Articles published on Attack Scenarios
2569 Search results
- New
- Research Article
- 10.1016/j.dib.2026.112770
- Jun 1, 2026
- Data in brief
- Vipin Das + 1 more
A novel multi-stage attack dataset for smart home intrusion detection.
- New
- Research Article
- 10.1016/j.jisa.2026.104448
- Jun 1, 2026
- Journal of Information Security and Applications
- Federica Uccello + 1 more
With the rise of fifth-generation (5G) networks in critical applications, it is urgent to move from detection of malicious activity to systems capable of providing a reliable verdict suitable for mitigation. In this regard, understanding and interpreting machine learning (ML) models’ security alerts is crucial for enabling actionable incident response orchestration. Explainable Artificial Intelligence (XAI) techniques are expected to enhance trust by providing insights into why alerts are raised. Under the umbrella of XAI, interpretability of outcomes is crucially dependent on understanding the influence of specific inputs, referred to as feature attribution. A dominant approach to feature attribution statistically associates feature sets that can be correlated to a given alert. This paper investigates its merits against the backdrop of criticism from recent literature, in comparison with feature attribution based on logic. We extensively study two methods, SHAP and VoTE-XAI, as representatives of each feature attribution approach by analyzing their interpretations of alerts generated by an XGBoost model across three 5G-relevant datasets (5G-NIDD, MSA, and PFCP) covering multiple attack scenarios. We identify three metrics for assessing explanations: sparsity, how concise they are; stability, how consistent they are across samples from the same attack type; and efficiency, how fast an explanation is generated. Our results reveal that logic-based attributions are consistently more sparse and stable across alerts. More importantly, we found a significant divergence between features selected by SHAP and VoTE-XAI. However, none of the top-ranked features selected by SHAP were missed by VoTE-XAI. Finally, we analyze the efficiency of both methods, discussing their suitability for real-time security monitoring even in high-dimensional 5G environments (478 features).
- New
- Research Article
- 10.1016/j.sasc.2025.200431
- Jun 1, 2026
- Systems and Soft Computing
- K Vinotha + 1 more
Quantum inspired hyperparameter optimization for enhanced deep learning based intrusion detection in wireless sensor networks
- New
- Research Article
- 10.1016/j.dib.2026.112717
- Jun 1, 2026
- Data in brief
- Branly Martínez + 4 more
This data article presents a labelled flow-based network traffic dataset collected from a controlled Internet of Things (IoT) laboratory environment. The dataset captures network communication generated by Raspberry Pi-based IoT nodes configured to emulate service and client roles. Traffic was recorded during normal operations and during the execution of predefined cyberattack scenarios within an isolated experimental network. Network traffic was recorded at the packet level using passive network monitoring and stored in PCAPNG format. The packet captures were subsequently processed into bidirectional network flows, producing flow records with statistical and temporal attributes derived from the observed packet exchanges. Cyberattack-related flows were labelled using the experimental ground-truth markers recorded during each attack campaign, complemented by the fixed attacker node IP address. Flows outside the marked intervals were labelled as benign and corresponded to regular device communication. This combined labelling approach reduces the potential for overlap between benign and attack activities. The dataset covers nine attack scenarios grouped into six attack categories. It is released through a structured repository containing raw packet captures, labelled flow files, and supporting metadata for flow-based IoT traffic analysis, cyberattack detection research, and optional re-labelling.
- Research Article
- 10.1667/rade-25-00214.1
- May 14, 2026
- Radiation research
- Cornelius Hermann + 6 more
Radio nuclear attack scenarios are potential threats that state actors must deal with more than ever in the context of preparedness and response since the Cold War. Radioactive contamination can occur in many scenarios, which means that, in addition to increased skin- and whole-body doses from external radiation exposure, there is also a risk of incorporation and contamination carryover. In many contexts, only theoretical considerations have been made about which substances would be suitable for removing various radioactive compounds. The goal of this work is to systematically investigate the efficacy of various skin decontamination agents in aqueous solutions, e.g., soap, urea peroxide, EDTA, citric acid, and hydrochloric acid. As a model radionuclide we utilized Manganese-56 in two chemical forms: 1. 56MnCl2 and 2. 56MnO2. The contamination was deposited on the surface of ex vivo pig skin during a 15 min contamination protocol. Pre- and post-decontamination measurements were performed by using a lead-shielded gamma spectrometer in a standardized geometry. The counts in 180 s were analyzed after decay and background correction. The decontamination process involved a standardized 30-second spray followed by a single wipe on the pig skin performed by the same decontaminating experimenter. While the tested decontamination agents were approximately equally efficient in removing water-insoluble radioactive contamination (56MnO2), decontamination from water-soluble 56MnCl2 showed a dependency on the decontamination agents. We found that low-concentration aqueous acid solutions (e.g., 3% citric acid) showed a considerably enhanced efficiency compared to a 1% soap solution.
