Utilizing BERT for Feature Extraction of Packet Payload

Abstract

Tampering with just one byte of traffic payloads used in industrial control systems (ICS) can cause serious physical accidents. Therefore, it is necessary to analyze the payload in a cyber attack detection system targeting ICS. However, since various protocols are used in ICS, a high level of expertise is required to manually extract the features from the payload. Therefore, in this paper, we propose a method for automatic payload analysis using Bidirectional Encoder Representations for Transformers (BERT). By treating each byte as a word and using BERT, we can obtain one fixed-length feature vector from the payload. The vector contains information such as the position of each byte and its relation to to nearby bytes. We experimentally show the effectiveness of the proposed method on several ICS datasets in the anomaly detection task.