Progress Made by Our Center in Encrypted Traffic Detection Technology
In recent years, encrypted traffic detection has become a widely studied topic in cybersecurity, yet existing methods still face several challenges in real-world deployment because they rely on single-flow analysis and on static models. First, single-flow analysis is insufficient for detecting coordinated attacks: attackers deliberately spread malicious activity across multiple flows so that no individual flow crosses a per-flow detection threshold. Second, static models struggle to adapt to zero-day malware families and to adversarial strategies unseen during training, while retraining on new data often causes catastrophic forgetting of previously learned families. Third, a single monolithic model has difficulty jointly handling heterogeneous feature types, including cryptographic fingerprints, statistical distributions, temporal patterns, and protocol semantics.
To address these issues, the cybersecurity team of our center proposed AEGIS (Adversarial-Enhanced Graph Intelligence System). The framework first adopts a multi-agent architecture that decomposes the detection task among specialized agents responsible for different heterogeneous features. Furthermore, a novel Graph-Text Alignment mechanism is introduced to bridge the topological learning capability of Graph Neural Networks (GNNs) with the semantic understanding ability of Large Language Models (LLMs). Specifically, the GNN identifies collaborative multi-flow attack patterns that may appear benign when analyzed individually but exhibit suspicious correlations collectively, while the LLM provides interpretable explanations for these graph structures. Finally, the team designed an Adversarial Self-Play mechanism, enabling the system to continuously evolve and adapt without retraining.
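The multi-flow evasion problem described above is easy to reproduce in a few lines. The following is an added illustration, not code from the AEGIS paper or from our center: it applies a per-flow byte threshold to a constructed set of flow records, then links flows that share the same source and destination within a short time window into a graph, and re-applies the same threshold to each connected component. The flow schema (id, src, dst, start time, bytes_out), the 1 MB threshold, and the 60 second linking window are all assumptions chosen for the example; a GNN-based detector such as the one described above learns its own notion of which flows are related, whereas this toy version hard-codes it.

```python
"""Single-flow thresholding versus multi-flow (graph) aggregation.

Added illustration with constructed flow records; not AEGIS code.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow records. Assumed schema: flow id, source host,
# destination host, start time in seconds, bytes sent by the source.
FLOWS = [
    # Normal browsing from host A: small flows to distinct destinations.
    {"id": "f1", "src": "10.0.0.5", "dst": "93.184.216.34", "t": 0, "bytes_out": 40_000},
    {"id": "f2", "src": "10.0.0.5", "dst": "151.101.1.69", "t": 5, "bytes_out": 55_000},
    {"id": "f3", "src": "10.0.0.5", "dst": "142.250.72.14", "t": 9, "bytes_out": 30_000},
    # Staged exfiltration from host B: 3 MB split into six 500 KB flows to
    # one destination, each individually below a 1 MB per-flow threshold.
    *[{"id": f"x{i}", "src": "10.0.0.7", "dst": "203.0.113.9",
       "t": 100 + 20 * i, "bytes_out": 500_000} for i in range(6)],
    # One obviously large flow: caught by either method.
    {"id": "big", "src": "10.0.0.9", "dst": "198.51.100.20", "t": 300, "bytes_out": 4_000_000},
]

Flow = Dict[str, object]


def single_flow_alerts(flows: List[Flow], threshold: int) -> List[str]:
    """Classic per-flow rule: alert on any flow whose bytes_out exceeds threshold."""
    return sorted(f["id"] for f in flows if f["bytes_out"] > threshold)


def build_flow_graph(flows: List[Flow], window: int) -> Dict[str, Set[str]]:
    """Undirected graph over flows. Two flows are linked when they share the
    same (src, dst) pair and start within `window` seconds of each other."""
    by_pair: Dict[Tuple[str, str], List[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    adj: Dict[str, Set[str]] = {f["id"]: set() for f in flows}
    for group in by_pair.values():
        group.sort(key=lambda f: f["t"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["t"] - a["t"] > window:
                    break  # group is time-sorted, later flows are farther away
                adj[a["id"]].add(b["id"])
                adj[b["id"]].add(a["id"])
    return adj


def connected_components(adj: Dict[str, Set[str]]) -> List[Set[str]]:
    """Iterative DFS over the adjacency map."""
    seen: Set[str] = set()
    comps: List[Set[str]] = []
    for node in adj:
        if node in seen:
            continue
        comp: Set[str] = set()
        stack = [node]
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def multi_flow_alerts(flows: List[Flow], threshold: int, window: int) -> List[Tuple[Tuple[str, ...], int]]:
    """Apply the same byte threshold to the aggregate of each flow component.
    Returns (sorted flow ids, total bytes) for every component over threshold."""
    by_id = {f["id"]: f for f in flows}
    adj = build_flow_graph(flows, window)
    alerts = []
    for comp in connected_components(adj):
        total = sum(by_id[i]["bytes_out"] for i in comp)
        if total > threshold:
            alerts.append((tuple(sorted(comp)), total))
    return sorted(alerts)


if __name__ == "__main__":
    print("single-flow alerts:", single_flow_alerts(FLOWS, 1_000_000))
    print("multi-flow alerts: ", multi_flow_alerts(FLOWS, 1_000_000, 60))
```

The per-flow rule only reports the single 4 MB flow; the staged 3 MB transfer from 10.0.0.7 is invisible to it. Linking flows by shared endpoints recovers the six-flow component and flags it, while the browsing flows from 10.0.0.5 stay in separate components because each goes to a different destination. The weakness of this hand-written linking rule is that an attacker who rotates destinations or stretches the timing past the window breaks the edges again, which is the kind of evasion a learned graph model is meant to absorb.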
Experimental results demonstrate that, compared with state-of-the-art baseline methods, AEGIS achieves an F1-score of 97.8% (an improvement of 2.4 percentage points), attains an F1-score of 82.4% on zero-day threats (an improvement of 7.9 percentage points), and improves average robustness against adversarial attacks by 5.9 percentage points.
This research work has been accepted by KSEM 2026 (International Conference on Knowledge Science, Engineering and Management), a CCF-recommended Category C conference and a recognized academic conference in the fields of computer science, engineering, and management. The first author of the paper is Yaohui Wang, a Ph.D. student at our center, and the corresponding author is Senior Engineer Chun Long. This work was jointly supported by the Strategic Priority Research Program of the Chinese Academy of Sciences (XDA0460104) and the Youth Innovation Promotion Association of the Chinese Academy of Sciences (2023181).

Overview of AEGIS
Related Publication: Yaohui Wang, Degang Sun, Guanyao Du, Wei Wan, Jing Zhao, and Chun Long*, "AEGIS: A Multi-Agent Collaborative Framework with Adversarial Self-Play for Encrypted Malware Traffic Detection." International Conference on Knowledge Science, Engineering and Management (KSEM), Beijing, China, 2026.
