Few-Shot Learning for Malicious Traffic Detection with Sample Relevance Guided Attention

Abstract

Malicious traffic detection in IoT environments faces dual challenges: limited labeled data and heterogeneous, complex traffic patterns. To address these limitations, we propose a malicious traffic detection framework, GADF-SRGA, which integrates Gram-angle-difference-field (GADF) imaging with meta-learning. The framework first encodes raw IoT traffic into images via GADF, preserving the spatiotemporal characteristics of malicious traffic. It then employs meta-learning on these encoded images to enable feature-space learning under scarce data. In the inner loop, Sample-Relation Guided Attention (SRGA) leverages class-label-guided supervision graphs to learn sample similarity, improving intra-class compactness and inter-class separability in the feature space. Comprehensive evaluations on public IoT intrusion datasets Malicious_TLS and ToN_IoT demonstrate the framework’s superiority and robustness, particularly under class-imbalanced conditions, over baseline methods.

1. Introduction

Malicious Traffic Detection (MTD) is a critical technology for security defense in the Internet of Things (IoT), identifying potential malicious activities by monitoring abnormal behavior in network traffic in real-time. In response to the unique characteristics of heterogeneous devices, limited resources, and diverse communication protocols in the IoT, malicious traffic detection requires dynamic traffic analysis and lightweight detection algorithms, striking a balance between accuracy, real-time performance, and low computational overhead. Traditional traffic detection methods face critical challenges, including the variability and concealment of malicious traffic in IoT environments.

Machine learning methods can automatically learn feature representations, reducing reliance on manual feature engineering, and are suitable for large-scale traffic data analysis and complex pattern extraction. Le et al. [1] proposed an XGBoost-based IoT intrusion detection method to mitigate multiclass sample imbalance in the Industrial Internet of Things (IIoT), enhancing attack detection performance in such scenarios. Thakkar et al. [2] proposed a feature selection technique based on statistical importance fusion, which integrates standard deviation, mean, and median statistics to select relevant features and reduce redundant features. Thakkar et al. [3] integrated Autoencoder (AE) and Principal Component Analysis (PCA) techniques for feature dimensionality reduction, using AE to capture nonlinear relationships and PCA to capture linear relationships. Traditional machine learning methods have limitations in extracting deep features from sequence data, resulting in insufficient generalization performance.

In contrast, detection systems based on deep learning [4] demonstrate better accuracy and adaptability in detecting malicious traffic in the Internet of Things through hierarchical feature learning. Djenouri et al. [5] proposed the D2E-ADN framework, which combines data decomposition, deep learning, and evolutionary computation. The authors employ five clustering algorithms to decompose the data, a new RNN model, and two evolutionary algorithms to optimize the hyperparameters. The framework outperforms the baseline algorithm in terms of runtime and accuracy. Yang et al. [6] proposed a Data Purification Algorithm (DPA) to reduce data redundancy, enhanced the CNN structure based on separable convolution, and designed a lightweight detection algorithm, LSCNN. Wang et al. [7] proposed an automated lightweight spatiotemporal decoupling Transformer framework called AutoLDT, which improves model performance while reducing model complexity. Deep learning-based methods can better extract deep features. However, most of these methods require a large amount of data for training, which poses challenges for practical network traffic scenarios. In practical network scenarios, a large amount of data is normal, and destructive data only accounts for a small portion, but it can bring incalculable losses. In IoT traffic detection tasks, there is still room for improvement in detecting a small number of samples.

Few-shot learning has made significant progress in fields such as image classification [8] and temporal classification [9], but its research in malicious traffic detection is still in the exploratory stage. Few-shot learning is significant in detecting network traffic with scarce abnormal data. In the early exploration of using Few-shot learning for malicious traffic detection, researchers mainly focused on introducing the basic concepts of Few-shot learning into this field. Olasehinde et al. [10] were the first to apply meta-learning to intrusion detection, proposing a novel IDS based on three meta-learning algorithms. Subsequently, Lu et al. [11] developed an IoT intrusion detection model by combining Model-Agnostic Meta-Learning (MAML) and Convolutional Neural Networks (CNN). They also constructed the FSIDS-IoT dataset (integrating five public datasets with multiple attack scenarios) to support few-shot learning. Leveraging MAML, the model quickly adapts to new attacks and achieves high few-shot detection accuracy; however, it lacks sample diversity and practical deployment testing. To further improve the performance of Few-shot learning in malicious traffic detection, Wu et al. [12] proposed MASiNet, a multistage attention Siamese network. This model utilizes a carefully designed attention mechanism to more effectively extract network traffic features, while introducing a contrastive loss function to enhance the model’s ability to compare sample pairs. Experiments on NSL_KDD and UNSW_NB15 show that it outperforms existing methods. Most existing methods have not fully considered the relationships between samples, resulting in the feature representations learned by the model being less robust and discriminative, which limits the performance of Few-shot classification.

Therefore, inspired by previous research, we propose GADF-SRGA, a novel IoT malicious traffic detection framework. This framework combines temporal imaging techniques, few-shot meta-learning methods, and inter-sample class similarity relationships. First, the Gramian Angular Difference Field (GADF) imaging method encodes IoT network traffic data into two-dimensional images, preserving the temporal dependencies and pattern features of the traffic sequences. Convolutional networks are then used to extract features and generate a pre-trained model. Then, we propose the GADF-SRGA model, which enhances meta learning by incorporating a display-guided attention mechanism to capture inter-sample relationships. To verify the effectiveness of the proposed method, we validated the publicly available real IoT intrusion detection datasets ToN_IoT and Malicious_TLS. The contributions of this paper are as follows:

• We propose a detection framework based on GADF-SRGA, which solves the problem of insufficient malicious traffic recognition performance in public IoT traffic detection datasets Malicious_TLS and ToN_IoT.
• We utilize GADF image encoding to transform network traffic data into 2D images, thereby enhancing the representation of temporal and semantic features.
• We introduce few-shot learning methods to solve the problems of insufficient learnable samples and low recognition accuracy of newly emerging attack types in the Internet of Things environment.
• We propose a sample relevance guidance attention module, which addresses the issue of insufficient feature discriminability in existing few-shot classification methods by considering inter-image association relationships. This module significantly improves the model’s intra-class compactness and inter-class separability in the feature space.