- Research Article
- 10.1038/s41598-026-52397-8
- May 12, 2026
- Scientific reports
- Xueyan Zhang + 5 more
One of the main challenges facing Wireless Sensor Networks (WSN) is how to achieve energy efficiency while ensuring security. To address this issue, this paper proposes a strategy called NeuroSense, which combines deep reinforcement learning (DRL) techniques to achieve an optimal trade-off between energy efficiency and security for WSNs. Specifically, the core idea of NeuroSense is to learn and optimize data transmission paths in real time using DRL models. By intelligently selecting data transmission paths, the proposed NeuroSense strategy improves energy-aware routing decisions and helps reduce uneven energy depletion across nodes, thereby contributing to longer network operation. In addition, NeuroSense incorporates security-related state information into the DRL decision process and adjusts routing and protection decisions under the considered attack scenarios. Experimental results in simulation show that the proposed NeuroSense strategy achieves better performance than five baseline strategies in total energy consumption, communication delay, and resilience-related evaluation outcomes under the tested settings.
- Research Article
- 10.1038/s41598-026-48715-9
- May 11, 2026
- Scientific reports
- Uzma Ghulam Mohammad + 7 more
The swift incorporation of cutting-edge technologies has expanded the range for a potential adversary to conduct adaptive attacks against systems, and despite progress in detection, machine learning based security remains vulnerable, highlighting the need for more robust and reliable defense methods. Existing DDoS detection techniques are not resilient against adaptive adversarial manipulation and instead concentrate on accuracy under benign circumstances. To defend against adversarial attacks, this paper presents a reliable and comprehensible intrusion detection paradigm. To improve detection transparency and reliability, the suggested method utilizes Graph Neural Networks (GNNs), Deep Neural Network (DNN), DeepFool, First Gradient Sign Method (FGSM) and an ensemble-based (DeepFool with FGSM) adversarial training procedure. We introduce a novel adversarial dataset, AdvCICDDoS2019, constructed by injecting four types of adversarial attacks, Adversarial Perturbation (AP), Adversarial Outlier Injection (AOI), Adversarial Noise Injection (ANI), and Adversarial Benign (AB), into the original CICDDoS2019 dataset. During training, adversarial perturbations based on DeepFool and FGSM are combined to improve robustness, while SHAP and LIME are utilized to offer both extensive and instance-level interpretability. The extensive experimental tests show that the proposed framework threefold exceeds current methods by between 4% and 12% in a range of attack scenarios. The model is quite resilient against smartly constructed traffic, with a detection accuracy of up to 97% under hostile settings. The results further demonstrate that the reliability of the model is improved by adding explainable adversarial defense mechanisms, and adding graph-aware learning improves the system's ability to recognize complex traffic connections, leading to more transparent and robust IoT intrusion detection.
- Research Article
- 10.7717/peerj-cs.3875
- May 5, 2026
- PeerJ Computer Science
- Usman Tariq + 1 more
Unmanned Aerial Vehicle (UAV) swarms’ dependence on BeiDou Global Navigation Satellite System (GNSS) signals exposes them to high-risk spoofing attacks that can severely compromise spatial coordination, navigation fidelity, and mission continuity. To address these vulnerabilities, this study proposes a novel, multi-layered detection and mitigation framework tailored for decentralized UAV networks to enable real-time spoofing resilience. The architecture integrates a residual-based anomaly tracker using a Kalman filter, supervised signal classification through ensemble models (XGBoost and Random Forest), and a transformer-based model that leverages temporal UAV telemetry to detect contextual irregularities associated with spoofing activity. A purpose-built simulation platform replicating complex urban threat environments, which includes multipath interference and adversarial UAV-based spoofers, was used to rigorously assess system performance under realistic attack scenarios. Experimental evaluations reveal that the hybrid framework consistently achieves detection accuracies close to 99%, maintains false alarm rates below 2%, and initiates mitigation responses within an average of 3 s. The system preserves swarm coordination and navigational precision by sustaining mission success rates above 97% under active spoofing. These results demonstrate the efficacy of integrating statistical estimation, machine learning inference, and temporal-context modeling for robust GNSS spoofing defense. The proposed solution advances the security of UAV swarms and paves the way for practical deployment by offering efficient, low-latency inference and adaptable control strategies in adversarial operational environments.
