Encrypted Traffic Detection Method Based on Knowledge Distillation

Journal of Information Security Reserach ›› 2025, Vol. 11 ›› Issue (8): 702-.

Previous Articles Next Articles

Encrypted Traffic Detection Method Based on Knowledge Distillation

Dai Xilai, Tang Yanjun, Qiu Yudie, and Wang Zi’ang

(School of Public Security Information Technology and Intelligence, Criminal Investigation Police University of China, Shenyang 110854)

Online:2025-08-28 Published:2025-08-28

基于知识蒸馏的加密流量检测方法

戴熙来汤艳君邱雨蝶王子昂

(中国刑事警察学院公安信息技术与情报学院沈阳110854)

通讯作者: 汤艳君教授，硕士生导师.主要研究方向为电子数据取证. tyj6631@sina.com
作者简介:戴熙来硕士研究生.主要研究方向为网络空间安全与电子数据取证. 939722097@qq.com 汤艳君教授，硕士生导师.主要研究方向为电子数据取证. tyj6631@sina.com 邱雨蝶硕士研究生.主要研究方向为网络空间安全与电子数据取证. 2094267903@qq.com 王子昂硕士.主要研究方向为网络空间安全与电子数据取证. 497710073@qq.com

Abstract

Abstract: In recent years, with the rapid growth of Internet traffic, especially the popularity of encrypted communication, malicious traffic detection is facing a huge challenge, due to the limited resources and performance of mobile devices, which makes it more difficult to identify malicious behaviors in encrypted traffic on mobile. Therefore this paper proposes a knowledge distillation based encrypted traffic detection method. First, the traffic is transformed into images through visualization techniques; second, based on the ConvNeXt network architecture, the SK_SwiGLU_ConvNeXt network is constructed as the teacher network by introducing the SKNet attention mechanism and replacing the activation function GELU with SwiGLU; finally, the lightweight MobileNetV2 is selected as the student network and the use the teacher network to guide the student network training. The experimental results of this paper’s detection method on the publicly available dataset ISCX VPNNonVPN show that even in the resourceconstrained mobile device environment, the student network can improve the detection effect of the teacher model while reducing the model complexity, which proves that this method has efficient deployment potential on mobile devices.

Key words: encrypted traffic identification, knowledge distillation, ConvNeXt, SKNet, MobileNetV2, deep learning

摘要： 近年来，随着互联网流量的迅速增长，尤其是加密通信的普及，恶意流量检测面临巨大挑战，由于移动设备资源和性能有限，使得在移动端加密流量中识别恶意行为更加困难.因此提出了一种基于知识蒸馏的加密流量检测方法.首先，通过可视化技术将流量转化为图像；其次，在ConvNeXt网络架构的基础上，通过引入SKNet注意力机制，替换激活函数GELU为SwiGLU，构建了SK_SwiGLU_ConvNeXt网络作为教师网络；最后，选用轻量级的MobileNetV2为学生网络，并使用教师网络指导学生网络训练.该检测方法在公开数据集ISCX VPNNonVPN上的实验结果表明，即使在资源受限的移动设备环境中，学生网络也能在降低模型复杂度的同时提高教师模型的检测效果，证明了该方法在移动设备上具有高效的部署潜力.

关键词: 加密流量识别, 知识蒸馏, ConvNeXt, SKNet, MobileNetV2, 深度学习

CLC Number:

TP393.08

戴熙来, 汤艳君, 邱雨蝶, 王子昂, . 基于知识蒸馏的加密流量检测方法[J]. 信息安全研究, 2025, 11(8): 702-.

