Existing network intrusion detection systems (NIDS) exhibit imbalanced detection performance for both known and unknown attacks in encrypted traffic, primarily due to highly entangled and poorly separable traffic feature distributions. To address this, we propose a two-stage framework integrating feature disentanglement and dynamic graph diffusion: first, a parameter-free mutual information optimization achieves first-order disentanglement of attack-relevant features; second, a memory-augmented model enables second-order specificity disentanglement; finally, a dynamic topology-aware graph neural network supports streaming spatiotemporal aggregation. This work is the first to unify nonparametric mutual information-based disentanglement, memory-enhanced representation learning, and dynamic graph diffusion within encrypted-traffic intrusion detection. Evaluated on multiple encrypted traffic benchmarks, our method significantly improves detection robustness—achieving up to a 26% gain in F1-score for unknown attacks and a 62% improvement for hard-to-detect known attacks (e.g., Backdoor), while preserving high interpretability.

Network-based intrusion detection system (NIDS) monitors network traffic for malicious activities, forming the frontline defense against increasing attacks over information infrastructures. Although promising, our quantitative analysis shows that existing methods perform inconsistently in declaring various unknown attacks (e.g., 9% and 35% F1 respectively for two distinct unknown threats for an SVM-based method) or detecting diverse known attacks (e.g., 31% F1 for the Backdoor and 93% F1 for DDoS for a GCN-based state-of-the-art method), and reveals that the underlying cause is entangled distributions of flow features. This motivates us to propose 3D-IDS, a novel method that aims to tackle the above issues through two-step feature disentanglements and a dynamic graph diffusion scheme. Specifically, we first disentangle traffic features by a non-parameterized optimization based on mutual information, automatically differentiating tens and hundreds of complex features of various attacks. Such differentiated features will be fed into a memory model to generate representations, which are further disentangled to highlight the attack-specific features. Finally, we use a novel graph diffusion method that dynamically fuses the network topology for spatial-temporal aggregation in evolving data streams. By doing so, we can effectively identify various attacks in encrypted traffics, including unknown threats and known ones that are not easily detected. Experiments show the superiority of our 3D-IDS. We also demonstrate that our two-step feature disentanglements benefit the explainability of NIDS.