DEML: Data-Enhanced Meta-Learning Method for IoT APT Traffic Detection

Advanced Persistent Threat (APT) is one of the most representative attacks that pose significant challenges to Internet of Things (IoT) security due to its stealthiness, dynamism, and adaptability. To detect IoT APT, machine learning-based methods are proposed to extract traffic features and mine attack semantics automatically. However, IoT APT traffic sample in actual scenarios is unbalanced and scarce, which affects the detection performance of existing methods. To resolve these challenges, we propose a data-enhanced meta-learning (DEML) method for detecting IoT APT traffic in this paper. Specifically, DEML uses non-functional feature-based generative adversarial network (NFGAN) to extend IoT APT traffic samples. DEML also uses a meta-learning model to further enhance the learning ability to IoT APT samples (including newly generated and original IoT APT traffic samples). We conduct experiments on a hybrid dataset where benign traffic comes from IoT-23 and APT traffic comes from Contagio. Experimental results show that our method outperforms the existing data enhancement methods. In addition, DEML achieves a detection accuracy of 99.35%, which is better than the baseline models in IoT APT traffic detection.