Search Results (2,061)

Search Parameters:
Keywords = network intrusion

24 pages, 8691 KB  
Article
Research on Non-Intrusive Combined Load Decomposition and Identification Method Based on Deep Learning
by Yao Wang, Xinge Shi, Zhizhou Bao, Ruodan Chen, Hanjia Tang, Zizhe Zhang and Dejie Sheng
Energies 2026, 19(13), 3045; https://doi.org/10.3390/en19133045 (registering DOI) - 27 Jun 2026
Abstract
To enable fine-grained electricity management on the user side under the dual-carbon strategy and address the inherent limitations of traditional non-intrusive load monitoring (NILM) methods in multi-load parallel operation scenarios, this paper proposes a novel synergistically optimized framework. The framework sequentially integrates three core modules to tackle the key challenges of load identification: SSA-VMD-based load quantity estimation, CNN-LSTM-Attention-based current separation, and GAF-ResNet18-based load recognition. First, the Sparrow Search Algorithm optimizes Variational Mode Decomposition parameters, combined with Pearson-PCA, to accurately estimate the number of operating loads in mixed-power signals without prior knowledge. Second, a hybrid CNN-LSTM-Attention model extracts deep spatial-temporal features from the aggregated current spectrogram, enabling high-fidelity separation and reconstruction of individual load current waveforms. Third, the separated current signals are transformed into Gramian Angular Field images and classified by a ResNet18 network for robust load identification. The framework’s efficacy is rigorously validated on both the public PLAID dataset and a self-constructed laboratory dataset, covering diverse dual-load and triple-load operating conditions. Results demonstrate that the method achieves R² coefficients exceeding 0.9 for current waveform reconstruction and maintains load recognition accuracy above 91% across all test cases, significantly improving identification performance under complex electricity consumption conditions. This high-performance load disaggregation provides critical data support for advanced grid applications, including demand response, load forecasting, and distribution network planning, thereby contributing to the intelligence and efficiency of future power systems.
48 pages, 18241 KB  
Article
Beyond Raw Backscatter: Multiscale Feature Extraction from Elastic Lidar Observations
by Francesco Cairo, Aldo Amodeo, Francesca Barnaba, Alessandro Bracci, Giampietro Casasanta, Giuseppe D’Amico, Benedetto De Rosa, Nicola Gianluca Di Fiore, Luca Di Liberto, Ilaria Gandolfi, Michail Mytilinaios, Nikolaos Papagiannopoulos and Marco Rosoldi
Remote Sens. 2026, 18(13), 2086; https://doi.org/10.3390/rs18132086 - 25 Jun 2026
Abstract
Elastic backscatter lidar and ceilometer systems provide continuous observations of aerosol and cloud vertical structure, but the interpretation of conventional attenuated backscatter products is often limited by the dominance of signal amplitude, strong event-to-event variability, and the reduced visibility of subtle internal features. In this study, we present a refinement framework designed to extract additional structural information from elastic lidar measurements through multiscale local diagnostics applied directly to the native backscatter field. The methodology combines standardized residual fields, local gradients, variance-based metrics, space–time decorrelation scales and structure functions to highlight atmospheric boundaries, internal layering, mixing zones, and coherent structures that are not always evident in conventional representations. The approach is evaluated through three contrasting atmospheric case studies observed in 2024. Two spring events are associated with mineral dust intrusions characterized by different vertical coupling with the planetary boundary layer, while a summer case represents a non-dust regime dominated by diurnal boundary-layer evolution. The refined diagnostics consistently reveal features hidden or only weakly visible in the raw backscatter field, including sharp interfaces, embedded stratification, wave-like perturbations and transitions between decoupled and mixed atmospheric states. Results show that the proposed metrics enable a more objective description of aerosol-layer dynamics and boundary–layer interactions without requiring complex inversion procedures or auxiliary measurements. Because the method relies only on standard elastic lidar observations, it is in principle applicable to ceilometer and lidar monitoring networks. However, the present evaluation is based on three contrasting case studies and should therefore be regarded as a proof-of-concept demonstration. 
The framework offers a candidate pathway for enhanced atmospheric feature detection and improved interpretation of routine profiling observations, with automated regime classification as a longer-term goal requiring validation on larger and more diverse datasets.
