Search Results (143)

Search Parameters:
Keywords = security tactics

20 pages, 1014 KB  
Article
Blockchain as a Cybersecurity Enabler in Federated Networks for Resilience and Interoperability
by Jorge Álvaro González, Ana María Saiz García and Victor Monzon Baeza
J. Cybersecur. Priv. 2026, 6(2), 54; https://doi.org/10.3390/jcp6020054 - 13 Mar 2026
Viewed by 476
Abstract
In increasingly interconnected tactical environments, cybersecurity, trust, and interoperability must evolve in tandem. Federated Coalition Networks (FCNs) enable multinational cooperation while preserving national sovereignty; however, the secure management of identities, policies, and configurations across coalition domains remains a critical challenge, particularly under adversarial and resource-constrained conditions. This paper proposes a blockchain-enabled management framework aligned with the defense-in-depth paradigm, focusing on management-plane functions such as policy enforcement, public key infrastructure (PKI) management, and auditable governance, rather than time-critical tactical communications. The solution relies on a permissioned blockchain architecture with Byzantine Fault Tolerant consensus, avoiding energy-intensive Proof-of-Work mechanisms and supporting operation under Disconnected, Intermittent, and Low-bandwidth (DIL) conditions. A coalition-level trust-and-governance model is introduced to prevent unilateral control while preserving national autonomy. A realistic use case and a proof-of-concept implementation demonstrate the feasibility of the approach, showing bounded latency, limited energy overhead, and sufficient throughput for FCN management. These results indicate that appropriately tailored blockchain solutions can effectively enhance resilience, trust, and compliance in federated defense networks. Full article
(This article belongs to the Special Issue Building Community of Good Practice in Cybersecurity)

24 pages, 1146 KB  
Article
Synchronizing Concurrent Security Modernization Programs: A Systems Integration Framework for Post-Quantum Cryptography, Zero Trust Architecture, and AI Security
by Robert Campbell
Systems 2026, 14(3), 233; https://doi.org/10.3390/systems14030233 - 25 Feb 2026
Viewed by 403
Abstract
Large organizations face a critical systems integration challenge when executing multiple concurrent security modernization programs. This paper examines the U.S. Department of Defense’s simultaneous implementation of three transformational initiatives—post-quantum cryptography (PQC) migration, Zero Trust Architecture (ZTA) deployment, and AI security assurance—each operating under separate governance structures, timelines, and compliance frameworks. Through systematic evidence synthesis of 59 sources (47 policy/standards documents and 12 performance benchmarks), we identify cross-program dependencies that create integration failures when programs operate in isolation. We propose a shared modernization substrate—a four-layer infrastructure architecture (Cryptographic Services, Identity Management, Analytics Pipeline, Policy Orchestration) that enables coordinated execution while preserving program independence. The framework addresses the fundamental systems challenge of achieving interoperability across programs with misaligned schedules and competing resource demands. We introduce a five-level Triad Convergence Maturity Model (TCMM) with operationalized indicators enabling repeatable organizational assessment. Illustrative application to three DoD modernization contexts demonstrates the framework’s ability to differentiate maturity levels. Performance analysis synthesizes published benchmark data: enterprise PQC latency overhead is modest (measured), while tactical environment estimates of 158–383% overhead are derived from benchmark extrapolation under packet-loss assumptions (modeled). Scenario modeling suggests that coordinated incident response through the substrate architecture could substantially reduce risk exposure windows compared to siloed approaches (modeled). 
The framework transforms fragmented program execution into synchronized systems modernization, offering practical guidance for chief information officers, program managers, and enterprise architects managing concurrent technology transitions.

25 pages, 835 KB  
Article
Methodological Solution for Sustainable Common Security Risk Management at the External Border
by Sandra Karklina-Admine, Aldis Cevers, Normunds Rudzitis, Arturs Gaveika, Ligita Gasparėnienė and Armands Auzins
Sustainability 2026, 18(4), 1713; https://doi.org/10.3390/su18041713 - 7 Feb 2026
Viewed by 348
Abstract
Several state institutions are involved in border security management, including border guards, customs services, veterinary and phytosanitary supervision, and other institutions whose areas of responsibility overlap at border control points. In this study, we found that most EU member states still use sectoral systems, with varying degrees of cooperation. The authors emphasise the importance of providing a unified (comprehensive, integrated, and sustainable) approach to border security risk management. The study focuses on the security risk management of the external border. The authors explore a feasible methodological solution and provide recommendations for improving border security and common risk management at the tactical (one-year) level, based on an analysis of scientific literature and practical work experience, as well as surveys and empirical considerations. Quantitative and qualitative research methods are employed in the study. The study’s main findings demonstrate how methodological solutions can support sustainable risk management and provide essential risk assessment techniques. The authors propose a 5-level matrix to assess the impact of external border security risks. National and international agencies can apply the study’s outcome to facilitate mutual collaboration and enhance sustainable, common security risk management practices. Full article
(This article belongs to the Special Issue Risk and Reliability Assessment Related to Sustainable Development)

