Lightweight Intrusion Detection in the Edge Internet of Things with Dual-Teacher Distillation

HAN Gang; CHANG Xuan; WANG Yaotian; WANG Yunli; ZHANG Zhongliang

doi:10.12263/DZXB.20251022

您当前的位置：

首页 >

文章列表页 >

Lightweight Intrusion Detection in the Edge Internet of Things with Dual-Teacher Distillation

Cutting\-edge Technologies for Encrypted Network Security | 更新时间：2026-06-17

- Lightweight Intrusion Detection in the Edge Internet of Things with Dual-Teacher Distillation
- ACTA ELECTRONICA SINICA Vol. 54, Issue 4, Pages: 1497-1512(2026)
- 作者机构：
  
  1.西安邮电大学，陕西西安 710000
  2.杭州电子科技大学，浙江杭州 310000
- 作者简介：
- 基金信息：
  
  National Natural Science Foundation of China(62102312);Fund of the State Key Laboratory of Integrated Services Networks(ISN24-13);General Program of the National Natural Science Foundation of China(72571079);Shaanxi Provincial Key Research and Development Program(2024GX-YBXM-079);Youth Talent Fund of the Shaanxi Association for Science and Technology in Universities(20210119);Young Innovation Team of Shaanxi Universities(23JP160);Young Innovation Team of Shaanxi Universities(23JP162)
- DOI：10.12263/DZXB.20251022
  CLC： TP393.0;TP183
- Received：10 January 2026，
  
  Accepted：07 March 2026，
  
  Published：25 April 2026
- 稿件说明：
移动端阅览
韩刚, 常轩, 王耀天, 等. 面向边缘物联网的双教师蒸馏式轻量化入侵检测[J]. 电子学报, 2026, 54(04): 1497-1512.

HAN Gang, CHANG Xuan, WANG Yaotian, et al. Lightweight Intrusion Detection in the Edge Internet of Things with Dual-Teacher Distillation[J]. Acta Electronica Sinica, 2026, 54(04): 1497-1512.
韩刚, 常轩, 王耀天, 等. 面向边缘物联网的双教师蒸馏式轻量化入侵检测[J]. 电子学报, 2026, 54(04): 1497-1512. DOI：10.12263/DZXB.20251022

HAN Gang, CHANG Xuan, WANG Yaotian, et al. Lightweight Intrusion Detection in the Edge Internet of Things with Dual-Teacher Distillation[J]. Acta Electronica Sinica, 2026, 54(04): 1497-1512. DOI：10.12263/DZXB.20251022

摘要

面向动态性强、协议多样且算力受限的边缘/物联网（Internet of Things，IoT）环境，本文提出一种轻量级深度学习入侵检测框架，以端到端方式统一“特征-模型-蒸馏”三层设计，在保证检测性能的同时降低计算与部署开销。针对边缘侧网络流量异构性强、攻击类别分布不均衡以及少数类样本难以充分学习等问题，框架在数据层引入自适应特征工程与动态类别均衡机制，提取流量方向不对称度、协议一致性、会话交互模式等领域相关特征，以增强对复杂攻击行为的表征能力，并缓解长尾分布对模型训练的影响。在表示学习层，构建双教师协同架构：时间分支采用增强型双向长短期记忆（Bidirectional Long Short-Term Memory，BiLSTM）网络结合多头注意力机制，用于捕获流量序列中的周期性变化、突发依赖及上下文关联；空间分支采用多尺度残差一维卷积与轻量门控模块，用于学习跨字段的局部模式与共现结构，从而提升对复杂协议语义和攻击模式的识别能力。在决策层，采用以拼接集成为主的自适应集成策略，对两路教师输出进行互补融合，并通过温度缩放软标签与真实标签联合构成蒸馏损失，将教师模型知识迁移至超轻量学生模型，在压缩模型规模的同时尽可能保持判别能力。基于场景适配的CICIDS-2017数据集实验结果表明：教师集成模型准确率达到96.5%，宏平均

（macro-

）达到95.0%；学生模型在参数量减少超过70%的条件下，仍取得93.91%的准确率和90.34%的macro-

，并在Patator、PortScan、Heartbleed等类别上实现超过98%的准确率，在类分布不均衡的测试条件下仍保持稳定识别。不同集成策略对比结果显示，拼接集成的macro-

