Search Results (1,619)

Search Parameters:
Keywords = IoT attacks

18 pages, 3380 KB  
Article
Reliable and Modeling-Attack-Resistant Feed-Forward Crossbar Matrix Arbiter PUF for Anti-Counterfeiting Authentication
by Xiang Yan, Cheng Zhang, Henghu Wu and Yin Zhang
Electronics 2026, 15(7), 1375; https://doi.org/10.3390/electronics15071375 - 26 Mar 2026
Abstract
Physical Unclonable Functions (PUFs) represent a highly promising hardware security primitive, yet they face constraints of insufficient reliability and threats from modeling attacks. This paper designs a novel Feed-Forward Crossbar Matrix Arbiter PUF (FC-MA PUF). It incorporates an inter-stage crossbar structure, a feed-forward control system, and a mechanism for selecting reliable challenge-response pairs. These features significantly enhance the structural non-linearity and stability, substantially improving security and adaptability to a wider range of operating environments. It provides a high-strength authentication solution with low resource overhead for lightweight security-demanding devices such as IoT devices. The proposed FC-MA PUF has been successfully implemented on a Field-Programmable Gate Array (FPGA) platform. Experimental results for the selected 4-stage FC-MA PUF configuration show a bias, inter-chip uniqueness, and bit error rate (BER) of 49.88%, 49.68%, and 0.018%, respectively. Furthermore, the structure allows for flexible configuration of the number of feed-forward modules based on practical application requirements: a greater number of feed-forward modules enhances security but also leads to an increased BER and a decreased proportion of stable challenge-response pairs. Experimental results based on a training set of 1,000,000 challenge-response pairs demonstrate that: with two feed-forward units, the stable Challenge Response Pair (CRP) ratio is 39.72% and the Covariance Matrix Adaptation Evolutionary Strategies (CMA-ES) attack prediction success rate is 58.20%; with three units, the ratio decreases to 29.12% and the prediction rate drops to 54.91%; with four units, these values further decline to 20.18% and 52.33% respectively. These results confirm that the proposed FC-MA PUF effectively resists multiple modeling attacks, including Logistic Regression (LR), Support Vector Machine (SVM), and CMA-ES. Full article

18 pages, 1430 KB  
Article
Multi-Layer Traffic Analysis Framework for DDoS Attacks in Software-Defined IoT Networks
by Keerthana Balaji and Mamatha Balachandra
Future Internet 2026, 18(3), 164; https://doi.org/10.3390/fi18030164 - 19 Mar 2026
Viewed by 113
Abstract
The data plane and the control plane are targets for Distributed Denial of Service (DDoS) attacks in the Software-Defined Internet of Things (SDIoT). Currently available studies rely on observations from a single network layer which limits the cross-layer attack analysis. This paper presents a synchronized, phase-aware, and a multi-layer traffic collection framework mimicking SDIoT environments under diverse DDoS attack scenarios. The data collected are the metrics captured at host, switch, and controller layers during normal, attack, and post-attack phases with strict temporal alignment. For capturing diverse DDoS attack behaviors in SDIoT environments, representative data plane attacks including volumetric flooding and switch-level flow table saturation were used. Control plane level attack targeting the SDN controller was implemented. The evaluation was done using a Mininet-based SDIoT testbed with a POX controller. Each scenario is executed across five independent runs with statistical validation. The proposed framework enables reproducible and time-aligned multi-layer analysis through standardized orchestration and automated logging. Results indicate that SDIoT DDoS behavior demonstrates differently across traffic, state, and resource-level metrics, and that accurate characterization benefits from temporally aligned multi-layer monitoring rather than relying solely on packet rate analysis. Full article
(This article belongs to the Special Issue Cybersecurity, Privacy, and Trust in Intelligent Networked Systems)

