Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1109/tifs.2020.2991876

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Conventional intrusion detection systems based on supervised learning techniques require a large number of samples for training, while in some scenarios, such as zero-day attacks, security agencies can only intercept a limited number of shots of malicious samples. Therefore, there is a need for few-shot detection. In this paper, a detection method based on a meta-learning framework is proposed for this purpose. The proposed method can be used to distinguish and compare a pair of network traffic samples as a basic task of learning, including a normal unaffected sample and a malicious one. To accomplish this task, we design a deep neural network (DNN) named FC-Net, which mainly comprises two parts: feature extraction network and comparison network. FC-Net learns a pair of feature maps for classification from a pair of network traffic samples, then compares the obtained feature maps, and finally determines whether the pair of samples belongs to the same type. To evaluate the proposed detection method, we construct two datasets for few-shot network intrusion detection based on real network traffic data sources, using a specifically developed approach. The experimental results indicate that the proposed detection method is universal and is not limited to specific datasets or attack types. Training and testing on the same datasets demonstrate that the proposed method can achieve the average detection rate up to 98.88%. The outcome of training on one dataset and testing on the other one confirms that the proposed method can achieve better performance. In a few-shot scenario, malicious samples in an untrained dataset can be detected successfully, and the average detection rate is up to 99.62%.

Thin Tharaphe THEIN,Yoshiaki SHIRAISHI,Masakatu MORII

DOI: https://doi.org/10.1587/transinf.2022ofp0004

2023-09-01

IEICE Transactions on Information and Systems

Abstract:With a rapidly escalating number of sophisticated cyber-attacks, protecting Internet of Things (IoT) networks against unauthorized activity is a major concern. The detection of malicious attack traffic is thus crucial for IoT security to prevent unwanted traffic. However, existing traditional malicious traffic detection systems which relied on supervised machine learning approach need a considerable number of benign and malware traffic samples to train the machine learning models. Moreover, in the cases of zero-day attacks, only a few labeled traffic samples are accessible for analysis. To deal with this, we propose a few-shot malicious IoT traffic detection system with a prototypical graph neural network. The proposed approach does not require prior knowledge of network payload binaries or network traffic signatures. The model is trained on labeled traffic data and tested to evaluate its ability to detect new types of attacks when only a few labeled traffic samples are available. The proposed detection system first categorizes the network traffic as a bidirectional flow and visualizes the binary traffic flow as a color image. A neural network is then applied to the visualized traffic to extract important features. After that, using the proposed few-shot graph neural network approach, the model is trained on different few-shot tasks to generalize it to new unseen attacks. The proposed model is evaluated on a network traffic dataset consisting of benign traffic and traffic corresponding to six types of attacks. The results revealed that our proposed model achieved an F1 score of 0.91 and 0.94 in 5-shot and 10-shot classification, respectively, and outperformed the baseline models.

computer science, information systems, software engineering

Bohan Li,Renjun Ye,Gao Gu,Ruochen Liang,Wei Liu,Ken Cai

DOI: https://doi.org/10.1016/j.comcom.2019.12.037

IF: 5.047

2020-01-01

Computer Communications

Abstract:The increasing scale of the Internet of Things (IoT) makes systems vulnerable to serious security threats, especially when the attacks of malicious nodes exist in these networks. Different malicious nodes will launch different attacks, but most of them are based on tampering, re-transmission, and discarding methods. For such attacks, an effective method to detect malicious nodes focuses on the received and sent messages of each node. However, gathering messages about each node in the network is time-consuming, as well as collecting all the message in the network would consume the limited resources in the IoT. In this paper, we propose a novel method to detect malicious nodes based on an online learning algorithm. We first calculate the credibility of each path in the network based on the collected packets., then modeled the got path reputation by the online learning algorithm, finally, calculated the trust of each node in the IoT environment and detected the malicious node by a clustering algorithm. To make the model have a good performance when the network scale is small, we perform some processing on the network topology based on the general online learning detection algorithm and get an enhanced online learning detection algorithm. The result of the experiment proves that the methods we proposed can detect malicious nodes with high accuracy and work well with good stability.

