# ModernBERT-IDS

A fine-tuned ModernBERT-based multi-class classifier for detecting DDoS and related attack categories directly from raw network log strings. This model is part of the ModernBERT-DoS/IDS project, focused on high-accuracy intrusion detection using transformer-based architectures.

---

## Model Summary

- **Model Type:** Transformer-based multi-class text classifier
- **Base Model:** answerdotai/ModernBERT-base
- **Task:** Intrusion Detection / Log Classification
- **Input:** Raw network log text (e.g., packet captures converted to text format)
- **Output:** Predicted attack class label
- **Training Objective:** Weighted cross-entropy (handles class imbalance)

This model was trained to identify several traffic types present in datasets such as CIC-DDoS2019 and custom SSL logs.

---

## Intended Use

### Primary Use Cases

- Intrusion Detection Systems (IDS)
- DDoS and attack pattern classification
- Network monitoring and security research
- Automated analysis of raw pcap-derived logs
- Multi-class traffic categorization in SOC workflows

### Not Intended For

- Real-time blocking without further validation
- Use on unprocessed binary packet captures (requires conversion to text logs)
- Detection of malware not represented in the training data

---

## Training Details

### Training Pipeline

The model was trained using:

- ModernBERT fine-tuning with mean pooling
- 3× dropout layers for regularization
- Two fully-connected layers with GELU activation
- LayerNorm for stable optimization
- Tokenization up to 512 tokens to support large logs

### Data Handling

- Strict train/validation/test split with no data leakage
- No manual feature removal required; model learns directly from raw logs
- Stratified sampling to preserve class distribution

### Baselines (for comparison)

The training repository includes benchmarks against:

- Random Forest
- Linear SVM
- Logistic Regression
- CNN
- BiLSTM with Attention

ModernBERT-IDS consistently outperformed all baselines in macro-F1 scoring.

---

## Evaluation Metrics

The following metrics were computed on the test split (unseen logs):

- Accuracy
- Macro F1
- Weighted F1
- Per-class F1
- Precision/Recall
- Confusion matrix

This model achieved macro-F1 performance in the 0.95–0.97 range depending on dataset variation.

---

## Supported Attack Classes

The model dynamically adapts to classes found in the training dataset, typically including:

- DDoS
- BENIGN
- LDAP
- NetBIOS
- MSSQL
- Portmap
- UDP
- SSL

Additional classes may be present depending on the uploaded dataset.

---

## Example Usage

```python
from transformers import AutoTokenizer, AutoModelForSequenceClassification
import torch

model_name = "ccaug/modernbert-IDS"

tokenizer = AutoTokenizer.from_pretrained(model_name)
model = AutoModelForSequenceClassification.from_pretrained(model_name)

# One text log line derived from a packet capture (not the binary pcap itself).
log_line = "Frame 144: 98 bytes on wire (784 bits), 98 bytes captured ..."

# Logs longer than 512 tokens are truncated to the training-time limit.
inputs = tokenizer(log_line, return_tensors="pt", truncation=True, max_length=512)

# Inference only: no gradients needed.
with torch.no_grad():
    outputs = model(**inputs)

# Index of the highest-scoring class.
predicted_class = outputs.logits.argmax(dim=1).item()
print("Predicted class:", predicted_class)
```
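
The model card rules out real-time blocking without further validation, and the usage snippet yields only a class index. The following is an added example, not part of the original model card or the project's code, of a triage step between the classifier's logits and any response action. The label order, the thresholds and the `triage`/`summarize` names are assumptions, and the logits are constructed sample values.

```python
import math
from collections import Counter

# Assumed label order (illustrative); read the real mapping from
# model.config.id2label. The thresholds below are assumed defaults too.
LABELS = ["BENIGN", "DDoS", "LDAP", "MSSQL", "NetBIOS", "Portmap", "SSL", "UDP"]

def softmax(logits):
    """Numerically stable softmax over one row of logits."""
    peak = max(logits)
    exps = [math.exp(x - peak) for x in logits]
    total = sum(exps)
    return [e / total for e in exps]

def triage(logits, labels=LABELS, min_conf=0.90, min_margin=0.30):
    """Return (label, confidence, action): "ignore" for confident BENIGN,
    "alert" for a confident attack class, "review" when the top probability
    or its lead over the runner-up is too small to act on."""
    if len(logits) != len(labels):
        raise ValueError("logit count does not match label count")
    probs = softmax(logits)
    top, second = sorted(range(len(probs)), key=probs.__getitem__, reverse=True)[:2]
    conf = probs[top]
    if conf < min_conf or conf - probs[second] < min_margin:
        return labels[top], conf, "review"
    return labels[top], conf, "ignore" if labels[top] == "BENIGN" else "alert"

def summarize(batch, min_alerts=3):
    """Escalate a class only if it alerts on at least min_alerts lines of a window."""
    alerts = Counter(lbl for lbl, _, act in map(triage, batch) if act == "alert")
    return sorted(lbl for lbl, n in alerts.items() if n >= min_alerts)

# Constructed sample logits (not real model output), one row per log line.
SAMPLE = [
    [0.1, 9.0, 0.2, 0.0, 0.1, 0.3, 0.0, 0.2],  # confident DDoS
    [0.2, 8.5, 0.1, 0.3, 0.0, 0.1, 0.2, 0.4],  # confident DDoS
    [0.0, 9.2, 0.4, 0.1, 0.2, 0.0, 0.1, 0.3],  # confident DDoS
    [8.8, 0.1, 0.0, 0.2, 0.1, 0.0, 0.3, 0.1],  # confident BENIGN
    [0.1, 0.2, 3.0, 0.1, 2.8, 0.0, 0.1, 0.2],  # LDAP vs NetBIOS: ambiguous
    [0.2, 0.1, 0.0, 0.3, 0.1, 0.2, 0.1, 9.1],  # a single UDP hit
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(triage(row))
    print("escalate:", summarize(SAMPLE))
```

With real output, pass `outputs.logits[0].tolist()` to `triage` and build `labels` from the checkpoint's own label mapping.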