30 pages, 2650 KB  
Article
Fed-DTCN: A Federated Disentangled Learning Framework for Unsupervised Zero-Day Anomaly Detection in IoT with Semantic-Aware Augmentation
by Muhammad Ali Khan, Osman Khalid and Rao Naveed Bin Rais
Sensors 2026, 26(6), 1918; https://doi.org/10.3390/s26061918 - 18 Mar 2026
Viewed by 174
Abstract
The proliferation of Internet of Things (IoT) devices continues to expand the network attack surface while introducing stringent privacy requirements that challenge effective intrusion detection. Federated learning enables collaborative model training without centralizing raw network telemetry. However, existing federated intrusion detection approaches often degrade under statistical heterogeneity and remain vulnerable to zero-day attacks when they rely on labeled data or reconstruction-based objectives. This work proposes Fed-DTCN (Federated Dual Temporal Contrastive Network), an unsupervised federated framework for zero-day anomaly detection in IoT environments. Fed-DTCN learns robust representations of benign IoT traffic using contrastive learning with semantic-preserving augmentations. A dual-encoder architecture disentangles globally shared features from client-specific patterns, improving generalization under heterogeneous federated deployments. Personalization and privacy are preserved by selectively aggregating only the shared encoder parameters. The framework employs a compact temporal convolutional backbone together with a soft-weighted contrastive objective to constrain benign representations, thereby enabling reliable detection of out-of-distribution threats. Extensive experiments on the TON_IoT and CSE-CIC-IDS2018 benchmarks show that Fed-DTCN matches or surpasses a state-of-the-art supervised baseline on standard attacks, achieving an F1-score of 99.99% on TON_IoT. In a zero-day evaluation where the Botnet class is withheld during training, Fed-DTCN attains an F1-score of 96%, compared to 0.52% for the supervised baseline. Ablation studies validate the effectiveness of the proposed augmentations, while evaluations under heterogeneous client partitions demonstrate reduced inter-client variance and consistent per-client improvements, indicating suitability for realistic IoT deployments. Full article
(This article belongs to the Section Internet of Things)

41 pages, 1130 KB  
Article
A Weighted Average-Based Heterogeneous Datasets Integration Framework for Intrusion Detection Using a Hybrid Transformer–MLP Model
by Hesham Kamal and Maggie Mashaly
Technologies 2026, 14(3), 180; https://doi.org/10.3390/technologies14030180 - 16 Mar 2026
Viewed by 259
Abstract
In today’s digital era, cyberattacks pose a critical threat to networks of all scales, from local systems to global infrastructures. Intrusion detection systems (IDSs) are essential for identifying and mitigating such threats. However, existing machine learning-based IDS often suffer from low detection accuracy, heavy reliance on manual feature extraction, and limited coverage of attack categories. To address these limitations, we propose a modular, deployment-ready intrusion detection framework that integrates multiple heterogeneous datasets through a hybrid transformer–multilayer perceptron (Transformer–MLP) architecture. The system employs three parallel Transformer–MLP models, each specialized for a distinct dataset, whose probabilistic outputs are fused using a weighted decision-level strategy. Unlike traditional feature-level fusion, this strategy ensures module independence, eliminates the need for global retraining when adding new components, and provides seamless modular scalability. The framework accurately identifies twenty-one traffic categories, including one benign and twenty attack classes, derived from a unified mapping across multiple heterogeneous sources to ensure a consistent cross-dataset taxonomy. By combining advanced contextual representation learning with ensemble-based probabilistic fusion, the framework demonstrates high detection accuracy and practical applicability in real-world network environments. The Transformer module captures complex contextual dependencies, while the MLP performs final classification. Class imbalance is mitigated via adaptive synthetic sampling (ADASYN), synthetic minority over-sampling technique (SMOTE), edited nearest neighbor (ENN), and class weight adjustments. 
Empirical evaluation demonstrates the framework’s high effectiveness: for binary classification, it achieves 99.98% on CICIDS2017, 99.19% on NSL-KDD, and 99.98% on NF-BoT-IoT-v2; for two-stage multi-class classification, 99.56%, 99.55%, and 97.75%; and for one-phase multi-class classification, 99.73%, 99.07%, and 98.23%, respectively. Moreover, the framework enables real-time deployment with 4.8–6.9 ms latency, 9800–14,200 fps throughput, and 412–458 MB memory. These results outperform existing multi-dataset IDS approaches, highlighting the architectural effectiveness, robustness, and practical applicability of the proposed framework. Full article