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Subhash Mondal,Subinoy Mukherjee,Suharta Banerjee

DOI: https://doi.org/10.1007/978-981-16-4435-1_30

2021-08-03

Abstract:Internet of Things is the most promising technology that is trying to transform the way in which we live and is expected to seamlessly get integrated into our environment. However, securing the IoT devices from attacks is the prime concern for researchers today. Securing IoT systems from malicious attacks is the most challenging task as attacks like DoS or DDoS are distributed in nature. In this paper we have proposed an architecture based on ML that will identify the malicious nodes which in turn will provide pre-authentication and access control, thus preventing unauthorized access of IoT resources. We have mainly emphasized on the trade-off between time, memory, and accuracy of ML algorithms for achieving better performance.

Yi Shen,Yuhan Zhang,Yuwei Li,Wanmeng Ding,Miao Hu,Yang Li,Cheng Huang,Jie Wang

DOI: https://doi.org/10.1007/978-3-031-56580-9_15

2024-01-01

Abstract:Nowadays, a large number of IoT devices are manufactured and used in daily life. However, the lack of uniform protocols and standards for IoT devices brings many security risks. Malicious attacks on IoT devices such as Mirai are on the rise, leading to more IoT devices joining botnets and launching DDoS attacks. Therefore, it is necessary to detect malicious traffic of IoT devices. To solve this problem, we propose FLIMT, a federated learning based malicious traffic detection framework for IoT devices. We motivated by the fact that it is not practical to centralize and detect the traffic data sent by IoT devices. Besides, considering the data security and confidentiality standards, it is improper to aggregate data from individual IoT devices into a central computing cluster. FLIMT consists of several GRU-based local detection clients and a central server, where local clients rely on local data for model training and testing, and the central server for model aggregation. The experimental results show that FlIMT achieves high detection accuracy on real data collected from IoT devices, and significantly lessens communication rounds.

Yantian Luo,Hancun Sun,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.23919/jcc.fa.2022-0783.202304

2023-01-01

China Communications

Abstract:In the upcoming large-scale Internet of Things (IoT), it is increasingly challenging to defend against malicious traffic, due to the heterogeneity of IoT devices and the diversity of IoT communication protocols. In this paper, we propose a semi-supervised learning-based approach to detect malicious traffic at the access side. It overcomes the resource-bottleneck problem of traditional malicious traffic defenders which are deployed at the victim side, and also is free of labeled traffic data in model training. Specifically, we design a coarse-grained behavior model of IoT devices by self-supervised learning with unlabeled traffic data. Then, we fine-tune this model to improve its accuracy in malicious traffic detection by adopting a transfer learning method using a small amount of labeled data. Experimental results show that our method can achieve the accuracy of 99.52% and the F1-score of 99.52% with only 1% of the labeled training data based on the CICDDoS2019 dataset. Moreover, our method outperforms the state-of-the-art supervised learning-based methods in terms of accuracy, precision, recall and F1-score with 1% of the training data.

Yantian Luo,Hancun Sun,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.23919/JCC.fa.2022-0783.202304

2023-04-01

China Communications

Abstract:In the upcoming large-scale Internet of Things (IoT), it is increasingly challenging to defend against malicious traffic, due to the heterogeneity of IoT devices and the diversity of IoT communication protocols. In this paper, we propose a semi-supervised learning-based approach to detect malicious traffic at the access side. It overcomes the resource-bottleneck problem of traditional malicious traffic defenders which are deployed at the victim side, and also is free of labeled traffic data in model training. Specifically, we design a coarse-grained behavior model of IoT devices by self-supervised learning with unlabeled traffic data. Then, we fine-tune this model to improve its accuracy in malicious traffic detection by adopting a transfer learning method using a small amount of labeled data. Experimental results show that our method can achieve the accuracy of 99.52% and the F1-score of 99.52% with only 1% of the labeled training data based on the CICDDoS2019 dataset. Moreover, our method outperforms the state-of-the-art supervised learning-based methods in terms of accuracy, precision, recall and F1-score with 1% of the training data.