- Research Article
- 10.1186/s42400-025-00483-1
- May 4, 2026
- Cybersecurity
- Cong Sun + 4 more
The actuator is the critical component of the unmanned aerial vehicle (UAV). The interference and suppression to the signal of UAV’s actuators are challenging to directly detect or physically mitigate, thus posing a significant threat to UAV flight safety. Under the assumption of sensor integrity, the state-of-the-art physics-based attack detection approaches can identify the actuator attacks at runtime. However, when both sensor and actuator attacks are allowed simultaneously, such physics-based attack detection approaches cannot differentiate between the two physical attacks, thereby failing to locate the specific compromised actuators or maintain the UAV’s resilience to the actuator attack at runtime. This paper presents EADR, an efficient runtime framework for detecting and recovering from UAV actuator attacks. By leveraging the existing signal-characteristic-based sensor attack detection mechanism, EADR prevents potential sensor attacks from impacting the resilience of actuator attacks. In response to typical attack scenarios, we implement actuator attack detection based on the nonlinear dynamic model combined with the cumulative sum (CUSUM) detection algorithm. We further locate the specific compromised actuators, determine the required compensations for the signal of these actuators at runtime, and apply the compensations to the actuators to effectively recover the UAV system state. The experimental results demonstrate that the time to detection (TTD) of EADR’s detector is significantly reduced compared with the state-of-the-art approaches. EADR’s recovery mechanism can reduce the flight positional error by approximately 56.3–77.6%. The average runtime overhead of EADR is less than 2%, ensuring the real-time performance required for real-world UAV flight.
- Research Article
- 10.59256/indjcst.20260502002
- May 3, 2026
- Indian Journal of Computer Science and Technology
- Maheswaran Sanjay + 4 more
The rapid proliferation of sophisticated cyber threats has exposed critical limitations in conventional security architectures that rely on isolated, reactive tools. This paper presents ZeroGuardian-XDR, an intelligent and lightweight Extended Detection and Response (XDR) framework engineered to deliver real-time network threat detection, automated vulnerability assessment, and proactive incident alerting through a unified platform. The proposed system employs a trained autoencoder neural network for behavioral anomaly detection, enabling the identification of zero-day and previously unknown threats without reliance on static signature databases. ZeroGuardian-XDR integrates nine live global threat intelligence feeds including AlienVault OTX, Abuse.ch, Feodo Tracker, URLhaus, Blocklist.de, ThreatFox, NVD CVEs, MITRE ATT&CK, and EmergingThreats, collectively maintaining over 22,000 dynamic threat indicators automatically refreshed every six hours. The system maps all detections to the MITRE ATT&CK framework with 87% technique coverage across 8 tactical phases and 691 monitored techniques. A professional SOC-style web dashboard, multi-channel alert delivery via Telegram and email, automated PDF report generation, and an Nmap-powered CVE vulnerability scanner complete the integrated architecture. Experimental evaluation using five simulated zero-day attack scenarios demonstrated 100% detection accuracy with minimal false positive rates. The framework is deployed on Ubuntu Server 24.04 and made publicly available through open-source distribution with Windows and Linux installer packages. ZeroGuardian-XDR represents a scalable, cost-effective, and academically reproducible cybersecurity solution for modern network protection.
- Research Article
- 10.1109/tpwrs.2025.3648770
- May 1, 2026
- IEEE Transactions on Power Systems
- Mostafa Ansari + 2 more
Wind power plants (WPPs) rely significantly on extensive communication networks and data exchange for their operation and control. Thus, various cybersecurity issues can be created by their rapid integration into modern power grids. On this basis, this paper introduces novel denial-of-service (DoS), false data injection (FDI), and hybrid cyberattack models targeting rotor speed sensors of doubly-fed induction generator (DFIG)-based WPPs. The attacks are designed so that they excite lightly-damped oscillatory modes of the connected power grid while originating from a set of sensors in the WPP's turbines. Then, to counter the developed attacks, a graph deviation network (GDN) integrated with a physics-informed neural network (PINN) is developed for real-time cyberattack detection in a realistic noisy environment while maintaining compatibility with IEC-61400-25. Finally, a well-tailored robust H∞-based controller is designed to mitigate the impact of the sophisticated attacks and stabilize the power grid. The impact of the cyberattacks and the effectiveness of the proposed detection and mitigation framework are demonstrated on a modified New England 39-bus system, including practical deployment considerations and robustness under extended attack scenarios.