14 pages, 3237 KB  
Article
SAF-PUF: A Strong PUF with Zero-BER, ML-Resilience and Dynamic Key Concealment Enabled by RRAM Stuck-at-Faults
by Qianwu Zhang, Bingyang Zheng, Lin-Sheng Wu and Xin Zhao
Appl. Sci. 2026, 16(6), 2817; https://doi.org/10.3390/app16062817 - 15 Mar 2026
Viewed by 152
Abstract
Targeting resource-constrained Internet of Things (IoT) devices, this paper proposes Stuck-at-Fault Physical Unclonable Function (SAF-PUF), a lightweight Resistive Random-Access Memory (RRAM)-based PUF that exploits the intrinsic addresses of manufacturing-induced SAF defects as a stable entropy source. By using the coordinates of Stuck-at-1 (SA1) cells to seed a 32-bit Linear Feedback Shift Register (LFSR), SAF-PUF generates robust, variable-length responses with zero Bit Error Rate (BER) across a wide temperature range from −40 °C to 125 °C, without any error-correction circuitry. Experimental results based on 100,000 Challenge–Response Pairs (CRPs) demonstrate strong resilience against machine learning (ML) attacks, with prediction accuracies of logistic regression (LR), support vector machines (SVM), neural networks (NN) and convolutional neural networks (CNNs) remaining close to 50%. Moreover, a “use-then-conceal” mechanism is introduced to enhance post-authentication security, enabling response obfuscation with minimal cell reconfiguration. These features make SAF-PUF a high-security, low-overhead hardware root of trust suitable for IoT applications. Full article
(This article belongs to the Section Electrical, Electronics and Communications Engineering)

20 pages, 9746 KB  
Article
SGX-Based Efficient Three-Factor Authentication Scheme with Online Registration for Industrial Internet of Things
by Zhenbin Guo, Yang Liu, Wenchen He, Xiaoxu Hu, Hua Zhang and Tengfei Tu
Electronics 2026, 15(6), 1180; https://doi.org/10.3390/electronics15061180 - 12 Mar 2026
Viewed by 204
Abstract
The Industrial Internet of Things (IIoT) enhances industrial efficiency but also introduces substantial security challenges. Authentication is a key building block for securing IIoT networks. However, many recent IoT authentication schemes rely on offline registration and transmit temporary identity credentials in plaintext during registration, which exposes them to privileged-user attacks and limits their practicality in complex deployment scenarios. To address these issues, this paper presents an efficient three-factor authentication scheme with secure online registration for IIoT. The proposed scheme leverages Intel Software Guard Extensions (SGX) to protect the registration master key and support online registration. In addition, a dynamic credential update mechanism is introduced to mitigate privileged-user attacks. The security of the scheme is validated through ProVerif-based formal verification and informal security analysis, while its performance is evaluated through comparative analysis and NS-3 simulations. The results demonstrate that the proposed scheme provides enhanced security with low overhead, making it suitable for IIoT environments. Full article

