Timing and burst patterns can leak through encryption, and an adaptive adversary can exploit them. This undermines metadata-only detection in a stand-alone consumer gateway. Therefore, consumer gateways need streaming intrusion detection on encrypted traffic using metadata only, under tight CPU and latency budgets. We present a streaming IDS for stand-alone gateways that instantiates a lightweight two-state unit derived from Network-Optimised Spiking (NOS) dynamics per flow, named \emph{NOS-Gate}. NOS-Gate scores fixed-length windows of metadata features and, under a $K$-of-$M$ persistence rule, triggers a reversible mitigation that temporarily reduces the flow's weight under weighted fair queueing (WFQ). We evaluate NOS-Gate under timing-controlled evasion using an executable \emph{worlds} benchmark that specifies benign device processes, auditable attacker budgets, contention structure, and packet-level WFQ replay to quantify queue impact. All methods are calibrated label-free via burn-in quantile thresholding. Across multiple reproducible worlds and malicious episodes, at an achieved $0.1\%$ false-positive operating point, NOS-Gate attains 0.952 incident recall versus 0.857 for the best baseline in these runs. Under gating, it reduces p99.9 queueing delay and p99.9 collateral delay with a mean scoring cost of $\approx 2.09\,μ\mathrm{s}$ per flow-window on CPU.

翻译：时序与突发模式可能通过加密泄露，自适应攻击者可利用这一特性。这削弱了独立消费者网关中仅基于元数据的检测能力。因此，消费者网关需要在严格的CPU和延迟预算下，仅基于元数据对加密流量进行流式入侵检测。我们提出一种面向独立网关的流式入侵检测系统，为每个流实例化一个基于网络优化脉冲动力学（NOS）的轻量级双态单元，命名为NOS-Gate。该系统对固定长度的元数据特征窗口进行评分，并在K-of-M持久性规则下触发可逆缓解措施，在加权公平队列（WFQ）中临时降低该流的权重。我们使用可执行世界基准（该基准定义了良性设备进程、可审计的攻击者预算、竞争结构以及包级WFQ重放以量化队列影响）在时间控制规避场景下评估NOS-Gate。所有方法均通过熔断分位数阈值进行无标签校准。在多个可复现的世界和恶意事件场景中，在达到0.1%假阳性率工作点时，NOS-Gate实现了0.952的事件召回率，而最佳基线方法在这些运行中仅为0.857。在门控机制下，它降低了p99.9排队延迟和p99.9附带延迟，在CPU上每个流窗口的平均评分成本约为2.09微秒。