Giampaolo Bovenzi,Davide Di Monda,Antonio Montieri,Valerio Persico,Antonio Pescapè

DOI: https://doi.org/10.1016/j.jisa.2024.103762

IF: 4.96

2024-06-01

Journal of Information Security and Applications

Abstract:The Internet of Things (IoT) is a key enabler for critical systems, but IoT devices are increasingly targeted by cyberattacks due to their diffusion and hardware and software limitations. This calls for designing and evaluating new effective approaches for protecting IoT systems at the network level. While recent proposals based on machine- and deep-learning provide effective solutions to the problem of attack-traffic classification, their adoption is severely challenged by the amount of labeled traffic they require to train the classification models. In fact, this results in the need for collecting and labeling large amounts of malicious traffic, which may be hindered by the nature of the malware possibly generating little and hard-to-capture network activity. To tackle this challenge, we adopt few-shot learning approaches for attack-traffic classification, with the objective to improve detection performance for attack classes with few labeled samples. We leverage advanced deep-learning architectures to perform feature extraction and provide an extensive empirical study—using recent and publicly available datasets—comparing the performance of an ample variety of solutions based on different learning paradigms, and exploring a number of design choices in depth (impact of embedding function, number of classes of attacks, or number of attack samples). In comparison to non-few-shot baselines, we achieve a relative improvement in the F 1 -score ranging from 8% to 27%.

computer science, information systems

Ruonan Wang,Minhuan Huang,Jinjing Zhao,Hongzheng Zhang,Wenjing Zhong,Zhaowei Zhang,Liqiang He

DOI: https://doi.org/10.1038/s41598-024-73342-7

IF: 4.6

2024-10-23

Scientific Reports

Abstract:Classifying malicious traffic, which can trace the lineage of attackers' malicious families, is fundamental to safeguarding cybersecurity. However, the deep learning approaches currently employed require substantial volumes of data, conflicting with the challenges in acquiring and accurately labeling malicious traffic data. Additionally, edge network devices vulnerable to cyber-attacks often cannot meet the computational demands required to deploy deep learning models. The rapid mutation of malicious activities further underscores the need for models with strong generalization capabilities to adapt to evolving threats. This paper introduces an innovative few-shot malicious traffic classification method that is precise, lightweight, and exhibits enhanced generalization. By refining traditional transfer learning, the source model is segmented into public and private feature extractors for stepwise transfer, enhancing parameter alignment with specific target tasks. Neuron importance is then sorted based on the task of each feature extractor, enabling precise pruning to create an optimal lightweight model. An adversarial network guiding principle is adopted for retraining the public feature extractor parameters, thus strengthening the model's generalization power. This method achieves an accuracy of over 97% on few-shot datasets with no more than 15 samples per class, has fewer than 50 K model parameters, and exhibits superior generalization compared to baseline methods.

multidisciplinary sciences

Kanwal Rashid,Yousaf Saeed,Abid Ali,Faisal Jamil,Reem Alkanhel,Ammar Muthanna

DOI: https://doi.org/10.3390/s23052594

2023-02-26

Abstract:Modern vehicle communication development is a continuous process in which cutting-edge security systems are required. Security is a main problem in the Vehicular Ad Hoc Network (VANET). Malicious node detection is one of the critical issues found in the VANET environment, with the ability to communicate and enhance the mechanism to enlarge the field. The vehicles are attacked by malicious nodes, especially DDoS attack detection. Several solutions are presented to overcome the issue, but none are solved in a real-time scenario using machine learning. During DDoS attacks, multiple vehicles are used in the attack as a flood on the targeted vehicle, so communication packets are not received, and replies to requests do not correspond in this regard. In this research, we selected the problem of malicious node detection and proposed a real-time malicious node detection system using machine learning. We proposed a distributed multi-layer classifier and evaluated the results using OMNET++ and SUMO with machine learning classification using GBT, LR, MLPC, RF, and SVM models. The group of normal vehicles and attacking vehicles dataset is considered to apply the proposed model. The simulation results effectively enhance the attack classification with an accuracy of 99%. Under LR and SVM, the system achieved 94 and 97%, respectively. The RF and GBT achieved better performance with 98% and 97% accuracy values, respectively. Since we have adopted Amazon Web Services, the network's performance has improved because training and testing time do not increase when we include more nodes in the network.