2. Fundamental Technologies

This section sorts out the key technologies used and introduces the core principles of three key technologies: attention mechanism, model-agnostic meta-learning, and prototype classification.

2.1. Attention Mechanism

The attention mechanism [13] is a computational paradigm in deep learning that simulates how human attention is allocated. Its core is to improve the model’s ability to capture key information by dynamically adjusting its degree of attention to different input parts. The entire attention mechanism process can be divided into three parts: correlation measurement, weight normalization, and weighted feature output. In the correlation measurement stage, suppose the input features generate a query vector $\mathbf{Q}\in {\mathbb{R}}^{d_q\times L}$, a key vector $\mathbf{K}\in {\mathbb{R}}^{d_k\times L}$, and a value vector $\mathbf{V}\in {\mathbb{R}}^{d_v\times L}$ through linear transformation, where L is the length of the feature sequence, and $d_q=d_k$ must be satisfied. The correlation between $\mathbf{Q}$ and $\mathbf{K}$ is quantified by the dot product operation, and the formula is as follows:

$$\mathbf{S}={\displaystyle \frac{{\mathbf{Q}}^T\mathbf{K}}{\sqrt{d_k}}},$$

(1)

where $\sqrt{d_k}$ is a scaling factor, used to avoid numerical overflow caused by the dot product of high-dimensional vectors and ensure the stability of gradient backpropagation. In the weight normalization stage, the Softmax function is used to convert the correlation score $\mathbf{S}$ into a probability distribution with a sum of 1, and the attention weight matrix $\mathbf{A}\in {\mathbb{R}}^{L\times L}$ is obtained to realize the probabilistic highlighting of key features:

$$\mathbf{A}=\mathrm{Softmax}\left(\mathbf{S}\right)={\displaystyle \frac{exp\left({\mathbf{S}}_{ij}\right)}{{\sum }_{m=1}^{L}exp\left({\mathbf{S}}_{im}\right)}}.$$

(2)

where the larger the weight ${\mathbf{A}}_{ij}$, the higher the contribution of the j-th feature to the i-th query target. In the weighted feature output stage, through the weighted summation of the attention weight matrix $\mathbf{A}$ and the value vector $\mathbf{V}$, key information is aggregated, and the attention-enhanced feature is output:

$$\mathrm{Attention}(\mathbf{Q},\mathbf{K},\mathbf{V})=\mathbf{A}{\mathbf{V}}^T.$$

(3)

In summary, the core of the attention mechanism is to adaptively assign weights to input features, so that the model can specifically capture the differentiated features of samples.

2.2. Model-Agnostic Meta-Learning

Model-Agnostic Meta-Learning (MAML) [14] is a general framework in meta-learning suitable for few-shot scenarios. Its core goal is to optimize a set of initialized model parameters with strong generalization ability, enabling the model to quickly adapt to new tasks with only a few gradient updates. MAML is mainly divided into the meta-training phase and the meta-testing phase. The meta-training phase extracts general initialized parameters from many known malicious traffic tasks through task sampling and continuous iteration of inner and outer loop optimization to quickly adapt to new tasks in the meta-testing phase.

In the meta-training phase, first, N-way K-shot tasks are generated according to the task distribution $p\left(\mathcal{T}\right)$. Each task ${\mathcal{T}}_i$ consists of a support set $D_{\mathrm{Support},i}$ and a query set $D_{\mathrm{Query},i}$, where N is the number of categories and K is the number of samples per category. In the meta-training phase, N known categories are selected to maintain the consistency of task distribution. Each category extracts K labeled samples to form $D_{\mathrm{Support},i}$, and then extracts $n_q$ samples to form $D_{\mathrm{Query},i}$, where the sample categories are the same, but there are no overlapping samples between the support set and the query set. Then, for each generated task ${\mathcal{T}}_i$, the inner loop starts with the initial meta-parameter $\theta$, calculates the loss ${\mathcal{L}}_{{\mathcal{T}}_i}\left(f_{\theta }\right)$ on the support set $D_{\mathrm{Support},i}$, and updates the parameters in the direction opposite to the loss gradient, thereby performing task-level rapid fine-tuning. The update formula for the meta-parameter $\theta$ is

$${\theta }^{\prime }=\theta -\alpha {\nabla }_{\theta }{\mathcal{L}}_{{\mathcal{T}}_i}\left(f_{\theta }\right),$$

(4)

where $\alpha$ is the inner loop learning rate.

After completing the inner loop fine-tuning of each task ${\mathcal{T}}_i$, outer loop parameter optimization is performed. The initial meta-parameter $\theta$ is updated by aggregating the loss of the query set $D_{\mathrm{Query},i}$, and the meta-loss is

$${\mathcal{L}}_{\mathrm{meta}}=\sum _{{\mathcal{T}}_i}{\mathcal{L}}_{{\mathcal{T}}_i}\left(f_{{\theta }^{\prime }}\right).$$

(5)

Subsequently, the initial parameter $\theta$ is updated along the gradient direction of the meta-loss as follows:

$$\theta \leftarrow \theta -\beta {\nabla }_{\theta }{\mathcal{L}}_{\mathrm{meta}}$$

(6)

where $\beta$ is the outer loop learning rate.

In the meta-testing phase, the model’s ability to quickly adapt to new samples is verified through three links: constructing new tasks, parameter fine-tuning, and performance evaluation. First, select an N-way K-shot task ${\mathcal{T}}_{\mathrm{test}}$ containing new-type samples from the test set $D_{\mathrm{test}}$. Among them, the support set $D_{\mathrm{Support},\mathrm{test}}$ is K labeled samples of this new-type malicious traffic category, and the query set $D_{\mathrm{Query},\mathrm{test}}$ is unlabeled samples of the same type, to simulate the detection scenario when encountering new-type malicious traffic. For ${\mathcal{T}}_{\mathrm{test}}$, using the optimal initial parameter ${\theta }^{*}$ obtained from meta-training, gradient fine-tuning is performed through the inner loop to generate a parameter ${\theta }_{\mathrm{test}}$ adapted to new-type malicious traffic. The fine-tuning formula is

$${\theta }_{\mathrm{test}}={\theta }^{*}-\alpha {\nabla }_{{\theta }^{*}}{\mathcal{L}}_{{\mathcal{T}}_{\mathrm{test}}}\left(f_{{\theta }^{*}}\right)$$

(7)

In the meta-testing phase, the model does not require retraining, and adaptation can be completed with only a small number of gradient updates.