34 pages, 8104 KB  
Article
MSCA-Net: A Multi-Scale Depthwise Attention Network for Multi-Class Intrusion Detection in Internet of Medical Things
by Esra Söğüt, Mazhar Kayaoğlu and Onur Polat
Sensors 2026, 26(13), 4036; https://doi.org/10.3390/s26134036 - 25 Jun 2026
Abstract
The Internet of Medical Things (IoMT) enables real-time monitoring and decision support systems in healthcare. However, due to their heterogeneous structure, limited resources, and high criticality, IoMT networks are vulnerable to cyberattacks. This situation increases the need for low-latency, high-accuracy, and generalizable attack detection systems. In this experimental study, the Multi-Scale Depthwise Channel Attention Network (MSCA-Net) model is proposed for multi-class attack detection in IoMT environments. The model consists of three core components: multi-scale depthwise separable convolutions to capture traffic patterns across different time scales, a squeeze-and-excitation-based channel attention mechanism that adaptively weights discriminative features, and a lightweight unidirectional LSTM layer that models temporal dependencies. This architecture enables effective representation learning with low parameter costs. The proposed model was evaluated on the WUSTL-EHMS-2020 and CICIoMT2024 datasets. On the CICIoMT2024 dataset, it achieved 99.75% accuracy and a weighted F1 score of 99.77% in a 6-class scenario. It has also demonstrated competitive results in 19-class fine-grained classification. Experimental comparisons show that MSCA-Net offers a better performance-to-cost trade-off compared to nine different baseline models. Furthermore, it demonstrates a speed advantage of up to two times in inference time. The results obtained at the conclusion of the experimental study demonstrate that the proposed approach effectively addresses the challenges of multi-scale feature extraction, class imbalance, and computational efficiency. Furthermore, the model appears to offer a viable solution for real-time attack detection in IoMT environments. Full article
(This article belongs to the Special Issue Cybersecurity and Distributed Computing for IoT)
23 pages, 1532 KB  
Article
A Contactless Edge-AI Prototype for Simulated Apnea-like Respiratory Suppression and Motion Artifact Detection Using 60 GHz FMCW Radar
by Sathit Pairoch, Pattarapong Phasukkit and Nongluck Houngkamhang
Technologies 2026, 14(7), 388; https://doi.org/10.3390/technologies14070388 - 24 Jun 2026
Viewed by 57
Abstract
Sleep-related respiratory disturbances are difficult to monitor continuously outside specialized laboratories because conventional polysomnography is resource-intensive and intrusive. This study presents a contactless edge-AI engineering prototype for detecting controlled voluntary respiratory-motion suppression and motion artifacts using a 60 GHz frequency-modulated continuous-wave radar. The system integrates a 60 GHz radar front end, lightweight local preprocessing, an INT8 one-dimensional convolutional neural network deployed on the Analog Devices MAX78000 CNN accelerator (Analog Devices Thailand, Chon Buri, Thailand), and an event-driven Raspberry Pi Zero 2W gateway for alert transmission. Evaluation was performed using a controlled healthy-volunteer dataset consisting of normal breathing, voluntary breath-holding-induced respiratory suppression, and deliberate motion artifact. The final valid test set contained 270 technically valid 30 s windows balanced across the three classes. The INT8 model achieved an overall accuracy of 92.6% (95% confidence interval: 88.8–95.2%), with a macro-averaged precision, recall, and F1-score of 92.6%, 92.6%, and 92.5%, respectively. Active CNN inference on the MAX78000 consumed 0.152 ± 0.011 mJ and was completed in 5.20 ± 0.11 ms, corresponding to approximately 280-fold lower active inference energy than Python 3.14.6/TensorFlow Lite 2.21.0-based execution on the Raspberry Pi Zero 2W. These results demonstrate the feasibility of privacy-aware, low-power respiratory-pattern classification at the edge. However, the study should be interpreted strictly as an engineering proof-of-concept based on controlled voluntary breathing and movement tasks in healthy volunteers. It is not a clinically validated apnea or obstructive sleep apnea detection system and did not include polysomnography, oxygen saturation measurement, airflow sensing, sleep staging, or diagnosed patient cohorts. Full article