29 pages, 3850 KB  
Article
A Procedure for Vulnerability Analysis and Countermeasures in IoT Systems Based on Their Components Characteristics
by Ponciano Jorge Escamilla-Ambrosio, Brandon Iván Méndez-Barrera, Alberto Jorge Rosales-Silva, Gina Gallegos-García and Gilberto Lorenzo Martínez-Luna
Mach. Learn. Knowl. Extr. 2026, 8(3), 70; https://doi.org/10.3390/make8030070 - 11 Mar 2026
Viewed by 348
Abstract
The increasing complexity and heterogeneity of Internet of Things (IoT) systems pose significant challenges for systematic security and vulnerability assessment. From a knowledge-centric perspective, IoT security analysis requires transforming heterogeneous asset information into structured and interpretable security knowledge. In this paper, we propose a structured methodology for vulnerability analysis that models the attack surface of an IoT system by explicitly linking asset characteristics to known vulnerabilities, security controls, and countermeasures. The approach starts with a visual representation of the system architecture, where hardware, software, and communication components are identified and described through their technical characteristics. These characteristics are automatically mapped to relevant vulnerabilities, security controls, and countermeasures using a dedicated software tool called AVCA (Asset Vulnerabilities and Countermeasures Analyzer). The tool generates graph-based analytical representations that model vulnerabilities–countermeasures relationships in compliance with the Cloud Security Alliance (CSA) IoT Security Framework. From these graphs, attack–countermeasure trees are derived to provide a clear and interpretable representation of potential threats and mitigation strategies. The proposed methodology was evaluated through a case study involving a representative IoT system and an exploratory applicability experiment with participants with different levels of experience in IoT and cybersecurity. The results suggest that the approach is feasible and practically applicable for supporting security analysts in the systematic assessment of IoT attack surfaces, vulnerability identification, and selection of appropriate countermeasures under the evaluated conditions. This work highlights the role of structured and interpretable knowledge extraction as a foundation for knowledge-centric and interpretable IoT security analysis. Full article
(This article belongs to the Section Data)

32 pages, 3089 KB  
Article
Systematic Evaluation of Machine Learning and Deep Learning Models for IoT Malware Detection Across Ransomware, Rootkit, Spyware, Trojan, Botnet, Worm, Virus, and Keylogger
by Mazdak Maghanaki, Soraya Keramati, F. Frank Chen and Mohammad Shahin
Sensors 2026, 26(6), 1750; https://doi.org/10.3390/s26061750 - 10 Mar 2026
Viewed by 413
Abstract
The rapid growth of Internet-of-Things (IoT) deployments has substantially expanded the attack surface of modern cyber–physical systems, making accurate and computationally feasible malware detection essential for enterprise and industrial environments. This study presents a large-scale, systematic comparison of 27 machine learning (ML) and 18 deep learning (DL) models for IoT malware detection across eight major malware categories: Trojan, Botnet, Ransomware, Rootkit, Worm, Spyware, Keylogger, and Virus. A realistic dataset was constructed using 50,000 executable samples collected from the Any.Run platform, including 8000 malware instances (1000 per class) and 42,000 benign samples. Each sample was executed in a sandbox to extract detailed static and behavioral telemetry. A targeted feature-selection pipeline reduced the feature space to 47 diagnostic features spanning static properties, behavioral indicators, process/file/registry activity, debug signals, and network telemetry, yielding a compact representation suitable for malware detection in IoT settings. Experimental results demonstrate that ensemble tree-based ML models consistently dominate performance on the engineered tabular feature set as 7 of the top 10 models are ML, with CatBoost and LightGBM achieving near-ceiling accuracy and low false-positive rates. Per-malware analysis further shows that optimal model choice depends on malware behavior. CatBoost is best for Trojan/Spyware, LightGBM for Botnet, XGBoost for Worm, Extra Trees for Rootkit, and Random Forest for Keylogger, while DL models are competitive only for specific categories, with TabNet performing best for Ransomware and FT-Transformer for Virus. In addition, an end-to-end computational time analysis across all 45 models reveals a clear efficiency advantage for boosted tree ensembles relative to most DL architectures, supporting deployment feasibility on commodity CPU hardware. 
Overall, the study provides actionable guidance for designing adaptive IoT malware detection frameworks, recommending gradient-boosted ensemble ML models as the primary deployment choice, with selective DL models only when category-specific gains justify additional computational cost. Full article
(This article belongs to the Special Issue Intelligent Sensors for Security and Attack Detection)