- Research Article
- 10.1016/j.jfranklin.2026.108608
- May 1, 2026
- Journal of the Franklin Institute
- Lidong He + 4 more
A state estimation algorithm based on stochastic linearization theory and Gaussian mixture model for nonlinear deception attack scenarios
- Research Article
- 10.47760/ijcsmc.2026.v15i04.003
- Apr 30, 2026
- International Journal of Computer Science and Mobile Computing
- M Thenmozhi + 1 more
Vehicular Ad Hoc Networks (VANETs) are an essential part of Intelligent Transportation Systems as they provide real-time interaction between vehicles and roadside infrastructure but face significant problems like privacy leakage, sluggishness, and dynamic network structure. Current solutions are mostly centralized, and thus, there is a high probability of sensitive data being exposed, or reactive, and therefore, do not have the ability to make proactive and predictive decisions. In the quest to address these shortcomings, the present paper proposes a new framework, referred to as Federated Digital Twin Edge Intelligence with Graph Neural Networks (Fed-DT-EdgeGNN), a combination of Digital Twin-based simulation to model realistic traffic and attack scenarios, spatio-temporal Graph Neural Networks to model intricate vehicular interactions, and Federated Learning between K = 10 RSUs to allow In order to have a strong privacy protection, Differential Privacy-based Stochastic Gradient Descent (DP-SGD) is used with the following parameters: ε = 1.0, δ = 10^-5, clipping norm C = 1.0, and noise multiplier σ = 0.5, and there will be no sensitive information leakage during model updates. The framework is tested with T = 50 rounds of communication and 5 local training steps with a learning rate of 2 × 10^-5 and attains an accuracy of 95.2%, precision of 94.6%, recall of 95.8%, and F1-score of 95.1%, and has good performance when the traffic is non-IID. The given solution provides a scalable, secure, and predictive solution for future-generation vehicular communication systems, which makes it possible to manage traffic effectively and to trust the smart transportation environment.
- Research Article
- 10.22214/ijraset.2026.79986
- Apr 30, 2026
- International Journal for Research in Applied Science and Engineering Technology
- Gowtham V
The proliferation of Wireless Sensor Networks (WSNs) in mission-critical applications has made them primary targets for sophisticated routing layer threats, specifically multi-point wormhole attacks that compromise data integrity through artificial low-latency tunnels. This project proposes an Autonomous Self-Rerouting for Multi-Wormhole Mitigation in Wireless Sensor Networks using XGBoost Ensemble Learning to transition network security from passive detection to active, autonomous resilience. Initially, the framework ingests real-time telemetry data, including Round Trip Time (RTT) and Hop-Count Symmetry, which is refined using an Adaptive Feature-Aware Noise Suppression (AFNS) Logic to eliminate environmental jitter and synchronization artifacts. The refined data is then processed by an XGBoost-based Ensemble Classifier, which performs high-dimensional feature extraction to isolate the subtle signatures of colluding malicious nodes. To minimize false positives caused by natural network congestion, a Symptom-Aware Trust Engine (DTE) is integrated to evaluate node reliability over multiple transmission cycles. Once a threat is validated, an Autonomous Mitigation Layer is triggered to logically prune malicious edges from the network topology. The system then utilizes a Cost-Aware Dijkstra’s Algorithm to recalculate secure alternative paths in real-time, ensuring zero-downtime communication. Experimental results demonstrate that the proposed integrated approach maintains a Packet Delivery Ratio (PDR) above 95% even during intense attack scenarios. Ultimately, this framework provides a robust, self-healing solution that significantly improves the reliability and longevity of secure WSN infrastructures.
- Research Article
- 10.55041/ijcope.v2i4.589
- Apr 26, 2026
- International Journal of Creative and Open Research in Engineering and Management
- Vignesh R Vignesh R + 3 more
With the rapid expansion of digital infrastructure, network security has become a critical challenge. Traditional intrusion detection systems (IDS) often struggle with high false-positive rates and poor adaptability to new attack patterns. To address these issues, this paper proposes an enhanced AI-based Network Intrusion Detection System (NIDS) using Generative Adversarial Networks (GANs). GANs, consisting of a generator and a discriminator, enable the system to detect anomalies more effectively by learning complex attack patterns from network traffic data. The generator produces synthetic attack scenarios, improving the model’s ability to recognize both known and novel threats, while the discriminator distinguishes between legitimate and malicious traffic. Unlike conventional machine learning-based IDS, which rely on static datasets, the proposed system continuously evolves, improving its detection accuracy over time.