41 pages, 2880 KB  
Article
A Comparative Study of Large Language Models for Industrial Cyber-Physical Security
by J. de Curtò, I. de Zarzà, Juan Carlos Cano and Carlos T. Calafate
Electronics 2026, 15(13), 2779; https://doi.org/10.3390/electronics15132779 - 24 Jun 2026
Viewed by 68
Abstract
Intrusion detection in industrial cyber-physical systems is constrained by small labelled-attack corpora and by the subtler signal of physical-process attacks compared with classical IT-network intrusions, motivating renewed interest in foundation-model-based detectors; classical detectors are typically trained per dataset and degrade under the distribution shift that is common in operational technology, where attack repertoires evolve faster than retraining cycles. Two foundation-model families are now plausible candidates: open-source Large Language Models (LLMs) and recent tabular foundation models (TabPFN, TabICL) pre-trained for in-context tabular inference. We compare the two families head-to-head, alongside Random Forest and XGBoost classical anchors, across three established industrial security benchmarks (SWaT, HAI, WUSTL-IIoT-2021) under a controlled multi-seed full-holdout protocol with paired McNemar and cross-seed Mann–Whitney tests. The empirical picture is dataset-dependent rather than universal: tabular foundation models establish a strong, previously unreported baseline that is competitive with or superior to classical anchors on every dataset evaluated, while LLMs are complementary detectors with a specific advantage on schemas that carry process-engineering semantics (such as SWaT’s named sensor channels). A per-class analysis on the WUSTL five-class attack taxonomy shows that the two families have structurally different strengths: tabular methods dominate traffic-rich attacks (Denial-of-Service, Reconnaissance), whereas LLMs are competitive on rare attack types (Backdoor, Command Injection). A confidence-gated cascade that escalates only low-confidence tabular decisions to an LLM exceeds either detector alone at a small query budget, and a leave-one-attack-type-out analysis shows that foundation-model detectors generalise to unseen attack families substantially better than the classical anchors. 
The appropriate detector choice in industrial cyber-physical security is therefore informed by the dataset’s feature schema, the attack-type mix, and the operational cost envelope, rather than by a specific performance metric.
32 pages, 2519 KB  
Article
Feature Selection for Improving ANN and CNN Models for Attack Detection in Zeek Network Data
by Sikha S. Bagui, Mohamed Elbatouty, Dustin Mink and Subhash C. Bagui
Future Internet 2026, 18(7), 333; https://doi.org/10.3390/fi18070333 - 24 Jun 2026
Viewed by 115
Abstract
In the past few years, cyber-attacks have risen at an exponential rate across all sectors, and both private and public institutions have faced increasingly sophisticated threats. As this upward trend continues, the need for advanced and efficient threat detection systems is essential. This paper investigates the use of feature importance (FI) Coefficients to improve Artificial Neural Network (ANN) and Convolutional Neural Network (CNN) models, leveraging feature selection to enhance model interpretability and optimize performance. By systematically filtering out the weaker features, we examine the reduced features’ impact on model accuracy, precision, recall, and F1 score. Experiments were conducted on two new datasets, UWF-ZeekDataSum2025-1 and UWF-ZeekDataSum2025-2, using a baseline ANN/CNN architecture and multiple architectural variants. The results on UWF-ZeekDataSum2025-1 show a clear performance gain for certain feature importance thresholds, with models such as ANN-Minimal, ANN-Overfit-Wide, ANN-Shallow-Low-Optimization, CNN-Shallow, and CNN-Very-Shallow outperforming the baseline after reducing the feature space from seventeen features to fewer than four. For UWF-ZeekDataSum2025-2, improvements occur across a broader range of thresholds, with models including ANN-Deep-Sub-Conv, ANN-Shallow-Low-Opt, CNN-Shallow, CNN-Very-Shallow, and ANN-Minimal exceeding 95% performance around the 0.25–0.28 thresholds, with additional gains at 0.31–0.32 for some architectures. These findings demonstrate that by strategically leveraging feature importance coefficient thresholds, we can significantly enhance neural network intrusion detection systems, offering a reproducible pathway for adapting these methods on similar environments. Full article
