{"id":"https://openalex.org/W7154685551","doi":"https://doi.org/10.1109/tifs.2026.3685079","title":"Early-Stage Detection of Encrypted Malware Traffic via Multi-Flow Temporal Graph Learning","display_name":"Early-Stage Detection of Encrypted Malware Traffic via Multi-Flow Temporal Graph Learning","publication_year":2026,"publication_date":"2026-01-01","ids":{"openalex":"https://openalex.org/W7154685551","doi":"https://doi.org/10.1109/tifs.2026.3685079"},"language":null,"primary_location":{"id":"doi:10.1109/tifs.2026.3685079","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2026.3685079","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5029476055","display_name":"Jizhe Jia","orcid":null},"institutions":[{"id":"https://openalex.org/I125839683","display_name":"Beijing Institute of Technology","ror":"https://ror.org/01skt4w74","country_code":"CN","type":"education","lineage":["https://openalex.org/I125839683","https://openalex.org/I890469752"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jizhe Jia","raw_affiliation_strings":["School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China","institution_ids":["https://openalex.org/I125839683"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yi Zhao","orcid":"https://orcid.org/0000-0003-3632-3381"},"institutions":[{"id":"https://openalex.org/I125839683","display_name":"Beijing Institute of Technology","ror":"https://ror.org/01skt4w74","country_code":"CN","type":"education","lineage":["https://openalex.org/I125839683","https://openalex.org/I890469752"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yi Zhao","raw_affiliation_strings":["School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0003-3632-3381","affiliations":[{"raw_affiliation_string":"School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China","institution_ids":["https://openalex.org/I125839683"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047030842","display_name":"Meng Shen","orcid":"https://orcid.org/0000-0002-1867-0972"},"institutions":[{"id":"https://openalex.org/I125839683","display_name":"Beijing Institute of Technology","ror":"https://ror.org/01skt4w74","country_code":"CN","type":"education","lineage":["https://openalex.org/I125839683","https://openalex.org/I890469752"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Meng Shen","raw_affiliation_strings":["School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0002-1867-0972","affiliations":[{"raw_affiliation_string":"School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China","institution_ids":["https://openalex.org/I125839683"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022355020","display_name":"Susu Cui","orcid":"https://orcid.org/0000-0001-5249-5699"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"government","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Susu Cui","raw_affiliation_strings":["Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0001-5249-5699","affiliations":[{"raw_affiliation_string":"Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100378601","display_name":"Jing Wang","orcid":"https://orcid.org/0000-0002-8491-4146"},"institutions":[{"id":"https://openalex.org/I4210087772","display_name":"National Computer Network Emergency Response Technical Team/Coordination Center of Chinar","ror":"https://ror.org/00247dh76","country_code":"CN","type":"nonprofit","lineage":["https://openalex.org/I4210087772"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jing Wang","raw_affiliation_strings":["National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing, China","institution_ids":["https://openalex.org/I4210087772"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133870480","display_name":"Bufan Zhao","orcid":null},"institutions":[{"id":"https://openalex.org/I125839683","display_name":"Beijing Institute of Technology","ror":"https://ror.org/01skt4w74","country_code":"CN","type":"education","lineage":["https://openalex.org/I125839683","https://openalex.org/I890469752"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Bufan Zhao","raw_affiliation_strings":["School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China","institution_ids":["https://openalex.org/I125839683"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100777576","display_name":"Wei Wang","orcid":"https://orcid.org/0000-0002-5974-1589"},"institutions":[{"id":"https://openalex.org/I87445476","display_name":"Xi'an Jiaotong University","ror":"https://ror.org/017zhmm22","country_code":"CN","type":"education","lineage":["https://openalex.org/I87445476"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Wei Wang","raw_affiliation_strings":["Key Laboratory for Intelligent Networks and Network