Abstract
The widespread adoption of Internet of Things (IoT) devices across domains ranging from domestic to industrial applications has increasingly made them attractive targets for sophisticated malware attacks. Due to their reliance on existing attack signatures, conventional Network-based Intrusion Detection Systems (NIDS), which are used by many IoT devices with low computational resources, have difficulty detecting zero-day malware. Therefore, this research proposes a hybrid Deep Learning (DL)-based model, named Contour Zero-day – Residual Vision Transformer (CZ-ResViT), which addresses the limitations of conventional detection techniques by transforming network traffic into contour images derived from correlation matrices, thereby facilitating an effective visual representation of malware behavior suitable for DL models. The hybrid architecture integrates the local spatial features of the deep Residual Network (ResNet) with the global context understanding of the Vision Transformer (ViT). To simulate zero-day attack scenarios, the CZ-ResViT model is tested using a zero-shot learning strategy on the CIC IoT 2023 and IoTID20 datasets after having been trained on the IoT-23 dataset. Contour images achieved over 90% accuracy in malware classification compared to binary representations. In zero-day scenarios, CZ-ResViT achieved 82% accuracy on CIC IoT 2023 and 81% on IoTID20, outperforming other DL models and demonstrating greater resilience and generalization.
Nitrat, K., Suetrong, N., & Promsuk, N. (2025). Zero-Day Attack Detection in IoT Networks Using a Residual Vision Transformer-Based Approach With Zero-Shot Learning. IEEE Open Journal of the Communications Society, 6, 7405–7423. https://doi.org/10.1109/OJCOMS.2025.3604826