{"id":"https://openalex.org/W7130556991","doi":"https://doi.org/10.1109/fllm67465.2025.11391169","title":"Foundation Models for Tabular Intrusion Detection: Evaluating TabPFN and LLM Few-Shot Classification on IoT Network Security","display_name":"Foundation Models for Tabular Intrusion Detection: Evaluating TabPFN and LLM Few-Shot Classification on IoT Network Security","publication_year":2025,"publication_date":"2025-11-25","ids":{"openalex":"https://openalex.org/W7130556991","doi":"https://doi.org/10.1109/fllm67465.2025.11391169"},"language":null,"primary_location":{"id":"doi:10.1109/fllm67465.2025.11391169","is_oa":false,"landing_page_url":"https://doi.org/10.1109/fllm67465.2025.11391169","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 3rd International Conference on Foundation and Large Language Models (FLLM)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101982119","display_name":"Pablo Garc\u00eda","orcid":"https://orcid.org/0000-0003-1098-1220"},"institutions":[{"id":"https://openalex.org/I96580804","display_name":"Universidad Pontificia Comillas","ror":"https://ror.org/017mdc710","country_code":"ES","type":"education","lineage":["https://openalex.org/I96580804"]}],"countries":["ES"],"is_corresponding":true,"raw_author_name":"Pablo Garc\u00eda","raw_affiliation_strings":["Universidad Pontificia Comillas,Escuela Técnica Superior de Ingeniería (ICAI),Madrid,Spain"],"affiliations":[{"raw_affiliation_string":"Universidad Pontificia Comillas,Escuela Técnica Superior de Ingeniería (ICAI),Madrid,Spain","institution_ids":["https://openalex.org/I96580804"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5045362954","display_name":"J. de Curt\u00f2","orcid":null},"institutions":[{"id":"https://openalex.org/I96580804","display_name":"Universidad Pontificia Comillas","ror":"https://ror.org/017mdc710","country_code":"ES","type":"education","lineage":["https://openalex.org/I96580804"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"J. de Curt\u00f2","raw_affiliation_strings":["Universidad Pontificia Comillas,Escuela Técnica Superior de Ingeniería (ICAI),Madrid,Spain"],"affiliations":[{"raw_affiliation_string":"Universidad Pontificia Comillas,Escuela Técnica Superior de Ingeniería (ICAI),Madrid,Spain","institution_ids":["https://openalex.org/I96580804"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5126367070","display_name":"I. de Zarz\u00e0","orcid":null},"institutions":[{"id":"https://openalex.org/I255234318","display_name":"Universidad de Zaragoza","ror":"https://ror.org/012a91z28","country_code":"ES","type":"education","lineage":["https://openalex.org/I255234318"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"I. de Zarz\u00e0","raw_affiliation_strings":["Universidad de Zaragoza,Departamento de Informática e Ingeniería de Sistemas,Zaragoza,Spain"],"affiliations":[{"raw_affiliation_string":"Universidad de Zaragoza,Departamento de Informática e Ingeniería de Sistemas,Zaragoza,Spain","institution_ids":["https://openalex.org/I255234318"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5101982119"],"corresponding_institution_ids":["https://openalex.org/I96580804"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.78205912,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"782","last_page":"789"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.8553000092506409,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.8553000092506409,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.015200000256299973,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.013199999928474426,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.6309999823570251},{"id":"https://openalex.org/keywords/ensemble-learning","display_name":"Ensemble learning","score":0.5199999809265137},{"id":"https://openalex.org/keywords/probabilistic-logic","display_name":"Probabilistic logic","score":0.4927999973297119},{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.47769999504089355},{"id":"https://openalex.org/keywords/deep-learning","display_name":"Deep