<p>This study aims to mitigate the challenges posed by the rising rate of cyber attacks and the generalization degradation of traditional anomalous traffic detection approaches under strict data-scarcity constraints. To address these issues, we propose Siam-BLA, a Siamese Network architecture integrating Bidirectional Long Short-Term Memory (BiLSTM) and Local Attention. To overcome the reliance on payload inspection in modern encrypted environments, Siam-BLA extracts side-channel chronological sequences and macro-statistical features without payload decryption. The architecture employs a One-Dimensional Convolutional Block Attention Module (1D-CBAM) to isolate micro-temporal patterns and a BiLSTM network to model deep state evolution. Crucially, we introduce an Adaptive Metric Fusion (AMF) mechanism with strict directional unification and monotonicity constraints, mathematically resolving the instability of aggregating opposing distance and similarity metrics. Evaluated on the public CICIoT2023 benchmark via episodic meta-training, Siam-BLA achieves a high Area Under the Receiver Operating Characteristic Curve (ROC-AUC) of 0.994 and a Macro F1 score of 94.15%, significantly outperforming contemporary 2025 state-of-the-art baselines. Furthermore, under a strict cross-domain zero-adaptation evaluation protocol, the model demonstrates robust generalization on unseen private networks, achieving a rigorous ROC-AUC of 0.988 on the public encrypted ISCX-VPN-NonVPN benchmark, alongside 0.985 in a private Industrial IoT scenario and 0.991 in a financial communication topology. Furthermore, comprehensive adversarial evaluations confirm the model's structural resilience against payload padding and successfully validate a protocol-aware data augmentation strategy to mitigate extreme MTU fragmentation. A rigorous latency decoupling analysis reveals that the core algorithmic inference requires less than 1&#xa0;ms, while the ~ 40&#xa0;ms system latency is entirely attributable to the Python data-plane ingestion. Consequently, Siam-BLA serves as a robust and efficient "second-stage deep inspection engine" for hierarchical defense architectures.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Cybersecurity classification using Siam-BLA and small-sample data

  • Huiqin Cheng

摘要

This study aims to mitigate the challenges posed by the rising rate of cyber attacks and the generalization degradation of traditional anomalous traffic detection approaches under strict data-scarcity constraints. To address these issues, we propose Siam-BLA, a Siamese Network architecture integrating Bidirectional Long Short-Term Memory (BiLSTM) and Local Attention. To overcome the reliance on payload inspection in modern encrypted environments, Siam-BLA extracts side-channel chronological sequences and macro-statistical features without payload decryption. The architecture employs a One-Dimensional Convolutional Block Attention Module (1D-CBAM) to isolate micro-temporal patterns and a BiLSTM network to model deep state evolution. Crucially, we introduce an Adaptive Metric Fusion (AMF) mechanism with strict directional unification and monotonicity constraints, mathematically resolving the instability of aggregating opposing distance and similarity metrics. Evaluated on the public CICIoT2023 benchmark via episodic meta-training, Siam-BLA achieves a high Area Under the Receiver Operating Characteristic Curve (ROC-AUC) of 0.994 and a Macro F1 score of 94.15%, significantly outperforming contemporary 2025 state-of-the-art baselines. Furthermore, under a strict cross-domain zero-adaptation evaluation protocol, the model demonstrates robust generalization on unseen private networks, achieving a rigorous ROC-AUC of 0.988 on the public encrypted ISCX-VPN-NonVPN benchmark, alongside 0.985 in a private Industrial IoT scenario and 0.991 in a financial communication topology. Furthermore, comprehensive adversarial evaluations confirm the model's structural resilience against payload padding and successfully validate a protocol-aware data augmentation strategy to mitigate extreme MTU fragmentation. A rigorous latency decoupling analysis reveals that the core algorithmic inference requires less than 1 ms, while the ~ 40 ms system latency is entirely attributable to the Python data-plane ingestion. Consequently, Siam-BLA serves as a robust and efficient "second-stage deep inspection engine" for hierarchical defense architectures.