(This article belongs to the Special Issue State-of-the-Art Future Internet Technology in USA 2026–2027)
21 pages, 597 KB  
Article
Mitigating Cross-Domain Performance Degradation in Time-Series NIDS via LoRA
by Ji-Hyun Choi, Seok-Won Hong, Hyeon-Jin Jung and Seok-Hwan Choi
Electronics 2026, 15(13), 2773; https://doi.org/10.3390/electronics15132773 - 24 Jun 2026
Viewed by 113
Abstract
Network intrusion detection systems (NIDS) play a crucial role in modern network environments where diverse and rapidly evolving traffic patterns are observed. Although deep learning-based NIDS have demonstrated strong performance within specific datasets, their effectiveness significantly degrades when applied to unseen network environments due to domain discrepancies. In this paper, we first experimentally demonstrate the performance degradation of time-series-based NIDS under cross-domain conditions using multiple benchmark datasets. Then, we propose a LoRA-based domain adaptation framework for time-series-based NIDS models. Instead of retraining the entire model, the proposed approach freezes the backbone network and applies low-rank updates to selected layers, enabling parameter-efficient adaptation to new domains. Experimental results show that the proposed method consistently improves cross-domain detection performance across multiple dataset combinations, particularly in terms of recall, while requiring only a small number of additional parameters. Full article
(This article belongs to the Special Issue Network Security Management in Heterogeneous Networks, Volume II)
57 pages, 11777 KB  
Systematic Review
A Lifecycle-Oriented Review of Security and Privacy Protection in the Internet of Vehicles
by Peiji Shi and Kaixin Wei
Electronics 2026, 15(13), 2762; https://doi.org/10.3390/electronics15132762 - 23 Jun 2026
Viewed by 205
Abstract
The Internet of Vehicles (IoV) is reshaping intelligent transportation through pervasive connectivity, real-time data exchange, cooperative perception, and vehicle–edge–cloud services, while also expanding cybersecurity and privacy risks across heterogeneous cyber–physical environments. This paper presents a PRISMA 2020-informed systematic review of IoV security and privacy protection research. A cross-layer and lifecycle-oriented analytical framework is developed by integrating a four-layer IoV architecture—sensing layer, network access layer, coordinative computing layer, and application layer—with a five-stage data lifecycle covering data collection, transmission, storage, usage, and disposal. Based on this framework, the paper examines representative threat surfaces, vehicle-to-everything (V2X) communication security, public key infrastructure (PKI) based authentication, trust management, privacy-preserving data sharing, intrusion detection, active defense, and AI-assisted security analytics. Privacy-preserving mechanisms, including differential privacy, federated learning, blockchain, homomorphic encryption, and secure multi-party computation, are further compared in terms of deployment layer, lifecycle stage, real-time suitability, and representative performance evidence. In addition, the review discusses the engineering relevance of UNECE WP.29 R155/R156, ISO/SAE 21434, and related national standards, with emphasis on compliance evidence, over-the-air (OTA) governance, supply-chain coordination, and lifecycle cybersecurity management. The review shows that no single protection mechanism can simultaneously satisfy the requirements of real-time performance, scalability, privacy preservation, trustworthiness, and regulatory compliance in dynamic IoV environments. 
Future research should emphasize lightweight and adaptive protection, cross-layer trust coordination, privacy–utility co-optimization, trustworthy AI-assisted security operations, and evidence-based lifecycle governance. This review provides a structured reference for researchers and a practical basis for secure and privacy-aware IoV system design.