39 pages, 1767 KB  
Systematic Review
Advanced Hardware Security on Embedded Processors: A 2026 Systematic Review
by Ali Kia, Aaron W. Storey and Masudul Imtiaz
Electronics 2026, 15(5), 1135; https://doi.org/10.3390/electronics15051135 - 9 Mar 2026
Viewed by 667
Abstract
The proliferation of Internet of Things (IoT) devices and embedded processors has recently spurred rapid advances in hardware-level security. This paper systematically reviews developments in securing microcontroller units (MCUs) and constrained embedded platforms from 2020 to 2026, a period marked by the finalization of NIST’s post-quantum cryptography standards and accelerated commercial deployment of hardware security primitives. Through analysis of the peer-reviewed literature, industry implementations, and standardization efforts, we survey five critical areas: post-quantum cryptography (PQC) implementations on resource-constrained hardware, physically unclonable functions (PUFs) for device authentication, hardware Roots of Trust and secure boot mechanisms, side-channel attack mitigations, and Trusted Execution Environments (TEEs) for microcontroller-class devices. For each domain, we analyze technical mechanisms, deployment constraints (power, memory, cost), security guarantees, and commercial maturity. Our review distinguishes itself through its integration perspective, examining how these primitives must be composed to secure real-world embedded systems, and its emphasis on post-standardization PQC developments. We highlight critical gaps including PQC memory overhead challenges, ML-resistant PUF designs, and TEE developer friction, while documenting commercial progress such as PSA Level 3 certified components and 500+ million PUF-enabled devices deployed. This synthesis provides practitioners with practical guidance for securing the next generation of IoT and embedded systems. Full article

26 pages, 894 KB  
Article
Differential and Linear Cryptanalysis of the IoT-Friendly MGFN Block Cipher
by Namil Kim, Wonwoo Song, Seungjun Baek, Yongjin Jeon, Giyoon Kim, Changhoon Lee and Jongsung Kim
Electronics 2026, 15(5), 1126; https://doi.org/10.3390/electronics15051126 - 9 Mar 2026
Viewed by 180
Abstract
Developed in 2023, the Modified Generalized Feistel Network (MGFN) is a block cipher that complies with Malaysia’s national cryptographic and cybersecurity policies. MGFN is a 64-bit block cipher with a 128-bit master key, specifically designed to deliver lightweight cybersecurity in resource-constrained Internet of Things (IoT) environments. In this paper, we analyze the security of the full-round MGFN against differential and linear cryptanalysis. We present concrete key recovery strategies for both attacks by employing multiple peeling-off steps. As a result, for the first time, we demonstrate a practical differential cryptanalysis of the full-round MGFN within a realistic time bound. In addition, we propose a practical linear cryptanalysis of the round-reduced MGFN. Our results provide the first practical security assessment of MGFN and offer concrete insights into its resistance against differential and linear cryptanalysis, thereby supporting the design and evaluation of lightweight block ciphers for IoT environments. Full article

27 pages, 656 KB  
Article
Towards a Protocol-Aware Intrusion Detection System for LoRaWAN Networks
by Zsolt Bringye, Rita Fleiner and Eszter Kail
Future Internet 2026, 18(3), 140; https://doi.org/10.3390/fi18030140 - 9 Mar 2026
Viewed by 314
Abstract
The increasing reliance of Internet of Things (IoT) applications on low-power wide-area network technologies, particularly Long Range Wide Area Network (LoRaWAN), has amplified the need for security monitoring approaches that go beyond attack-specific signatures and generic traffic anomalies. Existing solutions are often tailored to individual threat scenarios or rely on statistical indicators, which limits their ability to systematically capture protocol-level misuse in an interpretable manner. This paper addresses this gap by proposing a protocol-aware validation methodology based on a Digital Twin abstraction of LoRaWAN communication behavior. The Over-The-Air Activation (OTAA) procedure is modeled as a finite-state machine that encodes expected message sequences, timing constraints, and specification-driven state transitions. Observed network events are continuously evaluated against this formal state model, enabling the identification of protocol-level deviations indicative of anomalous or non-conformant behavior. Illustrative examples include replay behavior, timing inconsistencies, and integrity-related anomalies, although the framework is not limited to predefined attack categories. The results demonstrate that state machine-based Digital Twin provides a structured and extensible foundation for protocol-aware security validation and Security Operation Center (SOC)-oriented telemetry enrichment. In this sense, the presented approach represents a concrete step toward protocol-aware intrusion detection for LoRaWAN networks by establishing a state-synchronized semantic validation layer upon which higher-level detection mechanisms can be built. Full article
(This article belongs to the Special Issue Anomaly and Intrusion Detection in Networks)