learning","score":0.4602999985218048},{"id":"https://openalex.org/keywords/hyperparameter","display_name":"Hyperparameter","score":0.44940000772476196},{"id":"https://openalex.org/keywords/random-forest","display_name":"Random forest","score":0.4140999913215637},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.40230000019073486}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7885000109672546},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.6467999815940857},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.6309999823570251},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.608299970626831},{"id":"https://openalex.org/C45942800","wikidata":"https://www.wikidata.org/wiki/Q245652","display_name":"Ensemble learning","level":2,"score":0.5199999809265137},{"id":"https://openalex.org/C49937458","wikidata":"https://www.wikidata.org/wiki/Q2599292","display_name":"Probabilistic logic","level":2,"score":0.4927999973297119},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.47769999504089355},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.4602999985218048},{"id":"https://openalex.org/C8642999","wikidata":"https://www.wikidata.org/wiki/Q4171168","display_name":"Hyperparameter","level":2,"score":0.44940000772476196},{"id":"https://openalex.org/C169258074","wikidata":"https://www.wikidata.org/wiki/Q245748","display_name":"Random forest","level":2,"score":0.4140999913215637},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.40230000019073486},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.39719998836517334},{"id":"https://openalex.org/C2777212361","wikidata":"https://www.wikidata.org/wiki/Q5127848","display_name":"Class (philosophy)","level":2,"score":0.39410001039505005},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.37279999256134033},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.3555000126361847},{"id":"https://openalex.org/C34736171","wikidata":"https://www.wikidata.org/wiki/Q918333","display_name":"Preprocessor","level":2,"score":0.3294999897480011},{"id":"https://openalex.org/C33724603","wikidata":"https://www.wikidata.org/wiki/Q812540","display_name":"Bayesian network","level":2,"score":0.31690001487731934},{"id":"https://openalex.org/C51632099","wikidata":"https://www.wikidata.org/wiki/Q3985153","display_name":"Training set","level":2,"score":0.30570000410079956},{"id":"https://openalex.org/C158251709","wikidata":"https://www.wikidata.org/wiki/Q354025","display_name":"Intrusion","level":2,"score":0.2985999882221222},{"id":"https://openalex.org/C119898033","wikidata":"https://www.wikidata.org/wiki/Q3433888","display_name":"Ensemble forecasting","level":2,"score":0.2775000035762787},{"id":"https://openalex.org/C10551718","wikidata":"https://www.wikidata.org/wiki/Q5227332","display_name":"Data pre-processing","level":2,"score":0.2597000002861023},{"id":"https://openalex.org/C66322947","wikidata":"https://www.wikidata.org/wiki/Q11658","display_name":"Transformer","level":3,"score":0.2535000145435333},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.25189998745918274}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/fllm67465.2025.11391169","is_oa":false,"landing_page_url":"https://doi.org/10.1109/fllm67465.2025.11391169","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 3rd International Conference on Foundation and Large Language Models (FLLM)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":18,"referenced_works":["https://openalex.org/W433644524","https://openalex.org/W2099940443","https://openalex.org/W2148143831","https://openalex.org/W2296509296","https://openalex.org/W2342408547","https://openalex.org/W2789828921","https://openalex.org/W2800788706","https://openalex.org/W2903294440","https://openalex.org/W2958285686","https://openalex.org/W2968774960","https://openalex.org/W2980576170","https://openalex.org/W3174086521","https://openalex.org/W3185244527","https://openalex.org/W4392388299","https://openalex.org/W4406891901","https://openalex.org/W4406892603","https://openalex.org/W4407163436","https://openalex.org/W4408080043"],"related_works":[],"abstract_inverted_index":{"While":[0],"ensemble":[1,166],"methods":[2,167],"have":[3],"dominated":[4],"tabular":[5,37,256],"intrusion":[6,58,274],"detection":[7,275],"systems":[8,276],"(IDS),":[9],"recent":[10],"advances":[11],"in":[12,219,282],"foundation":[13,30,262],"models":[14,42],"present":[15],"new":[16],"opportunities":[17],"for":[18,36,55,205,242,255],"enhanced":[19],"cybersecurity":[20,211],"applications.":[21],"This":[22],"paper":[23],"presents":[24],"the":[25,65,132,199,248],"first":[26],"comprehensive":[27,99],"evaluation":[28,73,100],"of":[29,136,201,278],"models\u2014specifically":[31],"TabPFN":[32,124],"(a":[33],"probabilistic":[34],"transformer":[35],"data)":[38],"and":[39,51,67,98,155,171,226,228,239,259],"large":[40],"language":[41],"(LLMs)":[43],"using":[44,70,147],"few-shot":[45,214],"in-context":[46],"learning\u2014against":[47],"traditional":[48,158,165],"machine":[49],"learning":[50,53,207],"deep":[52,206],"approaches":[54,208],"IoT":[56,283],"network":[57],"detection.":[59],"We":[60],"conduct":[61],"rigorous":[62],"experiments":[63],"on":[64,128,209],"CIC-IDS2017":[66],"N-BaIoT":[68],"datasets":[69],"a":[71,267],"unified":[72],"framework":[74],"that":[75,123,250,261],"addresses":[76],"critical":[77],"methodological":[78,80],"issues:":[79],"rigor":[81],"through":[82],"appropriate":[83],"train/test":[84],"splits,":[85],"severe":[86],"class":[87,154],"imbalance":[88],"via":[89],"stratified":[90],"sampling":[91],"up":[92,149],"to":[93,150,180],"20,000":[94],"instances":[95],"per":[96,153],"class,":[97],"across":[101],"four":[102],"data":[103,196,202],"variants":[104],"(raw":[105],"vs.":[106,115],"incremental":[107],"PCA-compressed":[108],"features":[109],"with":[110,193],"95%":[111],"variance":[112],"retention,":[113],"original":[114],"semantically":[116],"grouped":[117],"attack":[118,139,184,222],"classes).":[119],"Our":[120],"results":[121],"demonstrate":[122,216],"achieves":[125],"superior":[126],"performance":[127,189],"CIC-IDS2017,":[129],"by":[130,236],"being":[131],"only":[133,148,190],"model":[134],"capable":[135,277],"detecting":[137],"all":[138],"classes":[140,223],"including":[141],"rare":[142,221],"ones":[143],"like":[144,168,224],"Heartbleed,":[145],"while":[146,173],"3,000":[151],"examples":[152],"requiring":[156],"no":[157],"training":[159],"or":[160],"hyperparameter":[161],"tuning.":[162],"In":[163],"contrast,":[164],"Random":[169],"Forest":[170],"K-NN,":[172],"achieving":[174],"high":[175],"overall":[176],"accuracy":[177],"(>99%),":[178],"fail":[179],"detect":[181],"several":[182],"minority":[183],"classes.":[185],"TabNet":[186],"shows":[187],"competitive":[188],"when":[191],"augmented":[192],"SMOTE-based":[194],"synthetic":[195],"generation,":[197],"highlighting":[198],"importance":[200],"augmentation":[203],"strategies":[204],"imbalanced":[210],"datasets.":[212],"LLM-based":[213],"classifiers":[215],"surprising":[217],"effectiveness":[218],"identifying":[220],"Heartbleed":[225],"Infiltration":[227],"provide":[229],"inherent":[230],"explainability,":[231],"though":[232],"they":[233],"remain":[234],"limited":[235],"context":[237],"size":[238],"inference":[240],"latency":[241],"large-scale":[243],"deployment.":[244],"These":[245],"findings":[246],"challenge":[247],"assumption":[249],"tree-based":[251],"ensembles":[252],"are":[253],"optimal":[254],"IDS":[257],"applications":[258],"suggest":[260],"models,":[263],"particularly":[264],"TabPFN,":[265],"offer":[266],"promising":[268],"paradigm":[269],"shift":[270],"toward":[271],"training-free,":[272],"generalizable":[273],"handling":[279],"zero-day":[280],"threats":[281],"environments.":[284]},"counts_by_year":[],"updated_date":"2026-02-20T17:44:18.066148","created_date":"2026-02-20T00:00:00"}