18 pages, 15698 KB  
Article
High-Precision Identification of Surface Freshwater on Bedrock Islands Based on Optical and SAR Imagery
by Qian Cheng, Haoli Xu, Zijian Cheng, Zhao Lu, Yong Huang, Qizhan Chen, Fangyuan Wang and Daqing Wang
Environments 2026, 13(6), 358; https://doi.org/10.3390/environments13060358 - 22 Jun 2026
Viewed by 169
Abstract
Accurately mapping surface freshwater bodies (e.g., ponds, reservoirs, and small lakes) is vital for managing insular ecosystems and communities. However, satellite-based extraction in coastal settings is challenged by seawater intrusion, complex topography, and cloud cover. Focusing on bedrock islands outside China’s Pearl River Estuary, this study developed a robust method to address these issues. We used both Gaofen-1 (GF-1) optical and Gaofen-3 (GF-3) Synthetic Aperture Radar (SAR) imagery, supported by field-collected water quality samples from surface freshwater body shorelines for model training and validation. The performance of two index-based methods (the Normalized Difference Water Index, NDWI, and the Normalized Difference Vegetation Index, NDVI), two machine learning algorithms (Random Forest, RF, and Support Vector Machine, SVM), and a U-Net convolutional neural network (U-Net) deep learning model was compared. The U-Net model achieved the highest accuracy, with Area Under the Curve (AUC) values of 0.881 (GF-1) and 0.840 (GF-3). It effectively discriminated freshwater from seawater and mitigated cloud interference, demonstrating superior precision and robustness over traditional methods. This work establishes a high-precision framework for monitoring island freshwater resources, supporting sustainable water management. The proposed framework provides a practical tool for tracking freshwater availability under climate variability and anthropogenic pressures, contributing to the monitoring of Sustainable Development Goal (SDG) indicator 6.3.2 on ambient water quality. Full article
(This article belongs to the Special Issue Remote Sensing Innovations for Water Resources Assessment)
19 pages, 378 KB  
Article
Semi-Supervised Adversarial Learning Framework for Controller Area Network Bus Intrusion Detection
by Jonggwon Kim, Hyungchul Im, Semin Kim and Seongsoo Lee
Sensors 2026, 26(12), 3964; https://doi.org/10.3390/s26123964 - 22 Jun 2026
Viewed by 222
Abstract
Modern connected vehicles rely on the controller area network (CAN) to disseminate safety-critical in-vehicle information, including sensor-related and vehicle-state signals such as engine revolutions per minute (RPM) and gear state, among electronic control units (ECUs). Because CANs lack built-in authentication and encryption, malicious message injection and spoofing can compromise the integrity and availability of vehicular sensing and control functions. Existing deep-learning-based intrusion-detection systems (IDSs) show a clear trade-off: supervised methods perform well on known attacks but rely on costly labels, whereas unsupervised methods can identify unseen attacks but often suffer from high false-positive rates. To address these limitations, this paper proposes a semi-supervised generative adversarial network (SGAN) framework for CAN bus intrusion detection that combines image-based CAN representation with adversarial learning. Consecutive CAN messages are converted into 64×9 grayscale images, and the proposed framework is trained in three phases. First, the discriminator establishes an initial decision boundary using a small labeled subset. It then refines this boundary through distribution-level likelihood objectives and generated samples. Finally, the generator is trained to produce realistic samples capable of deceiving the discriminator. The proposed method was evaluated on the Hacking and Countermeasure Research Lab (HCRL) car-hacking dataset using leave-one-class-out experiments to simulate unknown attacks and achieved an average accuracy of 99.73% and an average F1-score of 99.63% on unknown attacks. Moreover, with only 0.21 M parameters and 3.25 M floating-point operations (FLOPs), the model is well suited for resource-constrained in-vehicle platforms. These results indicate that the proposed framework can serve as a practical cybersecurity component for protecting CAN-carried data in vehicular sensing applications. Full article
(This article belongs to the Special Issue Intelligent Vehicular Network and Communication Systems)
22 pages, 784 KB  
Article
Sequence-Level DDoS Detection Using Transformer Encoders on Aggregated Network Traffic
by Ivan Torlakov and Yuri Zhelyazkov
Computers 2026, 15(6), 399; https://doi.org/10.3390/computers15060399 - 22 Jun 2026
Viewed by 100
Abstract
DoS and DDoS attacks remain a major threat to service availability in modern IP and IoT networks, yet many learning-based detectors depend on dataset-specific flow exports, feature tables, or preprocessing conventions. This article presents a unified sequence-level detection pipeline designed to process heterogeneous public datasets through the same representation. Raw PCAP/PCAPNG traces from CIC-IDS-2017, CIC-DDoS-2019, and CICIoT2023 are converted into one-second aggregates per destination host using header-only features derived from IP, TCP, UDP, and ICMP metadata, source diversity, and packet timing. Dataset-specific annotations are used only to assign binary DoS/DDoS labels to this common representation. The resulting time-ordered aggregates are grouped into fixed-length temporal windows and classified by a compact transformer encoder, TemporalDosTransformer, which produces a window-level attack probability. The study focuses on whether a clean PCAP-based aggregation and labelling flow can support consistent DoS/DDoS detection across multiple datasets without payload inspection, flow-exporter dependence, or dataset-specific feature engineering. Full article