2.3. Prototypical Networks

Prototypical Networks [15] is a core framework based on the metric learning paradigm, suitable for handling fast adaptation problems under limited data conditions. A prototype is a typical feature representative of each category, composed of the mean value of the feature vectors of samples of that category in the support set. Prototypical Networks realize the rapid recognition of new categories through category prototype representation learning and feature distance metric. Prototypical Networks transform the classification problem into a distance calculation problem through four steps: feature embedding, prototype construction, distance metric, and classification decision. In the feature embedding stage, the original data is mapped to a high-dimensional feature space through a differentiable model to achieve effective feature extraction.

In the feature embedding stage, the original data is mapped to a high-dimensional feature space through a differentiable model to achieve effective feature extraction. When $\forall x\in D$, its feature vector is $e=f_{\varphi }\left(x\right)\in {\mathbb{R}}^d$, where d is the embedding dimension.

In the prototype calculation stage, for the k-th category in the N-way K-shot task $T_i$, where $k=1,2,\dots ,N,$ its support set is $D_{\mathrm{Support},i}^k=\{x_{i1}^k,x_{i2}^k,\dots ,x_{iK}^k\}$, and the corresponding feature vectors are $\{e_{i1}^k,e_{i2}^k,\dots ,e_{iK}^k\}$. The calculation formula for the prototype vector of this category is $c_k={\displaystyle \frac{1}{K}}{\sum }_{x\in D_{\mathrm{Support},i}^k}{f}_{\varphi }\left(x\right)$. As shown in Figure 1, the prototypes of each category are represented as blue squares.

In the distance metric stage, Prototypical Networks realizes classification by measuring the distance between the query sample and the prototypes of each category. The smaller the distance, the higher the feature similarity between the sample and the category. The Euclidean distance is used to measure the distance between the feature $e_q=f_{\varphi }\left(x_q\right)$ of the query sample and each prototype $c_k$, as shown below:

$$d(e_q,c_k)=\left|\right|e_q-c_k{\left|\right|}_2^2$$

(8)

In the classification decision stage, the distance is converted into a classification probability, and the Softmax function is used to normalize the negative distance. The probability that the query sample $x_q$ belongs to the k-th category is

$$p(y=k|x_q)={\displaystyle \frac{exp(-\lambda d(e_q,c_k))}{{\sum }_{m=1}^{N}exp(-\lambda d(e_q,c_m))}}$$

(9)

where $\lambda$ is a distance scaling factor, used to adjust the weight of the distance’s influence on the probability. The model is trained with cross-entropy loss as the optimization objective, and the classification error of the query set is minimized as follows:

$$\mathcal{L}\left(\varphi \right)=-{\displaystyle \frac{1}{|D_{\mathrm{Query},i}|}}\sum _{x_q\in D_{\mathrm{Query},i}}logp\left(y_{\mathrm{true}}\right|x_q)$$

(10)

3. Proposed Approach

The overall framework of GADF-SRGA is shown in Figure 2, which includes three parts: the traffic data visualization module, the Sample Relevance Guided Attention module, and the Nearest Prototype Classifier (NPC) module. The traffic data visualization module effectively extracts global spatial features and correlation information between features by converting traffic data into image data, thereby enhancing the spatial representation ability in network malicious traffic detection. It also uses a ResNet-based backbone to obtain pre-trained models. Then, in the Few-shot learning framework based on meta-learning, a sample association-guided attention mechanism is introduced, and the support set labels are used to explicitly guide the model to enhance the extraction of same-class relationships and expand the distance between different classes, thereby improving inter-class discrimination. Finally, based on the variable nature of task-learning categories, a nearest neighbor prototype classifier is used to classify the query set samples.

3.1. GADF Encoder

Raw traffic data exists only in a one-dimensional form composed of discrete time points, which makes it difficult to reflect temporal correlation characteristics—such as those of burst traffic. This limitation imposes constraints on traditional time-series analysis methods when capturing complex features. Specifically, traditional traffic processing methods face two key challenges: on one hand, they struggle to model the spatiotemporal correlation of multi-dimensional traffic features and fail to effectively capture dynamic collaborative patterns between different traffic dimensions; on the other hand, their ability to represent features of bursty and non-linear malicious traffic patterns is relatively limited, which often results in the loss of detailed information about key patterns during the feature extraction process. Furthermore, in few-shot scenarios, one-dimensional time-series data has an inherent attribute of sparse features, which cannot adequately support the model in quickly learning generalizable feature representations. This inadequacy further impacts the detection performance for new and unknown malicious traffic. To address this issue, we adopt the Gramian Angular Difference Field (GADF) [16] to perform spatiotemporal feature reconstruction and modal conversion on network traffic data, thereby facilitating the extraction of fine-grained features.

The GADF is an image encoding technology that maps one-dimensional time-series data to two-dimensional images via polar coordinate transformation and Gram matrix construction, while completely preserving the temporal dependence and spatial correlation of the data. Compared with GASF and MTF, GADF more effectively captures the dynamic patterns of time series and converts them into image-based visual representations, facilitating subsequent feature extraction and classification. The implementation process of this technology is as follows: first, the one-dimensional time-series data is normalized to the interval [−1, 1]; after normalization, the value of each time-series point corresponds to two elements of polar coordinates, namely the angle and the radius. Subsequently, a two-dimensional image is generated through the matrix operation of the GADF. During this process, two key conversions take place: first, the order of the time-series data is converted into the spatial positional relationship of the image; second, the magnitude and variation trend of the data values are converted into the texture and shape features of the image. Ultimately, the dynamic patterns of the time series are fully encoded into the visual structure of the image. For a detailed implementation of the GADF-based encoding workflow, refer to Algorithm 1.

