LMT-SDNN: A Lightweight Malicious Traffic Detection Method for the Internet of Things Based on Multi Teacher Distillation

The rapid proliferation of Internet of Things (IoT) devices, coupled with their inherent security vulnerabilities, has significantly expanded the attack surface, intensifying threats such as man-in-the-middle attacks, traffic hijacking, and distributed denial-of-service (DDoS) attacks, thereby posing serious risks to the security and reliability of the entire ecosystem. The network traffic associated with IoT devices is diverse and dynamic, often exhibiting complex structural features such as periodic fluctuations, varying packet sizes, and time-varying patterns that make detection challenging. Although deep learning has demonstrated strong capabilities in efficiently identifying complex and dynamic malicious traffic through powerful feature extraction and adaptive learning abilities, its high model complexity, substantial computational demands, and large parameter sizes hinder direct deployment on resource-constrained IoT devices. In order to tackle this issue, this paper proposes a malicious traffic detection framework for the Internet of Things (IoT) based on multi-teacher knowledge distillation. The proposed model, termed the Lightweight Multi-Teacher Spatiotemporal Distillation Neural Network (LMT-SDNN), employs two high-performance teacher models: Residual Inception and a One-Dimension Convolution Netural Network (1D-CNN) integrated with idirectional Long Short-Term Memory (BiLSTM), to effectively capture the complex structural features of network traffic. Furthermore, a novel Time-Related Window Loss (TRW) function is design to enhance the student’s ability to capture temporal features, thereby improving its overall performance. The effectiveness of LMT-SDNN is validated through comparisons with five baseline models on two publicly available datasets, ToN_IoT and BoT_IoT. Experimental results show that LMT-SDNN achieves a compression rate of over 99% in both model complexity and parameter count, while maintaining an accuracy exceeding 99%, indicating its strong potential for multiclass malicious traffic detection in IoT environments.