为90.34%，优于注意力集成的90.19%、温度加权软投票的89.79%和无集成方案的88.67%，验证了该融合方式的有效性。模型端侧单次推理时延约为68 ms，满足边缘环境实时检测需求。研究结果表明：所提方法能够较好地兼顾检测精度、模型轻量化与推理效率，为边缘/IoT入侵检测提供了一种兼顾准确性与实用性的技术路径。

Abstract

For dynamic

protocol-diverse

and resource-constrained edge/internet of things (IoT) environments

this paper proposes a lightweight deep learning intrusion detection framework that unifies feature engineering

model construction

and knowledge distillation in an end-to-end manner

aiming to achieve an effective balance between detection accuracy

computational efficiency

and deployment feasibility. To address the strong heterogeneity of edge traffic

the severe class imbalance of attack categories

and the limited learnability of minority classes

the framework introduces adaptive feature engineering and dynamic class balancing at the data level

extracting domain-relevant features such as traffic directional asymmetry

protocol consistency

and session interaction characteristics to strengthen the representation of complex malicious behaviors while alleviating the adverse impact of long-tail distributions on model training. At the representation level

a dual-teacher architecture is designed to jointly model temporal and spatial dependencies in network traffic. The temporal branch employs an enhanced bidirectional long short-term memory (BiLSTM) network combined with multi-head attention to capture periodic patterns

bursty dependencies

and contextual correlations in traffic sequences

enabling the model to better characterize the dynamic evolution of attack behaviors over time. The spatial branch adopts multi-scale residual one-dimensional convolutions together with a lightweight gating mechanism to learn local feature

interactions and cross-field co-occurrence structures

thereby improving the modeling of protocol semantics and hidden attack patterns across heterogeneous traffic attributes. At the decision level

an adaptive ensemble strategy is introduced

with concatenation-based fusion serving as the primary integration mechanism to combine the complementary outputs of the two teacher branches and enhance final classification performance. On this basis

the knowledge learned by the teacher ensemble is transferred to an ultra-lightweight student model through a joint distillation objective composed of temperature-scaled soft labels and ground-truth hard labels

so that the student model can preserve strong discriminative capability while substantially reducing parameter size and computational burden. Experiments conducted on a scenario-adapted CICIDS-2017 dataset demonstrate that the teacher ensemble achieves an accuracy of 96.5% and a macro-

score of 95.0%

while the student model still attains 93.91% accuracy and 90.34% macro-

with more than 70% parameter reduction. In addition

the student model yields over 98% accuracy on attack categories such as Patator

PortScan

and Heartbleed

and maintains stable recognition performance under imbalanced testing conditions

indicating strong robustness to class skew. The comparison results of different integration strategies show that concatenation integration achieves a macro-

score of 90.34%

which outperforms attention integration at 90.19%

temperature-weighted soft voting at 89.79% and the non-integrated scheme at 88.67%

verifying the effectiveness of this fusion method. Moreover

the model exhibits an edge-side single-inference latency of approximately 68 ms

satisfying the real-time requirements of practical edge deployment. Overall

the proposed framework reduces computational and deployment costs while maintaining high detection quality

and provides a practical technical solution fo

r intrusion detection in edge/IoT scenarios where both accuracy and efficiency are critical.

关键词

Keywords

references

Hossein Motlagh N , Taleb T , Arouk O . Low-altitude unmanned aerial vehicles-based Internet of Things services: Comprehensive survey and future perspectives [J ] . IEEE Internet of Things Journal , 2016 , 3 ( 6 ): 899 - 922 . DOI: 10.1109/jiot.2016.2612119 http://dx.doi.org/10.1109/jiot.2016.2612119

Huang C Q , Fang S F , Wu H , et al . Low-altitude intelligent transportation: System architecture, infrastructure, and key technologies [J ] . Journal of Industrial Information Integration , 2024 , 42 : 100694 .

Anagnostis I , Kotzanikolaou P , Douligeris C . Understanding and securing unmanned aerial vehicle (UAV) services: a comprehensive tutorial [EB/OL ] . ( 2024-03-06 )[ 2026-03-13 ] . https://www.techrxiv.org/users/750957/articles/722052 https://www.techrxiv.org/users/750957/articles/722052 .

Cai L Y , Wang J C , Zhang R C , et al . Secure physical layer communications for low-altitude economy networking: A survey [J ] . IEEE Communications Surveys & Tutorials , 2026 , 28 : 2497 - 2530 .