- Research Article
- 10.46647/rdems0204025
- Apr 24, 2026
- Research Digest on Engineering Management and Social Innovations
- Mrs N Samatha + 3 more
Modern enterprise networks face an ever-expanding threat landscape characterized by zero-day exploits, polymorphic malware, distributed denial-of-service campaigns, and sophisticated insider threats that consistently evade signature-based detection systems. Traditional Intrusion Detection Systems (IDS), despite decades of refinement, suffer from high false-positive rates, inability to detect novel attacks, and an absence of contextual explanation that forces security analysts to manually interpret raw machine-generated data. This paper presents the design, implementation, and experimental evaluation of a Network Traffic Anomaly Detection Security Operations Center (SOC) Dashboard that addresses these limitations through the integration of hybrid unsupervised machine learning and generative artificial intelligence. The system deploys a weighted ensemble of Isolation Forest and Local Outlier Factor (LOF) to compute continuous anomaly scores across 60,000 synthetic network flow records, classifying detected anomalies into four severity tiers: LOW, MEDIUM, HIGH, and CRITICAL. A deterministic rule engine operates in parallel, applying domain-specific security rules to escalate alert severity for high-confidence attack signatures including port scanning, distributed denial-of-service patterns, and command-and-control port usage. The central innovation of this work is the integration of the LLaMA 3.1 8B Instant large language model via the Groq API to generate automated, human-readable, MITRE ATT&CK-mapped triage reports for each detected alert, eliminating the need for manual expert interpretation and substantially reducing mean time to respond. The Streamlit-based interactive dashboard presents results across three analytical modules: Incident Detail and Explainability, Network Graph Visualization, and AI-Powered Triage. Experimental results demonstrate successful detection of all injected attack scenarios, generation of 4,800 severity-classified alerts from 60,000 traffic events, and LLM response latency averaging approximately two seconds per query. This work demonstrates that combining unsupervised behavioral detection with generative AI explanation bridges the semantic gap between machine output and analyst understanding, enabling faster, more accessible, and more effective cybersecurity operations.
- Research Article
- 10.62643/ijerst.2026.v22.n2(2).2916
- Apr 23, 2026
- International Journal of Engineering Research and Science & Technology
- K Chiranjeevi + 3 more
Vehicular Ad Hoc Networks (VANET) play a critical role in intelligent transportation systems by enabling real-time communication among vehicles and infrastructure. However, due to their highly dynamic topology, decentralized architecture, and high node mobility, VANET environments are vulnerable to multiple security threats such as Distributed Denial of Service (DDoS), Sybil, and Blackhole attacks. Existing traditional systems primarily rely on individual machine learning models for attack detection, which often struggle to handle multivariate attack scenarios and fail to adapt effectively to rapidly changing network conditions. These approaches suffer from limitations such as high false alarm rates, poor generalization, and reduced detection accuracy under varying traffic patterns. To address these challenges, there is a strong need for a robust and adaptive detection framework that can accurately identify multiple attack types while maintaining consistency across dynamic environments. The proposed system introduces a hybrid stacking-based model and also baseline classifiers like Gaussian Naïve Bayes (GNB), Support Vector Machine (SVM) and K-Nearest Neighbors (KNN). The model leverages a Stacked Tree Alternating Optimization (TAO) Tree along with EDA-driven feature optimization to enhance detection performance. A meta-learning layer combines the outputs of base models to improve overall prediction stability and reduce misclassification. The system is further implemented as a Flask-based web application to enable real-time attack detection, monitoring, and visualization through an interactive interface. The proposed approach demonstrates improved precision, reduced false alarms, and strong adaptability across diverse VANET traffic conditions. This work highlights the significance of hybrid stacking techniques in strengthening VANET security and provides a scalable solution for secure and efficient intelligent transportation systems.