Algorithm 1 GADF encoding for converting traffic data to images

Input: Traffic data $T=\{T_1,T_2,\dots ,T_N\}$, where N denotes the batch size, the  k-th time-series data $T_k=\{t_{k1},t_{k2},\dots ,t_{kL}\}L\ge \omega$, the normalized scaling limit $[-1,1]$, sliding window size $\omega$ used to truncate the length of the time-series data.

Output: The set of GADF image matrices $G=\{G_1,G_2,\dots ,G_N\}$ corresponding to the traffic data sequence $T=\{T_1,T_2,\dots ,T_N\}$ is constructed as follows, where each $G_k\in {\mathbb{R}}^{\omega \times \omega }$ uniquely corresponds to the timeseries data $T_k$ in a one-to-one manner.

1. For each $T_k\in T$, $k=1,...,N$: $G_k\leftarrow 0_{\omega \times \omega }$ // Initialize the GADF Matrix $G_k$ of the k-th sample

// Data standardization

2. For $i=1$ to $\omega$:

3.        ${\tilde{t}}_{ki}={\displaystyle \frac{2(t_{ki}-min\left(T_k\right))}{max\left(T_k\right)-min\left(T_k\right)}}-1\in [-1,1]$ // Normalize within a single traffic flow  $T_k$

4.        ${\tilde{t}}_{ki}\leftarrow \mathrm{CLIP}({\tilde{t}}_{ki},-1,1)$, where ${\tilde{T}}_k=[{\tilde{t}}_{k1},{\tilde{t}}_{k2},\dots ,{\tilde{t}}_{k\omega }]$ //Truncate individual elements

5. End for

// Polar coordinate transformation

6. For $i=1$ to $\omega$:

7.         ${\varphi }_{ki}=arccos\left({\tilde{t}}_i\right)\in [0,\pi ]$ // Angle corresponding to ${\tilde{t}}_{ki}$

8.      ${\gamma }_{ki}={\displaystyle \frac{i}{\omega }}\in [0,1]$ // Radius

9. End For

// Gram Matrix Calculation

10. For $i=1$ to $\omega$:

11.        For $j=1$ to $\omega$:

12.              $G_{k,ij}=sin({\varphi }_{ki}-{\varphi }_{kj})={\sqrt{1-{\tilde{t}}_{ki}^2}}^T·{\tilde{t}}_{kj}-{\tilde{t}}_{ki}·\sqrt{1-{\tilde{t}}_{kj}^2}$

13.       End for

14. End for

15. $G_k\leftarrow 255·{\displaystyle \frac{G_k+1}{2}}$ // Image Scaling for $G_k$

16. Return $G=\{G_1,G_2,\dots ,G_N\}$

Based on Algorithm 1, the traffic image dataset G can be obtained. The image data set is partitioned into mini-batches with a batch size of M, resulting in input images ${\left\{g_i\right\}}_{i=1}^M$ for each batch. Subsequently, the d-dimensional feature vectors $b_i\in {\mathbb{R}}^{1\times d}$ are extracted from each batch of images using a backbone feature extractor. Finally, the feature vectors $b_i\in {\mathbb{R}}^{1\times d}$ from each batch are concatenated along the sample dimension, yielding the basic feature $G_B\in {\mathbb{R}}^{N\times d}$.

The image encoding technology of the GADF mainly lies in three aspects: first, it converts the temporal dependence and numerical relationships of the one-dimensional time series into the spatial structure of two-Zdimensional images, facilitating the capture of multiscale local and global patterns; second, two-dimensional images can directly reuse mature image processing technologies, enabling efficient extraction of high-level visual features; third, the image-based dense feature representation can provide richer pattern information for meta-learning frameworks in few shot scenarios, thereby accelerating the model’s adaptation process to new types of malicious traffic.

3.2. Class-Sparse Attention Module

Malicious traffic classification frequently confronts novel traffic family attacks, such as zero-day vulnerabilities and variant ransomware samples, where the labeled samples of such novel malicious traffic are incredibly scarce, rendering it a typical few-shot classification scenario. Traditional methods rely solely on implicit feature similarity, which is prone to missing detections due to the one-sidedness of single-sample features; meanwhile, the full-attention mechanism tends to introduce noise. To address these issues, this paper proposes a class-sparse attention mechanism, which filters out noise via top-K sparsification and employs a guided map for explicit supervision to align with true categories. It aggregates the standard features of samples within the same class to compress intra-class differences and enlarge inter-class distances. Ultimately, it re-weights via the inter-sample class similarity graph $SR$ to generate the class-sparse attention feature $G_S$ with explicit category association information. The detailed specifics are presented as follows.

The base feature undergoes three linear transformations $Q,K,V={\mathrm{Linear}}_{q,k,v}\left(G_B\right)$ to obtain query, key, and value vectors $Q,K,V\in {\mathbb{R}}^{N\times d}$. Only the top K high-similarity associations are retained to construct the inter-class similarity graph $SR$ of samples. The raw inter-class similarity score of samples is given by $S_{\mathrm{raw}}={\displaystyle \frac{Q{K}^T}{\sqrt{h}}}$, where h is the scaling factor in the attention mechanism. The top-K sparsification strategy is defined as follows: for each class i, the top K associations with the highest similarity scores to other classes are retained, and the rest are set to 0, yielding the sparsified inter-class similarity score $S_{sparse,i}=\mathrm{Top}K(S_{raw,i},k=K)$.