References

［1］Zscaler ThreatLabz. ThreatLabz 2023 enterprise IoTOT threat report［EBOL］. 2023 ［20250102］. https:www.zscaler.comresourcesindustryreportsthreatlabz2023ent erpriseioTotthreatreport.pdf［2］袁钦献. 加密网络流量分析关键技术研究与开发［D］. 西安: 西安电子科技大学, 2020［3］王洋, 陈紫儿, 柳瑞春, 等. 基于决策树算法的网络加密流量识别方法［J］. 长江信息通信, 2021, 34(11): 1517［4］Wang Y, Xiang Y, Zhang J, et al. A novel semisupervised approach for network traffic clustering［C］ Proc of the 5th Int Conf on Network and System Security. Piscataway, NJ: IEEE, 2011: 169175［5］Wang W, Zhu M, Wang J, et al. Endtoend encrypted traffic classification with onedimensional convolution neural networks［C］ Proc of the 2017 IEEE Int Conf on Intelligence and Security Informatics (ISI). Piscataway, NJ: IEEE, 2017: 4348［6］Liu C, He L, Xiong G, et al. FSNet: A flow sequence network for encrypted traffic classification［C］ Proc of the IEEE Conf on Computer Communications. Piscataway, NJ: IEEE, 2019: 11711179［7］邓昕, 刘朝晖, 欧阳燕, 等. 基于CNN CBAMBiGRU Attention的加密恶意流量识别［J］.计算机工程, 2023, 49(11): 178186［8］Hinton G. Distilling the knowledge in a neural network［J］. arXiv preprint, arXiv:1503.02531, 2015［9］Liu Z, Mao H, Wu C Y, et al. A convnet for the 2020s［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2022: 1197611986［10］Li X, Wang W, Hu X, et al. Selective kernel networks［C］ Proc of the IEEECVF Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2019: 510519［11］Shazeer N. Glu variants improve transformer［J］. arXiv preprint, arXiv:2002.05202, 2020［12］Sandler M, Howard A, Zhu M, et al. Mobilenetv2: Inverted residuals and linear bottlenecks［C］ Proc of the IEEE Conf on Computer Vision and Pattern Recognition. Piscataway, NJ: IEEE, 2018: 45104520［13］Gil G D, Lashkari A H, Mamun M, et al. Characterization of encrypted and VPN traffic using timerelated features［C］ Proc of the 2nd Int Conf on Information Systems Security and Privacy. Setúbal, Portugal: SciTePress, 2016: 407414［14］王伟. 基于深度学习的网络流量分类及异常检测方法研究［D］. 合肥: 中国科学技术大学, 2018［15］Longadge R, Dongre S. Class imbalance problem in data mining review［J］. arXiv preprint, arXiv:1305.1707,

[1]	. Fake News Detection Model Based on Crossmodal Attention Mechanism and#br# Weaksupervised Contrastive Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(8): 693-.
[2]	. Deep Learningbased Method for Encrypted Website Fingerprinting [J]. Journal of Information Security Reserach, 2025, 11(4): 304-.
[3]	. Research on Dataenhanced Multimodal False Information #br# Detection Framework#br# [J]. Journal of Information Security Reserach, 2025, 11(4): 377-.
[4]	. Privacypreserving Federated Learning Research Based on #br# Confused Modulo Projection Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 198-.
[5]	. Design of Adversarial Attack Scheme Based on YOLOv8 Object Detector [J]. Journal of Information Security Reserach, 2025, 11(3): 221-.
[6]	. Fake Face Detection Method Based on ConvNeXt [J]. Journal of Information Security Reserach, 2025, 11(3): 231-.
[7]	. Research on Deep Learningbased Spatiotemporal Feature Fusion Network Intrusion Detection Model [J]. Journal of Information Security Reserach, 2025, 11(2): 122-.
[8]	. A Malicious TLS Traffic Detection Method with Multimodal Features [J]. Journal of Information Security Reserach, 2025, 11(2): 130-.
[9]	. Research of Invisible Backdoor Attack Based on Interpretability [J]. Journal of Information Security Reserach, 2025, 11(1): 21-.
[10]	. Container Anomaly Detection Based on Attention Mechanism and Multiscale Convolutional Neural Network [J]. Journal of Information Security Reserach, 2025, 11(1): 35-.
[11]	. Encrypted Traffic Detection Technology for Multisession Coordinated #br# Attack Based on Deep Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(1): 66-.
[12]	. Image Processing Model Watermarking Method Based on #br# Attention Mechanism and Passport Layer Embedding#br# [J]. Journal of Information Security Reserach, 2024, 10(9): 849-.
[13]	. A Review of GPU Acceleration Technology for Deep Learning in Plaintext and Private Computing Environments [J]. Journal of Information Security Reserach, 2024, 10(7): 586-.
[14]	. Model of Intrusion Detection Based on Federated Learning and Convolutional Neural Network [J]. Journal of Information Security Reserach, 2024, 10(7): 642-.
[15]	. An Automatic Vulnerability Classification Framework Based on BiGRU TextCNN [J]. Journal of Information Security Reserach, 2024, 10(5): 446-.

Encrypted Traffic Detection Method Based on Knowledge Distillation

基于知识蒸馏的加密流量检测方法

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics