163027 20251009133841.0 doi 10.3390/electronics14193792 sideral 145480 ART-2025-145480 eng García, Pablo Foundation Models for Cybersecurity: A Comprehensive Multi-Modal Evaluation of TabPFN and TabICL for Tabular Intrusion Detection 2025 Access copy available to the general public Unrestricted While traditional ensemble methods have dominated tabular intrusion detection systems (IDSs), recent advances in foundation models present new opportunities for enhanced cybersecurity applications. This paper presents a comprehensive multi-modal evaluation of foundation models—specifically TabPFN (Tabular Prior-Data Fitted Network), TabICL (Tabular In-Context Learning), and large language models—against traditional machine learning approaches across three cybersecurity datasets: CIC-IDS2017, N-BaIoT, and CIC-UNSW. Our rigorous experimental framework addresses critical methodological challenges through model-appropriate evaluation protocols and comprehensive assessment across multiple data variants. Results demonstrate that foundation models achieve superior and more consistent performance compared with traditional approaches, with TabPFN and TabICL establishing new state-of-the-art results across all datasets. Most significantly, these models uniquely achieve non-zero recall across all classes, including rare threats like Heartbleed and Infiltration, while traditional ensemble methods—despite achieving >99% overall accuracy—completely fail on several minority classes. TabICL demonstrates particularly strong performance on CIC-IDS2017 (99.59% accuracy), while TabPFN maintains consistent performance across all datasets, suggesting robust generalization capabilities. Both foundation models achieve these results using only fractions of the available training data and requiring no hyperparameter tuning, representing a paradigm shift toward training-light, hyperparameter-free adaptive IDS architectures, where TabPFN requires no task-specific fitting and TabICL leverages efficient in-context adaptation without retraining. Cross-dataset validation reveals that foundation models maintain performance advantages across diverse threat landscapes, while traditional methods exhibit significant dataset-specific variations. These findings challenge the cybersecurity community’s reliance on tree-based ensembles and demonstrate that foundation models offer superior capabilities for next-generation intrusion detection systems in IoT environments. info:eu-repo/semantics/openAccess by https://creativecommons.org/licenses/by/4.0/deed.es info:eu-repo/semantics/article info:eu-repo/semantics/publishedVersion de Curtò, J. de Zarzà, I. Universidad de Zaragoza (orcid)0000-0002-5844-7871 Cano, Juan Carlos Calafate, Carlos T. 5007 570 Universidad de Zaragoza Dpto. Informát.Ingenie.Sistms. Área Lenguajes y Sistemas Inf. 14, 19 (2025), 3792 [29 pp.] Electronics (Basel) Electronics (Basel) 2079-9292 AI for Intrusion Detection Systems https://github.com/pablogarciaamolina/AI-for-IDS 1006914 http://zaguan.unizar.es/record/163027/files/texto_completo.pdf Versión publicada 2539903 http://zaguan.unizar.es/record/163027/files/texto_completo.jpg?subformat=icon icon Versión publicada oai:zaguan.unizar.es:163027 articulos driver 2025-10-09-13:25:56 ARTICLE