000163027 001__ 163027
000163027 005__ 20251009133841.0
000163027 0247_ $$2doi$$a10.3390/electronics14193792
000163027 0248_ $$2sideral$$a145480
000163027 037__ $$aART-2025-145480
000163027 041__ $$aeng
000163027 100__ $$aGarcía, Pablo
000163027 245__ $$aFoundation Models for Cybersecurity: A Comprehensive Multi-Modal Evaluation of TabPFN and TabICL for Tabular Intrusion Detection
000163027 260__ $$c2025
000163027 5060_ $$aAccess copy available to the general public$$fUnrestricted
000163027 5203_ $$aWhile traditional ensemble methods have dominated tabular intrusion detection systems (IDSs), recent advances in foundation models present new opportunities for enhanced cybersecurity applications. This paper presents a comprehensive multi-modal evaluation of foundation models—specifically TabPFN (Tabular Prior-Data Fitted Network), TabICL (Tabular In-Context Learning), and large language models—against traditional machine learning approaches across three cybersecurity datasets: CIC-IDS2017, N-BaIoT, and CIC-UNSW. Our rigorous experimental framework addresses critical methodological challenges through model-appropriate evaluation protocols and comprehensive assessment across multiple data variants. Results demonstrate that foundation models achieve superior and more consistent performance compared with traditional approaches, with TabPFN and TabICL establishing new state-of-the-art results across all datasets. Most significantly, these models uniquely achieve non-zero recall across all classes, including rare threats like Heartbleed and Infiltration, while traditional ensemble methods—despite achieving >99% overall accuracy—completely fail on several minority classes. TabICL demonstrates particularly strong performance on CIC-IDS2017 (99.59% accuracy), while TabPFN maintains consistent performance across all datasets, suggesting robust generalization capabilities. Both foundation models achieve these results using only fractions of the available training data and requiring no hyperparameter tuning, representing a paradigm shift toward training-light, hyperparameter-free adaptive IDS architectures, where TabPFN requires no task-specific fitting and TabICL leverages efficient in-context adaptation without retraining. Cross-dataset validation reveals that foundation models maintain performance advantages across diverse threat landscapes, while traditional methods exhibit significant dataset-specific variations. These findings challenge the cybersecurity community’s reliance on tree-based ensembles and demonstrate that foundation models offer superior capabilities for next-generation intrusion detection systems in IoT environments.
000163027 540__ $$9info:eu-repo/semantics/openAccess$$aby$$uhttps://creativecommons.org/licenses/by/4.0/deed.es
000163027 655_4 $$ainfo:eu-repo/semantics/article$$vinfo:eu-repo/semantics/publishedVersion
000163027 700__ $$ade Curtò, J.
000163027 700__ $$0(orcid)0000-0002-5844-7871$$ade Zarzà, I.$$uUniversidad de Zaragoza
000163027 700__ $$aCano, Juan Carlos
000163027 700__ $$aCalafate, Carlos T.
000163027 7102_ $$15007$$2570$$aUniversidad de Zaragoza$$bDpto. Informát.Ingenie.Sistms.$$cÁrea Lenguajes y Sistemas Inf.
000163027 773__ $$g14, 19 (2025), 3792 [29 pp.]$$pElectronics (Basel)$$tElectronics (Basel)$$x2079-9292
000163027 787__ $$tAI for Intrusion Detection Systems$$whttps://github.com/pablogarciaamolina/AI-for-IDS
000163027 8564_ $$s1006914$$uhttps://zaguan.unizar.es/record/163027/files/texto_completo.pdf$$yVersión publicada
000163027 8564_ $$s2539903$$uhttps://zaguan.unizar.es/record/163027/files/texto_completo.jpg?subformat=icon$$xicon$$yVersión publicada
000163027 909CO $$ooai:zaguan.unizar.es:163027$$particulos$$pdriver
000163027 951__ $$a2025-10-09-13:25:56
000163027 980__ $$aARTICLE