Junpeng He,Lingfeng Yao,Xiong Li,Muhammad Khurram Khan,Weina Niu,Xiaosong Zhang,Fagen Li

DOI: https://doi.org/10.1007/s10489-024-05290-8

IF: 5.3

2024-02-27

Applied Intelligence

Abstract:Malicious traffic on the Internet has become an increasingly serious problem, and several artificial intelligence (AI)-based malicious traffic detection methods have been proposed. Generally, AI-based methods need numerous benign and specific types of malicious traffic training instances to achieve better detection results. However, for attacks with only a few instances, known as the few-shot attacks, these methods often perform poorly, and how to train a model for detecting few-shot attacks is a huge challenge. For this problem, we propose a novel intrusion detection system based on generative adversarial networks and model-agnostic meta-learning. The system adopts a hybrid detection mechanism where an anomaly-based classifier determines whether incoming traffic is malicious and a signature-based classifier identifies the class of malicious traffic. In the system, the samples of few-shot attacks are augmented by maximizing the use of meta-knowledge and then applied to assist the detection of few-shot attacks to obtain better detection results. The experiments show that for CSE-CIC-IDS2018 and Bot-IoT datasets, this system can detect malicious traffic with 94.3%/1.8% TPR/FPR and 99.8%/0.1% TPR/FPR, respectively, and also can identify the class of the few-shot attacks with 95.2% and 91.9% accuracy, respectively. Compared with other related methods, the system improves the accuracy of identifying few-shot attacks on these two datasets by at least 2.2% and 1.5%, respectively. Additionally, a parameter visualization process is designed, which shows the fast-adaptive property and better generalization capability of the system.

computer science, artificial intelligence

Safa Ben Atitallah,Maha Driss,Wadii Boulila,Anis Koubaa

2024-06-04

Abstract:The Internet of Things (IoT) has been introduced as a breakthrough technology that integrates intelligence into everyday objects, enabling high levels of connectivity between them. As the IoT networks grow and expand, they become more susceptible to cybersecurity attacks. A significant challenge in current intrusion detection systems for IoT includes handling imbalanced datasets where labeled data are scarce, particularly for new and rare types of cyber attacks. Existing literature often fails to detect such underrepresented attack classes. This paper introduces a novel intrusion detection approach designed to address these challenges. By integrating Self Supervised Learning (SSL), Few Shot Learning (FSL), and Random Forest (RF), our approach excels in learning from limited and imbalanced data and enhancing detection capabilities. The approach starts with a Deep Infomax model trained to extract key features from the dataset. These features are then fed into a prototypical network to generate discriminate embedding. Subsequently, an RF classifier is employed to detect and classify potential malware, including a range of attacks that are frequently observed in IoT networks. The proposed approach was evaluated through two different datasets, MaleVis and WSN-DS, which demonstrate its superior performance with accuracies of 98.60% and 99.56%, precisions of 98.79% and 99.56%, recalls of 98.60% and 99.56%, and F1-scores of 98.63% and 99.56%, respectively.

Cryptography and Security,Artificial Intelligence

Yiming Wu,Gaoyun Lin,Lisong Liu,Zhen Hong,Yangyang Wang,Xing Yang,Zoe L. Jiang,Shouling Ji,Zhenyu Wen

DOI: https://doi.org/10.1109/jiot.2024.3395629

IF: 10.6

2024-07-10

IEEE Internet of Things Journal

Abstract:The rapid proliferation of Internet of Things (IoT) devices has led to an increased need for robust and efficient intrusion detection systems capable of identifying and mitigating novel threats. Traditional methods often struggle with the scarcity of labeled anomaly data, which is highly consequential, particularly in the context of IoT. In this study, we propose a novel few-shot learning (FSL) approach by leveraging a multistage attention Siamese network (MASiNet) for network traffic intrusion detection based on meta-learning framework. Unlike traditional methods, the proposed MASiNet model is capable of detecting intrusions with minimal labeled samples, addressing the challenge of scarce anomaly data. The model is trained using various attack samples and evaluates unknown samples by comparing similarities with a small set of known attack types. A well-structured cost function design, incorporating two specific losses, is introduced to optimize the effectiveness of the training process. Tested on the NSL_KDD and UNSW-NB15 data sets in a simulated FSL environment, the MASiNet model demonstrates superior performance in terms of accuracy, precision, and false alarm rate (FAR), outperforming existing methods. Furthermore, we have validated our approach through real-world evaluations. The proposed method provides an effective solution for intrusion detection in the context of FSL, offering a proficient solution that aligns with the dynamic nature of IoT networks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Andy Reed,Laurence Dooley,Soraya Kouadri Mostefaoui