Shen M , Ye K , Liu X T , et al . Machine learning-powered encrypted network traffic analysis: A comprehensive survey [J ] . IEEE Communications Surveys & Tutorials , 2023 , 25 ( 1 ): 791 - 824 . DOI: 10.1109/comst.2022.3208196 http://dx.doi.org/10.1109/comst.2022.3208196

Azaria A , Richardson A , Kraus S , et al . Behavioral analysis of insider threat: A survey and bootstrapped prediction in imbalanced data [J ] . IEEE Transactions on Computational Social Systems , 2014 , 1 ( 2 ): 135 - 155 . DOI: 10.1109/tcss.2014.2377811 http://dx.doi.org/10.1109/tcss.2014.2377811

Gupta I , Lycklama H , Opel E , et al . Fragile giants: understanding the susceptibility of models to subpopulation attacks [EB/OL ] . ( 2024-10-11 )[ 2026-03-13 ] . https://arxiv.org/pdf/2410.08872 https://arxiv.org/pdf/2410.08872 .

Hong Y P , Li Q , Yang Y Q , et al . Graph based encrypted malicious traffic detection with hybrid analysis of multi-view features [J ] . Information Sciences , 2023 , 644 : 119229 . DOI: 10.1016/j.ins.2023.119229 http://dx.doi.org/10.1016/j.ins.2023.119229

Shen M , Zhang J P , Zhu L H , et al . Accurate decentralized application identification via encrypted traffic analysis using graph neural networks [J ] . IEEE Transactions on Information Forensics and Security , 2021 , 16 : 2367 - 2380 . DOI: 10.1109/tifs.2021.3050608 http://dx.doi.org/10.1109/tifs.2021.3050608

Sinha P , Sahu D , Prakash S , et al . A high performance hybrid LSTM CNN secure architecture for IoT environments using deep learning [J ] . Scientific Reports , 2025 , 15 : 9684 .

Xie Y B , Gardi A , Sabatini R . Cybersecurity trends in low-altitude air traffic management [C ] // 2022 IEEE/AIAA 41st Digital Avionics Systems Conference . Piscataway : IEEE , 2022 : 1 - 9 . DOI: 10.1109/dasc55683.2022.9925840 http://dx.doi.org/10.1109/dasc55683.2022.9925840

Wilson A N , Kumar A , Jha A , et al . Embedded sensors, communication technologies, computing platforms and machine learning for UAVs: A review [J ] . IEEE Sensors Journal , 2022 , 22 ( 3 ): 1807 - 1826 . DOI: 10.1109/jsen.2021.3139124 http://dx.doi.org/10.1109/jsen.2021.3139124

Shen M , Yu H , Zhu L H , et al . Effective and robust physical-world attacks on deep learning face recognition systems [J ] . IEEE Transactions on Information Forensics and Security , 2021 , 16 : 4063 - 4077 .

Aslan Ö , Aktuğ S S , Ozkan-Okay M , et al . A comprehensive review of cyber security vulnerabilities, threats, attacks, and solutions [J ] . Electronics , 2023 , 12 ( 6 ): 1333 .

Sarker I H . Multi-aspectsAI-based modeling and adversarial learning for cybersecurity intelligence and robustness: A comprehensive overview [J ] . Security and Privacy , 2023 , 6 ( 5 ): e295 . DOI: 10.1002/spy2.295 http://dx.doi.org/10.1002/spy2.295

Xu H T , Han S Y , Li X H , et al . Anomaly traffic detection based on communication-efficient federated learning in space-air-ground integration network [J ] . IEEE Transactions on Wireless Communications , 2023 , 22 ( 12 ): 9346 - 9360 . DOI: 10.1109/twc.2023.3270179 http://dx.doi.org/10.1109/twc.2023.3270179

薛胤 , 魏松杰 . 基于深度监督离散哈希神经网络的网络入侵检测方法 [J ] . 信息安全学报 , 2025 , 10 ( 4 ): 66 - 76 .

Xue Yin , Wei Songjie . Network intrusion detection with deep neural network for supervised learning of discrete hash [J ] . Journal of Cyber Security , 2025 , 10 ( 4 ): 66 - 76 . (in Chinese)

Li X Q , Liu Q C . A hybrid sampling algorithm for imbalanced and class-overlap data based on natural neighbors and density estimation [J ] . Knowledge and Information Systems , 2025 , 67 ( 3 ): 2259 - 2290 . DOI: 10.1007/s10115-024-02281-6 http://dx.doi.org/10.1007/s10115-024-02281-6

Wang L H , Dai Q , Du T , et al . Lightweight intrusion detection model based on CNN and knowledge distillation [J ] . Applied Soft Computing , 2024 , 165 : 112118 .

