A Protocol-Language Model for Network Intrusion (Without Deep Packet Inspection)

Abstract:

Contemporary Network Intrusion Detection Systems (NIDS) face a fundamental paradox: the protocols that harbor the most significant threat intelligence are increasingly shielded by encryption standards like TLS 1.3 and QUIC, rendering traditional payload inspection ineffective. This study explores an alternative hypothesis: rather than searching for attack signatures within data bytes, what if they are embedded in the temporal rhythm of the traffic? By conceptualizing network flows as a language defined entirely by Layer 3 and Layer 4 metadata—such as packet length, inter-arrival times, Time To Live (TTL), TCP flags, and hashed port numbers—we introduce PLM-NIDS. This approach validates three key assertions. First, the underlying "grammar" of network traffic is both existent and learnable. A RWKV-4 state-space model, trained on 344,232 unlabelled flows from a single Monday, achieved a causal language model validation loss of 0.204, indicating that legitimate traffic possesses a statistically consistent and predictable structure. Second, malicious activity disrupts this established grammar. Using zero attack labels during the training phase, the model’s per-flow perplexity score effectively distinguished between benign and malicious flows, yielding a PR-AUC of 0.93. Third, this separation capability is architecturally significant. When an LSTM was trained on the same token sequences, it failed to generalize, collapsing into a majority-class predictor (achieving an ROC-AUC of approximately 0.50 and an F1 score of 0.91 solely by constantly predicting "attack"). This contrast highlights the unique inductive bias provided by RWKV’s causal pre-training, which direct classifiers lack. Further supervised fine-tuning improved performance, raising the PR-AUC to 0.94 and ROC-AUC to 0.75, with precision reaching 97.7% at the calibrated operating threshold. 
Crucially, the RWKV backbone supports O(T) recurrent inference, allowing for per-packet streaming without the need for flow buffering, thus ensuring operational viability at line rate. Since the system relies exclusively on IP/TCP/UDP headers, it remains inherently encryption-agnostic, handling TLS 1.3, QUIC, and emerging encrypted protocols transparently.
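The abstract's pipeline (tokenize L3/L4 header fields, learn the "grammar" of benign flows with a causal language model, score each flow by its perplexity, flag flows that the model finds surprising) can be shown end to end in miniature. The sketch below is an added example, not code from the paper: it swaps the RWKV-4 backbone for an add-alpha smoothed bigram model so it runs in a few milliseconds, and the bucket edges, the 64-way port hash, the benign traffic generator and the anomalous flow are all constructed assumptions of this example rather than the paper's tokenizer or dataset. It keeps the property the abstract stresses: the detection threshold is calibrated on benign flows only, with zero attack labels.

```python
import bisect
import hashlib
import math
import random
from collections import defaultdict

# Bucket edges and hash width are assumptions of this example, not the paper's tokenizer.
LEN_EDGES = [64, 128, 256, 512, 1024]           # packet length in bytes
IAT_EDGES_MS = [0.1, 1.0, 10.0, 100.0, 1000.0]  # inter-arrival time in ms
PORT_BUCKETS = 64                               # hashed port space


def tokenize_packet(length, iat_ms, ttl, flags, port):
    """Map one packet's IP/TCP/UDP header fields to five vocabulary tokens."""
    ttl_class = 255 if ttl > 128 else 128 if ttl > 64 else 64  # nearest common initial TTL
    port_hash = int(hashlib.sha256(str(port).encode()).hexdigest(), 16) % PORT_BUCKETS
    return [f"L{bisect.bisect_right(LEN_EDGES, length)}",
            f"I{bisect.bisect_right(IAT_EDGES_MS, iat_ms)}",
            f"T{ttl_class}", f"F{flags}", f"P{port_hash}"]


def tokenize_flow(packets):
    """A flow becomes a sentence: <bos>, five tokens per packet, <eos>."""
    toks = ["<bos>"]
    for pkt in packets:
        toks.extend(tokenize_packet(*pkt))
    toks.append("<eos>")
    return toks


class BigramLM:
    """Add-alpha smoothed bigram model: a minimal stand-in for the causal LM.
    Like a recurrent model it scores each token from bounded state, so a
    flow can be scored packet by packet without buffering it."""

    def __init__(self, alpha=0.1):
        self.alpha = alpha
        self.vocab = {"<unk>"}                       # unseen tokens map here
        self.bigram = defaultdict(lambda: defaultdict(int))
        self.context = defaultdict(int)

    def train(self, token_flows):
        for toks in token_flows:
            self.vocab.update(toks)
            for prev, cur in zip(toks, toks[1:]):
                self.bigram[prev][cur] += 1
                self.context[prev] += 1

    def _log_prob(self, prev, cur):
        prev = prev if prev in self.vocab else "<unk>"
        cur = cur if cur in self.vocab else "<unk>"
        num = self.bigram[prev][cur] + self.alpha
        den = self.context[prev] + self.alpha * len(self.vocab)
        return math.log(num / den)

    def perplexity(self, toks):
        total = sum(self._log_prob(p, c) for p, c in zip(toks, toks[1:]))
        return math.exp(-total / (len(toks) - 1))


def benign_flow(rng):
    """Constructed benign traffic: TLS/HTTP-style TCP sessions and DNS over UDP.
    Tuples are (length, inter-arrival ms, ttl, tcp flags, dst port)."""
    port = rng.choice([443, 80, 53])
    if port == 53:  # UDP: no TCP flags, encoded as "-"
        return [(rng.randint(60, 90), 0.0, 64, "-", port),
                (rng.randint(90, 200), rng.uniform(5, 40), 128, "-", port)]
    pkts = [(60, 0.0, 64, "S", port), (60, rng.uniform(5, 50), 128, "SA", port),
            (52, rng.uniform(0.02, 0.09), 64, "A", port)]
    for _ in range(rng.randint(2, 6)):  # request / response / ack rounds
        pkts.append((rng.randint(200, 600), rng.uniform(0.1, 0.9), 64, "PA", port))
        pkts.append((rng.randint(1200, 1514), rng.uniform(5, 50), 128, "PA", port))
        pkts.append((52, rng.uniform(0.02, 0.09), 64, "A", port))
    pkts.append((52, rng.uniform(0.1, 0.9), 64, "FA", port))
    pkts.append((52, rng.uniform(5, 50), 128, "FA", port))
    return pkts


def constructed_anomalous_flow():
    """Constructed flow that breaks the learned grammar: TTL 255, RST-only
    packets, sub-100 microsecond spacing and a different port every packet."""
    return [(40, 0.0 if i == 0 else 0.01, 255, "R", 1000 + 37 * i) for i in range(12)]


def fit_threshold(model, token_flows, quantile=0.99):
    """Operating threshold from benign perplexities only (no attack labels)."""
    scores = sorted(model.perplexity(t) for t in token_flows)
    return scores[min(len(scores) - 1, int(quantile * len(scores)))]


def is_anomalous(model, threshold, packets):
    return model.perplexity(tokenize_flow(packets)) > threshold


def run_demo(n_train=300, seed=7):
    rng = random.Random(seed)
    train = [tokenize_flow(benign_flow(rng)) for _ in range(n_train)]
    model = BigramLM()
    model.train(train)
    threshold = fit_threshold(model, train)
    train_ppl = sorted(model.perplexity(t) for t in train)
    holdout, attack = benign_flow(rng), constructed_anomalous_flow()
    return {"threshold": threshold,
            "median_benign_ppl": train_ppl[len(train_ppl) // 2],
            "train_flag_rate": sum(p > threshold for p in train_ppl) / n_train,
            "holdout_ppl": model.perplexity(tokenize_flow(holdout)),
            "attack_ppl": model.perplexity(tokenize_flow(attack)),
            "attack_flagged": is_anomalous(model, threshold, attack)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>20}: {value:.3f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

Running `run_demo()` trains on 300 constructed benign flows, sets the threshold at the 99th percentile of their perplexities, and scores a held-out benign flow and the constructed anomalous one. The anomalous flow scores an order of magnitude above the benign median because its TTL class and flag combination never occurred in training, so every such token falls back to the smoothed `<unk>` probability, and the transitions out of `<unk>` are near-uniform. The same mechanism is what the abstract describes at scale: the score comes from how well the model predicts header metadata, not from any payload byte, so TLS 1.3 or QUIC inside the flow changes nothing. The bigram stand-in is also where the abstract's architectural point bites; a model this weak only separates flows whose tokens are literally unseen, whereas a sequence model can be surprised by a familiar token arriving at the wrong point in the flow.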


Source: arXiv
Generated at: 2026-06-02 00:00:00 UTC