Security, Ministry of Education, Xi&#x2019;an Jiaotong University, Xi&#x2019;an, China"],"raw_orcid":"https://orcid.org/0000-0002-5974-1589","affiliations":[{"raw_affiliation_string":"Key Laboratory for Intelligent Networks and Network Security, Ministry of Education, Xi&#x2019;an Jiaotong University, Xi&#x2019;an, China","institution_ids":["https://openalex.org/I87445476"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5133865234","display_name":"Liehuang Zhu","orcid":"https://orcid.org/0000-0003-3277-3887"},"institutions":[{"id":"https://openalex.org/I125839683","display_name":"Beijing Institute of Technology","ror":"https://ror.org/01skt4w74","country_code":"CN","type":"education","lineage":["https://openalex.org/I125839683","https://openalex.org/I890469752"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Liehuang Zhu","raw_affiliation_strings":["School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China"],"raw_orcid":"https://orcid.org/0000-0003-3277-3887","affiliations":[{"raw_affiliation_string":"School of Cyberspace Science and Technology, Beijing Institute of Technology, Beijing, China","institution_ids":["https://openalex.org/I125839683"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":8,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.54337414,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"21","issue":null,"first_page":"4460","last_page":"4474"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.3422999978065491,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.3422999978065491,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.3156000077724457,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.20509999990463257,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.5873000025749207},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.5002999901771545},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.45089998841285706},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.3199000060558319},{"id":"https://openalex.org/keywords/feature-extraction","display_name":"Feature extraction","score":0.30869999527931213},{"id":"https://openalex.org/keywords/deep-learning","display_name":"Deep learning","score":0.2939000129699707},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.28630000352859497}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8651999831199646},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.5873000025749207},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.5002999901771545},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.45089998841285706},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4422000050544739},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.3199000060558319},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.30869999527931213},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.2939000129699707},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.28630000352859497},{"id":"https://openalex.org/C59404180","wikidata":"https://www.wikidata.org/wiki/Q17013334","display_name":"Feature learning","level":2,"score":0.2858000099658966},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.28450000286102295},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.26840001344680786},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.26669999957084656},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.2662999927997589},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.26179999113082886},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.26170000433921814},{"id":"https://openalex.org/C36464697","wikidata":"https://www.wikidata.org/wiki/Q451553","display_name":"Visualization","level":2,"score":0.25999999046325684},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.25949999690055847},{"id":"https://openalex.org/C88230418","wikidata":"https://www.wikidata.org/wiki/Q131476","display_name":"Graph theory","level":2,"score":0.2538999915122986}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2026.3685079","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2026.3685079","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1858642095","display_name":null,"funder_award_id":"U23A20304","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2171639479","display_name":null,"funder_award_id":"62472036","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5621461503","display_name":null,"funder_award_id":"U25A20428","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320334978","display_name":"Beijing Nova