曹磊 , 温蜜 , 何蔚 . 基于深度学习的车联网的路网监测系统的DoS和DDoS攻击的入侵检测方法 [J ] . 计算机应用与软件 , 2025 , 42 ( 1 ): 303 - 311 .

Cao Lei , Wen Mi , He Wei . Deep learning based dos and ddos attack detection method in the highway monitoring system of iov [J ] . Computer Applications and Software , 2025 , 42 ( 1 ): 303 - 311 . (in Chinese)

Cao Z , Liu X H , Zhou Z , et al . KD-BERT: A lightweight knowledge distillation bidirectional encoder representations from transformers for IoT network intrusion detection [J ] . IEEE Transactions on Industrial Informatics , 2025 , 21 ( 11 ): 8475 - 8483 .

Xie B , Wang Z D , Zeng Z Y , et al . DTKD-IDS: A dual-teacher knowledge distillation intrusion detection model for the industrial Internet of Things [J ] . Ad Hoc Networks , 2025 , 174 : 103869 . DOI: 10.1016/j.adhoc.2025.103869 http://dx.doi.org/10.1016/j.adhoc.2025.103869

李波 , 李泽超 , 邢鹏 , 等 . 基于双向约束蒸馏的无监督图像异常检测 [J ] . 电子学报 , 2025 , 53 ( 3 ): 895 - 909 .

Li Bo , Li Zechao , Xing Peng , et al . Unsupervised image anomaly detection based on constrained BidiRectional distillation [J ] . Acta Electronica Sinica , 2025 , 53 ( 3 ): 895 - 909 . (in Chinese)

Chai Y E , Liu M Q , Li M . Navigation spoofing and jamming signals identification of UAV based on federated learning [J ] . IEEE Internet of Things Journal , 2025 , 12 ( 21 ): 44177 - 44188 .

Ahmad T , Hadi M U , Vassiliou V , et al . Real-time anomaly detection in smart vehicle-to-UAV networks for disaster management [J ] . Transactions on Emerging Telecommunications Technologies , 2025 , 36 ( 5 ): e70162 .

Medhi J , Liu R , Wang Q , et al . A lightweight and efficient intrusion detection system (IDS) for unmanned aerial vehicles [J ] . Neural Computing and Applications , 2025 , 37 ( 20 ): 15819 - 15836 .

Wang Y Z , Yu Z Y , Wu J H , et al . Adaptive knowledge distillation-based lightweight intelligent fault diagnosis framework in IoT edge computing [J ] . IEEE Internet of Things Journal , 2024 , 11 ( 13 ): 23156 - 23169 . DOI: 10.1109/jiot.2024.3387328 http://dx.doi.org/10.1109/jiot.2024.3387328

Quyen N H , Duy P T , Nguyen N T , et al . FedKD-IDS: A robust intrusion detection system using knowledge distillation-based semi-supervised federated learning and anti-poisoning attack mechanism [J ] . Information Fusion , 2025 , 117 : 102807 . DOI: 10.1016/j.inffus.2024.102807 http://dx.doi.org/10.1016/j.inffus.2024.102807

Wang F , Diao B Y , Sun T , et al . Data security and privacy challenges of computing offloading in FINs [J ] . IEEE Network , 2020 , 34 ( 2 ): 14 - 20 . DOI: 10.1109/mnet.001.1900140 http://dx.doi.org/10.1109/mnet.001.1900140

周品希 , 沈岳 , 李伟 . 基于深度学习的物联网入侵检测系统综述 [J ] . 网络安全与数据治理 , 2025 , 44 ( 6 ): 1 - 10 .

Zhou Pinxi , Shen Yue , Li Wei . A review of IoT intrusion detection systems based on deep learning [J ] . Cyber Security and Data Governance , 2025 , 44 ( 6 ): 1 - 10 . (in Chinese)

Kurniabudi , Stiawan D , Darmawijoyo , et al . CICIDS-2017 dataset feature analysis with information gain for anomaly detection [J ] . IEEE Access , 2020 , 8 : 132911 - 132921 .