DOI: https://doi.org/10.3390/s24175581

IF: 3.9

2024-08-31

Sensors

Abstract:The pernicious impact of malicious Slow DoS (Denial of Service) attacks on the application layer and web-based Open Systems Interconnection model services like Hypertext Transfer Protocol (HTTP) has given impetus to a range of novel detection strategies, many of which use machine learning (ML) for computationally intensive full packet capture and post-event processing. In contrast, existing detection mechanisms, such as those found in various approaches including ML, artificial intelligence, and neural networks neither facilitate real-time detection nor consider the computational overhead within resource-constrained Internet of Things (IoT) networks. Slow DoS attacks are notoriously difficult to reliably identify, as they masquerade as legitimate application layer traffic, often resembling nodes with slow or intermittent connectivity. This means they often evade detection mechanisms because they appear as genuine node activity, which increases the likelihood of mistakenly being granted access by intrusion-detection systems. The original contribution of this paper is an innovative Guardian Node (GN) Slow DoS detection model, which analyses the two key network attributes of packet length and packet delta time in real time within a live IoT network. By designing the GN to operate within a narrow window of packet length and delta time values, accurate detection of all three main Slow DoS variants is achieved, even under the stealthiest malicious attack conditions. A unique feature of the GN model is its ability to reliably discriminate Slow DoS attack traffic from both genuine and slow nodes experiencing high latency or poor connectivity. A rigorous critical evaluation has consistently validated high, real-time detection accuracies of more than 98% for the GN model across a range of demanding traffic profiles. This performance is analogous to existing ML approaches, whilst being significantly more resource efficient, with computational and storage overheads being over 96% lower than full packet capture techniques, so it represents a very attractive alternative for deployment in resource-scarce IoT environments.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Tong Niu,Yaqiu Liu,Qingfeng Li,Qichi Bao

DOI: https://doi.org/10.1109/access.2024.3481496

IF: 3.9

2024-01-01

IEEE Access

Abstract:As the Internet of Things (IoT) continues to evolve, its inherent diversity and rapid iteration pose challenges for the development and deployment of malicious traffic detection systems. This study aims to develop a scalable detection architecture that can accurately identify malicious traffic in IoT environments, while protecting user privacy. We propose a deep-learning-based model that is capable of training and updating within an IoT setting. The payload of the data packets is encoded to enhance the feature extraction capability of the model. The model is then trained using federated learning/edge computing to ensure data privacy. The final model parameters are stored in an IPFS file storage system with the corresponding hash value stored in the blockchain, ensuring the correctness of the model parameters during expansion. Experiments were conducted in a Docker environment using the CIC IoT Dataset 2022 and CIC IoT Dataset 2023. The results demonstrate that the proposed architecture achieves a pre-training accuracy of 98.6% for known abnormal traffic and 79% for unknown malicious traffic. After a few rounds of training, the accuracies improved to 99.5% and 89.4%. The model also exhibited robust performance during expansion.

Haosu Cheng,Jianwei Liu,Tongge Xu,Bohan Ren,Jian Mao,Wei Zhang

DOI: https://doi.org/10.1504/ijsnet.2020.109720

2020-01-01

International Journal of Sensor Networks

Abstract:The software-defined network (SDN) enabled internet of things (IoT) architecture is deployed in many industrial systems. The ability of SDN to intelligently route traffic and use underutilised network resources, enables IoT networks to cope with data onslaught smoothly. SDN also eliminates bottlenecks and helps to process IoT data efficiently without placing a larger strain on the network. The SDN-based IoT network is vulnerable to DDoS attack in a sophisticated usage environment. The SDN-based IoT network behaviours are different from traditional networks, which makes the detection of low-traffic DDoS attacks more difficult. In this paper, we propose a learning-based detection approach that deploys learning algorithms and utilizes stateful and stateless features from Openflow packages to identify attack traffics in SDN control and data planes. Our prototype approach and experiment results show that our system identified the low-rate DDoS attack traffic accurately with relatively low system performance overheads.