(This article belongs to the Section ICT Infrastructures for Cybersecurity)
20 pages, 1947 KB  
Article
Dynamic Distillation-Aided Federated Learning for Intrusion Detection in Heterogeneous Edge Networks
by Fan Wang and Weimin Chen
Electronics 2026, 15(12), 2728; https://doi.org/10.3390/electronics15122728 - 21 Jun 2026
Viewed by 118
Abstract
Intrusion detection serves as a core technology for securing heterogeneous edge networks, including IoT, industrial edges, and 5G networks. However, existing federated learning-based intrusion detection systems suffer from environmental heterogeneity, limited sample availability, and severe class imbalance—issues that result in inefficient resource allocation and compromised detection performance against rare attacks. In this paper, we propose a novel lightweight intrusion detection model for heterogeneous edge networks, named FedNIDS-CNN, which is based on dynamic distillation-aided federated learning with a CNN backbone. In the data preprocessing phase, a two-level class balancing strategy integrating nearest-neighbor interpolation augmentation and adaptive synthetic sampling is employed to ensure distortion-free sample synthesis. For feature and model optimization, principal component analysis (PCA) is used to reduce the dimensionality of traffic features, while a lightweight 1D-CNN is adopted as the base model to alleviate computational overhead on edge devices. During federated training and knowledge aggregation, a dynamic weight distillation loss mechanism is designed to enhance the model’s ability to recognize minority-class attacks. Meanwhile, the federated framework supports client-side local training and server-side weighted soft-label aggregation, enabling effective knowledge fusion across heterogeneous models. Experimental results on the CICIDS2017 dataset demonstrate that the proposed method achieves an accuracy of 98.55% and an F1-score of 98.40%. Benefiting from the soft-label transmission and parameter-free aggregation design, the framework gets rid of the constraint of homogeneous model architecture and natively supports heterogeneous network models and edge devices with different computing capabilities. 
It also significantly reduces communication traffic and per-round training latency, confirming its excellent real-time performance and applicability in resource-constrained edge environments.
(This article belongs to the Special Issue IoT Security in the Age of AI: Innovative Approaches and Technologies)
25 pages, 882 KB  
Article
Impact of Network Topology on Machine Learning-Based DDoS and Anomaly Detection in Software-Defined Networks
by Łukasz Bakuła and Andrzej Jasinski
Appl. Sci. 2026, 16(12), 6204; https://doi.org/10.3390/app16126204 - 19 Jun 2026
Viewed by 189
Abstract
The development of Software-Defined Networks (SDNs) introduces new challenges in network security, particularly in detecting Distributed Denial of Service (DDoS) attacks and network anomalies. Due to the centralized architecture of SDN, traditional detection methods are often insufficient in dynamic environments. Therefore, machine learning techniques are increasingly applied to improve detection effectiveness. This paper analyzes the impact of network topology on the performance of machine learning-based detection methods in SDN environments. A controlled experimental setup based on the RYU controller and OpenFlow 1.3 was implemented using Mininet. Two network topologies (linear and hierarchical) were evaluated under multiple attack scenarios, including TCP SYN flood and TCP/UDP port scanning. Two supervised learning models, Random Forest (RF) and K-Nearest Neighbors (KNN), were implemented and compared using standard evaluation metrics: accuracy, precision, recall, F1-score, and detection time. The results show that Random Forest significantly outperforms KNN, achieving up to 100% accuracy and detection times as low as 4.24 s, while KNN exhibits lower stability and reduced recall in anomaly detection scenarios. The study demonstrates that network topology has a measurable impact on both detection performance and latency. The observed effects varied across attack scenarios and machine learning models. Hierarchical topology generally improved detection sensitivity in DDoS scenarios, while linear topology often enabled lower detection latency during selected anomaly detection experiments. The results indicate that both machine learning model selection and network topology should be jointly considered when designing intrusion detection systems for SDN environments. These findings contribute to improving the effectiveness and responsiveness of security mechanisms in modern programmable networks.
