Environment-Adaptive Few-Shot Network Traffic Anomaly Detection for IoT via Aligned Prototype Learning

Network traffic anomaly detection is a cornerstone of IoT security, yet practical deployments often suffer from severe label scarcity and rapid evolution of attack behaviors, yielding emerging or variant intrusions with only a few annotated samples. Meanwhile, heterogeneous IoT environments induce distribution shifts in background traffic, which can drastically degrade the generalization of conventional supervised detectors and few-shot classifiers. To address these challenges, we propose an Environment-Adaptive Aligned Prototype Network (APN) for few-shot IoT traffic anomaly recognition. APN builds class prototypes from limited support samples and introduces a two-stage prototype alignment mechanism to improve robustness under domain and context changes: (i) internal alignment refines prototypes by leveraging intra-support structure to mitigate prototype bias caused by scarce supervision, and (ii) external alignment further adjusts prototypes using query-side distribution cues to enhance sensitivity to environment-specific background patterns. Notably, the proposed alignment is lightweight and can be integrated into a prototypical learning framework without introducing excessive model complexity. Extensive experiments on few-shot intrusion/anomaly traffic benchmarks demonstrate that APN consistently improves classification accuracy and effectively alleviates performance degradation under stricter few-shot settings, indicating strong generalization and robustness for real-world IoT security monitoring.