Train and evaluate an ML model for detecting anomalies in SM4-encrypted network flows without decrypting traffic
Deploy a cloud-native microservice pipeline for real-time encrypted traffic monitoring using Docker Compose and Kafka
Set up a Kubernetes DaemonSet probe to detect suspicious encrypted traffic on every node in a cluster
Use the Flask dashboard to visualize intrusion detection alerts from live or replayed campus network traffic
Requires Kubernetes or Docker Compose, Kafka, Prometheus, and GPU access for model training.
SM4 is a symmetric block cipher standardized in China and widely used in Chinese government and commercial networks. This repository is a research and engineering prototype for detecting network intrusions inside SM4-encrypted traffic flows, where packet contents cannot be read directly. The project is written in Python and includes a web-based dashboard for monitoring detection results.

The detection method extracts statistical features from the encrypted bytes themselves rather than inspecting the plaintext. After simulating encryption with SM4-GCM on network traffic samples from public datasets, the system computes features such as entropy, statistical distribution moments, byte-length ratios, and frequency-domain values. A deep learning binary classifier is then trained on these features to separate normal traffic from anomalous flows. Training used the UNSW-NB15 public dataset, with cross-dataset testing on TON-IoT to check how well the model generalizes.

The project extends this offline research pipeline into three production-oriented deployment paths. The first is a batch analysis workflow for replaying captured packet files from a real campus network. The second is a cloud-native microservice pipeline using Docker Compose, where separate services handle capture, feature extraction, graph construction, detection, and alerting, communicate over Kafka, and report metrics to Prometheus and Grafana. The third is a Kubernetes DaemonSet that places a detection probe on every node in a cluster and uses the Kubernetes API to map network addresses to pod and service identities. A Flask API serves a situational-awareness dashboard that shows detection statistics and alerts in near real time.

This project would be most useful to researchers or security engineers working on intrusion detection in networks that use the SM4 cipher and who want a system that operates without decrypting the traffic. The entire README is written in Chinese.
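As an added illustration of the feature-extraction stage described above (example code written for this page, not the repository's own), the following computes per-flow entropy, byte-value moments, a printable-byte ratio and one frequency-domain feature over payload bytes. SM4-GCM is not in the Python standard library, so a SHA-256 counter stream stands in for ciphertext; both sample flows and the feature names are constructed assumptions, not the project's.

```python
import cmath
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte from the byte-value histogram; SM4-GCM ciphertext sits near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def central_moments(data: bytes) -> tuple:
    """Mean, variance, skewness and excess kurtosis of the raw byte values."""
    if not data:
        return 0.0, 0.0, 0.0, 0.0
    n, mean = len(data), sum(data) / len(data)
    var = sum((b - mean) ** 2 for b in data) / n
    if var == 0.0:
        return mean, var, 0.0, 0.0
    m3 = sum((b - mean) ** 3 for b in data) / n
    m4 = sum((b - mean) ** 4 for b in data) / n
    return mean, var, m3 / var ** 1.5, m4 / var ** 2 - 3.0

def printable_ratio(data: bytes) -> float:
    """Share of bytes in printable ASCII 0x20-0x7E; uniform ciphertext gives 95/256."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0

def spectral_peak_ratio(data: bytes) -> float:
    """Largest non-DC DFT bin's share of spectral energy: flat for ciphertext,
    spiked when a payload carries periodic structure such as repeated cleartext headers."""
    n, mean = len(data), sum(data) / len(data)
    spectrum = [abs(sum((x - mean) * cmath.exp(-2j * math.pi * k * i / n)
                        for i, x in enumerate(data))) ** 2 for k in range(1, n // 2)]
    total = sum(spectrum)
    return max(spectrum) / total if total else 0.0

def extract_features(payload: bytes) -> dict:
    """Feature vector for one flow's payload, the kind of input a classifier would consume."""
    mean, var, skew, kurt = central_moments(payload)
    return {"entropy": shannon_entropy(payload), "mean": mean, "variance": var,
            "skewness": skew, "kurtosis": kurt, "printable_ratio": printable_ratio(payload),
            "spectral_peak_ratio": spectral_peak_ratio(payload)}

def simulated_ciphertext(n: int, seed: bytes = b"demo-key") -> bytes:
    """Constructed stand-in for SM4-GCM output (a SHA-256 counter stream, not SM4)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed flows: a fully encrypted payload versus one dominated by repeated cleartext.
NORMAL_FLOW = simulated_ciphertext(1024)
SUSPICIOUS_FLOW = b"STATUS OK 200\r\n" * 32 + simulated_ciphertext(32)
```

The encrypted flow yields entropy close to 8 and a flat spectrum, while the flow carrying repeated cleartext drops well below that and shows a spectral peak at the header period; these are the kinds of differences a classifier trained on such features can learn.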
The repository does not state a license.
← luoyue789 on gitmyhub — every repo by this author, as a profile.