing the deep model with maximally informative representations.

This specialized tokenization mitigates the loss of semantic and protocol structure common with vanilla NLP tokenizers and establishes consistent input for joint training.

3. Joint-Dataset Supervised Fine-Tuning (SFT)

To address generalization and robustness across traffic sources, BERTector introduces a joint-dataset SFT paradigm:

• Hybrid Dataset Construction ("MIX"): Multiple network traffic datasets—NSL-KDD, KDD-99, UNSW-NB15, X-IIoTID—are unified by feature alignment and special symbol-based separation. The MIX dataset reflects a broad spectrum of network behaviors and attack techniques.
• Consistent Tokenization: The NSS-Tokenizer processes all input samples from the MIX dataset identically, ensuring homogeneity in token space across diverse sources.
• Supervised Training: The framework is fine-tuned using a label-sensitive cross-entropy objective, enabling discrimination between benign and malicious traffic patterns across dataset boundaries.

This methodology provides strong cross-domain feature learning, equipping BERTector to generalize effectively in unseen or mixed-network environments.

4. Low-Rank Adaptation (LoRA) for Efficient Training

Rather than fine-tuning all BERT parameters, which is resource-intensive, BERTector employs LoRA for parameter-efficient model adaptation:

• Low-Rank Decomposition: Updates to the fully connected layers’ weight matrices $W$ are restricted to the product of two low-rank matrices $A$ and $B$ (dimensions $r \times d$ and $d \times r$ respectively, $r \ll d$). During adaptation,

$$\mathbf{h} = W\mathbf{x} + \Delta W \mathbf{x} = W\mathbf{x} + B A \mathbf{x}$$

• Selective Training: Only $A$ and $B$ are trained during SFT, leaving the remainder of $W$ frozen.
• Computational Benefits: This approach sharply decreases the number of trainable parameters and vastly reduces computational requirements, while preserving or improving performance over full-parameter fine-tuning.

LoRA is central to enabling fast retraining and scaling BERTector across large or frequently evolving joint datasets.

5. Performance, Generalization, and Robustness

BERTector’s performance was validated through extensive experimentation:

• Detection Accuracy: On NSL-KDD, BERTector achieved an accuracy of 0.9928 and an F1-score of 0.9934. When trained with the MIX dataset, accuracy was 0.9887 (KDD99), 0.9610 (UNSW-NB15), and 0.9987 (X-IIoTID).
• Cross-Dataset Generalization: The joint training scheme allows BERTector to maintain high accuracy across all source datasets.
• Robustness to Adversarial Perturbations: Under simulated noise conditions (Poisson, Uniform, Gaussian, Laplace), BERTector retained high F1 scores (>0.78), outperforming classical ML and deep architectures under significant input disruption.

Empirical metrics confirmed that the NSS-Tokenizer and joint-SFT substantially improved detection balance and resilience to traffic diversity and adversarial attacks.

6. Technical Implementation Details

Key operational aspects of the framework include:

• Tokenization Window Sizing: Equation (1) governs the NSS-Tokenizer's maximum window length, adapting to the greatest observed flow length within the training data, but not exceeding 512 tokens.
• Feature Alignment and Dataset Merging: Feature fields from disparate datasets are harmonized with symbol-based separation, facilitating unified NSS tokenization.
• LoRA Training Regimen: Only the low-rank adaptation matrices are updated during SFT, yielding substantial hardware and runtime savings, and ensuring low inference overhead.
• Evaluation Metrics: Accuracy, Precision, Recall, F1-Score: these allow for nuanced assessment of detection and false positive/negative balance.

This tightly coupled technical pipeline underpins BERTector's empirical success and operational efficiency.

7. Implications for IDS and Future Directions

The conceptual and empirical advances of BERTector have several significant implications:

• Towards Unified IDS: By formalizing joint-dataset training and traffic-aware tokenization, BERTector provides a template for scalable IDS deployment in real-world, mixed-network environments.
• Enhanced Robustness: Integration of NSS-Tokenizer, unified SFT, and LoRA yields a framework highly resistant to adversarial traffic and shifting attack modalities.
• Future Work: The authors suggest expanding the paradigm to larger and more diverse cyber threat datasets and incorporating further model efficiency techniques. A plausible implication is the generalization of the framework to other structured or semi-structured data domains in cybersecurity, leveraging LLMs beyond intrusion detection.
• Adversarial Mitigation and Dynamic Adaptation: Exploration of proprietary resistance to increasingly sophisticated adversarial attacks and real-time model adaptation is identified as a future direction.

BERTector sets a technical precedent for efficient, robust, and generalizable intrusion detection, bridging LLM capabilities with the demands of modern security environments.

---

In summary, the BERTector framework stands out as an integrated solution that advances intrusion detection through traffic-aware semantic tokenization, joint-dataset supervised fine-tuning, and low-rank adaptation. Its empirical performance and architectural innovations provide a reference point for future IDS research and deployment in heterogeneous, adversarial, and large-scale network conditions (Hu et al., 14 Aug 2025).