Program","ror":"https://ror.org/034k14f91"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":35,"referenced_works":["https://openalex.org/W1516506771","https://openalex.org/W1985987493","https://openalex.org/W2090934172","https://openalex.org/W2105594594","https://openalex.org/W2125834021","https://openalex.org/W2150823344","https://openalex.org/W2157949690","https://openalex.org/W2171801319","https://openalex.org/W2200832203","https://openalex.org/W2537766808","https://openalex.org/W2545004184","https://openalex.org/W2606697812","https://openalex.org/W2885743621","https://openalex.org/W2897924986","https://openalex.org/W2912856897","https://openalex.org/W2963197901","https://openalex.org/W3005988012","https://openalex.org/W3010934630","https://openalex.org/W3021740526","https://openalex.org/W3116203245","https://openalex.org/W3120227884","https://openalex.org/W3208773001","https://openalex.org/W4296473472","https://openalex.org/W4306406279","https://openalex.org/W4324007233","https://openalex.org/W4385245566","https://openalex.org/W4385444612","https://openalex.org/W4386385252","https://openalex.org/W4389454898","https://openalex.org/W4390547394","https://openalex.org/W4401508167","https://openalex.org/W4405183144","https://openalex.org/W4406261318","https://openalex.org/W4409474994","https://openalex.org/W4416549523"],"related_works":[],"abstract_inverted_index":{"Malware":[0],"widely":[1],"adopts":[2],"network":[3],"traffic":[4,27,42,90,194,198],"encryption":[5],"techniques":[6],"to":[7,67,126,162],"conceal":[8],"malicious":[9],"activities.":[10],"Recent":[11],"research":[12],"has":[13],"demonstrated":[14],"the":[15,39,44,62,68,101,124,129,219,250,256],"effectiveness":[16],"of":[17,34,245,261],"machine":[18],"learning":[19,22,160],"(ML)-,":[20],"deep":[21],"(DL)-,":[23],"and":[24,190,203,233],"pre-training-based":[25],"malware":[26,45,89,119,152,193,235],"detection":[28,56,91,186,195],"methods.":[29],"However,":[30],"a":[31,112,151,157,183],"vast":[32],"majority":[33],"these":[35],"methods":[36,49,222],"rely":[37],"on":[38,52,100,128],"collected":[40],"complete":[41,262],"during":[43],"attack.":[46],"While":[47],"certain":[48],"can":[50,122,145,166],"operate":[51],"partial":[53],"traffic,":[54,120],"their":[55],"accuracy":[57],"often":[58],"significantly":[59],"decreases":[60],"when":[61],"available":[63],"data":[64,114],"is":[65,74],"restricted":[66],"extreme":[69],"early":[70],"stage,":[71],"where":[72],"information":[73],"most":[75],"sparse.":[76],"In":[77],"this":[78],"paper,":[79],"we":[80,154],"propose":[81],"<italic":[82,107,168,176,179,215,238],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[83,108,169,177,180,216,239],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">DawnGuard</i>,":[84],"an":[85,242],"effective":[86],"early-stage":[87,118,130,197,228],"encrypted":[88,192],"framework":[92,161],"through":[93],"multi-flow":[94],"temporal":[95,102,158],"graph":[96,159],"learning.":[97],"Specifically,":[98],"based":[99],"packet":[103],"density":[104],"distribution":[105],"analysis,":[106],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">DawnGuard</i>":[109,217,240],"innovatively":[110],"proposes":[111],"self-adjusting":[113],"augmentation":[115],"strategy":[116],"for":[117],"which":[121,165],"force":[123],"model":[125],"focus":[127],"interaction":[131],"phase":[132],"with":[133,196,209],"more":[134,147],"distinguishable":[135,148],"properties.":[136],"Meanwhile,":[137],"considering":[138],"that":[139,214],"temporal-topological":[140],"correlations":[141],"among":[142],"multiple":[143],"flows":[144],"provide":[146],"properties":[149],"in":[150,223],"attack,":[153],"further":[155],"develop":[156],"extract":[163],"features,":[164],"form":[167],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">Multi-Flow":[170],"Graph":[171],"Features":[172],"(MGF)</i>.":[173],"By":[174],"utilizing":[175,255],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">MGF</i>,":[178],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">Dawn-Guard</i>":[181],"implements":[182],"Vision":[184],"Transformer-based":[185],"mechanism,":[187],"enabling":[188],"accurate":[189],"precise":[191],"by":[199,253],"capturing":[200],"both":[201],"local":[202],"global":[204],"contextual":[205],"relationships.":[206],"Extensive":[207],"experiments":[208],"two":[210],"real-world":[211],"datasets":[212],"demonstrate":[213],"outperforms":[218],"state-of-the-art":[220],"(SOTA)":[221],"three":[224],"typical":[225],"scenarios:":[226],"varying":[227],"time":[229],"windows,":[230],"imbalanced":[231],"data,":[232],"unseen":[234],"detection.":[236],"Particularly,":[237],"achieves":[241],"average":[243],"F1":[244],"95.11%,":[246],"8.7%":[247],"higher":[248],"than":[249],"SOTA":[251],"method,":[252],"only":[254],"first":[257],"20%":[258],"loading":[259],"ratio":[260],"traffic.":[263]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-18T00:00:00"}