Finally, the sigmoid function is used for activation to generate the final inter-class similarity graph of samples as follows:

$$SR=\mathrm{sigmoid}\left(S_{sparse}\right)={\displaystyle \frac{1}{1+e^{-S_{sparse}}}}, s_{ij}\in (0,1)$$

(11)

Unlike traditional few-shot learning methods that only indirectly optimize features via classification loss and tend to learn spurious similarities due to the lack of explicit constraints on class associations, this paper adopts a guided map (GM) to supervise SR explicitly. It constrains SR to align with true class relationships through a loss function. For a batch of input samples containing N samples and L classes, its one-hot encoding matrix is denoted as $onehot$. The guided map GM is obtained by multiplying the one-hot encoding matrix: $GM=onehot\times oneho{t}^T$, $GM\in {\mathbb{R}}^{N\times N}$. Its elements are defined as follows:

$$g_{ij}=\left\{\begin{array}{cc}1,\hfill & \mathrm{the} \mathrm{two} \mathrm{samples} \mathrm{belong} \mathrm{to} \mathrm{the} \mathrm{same} \mathrm{class}\hfill \\ 0,\hfill & \mathrm{the} \mathrm{two} \mathrm{samples} \mathrm{belong} \mathrm{to} \mathrm{different} \mathrm{classes}\hfill \end{array}\right.$$

(12)

GM provides label-level information to supervise the inter-class similarity graph SR of samples. GM enables the network to capture the true relationships between samples. Then, the value vector V is re-weighted by the inter-class similarity graph SR to obtain the class-sparse attention feature $G_S\in {\mathbb{R}}^{N\times d}$ for each sample:

$$G_S=\mathrm{softmax}\left(SR\right)\times V,$$

(13)

where × denotes matrix multiplication and the softmax function ensures that the weighted aggregated features are consistent in scale with the original features. This class-sparse attention mechanism can thus obtain the task-relevant similarity graph SR of similar samples and the class-sparse attention feature $G_S\in {\mathbb{R}}^{N\times d}$ for malicious traffic classification.

 Compared with the attention mechanism in Transformers [13], the SRGA module exhibits differences in attention modeling granularity. Standard self-attention calculates attention weights at the token level, focusing on temporal dependencies between individual tokens in the input sequence. In contrast, the SRGA module models attention directly at the sample level, prioritizing correlations among entire malicious traffic samples rather than local token features. This makes SRGA more suitable for few-shot traffic detection tasks that require mining global sample relationships. Cross-attention relies on bidirectional mapping between the query set and the key-value set, yet lacks explicit category supervision and is susceptible to noise interference from heterogeneous traffic features. The SRGA module introduces a class-label-guided supervision graph that imposes sparse constraints on attention weights, retaining only the top-K high-similarity sample associations to suppress invalid cross-class attention calculations. This approach effectively reduces computational redundancy while enhancing intra-class compactness. Standard self-attention employs a unified scaled dot-product computation for all attention weights, leading to non-targeted weight allocation. In contrast, the SRGA module employs a dynamic weight allocation mechanism based on sample class similarity, strengthening association weights within the same malicious traffic family while weakening those of heterogeneous samples. This design enhances the model’s ability to distinguish between similar attack types in few-shot scenarios.

For each corresponding element in the inter-class similarity graph $SR$ and the guided map $GM$, the relationship loss $L_u$ is computed using the following formula:

$$L_u=-{\displaystyle \frac{1}{N^2}}\sum _{i=1}^N\sum _{j=1}^N\left(g_{ij}log{s}_{ij}+(1-g_{ij})log(1-s_{ij})\right),$$

(14)

where $s_{ij}\in SR$ is denotes the inter-class similarity score between sample i and sample j, and $g_{ij}\in GM$ represents the true class association label for the two samples. By constructing this relationship loss $L_u$, the learning process of the inter-class similarity graph $SR$ is explicitly guided to align its elements with those of $GM$, thereby achieving more compact intra-class clustering of malicious traffic samples in the feature space from a global perspective and further enhancing the model’s generalization ability for few-shot novel malicious traffic.

3.3. Fusion Features

The base features extracted by the backbone network contain fine-grained information about samples, but they tend to lack class association, resulting in insufficient discriminability in few-shot scenarios. By contrast, the class-sparse attention features are generated under the supervision of the guided map; they can capture the correlation information of samples within the same class, yet may lose the fine-grained details of individual samples. To dynamically and adaptively fuse the base features extracted by the backbone network with the class-sparse attention features based on class information, this paper proposes an adaptive feature fusion strategy.

Given that base features and class-sparse attention features exhibit distinct focuses, each feature is incorporated with learnable feature weighting parameters. Accordingly, we define a weight parameter $\alpha \in {\mathbb{R}}^{1\times d}$ and a bias parameter $\beta \in {\mathbb{R}}^{1\times d}$ for the base features and class-sparse attention features of input samples. For each feature, the linear transformation function $\delta (·)$ parameterized by a and b is expressed as follows:

$$\delta \left(g\right)={\displaystyle \frac{g-E\left[g\right]}{\sqrt{Var\left[g\right]+\epsilon }}}\times \alpha +\beta , g\in {\mathbb{R}}^{1\times d},$$

(15)

where $E[·]$ represents the mean operation, $Var[·]$ describes the variance operation, and $\epsilon$ is a constant infinitely close to 0. The learnable parameter weights of the original and sparse features are independent. By linearly weighting the original features and the aggregated features, and then cascading the dimensions, the fusion feature $G_F\in {\mathbb{R}}^{N\times d}$ of the original features and sparse features is obtained, as shown below:

$$G_F=\delta \left(G_B\right)\oplus \delta \left(G_S\right), G_F\in {\mathbb{R}}^{N\times 2d}.$$

(16)

where ⊕ represents the connection operation.

3.4. Nearest Neighbor Prototype Classifier

The standard Few-Shot Classification (FSC) problem provides a training set $D_{Train}$ and a test set $D_{\mathrm{Test}}$. The FSC model is trained on a randomly sampled sequence of tasks from $D_{Train}$, and then evaluated on a randomly sampled sequence of tasks from $D_{Test}$. Each task consists of two disjoint sets: the support set $D_{Support}$ and the query set $D_{Query}$, arranged according to the N-way K-shot setting, defined as $D_{Support}={\left\{(g_i^{sp},l_i^{sp})\right\}}_{i=1}^{N\times K}$ where $n_p$ samples are organized. The query set is denoted as $D_{Query}={\left\{(g_i^{\mathrm{qy}},l_i^{\mathrm{qy}})\right\}}_{i=1}^{n_{qy}}$ and shares a common label space with the support set. During the training phase, the FSC model learns from the support set and then extracts from $D_{Train}$ to evaluate on the query set. This training strategy enables the model to effectively handle the behavior of processing a few samples, thereby enhancing the model’s robustness.