22 pages, 3598 KB  
Article
Fractional Tchebichef-ResNet-SE: A Hybrid Deep Learning Framework Integrating Fractional Tchebichef Moments with Attention Mechanisms for Enhanced IoT Intrusion Detection
by Islam S. Fathi, Ahmed R. El-Saeed, Mohammed Tawfik and Gaber Hassan
Fractal Fract. 2026, 10(3), 172; https://doi.org/10.3390/fractalfract10030172 - 5 Mar 2026
Viewed by 213
Abstract
The Internet of Things (IoT) faces critical security challenges stemming from resource-constrained devices and inadequate intrusion detection capabilities. Traditional machine learning approaches struggle with high-dimensional network traffic data due to the curse of dimensionality, severe class imbalance between benign and malicious traffic, and dependence on manual feature engineering that fails to capture complex non-linear attack patterns. Although deep neural networks offer automatic feature extraction, they suffer from two fundamental limitations: the degradation problem, where increasing network depth paradoxically raises training error rather than improving performance, and uniform channel weighting, which prevents the network from adaptively emphasizing attack-relevant features while suppressing irrelevant noise. This research proposes a novel hybrid framework integrating Fractional Tchebichef moment-based feature preprocessing with deep Residual Networks enhanced by Squeeze-and-Excitation (ResNet-SE) attention mechanisms. Fractional Tchebichef moments provide compact, noise-resistant representations by operating directly in the discrete domain, eliminating discretization errors inherent in continuous moment approaches. Network traffic features are transformed into 232 × 232 moment-based matrices capturing discriminative patterns across multiple scales. Comprehensive evaluation on Bot-IoT and Leopard Mobile IoT datasets demonstrates superior performance, achieving 99.78% accuracy and a 99.37% F1-score, substantially outperforming K-Nearest Neighbors (84.7%), Support Vector Machines (87.5%), and baseline CNNs (99.3%). Ablation studies confirm synergistic contributions, with residual connections contributing 0.18% and SE attention adding 0.14% improvements. Cross-dataset evaluation achieves 96.34% and 97.12% accuracy on UNSW-NB15 and IoT-Bot datasets without retraining, while the framework processes 127.9 samples per second across diverse attack taxonomies. 
(This article belongs to the Section Optimization, Big Data, and AI/ML)

27 pages, 2849 KB  
Systematic Review
Intrusion Detection in Fog Computing: A Systematic Review of Security Advances and Challenges
by Nyashadzashe Tamuka, Topside Ehleketani Mathonsi, Thomas Otieno Olwal, Solly Maswikaneng, Tonderai Muchenje and Tshimangadzo Mavin Tshilongamulenzhe
Computers 2026, 15(3), 169; https://doi.org/10.3390/computers15030169 - 5 Mar 2026
Viewed by 414
Abstract
Fog computing extends cloud services to the network edge to support low-latency IoT applications. However, since fog environments are distributed and resource-constrained, intrusion detection systems must be adapted to defend against cyberattacks while keeping computation and communication overhead minimal. This systematic review presents research on intrusion detection systems (IDSs) for fog computing and synthesizes advances and research gaps. The study was guided by the “Preferred Reporting Items for Systematic Reviews and Meta-Analyses” (PRISMA) framework. Scopus and Web of Science were searched in the title field using TITLE/TI = (“intrusion detection” AND “fog computing”) for 2021–2025. The inclusion criteria were (i) 2021–2025 publications, (ii) journal or conference papers, (iii) English language, and (iv) open access availability; duplicates were removed programmatically using a DOI-first key with a title, year, and author alternative. The search identified 8560 records, of which 4905 were unique and included for qualitative grouping and bibliometric synthesis. Metadata (year, venue, authors, affiliations, keywords, and citations) were extracted and analyzed in Python to compute trends and collaboration. Intrusion detection systems in fog networks were categorized into traditional/signature-based, machine learning, deep learning, and hybrid/ensemble. Hybrid and DL approaches reported accuracy ranging from 95 to 99% on benchmark datasets (such as NSL-KDD, UNSW-NB15, CIC-IDS2017, KDD99, BoT-IoT). Notable bottlenecks included computational load relative to real-time latency on resource-constrained nodes, elevated false-positive rates for anomaly detection under concept drift, limited generalization to unseen attacks, privacy risks from centralizing data, and limited real-world validation.
Bibliometric analyses highlighted the field’s concentration in fast-turnaround, open-access journals such as IEEE Access and Sensors, as well as a small number of highly collaborative author clusters, alongside dominant terms such as “learning,” “federated,” “ensemble,” “lightweight,” and “explainability.” Emerging directions include federated and distributed training to preserve privacy, as well as online/continual learning adaptation. Future work should consist of real-world evaluation of fog networks, ultra-lightweight yet adaptive hybrid IDS, self-learning, and secure cooperative frameworks. These insights help researchers select appropriate IDS models for fog networks.