Kyle Stein,Andrew A. Mahyari,Guillermo Francia III,Eman El-Sheikh

2024-09-17

Abstract:As the complexity and connectivity of networks increase, the need for novel malware detection approaches becomes imperative. Traditional security defenses are becoming less effective against the advanced tactics of today's cyberattacks. Deep Packet Inspection (DPI) has emerged as a key technology in strengthening network security, offering detailed analysis of network traffic that goes beyond simple metadata analysis. DPI examines not only the packet headers but also the payload content within, offering a thorough insight into the data traversing the network. This study proposes a novel approach that leverages a large language model (LLM) and few-shot learning to accurately recognizes novel, unseen malware types with few labels samples. Our proposed approach uses a pretrained LLM on known malware types to extract the embeddings from packets. The embeddings are then used alongside few labeled samples of an unseen malware type. This technique is designed to acclimate the model to different malware representations, further enabling it to generate robust embeddings for each trained and unseen classes. Following the extraction of embeddings from the LLM, few-shot learning is utilized to enhance performance with minimal labeled data. Our evaluation, which utilized two renowned datasets, focused on identifying malware types within network traffic and Internet of Things (IoT) environments. Our approach shows promising results with an average accuracy of 86.35% and F1-Score of 86.40% on different malware types across the two datasets.

Cryptography and Security,Machine Learning

Yixuan Zhao,Jianming Cui,Ming Liu

DOI: https://doi.org/10.1007/978-981-97-0801-7_12

2024-01-01

Abstract:With the rapid development of vehicle networks technologies, cyber security threats in the Internet have gradually penetrated into the Internet of vehicles. In view of the risks and challenges, this paper proposed a hybrid Meta-Learning based intrusion detection method, which core task is to distinguish normal and network flow samples as its learning task. By constructing a feature extraction network based on 3D-CNN, the characteristic values of network flow classification are learned, and then the constructed feature comparison network is used for learning and discrimination. It should be emphasized that the model can obtain enough prior knowledge to realize lightweight intrusion detection by constructing few-shot sample task training. In the experimental section, we first selected Car-Hacking dataset to evaluate the performance of the proposed method and analyze the accuracy, detection rate, precision, false positive rate and F-Score, etc., and extended the testing to the ICSX2012 dataset. The experimental results show that, the method proposed can effectively implement network intrusion detection in few-shot sample scenarios, and has the expansibility in cyber security applications.

Yun Zhang,Guoqiang Li,Qianqian Duan,Jianzhen Wu

DOI: https://doi.org/10.1016/j.phycom.2022.101931

IF: 2.379

2022-01-01

Physical Communication

Abstract:An enterprise’s private cloud may be attacked by attackers when communicating with the public cloud. Although traffic detection methods based on deep learning have been widely used, these methods rely on a large amount of sample data and cannot quickly detect new attacks such as Zero-day Attacks. Moreover, deep learning has a black-box nature and cannot interpret the detection results, which has certain security risks. This paper proposes an interpretable abnormal traffic detection method, which can complete the detection task with only a few malicious traffic samples. Specifically, it uses the covariance matrix to characterize each traffic category and then calculates the similarity between the query traffic and each category according to the covariance metric function to realize the traffic detection based on few-shot learning. After that, the traffic images processed by the random masks are input into the model to obtain the predicted probability of the corresponding traffic category. Finally, the predicted probability is linearly summed with each mask to generate the final saliency map to interpret and analyze the model decision. In this paper, experiments are carried out by simulating only 15 and 25 malicious traffic samples. The results show that the proposed method can obtain good accuracy and recall, and the interpretation analysis shows that the model is reliable and interpretable.