Recently, based on meta-learning approaches, the model has shown superior performance in various tasks. The original network framework calculates the average probability for each class K as follows: ${\overline{c}}_k={\displaystyle \frac{1}{|D_{Support}^k|}}{\sum }_{(g_i^{sp},l_i^{sp})\sim S_k}{f}_{\theta }\left(g_i\right)$, where $D_{Support}^k$ represents samples of class K, and $f_{\theta }\left(g_i\right)$ denotes the feature extraction. Subsequently, the classification probabilities for each sample class are computed using the Softmax function to obtain the class probabilities.

$$p_{\theta }(l=k|g^q)={\displaystyle \frac{exp(-\parallel f_{\theta }\left(g^q\right)-p_k{\parallel }_2^2)}{{\sum }_{k=1}^{N}exp(-\parallel f_{\theta }\left(g^q\right)-p_k{\parallel }_2^2)}}$$

(17)

where $p_k$ is the class prototype. The distance between the sample feature $f_{\theta }\left(g^q\right)$ and the class prototype $p_k$ indicates the proximity of the sample to the respective class. The function $exp(-d_c)\in (0,1)$ is used for normalizing the Euclidean distance $d_c$, which represents the distance between samples. The higher the distance, the larger the influence on the classification. N represents the number of classes. The learning process minimizes the loss function $L=-{log}_{p_{\theta }}(l=k|g_i^{qy})$. In this paper, we employ the cross-entropy loss to minimize the prediction error of the query samples for each task, as follows:

$$L_{\mathrm{s}}=-{\displaystyle \frac{1}{n_q}}\sum _{q=1}^{n_q}\sum _{k=1}^N{x}_{q}log\left(p_{\theta }(l_i=k|g_q)\right)$$

(18)

where $n_q$ is the number of samples in the query set of a task, and N is the total number of classes in the dataset. $x_q$ is the ground truth label, which is 1 if the query sample q truly belongs to class k, and 0 otherwise. $p_{\theta }(l=k|g_i^{qv})$ is the sample classification probability obtained from Equation (17). Finally, based on the sample-based loss, the total loss $L_u$ for classification learning and cross-entropy defined in (3) is given by:

$$L_p={\lambda }_s{L}_{\mathrm{s}}+{\lambda }_u{L}_u$$

(19)

where ${\lambda }_s$ and ${\lambda }_u$ are hyperparameters that control the impact of each loss term on the overall loss.

4. Experimental Design and Results Analysis

This section describes the dataset, relevant experimental details, and experimental setup.

4.1. Datasets Description

To verify the effectiveness and detection performance of GADF-SRGA in real-world IoT environments, we conduct IoT intrusion detection using the private dataset Malicious_TLS and the public dataset ToN-IoT. The Malicious_TLS dataset is a malicious traffic dataset captured from real edge network devices, where all traffic is encrypted with TLS technology. This dataset contains 22 different types of traffic. The ToN-IoT dataset contains traffic captured from real IoT environments, including 10 different types of traffic. The training set and test set are partitioned in a ratio of 7:3. As shown in Figure 3, it illustrates the class distribution and categorization of the ToN-IoT dataset, where class 0 represents benign samples, and the remaining classes correspond to different malicious traffic families.

In the ToN-IoT dataset, benign samples account for approximately 68.1%. Among the malicious traffic families, except for Class 4 which represents 0.2%, each of the remaining classes accounts for about 4.3%, indicating a significant difference in the number of samples across malicious traffic families.

As shown in Figure 4, it presents the class distribution of the Malicious_TLS dataset, where Class 0 denotes benign samples and the rest correspond to different malicious traffic families.

In the Malicious_TLS dataset, benign samples account for 34.9%. There are significant differences in the occurrence counts and proportions among different malicious traffic families; for instance, Class 20 occurs 4798 times, while Class 16 only appears 1107 times, indicating a significant class imbalance.

4.2. Experimental Settings

Experimental environment: All experiments were conducted on the same device, equipped with an NVIDIA A100 80GB GPU. The experimental setup is configured with Python 3.12, PyTorch 2.5, and CUDA 12.1 to ensure an efficient, reproducible experimental environment.

To verify the effectiveness of the proposed method, this experiment utilizes four commonly used evaluation metrics in malicious traffic detection and classification: accuracy (Acc), precision (Pr), recall (Rc), and F1-score (F1). The specific calculation methods are shown in Equations (20)–(23). This section may be divided by subheadings. It should provide a concise and precise description of the experimental results, their interpretation, and the conclusions that can be drawn.

$$Accuracy={\displaystyle \frac{TP+TN}{TP+FP+TN+FN}}$$

(20)

$$Precision={\displaystyle \frac{TP}{TP+FP}}$$

(21)

$$Recall={\displaystyle \frac{TP}{TP+FN}}$$

(22)

$$F1-\mathrm{score}={\displaystyle \frac{2\times Precision\times Recall}{Precision+Recall}}$$

(23)

Model parameter settings: The configuration of important hyperparameters of the model is shown in

Table 1. Model hyperparameter combinations.

Hyperparameters	Values
Learning rate	0.001
Number of iterations	200
Num_episode	600
Guided classification loss weight	1.0, 1.5
Image size	28
Embedding dimension, integrating dimension	64, 64

.

As shown in Table 1, in the hyperparameter configuration, the learning rate is set to 0.001, which balances the convergence rate and stability of parameter updates in the meta-learning framework; the number of epochs is set to 200 to ensure the model entirely fits the meta-training data; the number of meta-learning task-based training episodes (Num_episode) is set to 600, and multi-task sampling in each meta-training phase enhances the model’s generalization ability in few-shot scenarios; the multi-source guided classification loss weights $\lambda ,\mu$ are set to 1.0 and 1.5 respectively, balancing the contributions of different classification losses; the image size $S_{\mathrm{img}}$ is 28, adopting lightweight encoding for malicious traffic features; both the embedding dimension $d_m$ and the fusion dimension $d_o$ are 64, ensuring the efficiency of feature embedding and feature interaction.