(This article belongs to the Special Issue Advances in Computer Networks and Software-Defined Networks)

29 pages, 4175 KB  
Article
Cognitive Network Intrusion Detection Systems: Anomaly and Malware Detection for Zero-Day Attack Resilience
by Jimmy Agung Gunawan, Moses Laksono Singgih and Raden Venantius Hari Ginardi
Network 2026, 6(2), 41; https://doi.org/10.3390/network6020041 - 18 Jun 2026
Viewed by 212
Abstract
Traditional Network Intrusion Detection Systems (NIDSs) face persistent challenges in detecting zero-day attacks due to concept drift, high false-positive rates, and limited adaptability. This research introduces a Cognitive Network Intrusion Detection System (CNIDS) whose central novelty is that effective zero-day handling does not arise from any single mechanism but from the interaction between continual representation learning, persistent vector memory, and human-aligned feedback. By reframing zero-day resilience as a continuous learning process rather than a static detection task, CNIDS emphasizes adaptive operational behavior over raw automated accuracy. The proposed framework integrates Continual Pre-Training (CPT) to align representations with evolving traffic, Supervised Fine-Tuning (SFT) to preserve precision on known attacks, and a Human-in-the-Loop Reinforcement Signal (HRS) that converts low-confidence alerts into structured learning updates. These components are unified through a vector database that functions as long-term episodic memory, enabling similarity-based reasoning and cross-dataset generalization. Ablation results show that disabling any component degrades zero-day adaptation: removing CPT increases drift sensitivity, removing vector memory prevents knowledge retention, and removing human feedback collapses learning to static inference. Using a class-exclusion zero-day protocol on NSL-KDD, UNSW-NB15, and CICIDS2017, CNIDS raises zero-day detection from 0% to 18.2% while maintaining precision above 80% and stabilizing false positives.

28 pages, 11154 KB  
Article
Topology-Independent SHAP-Based Explainable Intrusion Detection for ROS Networks
by Burak Ağgül and Kaan Arık
Electronics 2026, 15(12), 2707; https://doi.org/10.3390/electronics15122707 - 18 Jun 2026
Viewed by 227
Abstract
The Robot Operating System (ROS) is widely used in modern robotics, but its open architecture makes it vulnerable to numerous cyber threats. Although machine learning (ML)-based intrusion detection systems (IDSs) demonstrate strong classification performance on ROS-specific datasets, reliance on topology-dependent identifiers such as source and destination IP addresses, port numbers, and Flow IDs remains a critical limitation in current research. This reliance may encourage algorithms to exploit scenario-specific endpoint signatures instead of relying primarily on transferable behavioral patterns. Consequently, classification scores may be artificially inflated due to data leakage. This study addresses this issue by quantitatively measuring the impact of data leakage and introducing a topology-independent, explainable ROS framework that provides a more realistic, leakage-aware, and topology-independent evaluation framework. The evaluation involved testing the LightGBM, XGBoost, and CatBoost algorithms on ROSIDS23. Additionally, Random Forest and Gradient Boosting were included to verify the presence of data leakage. In our ablation study, models that included topology features achieved near-perfect Macro-F1 values of 0.999 to 1.000. In contrast, removing topology-dependent features reduced the Macro-F1 score to about 0.66. This finding shows that topology descriptors, rather than just transferable attack behaviors, can significantly influence the near-perfect scores seen with topology-preserving protocols. Even without topology data, ML models effectively captured temporal behavioral patterns and detected DoS attacks with nearly perfect performance, reaching F1 scores of 0.99 or higher. However, semantic attacks like Unauthorized Subscribe remained tough to classify, with F1 scores of 0.43 or lower. 
Additionally, SHapley Additive exPlanations (SHAP) analysis improves the interpretability of IDSs by identifying the main behavioral features that drive model decisions and suggesting feature-level directions for rule-based defense configurations in ROS environments.
(This article belongs to the Special Issue AI in Network Security: Recent Advances and Prospects)