Panwar S S , Raiwani Y P , Panwar L S . An intrusion detection model for CICIDS-2017 dataset using machine learning algorithms [C ] // 2022 International Conference on Advances in Computing, Communication and Materials . Piscataway : IEEE , 2022 : 1 - 10 .

Zuech R , Hancock J , Khoshgoftaar T M . Detecting web attacks in severely imbalanced network traffic data [C ] // 2021 IEEE 22nd International Conference on Information Reuse and Integration for Data Science . Piscataway : IEEE , 2021 : 267 - 273 .

Wang Y X , Sun G , Sun Z M , et al . Toward realization of low-altitude economy networks: Core architecture, integrated technologies, and future directions [J ] . IEEE Transactions on Cognitive Communications and Networking , 2025 , 11 ( 5 ): 2788 - 2820 . DOI: 10.1109/tccn.2025.3601015 http://dx.doi.org/10.1109/tccn.2025.3601015

俞宁宁 , 毛盛健 , 周成伟 , 等 . DroneRFa: 用于侦测低空无人机的大规模无人机射频信号数据集 [J ] . 电子与信息学报 , 2024 , 46 ( 4 ): 1147 - 1156 .

Yu Ningning , Mao Shengjian , Zhou Chengwei , et al . DroneRFa: A large-scale dataset of drone radio frequency signals for detecting low-altitude drones [J ] . Journal of Electronics & Information Technology , 2024 , 46 ( 4 ): 1147 - 1156 . (in Chinese)

Vu L , Bui C T , Nguyen Q U . A deep learning based method for handling imbalanced problem in network traffic classification [C ] // Proceedings of the 8th International Symposium on Information and Communication Technology . New York : ACM , 2017 : 333 - 339 . DOI: 10.1145/3155133.3155175 http://dx.doi.org/10.1145/3155133.3155175

Marlisa H , Satyahadewi N , Imro’ah N , et al . Application of adasyn oversampling technique on k-nearest neighbor algorithm [J ] . BAREKENG: Jurnal Ilmu Matematika dan Terapan , 2024 , 18 ( 3 ): 1829 - 1838 .

Dey I , Pratap V . A comparative study of SMOTE, borderline-SMOTE, and ADASYN oversampling techniques using different classifiers [C ] // 2023 3rd International Conference on Smart Data Intelligence . Piscataway : IEEE , 2023 : 294 - 302 . DOI: 10.1109/icsmdi57622.2023.00060 http://dx.doi.org/10.1109/icsmdi57622.2023.00060

Wang J J , Xu M T , Wang H , et al . Classification of imbalanced data by using the SMOTE algorithm and locally linear embedding [C ] // 2006 8th international Conference on Signal Processing . Piscataway : IEEE , 2006

Ayad A G , Sakr N A , Hikal N A . Fog-empowered anomaly detection in IoT networks using one-class asymmetric stacked autoencoder [J ] . Cluster Computing , 2025 , 28 ( 8 ): 550 . DOI: 10.1007/s10586-025-05234-y http://dx.doi.org/10.1007/s10586-025-05234-y

Waghmode P , Kanumuri M , El-Ocla H , et al . Intrusion detection system based on machine learning using least square support vector machine [J ] . Scientific Reports , 2025 , 15 : 12066 .

Sinha P , Sahu D , Prakash S , et al . An efficient data driven framework for intrusion detection in wireless sensor networks using deep learning [J ] . Scientific Reports , 2025 , 15 : 34046 . DOI: 10.1038/s41598-025-12867-x http://dx.doi.org/10.1038/s41598-025-12867-x

Views

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Differentially Private with Sparse and Smooth Self-Distillation

Low-Rank Adaptation Based Flexibility-Aware Distillation Method

A Deep Learning Based Intrusion Detection System for Electric Distribution Grids

Encrypted Traffic Pre-Trained Model with Long-Range Dependency and Local Dynamic Perception

Remote Traffic Fingerprinting Attack Based on Cell Sequence Reconstruction

Related Author

ZHAO Deng-feng

XUE Da-xuan

ZHAO Su-yun

CHEN Hong

LI Jia-ming

BAO Zhi-qiang

HUANG Zhen-hua

SUN Sheng-li

Related Institution

School of Information, Renmin University of China

School of Computer Science, South China Normal University

Research Institute of Hundsun Technologies Co., Ltd.

School of Software & Microelectronics, Peking University

DataGrand Co., Ltd.

⁰