25 pages, 633 KB  
Article
Lightweight LSTM-Based Homogeneous Transfer Learning for Efficient On-Device IoT Intrusion Detection
by Amjad Gamlo, Sanaa Sharaf and Rania Molla
Future Internet 2026, 18(3), 133; https://doi.org/10.3390/fi18030133 - 4 Mar 2026
Viewed by 307
Abstract
The emergence of the Internet of Things (IoT) has introduced major security challenges. Deep learning models have shown strong potential for intrusion detection. However, they often require large datasets and high computational resources. In contrast, IoT environments are resource-constrained and lack sufficient labeled data. This paper proposes a lightweight intrusion detection approach based on Long Short-Term Memory (LSTM) networks and homogeneous transfer deep learning. The model is first trained on a subset of the BoT-IoT dataset as a source domain. It is then fine-tuned on a disjoint subset containing a rare attack type. This setup represents adaptation to unseen attack behaviors within the same environment. By freezing earlier layers and fine-tuning only the final layers, the method reduces training overhead while preserving performance. This is important to meet the IoT requirement for frequent, lightweight model updates on resource-constrained devices. The proposed model achieved 99.9% accuracy, a macro F1-score of 0.96, and a 47.8% reduction in training time compared to training from scratch. Extensive experiments confirm that it maintains balanced detection across both common and rare classes.

20 pages, 2485 KB  
Article
Gated Residual Chebyshev KAN for Lightweight IoT DDoS Detection
by Fray L. Becerra-Suarez, Edwin Valencia-Castillo, Ana G. Borrero-Ramírez and Manuel G. Forero
J. Cybersecur. Priv. 2026, 6(2), 47; https://doi.org/10.3390/jcp6020047 - 4 Mar 2026
Viewed by 325
Abstract
Distributed denial-of-service (DDoS) attacks have become a critical threat to Internet of Things (IoT) infrastructures due to their high traffic dynamics, strong class imbalance, and strict resource constraints at the edge. This paper proposes ChebyKANRes, a lightweight intrusion detection model that combines Chebyshev polynomial expansions to parameterize learnable univariate transformations, a gate mechanism to modulate feature flow, and residual connections to stabilize optimization in deeper KAN-style stacks. Experiments were conducted on the CICIoT2023 dataset focusing on benign traffic and 12 DDoS subtypes, using a reproducible pipeline with stratified splitting, cross-validation (k = 5), and early stopping. The proposed model consistently improves multi-class performance (Accuracy: 0.9983) over an optimized MLP baseline (Accuracy: 0.9641), while maintaining a compact size suitable for edge deployment (≈123 k parameters; ~0.47 MB). Within CICIoT2023 and the evaluated split/training protocol, the proposed ChebyKANRes configuration shows improved imbalance-robust multiclass detection while maintaining a compact model size and comparable batch inference time.
(This article belongs to the Section Security Engineering & Applications)