According to the characteristics of meta-learning, the dataset needs to be divided into two parts: the meta-training set and the meta-validation set, each part containing a support set and a query set. Taking the Malicious_TLS dataset as an example, the initial dataset has 23 categories, including 22 attack categories and 1 benign category. Firstly, the 23 categories of the dataset were shuffled, and 18 categories were randomly selected as the meta-training set, while 5 categories were chosen as the meta-validation set. Randomly select 15 samples from each category as the query set and N = {1, 5, 10} samples as the support set. The tasks required for meta-learning are randomly combined from these categories, with each task containing a small number of training and testing samples.

4.3. Comparative Experiments with Meta-Learning Approaches

To evaluate the traffic classification performance of the proposed method under few-shot conditions, we established three scenarios: 5-way 10-shot, 5-way 5-shot, and 5-way 1-shot. We employed four metrics, namely Accuracy (Acc), Precision (Pr), Recall (Rc), and F1-score (F1), for assessment and mitigated randomness through cross-task validation. Firstly, comparative experiments were conducted on the Malicious_TLS dataset, contrasting the proposed method with four classic meta-learning models in the few-shot domain, including MAML, Reptile, MatchingNet, and ProtoNet. The comparison results are summarized in

Table 2. Performance Comparison on the Malicious_TLS Dataset (%).

Model	5way_1shot				5way_5shot				5way_10shot
	Acc	Pr	Rc	F1	Acc	Pr	Rc	F1	Acc	Pr	Rc	F1
MAML	88.94	87.42	88.94	88.05	87.70	85.35	87.70	86.35	90.81	88.75	90.81	89.65
Reptile	76.63	76.28	76.63	76.51	79.40	77.74	79.40	78.56	79.67	77.86	79.67	78.76
MatchingNet	96.69	96.74	96.69	96.72	97.28	97.19	97.28	97.22	97.45	97.40	97.45	97.41
ProtoNet	96.69	96.76	96.69	96.73	97.28	97.36	97.28	97.31	97.51	97.52	97.21	97.36
Ours	97.17	97.14	96.09	96.61	97.34	97.56	97.34	97.45	97.72	97.89	97.72	97.79

.

As shown in Table 2, the metrics represented in bold indicate the highest performance values, while the metrics represented in underlined text denote the second-highest performance values. In the various few-shot scenarios of the Malicious_TLS dataset, the proposed method consistently demonstrates performance advantages. Specifically, it achieves an accuracy metric of 97.17% in the 5-way 1-shot scenario, which increases to 97.34% in the 5-way 5-shot scenario, and further improves to 97.72% in the 5-way 10-shot scenario. In the 5-way 1-shot scenario, the method demonstrates superior performance in terms of accuracy and precision, reaching 97.17% and 97.14%, respectively, while the second-best methods, MatchingNet and ProtoNet, attain an accuracy of 96.69%. In the 5-way 5-shot scenario, the proposed method achieves the highest performance across all four metrics, with values of 97.34%, 97.56%, 97.34%, and 97.45%; the second-best method, ProtoNet, scores 97.28%, 97.36%, 97.28%, and 97.31%. In the 5-way 10-shot scenario, the proposed method maintains its superiority with an accuracy of 97.72%, which is 0.21 percentage points higher than the second-best method, ProtoNet, at 97.51%. In summary, the proposed method consistently surpasses the baseline models in all evaluation metrics across the few-shot scenarios of Malicious_TLS traffic.

Next, for the ToN_IoT dataset, we conducted comparative experiments between the proposed method and four classic few-shot models: MAML, Reptile, MatchingNet, and ProtoNet. The comparison results are shown in the

Table 3. Performance Comparison on the ToN_IoT Dataset (%).

Model	5way_1shot				5way_5shot				5way_10shot
	Acc	Pr	Rc	F1	Acc	Pr	Rc	F1	Acc	Pr	Rc	F1
MAML	84.45	85.76	84.45	85.00	90.12	91.28	90.12	90.67	91.45	92.58	91.45	92.00
Reptile	56.60	55.35	56.60	55.86	67.17	65.86	67.17	66.53	69.40	69.21	69.40	69.30
MatchingNet	76.71	74.90	76.71	75.62	92.72	92.45	92.72	92.54	92.95	93.63	92.95	93.26
ProtoNet	84.59	86.09	84.59	85.27	92.20	93.41	92.20	92.79	93.36	94.41	93.36	93.88
Ours	92.37	92.84	92.37	92.57	96.56	96.60	96.56	96.56	97.81	97.95	97.81	97.88

.

As shown in Table 3, the metrics represented in bold indicate the highest performance values, while the metrics represented in underlined text denote the second-highest performance values. In the various few-shot scenarios of the ToN_IoT dataset, specifically from 5-way 1-shot to 5-way 10-shot, the proposed method consistently demonstrates performance advantages. In the 5-way 1-shot scenario, the accuracy reaches 92.37%, while the accuracy for the 5-shot scenario is 96.56%, and it further increases to 97.81% in the 10-shot scenario. In the 5-way 1-shot scenario, the proposed method achieves the best performance, with accuracy and precision values of 92.37% and 92.84%, respectively. The following method, ProtoNet, has an accuracy of 84.59% and a precision of 86.09%. In the 5-way 5-shot scenario, the proposed method is optimal across all four evaluation metrics, achieving an accuracy of 96.56%, which is 3.84 percentage points higher than the next best method, MatchingNet, with an accuracy of 92.72%. In the 5-way 10-shot scenario, the proposed method maintains its superiority with an accuracy of 97.81%, surpassing the next best method, ProtoNet, by 4.45 percentage points, as ProtoNet’s accuracy is 93.36%.

The MAML method struggles to extract spatiotemporal patterns of malicious traffic because it lacks traffic-specific feature enhancement mechanisms. Meanwhile, Reptile is constrained by its simplistic gradient update strategy, which results in inadequate generalization and robustness when dealing with class imbalance. Additionally, MatchingNet employs a cosine similarity-based matching mechanism, making it challenging to differentiate between semantically similar variants of malicious traffic. ProtoNet’s approach to modeling class prototypes through mean calculations is susceptible to interference from outlier samples and dominant classes, resulting in significant bias in prototype representation under imbalanced conditions. In contrast, the GADF-SRGA proposed in this paper effectively preserves the spatiotemporal correlation features of malicious traffic. Its SRGA module explicitly models inter-sample class correlations, significantly improving classification robustness. Furthermore, it incorporates a meta-learning framework that enables rapid few-shot adaptation, maintaining high accuracy even in extreme 1-shot scenarios. In summary, the proposed method consistently outperforms all baseline comparison models across various evaluation metrics in few-shot scenarios for both Malicious_TLS and TON_IoT traffic datasets.