- Research Article
- 10.1002/ett.70424
- Apr 22, 2026
- Transactions on Emerging Telecommunications Technologies
- Khalid A Alattas + 7 more
The quick growth of the Internet of Vehicles (IoV) needs secure, low-latency, and trusted communication frameworks. Existing Intrusion Detection Systems (IDS) are struggling to provide effective threat detection in changing vehicular networks. This creates a critical need for adaptive detection mechanisms that can perform efficiently at the network edge. According to this background, we propose a Zero-Tuned Peripheral Stacked Ensemble (ZTPSE) for efficient attack detection and mitigation in practical VANET environments. In this framework, lightweight base learners run on edge nodes to detect attacks locally. A central meta-learner then combines these local outputs using stacking without manual tuning. This design allows fast and efficient detection under different traffic densities and attack scenarios. By combining distributed detection with ensemble learning, ZTPSE detects multiple attack types and allows the system to take a rapid response action. Simulation results indicate that the proposed ZTPSE framework achieves high detection accuracy of 95.70% in varying traffic densities and maintains a low false-positive rate (FPR) of 0.05%.
- Research Article
- 10.1145/3777458
- Apr 21, 2026
- ACM Transactions on Cyber-Physical Systems
- Anik Roy + 4 more
Vehicle platooning has emerged as a prominent Intelligent Transportation Systems (ITS) application due to its promise toward enabling high-speed movement of Connected Autonomous Vehicle (CAV) fleets in a close formation. This close formation is usually associated with stringent constraints such as short and strictly bounded safety gaps between consecutive platoon vehicles. In order to meet these stringent specifications, CAV fleets critically depend on the underlying platoon communication protocols, which are vulnerable to various types of attacks that may be launched by an attacker. For instance, a common attack, namely the False Data Injection (FDI) attack, can potentially disrupt and destabilize a platoon’s close formation by causing collisions among platoon vehicles, or causing potential traffic disruption due to platoon slowdown, thus making the platoon unsafe. One mechanism for mitigating an FDI attack can be the placement of uniformly separated Road-Side Units (RSUs) along the path of a vehicle platoon. The RSUs can act as the root of trust to detect and mitigate attack attempts. However, frequent RSU placements over a path can lead to prohibitive deployment costs. In this work, we first formulate a constraint optimization problem which aims to minimize RSU deployments along a path (by maximizing the inter-RSU distance), while ensuring that the safety of a platoon under a given FDI attack scenario is guaranteed. Our methodology outputs an RSU placement solution such that the worst-case attack (which spans the entire inter-RSU blind spot) is unable to violate the safety guarantee of the platoon. A platoon’s robustness, in the presence of state-of-the-art attack detectors and trusted RSUs, is defined by its resilience against possible stealthy FDI attacks in the inter-RSU blind spots. We leverage this concept and propose a novel SMT-based hierarchical solution strategy. Our method iteratively hypothesizes an inter-RSU distance and formally checks the safety of the resulting platooning solution against possible attack scenarios. The process terminates when the RSU deployment spacings can no longer be relaxed without violating safety constraints. We motivate this work through simulations in PLEXE. Our experimental results demonstrate that the method is able to minimize RSU deployments while preserving safety, under diverse real-world highway platooning scenarios.
- Research Article
- 10.3390/app16084000
- Apr 20, 2026
- Applied Sciences
- Deniz Berfin Tastan + 1 more
The increasing digitalization of energy transmission and distribution infrastructures has made industrial control systems (ICS), and especially IEC 61850-based communication structures, critical. IEC 61850 performs protection and control functions in substations in real time via GOOSE and MMS protocols. The fast and low-latency operation of these protocols is essential; however, their open structure leaves systems vulnerable to cyberattacks. Traditional signature-based solutions are insufficient for detecting such anomalies, and models capable of learning both time and state relationships are needed. This study develops a time-aware probabilistic NFA model to detect anomalous behavior in IEC 61850 traffic. The model analyzes GOOSE and MMS message sequences with both state transitions and time differences (Δt). Thus, not only the message sequence but also the timing variations between events are learned. The probability of each transition is dynamically updated, and deviations from normal behavior are marked as “anomalies”. The dataset used in this study was created based on normal and attack scenarios conducted in the Sakarya University Critical Infrastructure National Testbed Center Energy Laboratory (Center Energy). The experimental results obtained in the study show that the model detects time-based, structural, and behavioral anomalies with high accuracy. With a dual-model configuration, results of 91.7% accuracy, 88.9% precision, 100% recall, and a 94.1% F1-score were achieved; particularly in time-based attack scenarios, the model performance reached an accuracy level of up to 93%.