Existing IoT botnet detection methods struggle to jointly model the temporal and spatial patterns inherent in network flows, limiting the applicability of Vision Transformers (ViTs) to non-image security data. To address this, we propose a novel preprocessing paradigm that maps raw PCAP network flows into single-channel 2D images—enabling, for the first time, direct ViT modeling of non-image sequential security data. Furthermore, we extend the ViT architecture to support diverse classification heads—including DNN, LSTM, and BiLSTM—overcoming the limitation of its native MLP head. Extensive experiments on two IoT attack datasets demonstrate state-of-the-art performance across Precision, Recall, and F1-score. Our results validate the effectiveness of ViTs in learning traffic representations via image-based encoding and capturing multi-granularity temporal dependencies. This work establishes a new paradigm for applying ViTs beyond traditional computer vision domains, particularly to network traffic analysis.

Despite the demonstrated effectiveness of transformer models in NLP, and image and video classification, the available tools for extracting features from captured IoT network flow packets fail to capture sequential patterns in addition to the absence of spatial patterns consequently limiting transformer model application. This work introduces a novel preprocessing method to adapt transformer models, the vision transformer (ViT) in particular, for IoT botnet attack detection using network flow packets. The approach involves feature extraction from .pcap files and transforming each instance into a 1-channel 2D image shape, enabling ViT-based classification. Also, the ViT model was enhanced to allow use any classifier besides Multilayer Perceptron (MLP) that was deployed in the initial ViT paper. Models including the conventional feed forward Deep Neural Network (DNN), LSTM and Bidirectional-LSTM (BLSTM) demonstrated competitive performance in terms of precision, recall, and F1-score for multiclass-based attack detection when evaluated on two IoT attack datasets.