4.4. Comparison Experiment

To verify the performance of the proposed time series classification method under few-shot conditions, three scenarios were defined: 5-way 10-shot, 5-way 5-shot, and 5-way 1-shot. The evaluation metric uses classification accuracy and eliminates the influence of randomness through cross-task validation. The few-shot IoT malicious traffic detection model based on GADF-SRGA proposed in this paper can dynamically adjust the network and adapt to new tasks. In

Table 4. Results of Comparison Experiments (%).

Model	Dataset	Number of Categories	Feature Type	Number of Samples	Classification Setting	Acc%
Aggregation model [17]	CIC-DDoS2019	12	Statistic + Multiple DL models	30,480,823	2-way	98.58
FED-IDS [18]	ToN-IoT	9	Statistic + CNN	521,050	2-way	94.85
PB-DID [19]	UNSW-NB15 and BoT-IoT	3	Statistic + DNN + LSTM	6,654,000	3-way	96.3
MTH-IDS [20]	NSL-KDD	5	Statistic + DNN	184,603	2-way	96.2
	CIC-IDS2017	15		823,951	2-way	96.5
MAML + CNN [11]	FSIDS-IoT	78	CNN	1260 + 1	5-way 1-shot	73.81
				1260 + 5	5-way 5-shot	89.64
				1260 + 10	5-way 10-shot	92.19
Ours	Malicious_TLS	22	CNN	6433 + 2750	5-way 1-shot	97.17
					5-way 5-shot	97.34
					5-way 10-shot	97.72
Ours	ToN-IoT	9	CNN	32,267 + 13,828	5-way 1-shot	92.37
					5-way 5-shot	96.56
					5-way 10-shot	97.81

, we review the results of other researchers in terms of the dataset used, the number of model categories used, classification settings, feature types, and the amount of data used during the training process.

GADF-SRGA achieves 97.34% accuracy under the 5-way 5-shot configuration and reaches 97.72% on the Malicious_TLS dataset under 5-way 10-shot settings. This unequivocally validates its dual capability: effective multi-category classification and rapid feature learning from minimal samples, delivering distinct advantages for detecting novel attacks prevalent in IoT environments. Notably, GADF-SRGA attains near 98% accuracy with merely 9183 samples (5-way 10-shot), while the Aggregation model requires approximately 30 million samples to achieve comparable performance.

4.5. Ablation Experiments

To verify the effectiveness of the proposed image-based few-shot malicious traffic detection model, we conducted ablation experiments on the Malicious_TLS dataset to validate the effectiveness of each module: the traffic data visualization module (comparison of different visualization methods) and the Sample Relevance Guided Attention (SRGA) module. The results of the ablation experiment are shown in

Table 5. Results of Ablation Experiments (%).

No.	Different Methods				SRGA	Accuracy
	GASF	GADF	MTF	RP		5way_1shot	5way_5shot
1		✓				90.15	91.98
2	✓				✓	96.96	95.43
3		✓			✓	97.17	97.34
4			✓		✓	96.28	96.56
5				✓	✓	95.7	91.98

.

As shown in Table 5, bold font denotes the best result, and underlined font denotes the suboptimal result. When the GADF method is used to convert traffic data into images for few-shot experiments, the improvement in model performance is significant when combined with the SRGA module. In the 5-way 1-shot setting, the proposed method achieves an accuracy 7.02% higher than that of the model without the SRGA module. Experiment 1 demonstrates that the SRGA module can effectively improve the accuracy of few-shot classification. Comparative experiments were further conducted in Experiments 2–5 by combining the SRGA module with different traffic visualization methods. When the GADF method is adopted in this study, the accuracies in the 5-way 1-shot and 5-way 5-shot settings both achieve the highest values, which are 97.17% and 97.34% respectively. Specifically, in the 5-way 1-shot setting, the accuracy is 0.21%, 0.89%, and 1.47% higher than those of the GASF, MTF, and RP methods; in the 5-way 5-shot setting, the accuracy is 1.91%, 0.78%, and 5.36% higher than those of the GASF, MTF, and RP methods. Different traffic data visualization methods have different impacts on model performance. In the ablation experiment on the Malicious_TLS dataset, the accuracy of GADF-SRGA on task 5way_1shot and 5way_5shot was 97.17% and 97.34%, respectively, achieving the best performance among all ablation experiments. The visualization of the results is shown in Figure 5.

Experimental results demonstrate that the combination of the GADF method adopted in this study and the SRGA module achieves the highest accuracy and exhibits the best performance.

5. Conclusions

This paper proposes a few-shot malicious traffic detection method based on a sample similarity-guided attention mechanism. This method integrates a sample relevance-guided attention module into the meta-learning framework to explore the application potential of few-shot learning in this task. Experiments verify that the method can address label scarcity in IoT network anomaly detection with a small amount of labeled data, and it exhibits excellent feature extraction performance on the Malicious_TLS and ToN-IoT datasets, with detection performance significantly outperforming existing methods.

Although GADF-SRGA achieves good performance in few-shot malicious traffic detection, it still has two limitations: first, for malicious traffic types not observed during training, the model can only identify them by relying on the general spatiotemporal features extracted by GADF image encoding and the sample relationship generalization ability of the SRGA module. In few-shot scenarios, it is unable to learn exclusive feature patterns for new attacks, which tends to weaken the discriminative ability due to feature distribution shift; second, the computational cost of the method and its deployment feasibility on resource-constrained IoT devices remain unclear, and the real-time deployment adaptability on edge IoT devices is yet to be verified.

To address the above limitations, future research will focus on the pruning and network design of lightweight multimodal models, aiming to improve the efficiency of model training and design, while solving the deployment challenges of it on resource-constrained devices.