37 pages, 501 KB  
Article
Comparative Analysis of Attribute-Based Encryption Schemes for Special Internet of Things Applications
by Łukasz Pióro, Krzysztof Kanciak and Zbigniew Zieliński
Electronics 2026, 15(3), 697; https://doi.org/10.3390/electronics15030697 - 5 Feb 2026
Viewed by 522
Abstract
Attribute-based encryption (ABE) is an advanced public key encryption mechanism that enables the precise control of access to encrypted data based on attributes assigned to users and data. Attribute-based access control (ABAC), which is built on ABE, is crucial in providing dynamic, fine-grained, and context-aware security management in modern Internet of Things (IoT) applications. ABAC controls access based on attributes associated with users, devices, resources, and environmental conditions rather than fixed roles, making it highly adaptable to the complex and heterogeneous nature of IoT ecosystems. ABE can significantly improve the security and manageability of modern military IoT systems. Nevertheless, its practical implementation requires obtaining a range of performance data and assessing the additional overhead, particularly regarding data transmission efficiency. This paper provides a comparative analysis of the performance of two cryptographic schemes for attribute-based encryption in the context of special Internet of Things (IoT) applications. This applies to special environments, both military and civilian, where infrastructure is unreliable and dynamic and decisions must be made locally and in near-real time. From a security perspective, there is a need for strong authentication, precise access control, and a zero-trust approach at the network edge as well. The CIRCL scheme, based on traditional pairing-based ABE (CP-ABE), is compared with the newer Covercrypt scheme, a hybrid key encapsulation mechanism with access control (KEMAC) that provides quantum resistance. The main goal is to determine which scheme scales better and meets the performance requirements for two different scenarios: large corporate networks (where scalability is key) and tactical edge networks (where minimal bandwidth and post-quantum security are paramount). 
The benchmark results are used to compare the operating costs in detail, such as the key generation time, message encryption and decryption times, public key size, and cipher overhead, showing that Covercrypt provides a reduction in ciphertext overhead in tactical scenarios, while CIRCL offers faster decryption throughput in large-scale enterprise environments. It is concluded that the optimal choice depends on the specific constraints of the operating environment.
(This article belongs to the Special Issue Computer Networking Security and Privacy)

53 pages, 3104 KB  
Article
Auditing Inferential Blind Spots: A Framework for Evaluating Forensic Coverage in Network Telemetry Architectures
by Mehrnoush Vaseghipanah, Sam Jabbehdari and Hamidreza Navidi
Network 2026, 6(1), 9; https://doi.org/10.3390/network6010009 - 29 Jan 2026
Viewed by 647
Abstract
Network operators increasingly rely on abstracted telemetry (e.g., flow records and time-aggregated statistics) to achieve scalable monitoring of high-speed networks, but this abstraction fundamentally constrains the forensic and security inferences that can be supported from network data. We present a design-time audit framework that evaluates which threat hypotheses become non-supportable as network evidence is transformed from packet-level traces to flow records and time-aggregated statistics. Our methodology examines three evidence layers (L0: packet headers, L1: IP Flow Information Export (IPFIX) flow records, L2: time-aggregated flows), computes a catalog of 13 network-forensic artifacts (e.g., destination fan-out, inter-arrival time burstiness, SYN-dominant connection patterns) at each layer, and maps artifact availability to tactic support using literature-grounded associations with MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). Applied to backbone traffic from the MAWI Day-In-The-Life (DITL) archive, the audit reveals selective inference loss: Execution becomes non-supportable at L1 (due to loss of packet-level timing artifacts), while Lateral Movement and Persistence become non-supportable at L2 (due to loss of entity-linked structural artifacts). Inference coverage decreases from 9 to 7 out of 9 evaluated ATT&CK tactics, while coverage of defensive countermeasures (MITRE D3FEND) increases at L1 (7 → 8 technique categories) then decreases at L2 (8 → 7), reflecting a shift from behavioral monitoring to flow-based controls. The framework provides network architects with a practical tool for configuring telemetry systems (e.g., IPFIX exporters, P4 pipelines) to reason about and provision the minimum forensic coverage.
(This article belongs to the Special Issue Advanced Technologies in Network and Service Management, 2nd Edition)

28 pages, 22992 KB  
Article
Domain Knowledge-Infused Synthetic Data Generation for LLM-Based ICS Intrusion Detection: Mitigating Data Scarcity and Imbalance
by Seokhyun Ann, Hongeun Kim, Suhyeon Park, Seong-je Cho, Joonmo Kim and Harksu Cho
Electronics 2026, 15(2), 371; https://doi.org/10.3390/electronics15020371 - 14 Jan 2026
Viewed by 758
Abstract
Industrial control systems (ICSs) are increasingly interconnected with enterprise IT networks and remote services, which expands the attack surface of operational technology (OT) environments. However, collecting sufficient attack traffic from real OT/ICS networks is difficult, and the resulting scarcity and class imbalance of malicious data hinder the development of intrusion detection systems (IDSs). At the same time, large language models (LLMs) have shown promise for security analytics when system events are expressed in natural language. This study investigates an LLM-based network IDS for a smart-factory OT/ICS environment and proposes a synthetic data generation method that injects domain knowledge into attack samples. Using the ICSSIM simulator, we construct a bottle-filling smart factory, implement six MITRE ATT&CK for ICS-based attack scenarios, capture Modbus/TCP traffic, and convert each request–response pair into a natural-language description of network behavior. We then generate synthetic attack descriptions with GPT by combining (1) statistical properties of normal traffic, (2) MITRE ATT&CK for ICS tactics and techniques, and (3) expert knowledge obtained from executing the attacks in ICSSIM. The Llama 3.1 8B Instruct model is fine-tuned with QLoRA on a seven-class classification task (Benign vs. six attack types) and evaluated on a test set composed exclusively of real ICSSIM traffic. Experimental results show that synthetic data generated only from statistical information, or from statistics plus MITRE descriptions, yield limited performance, whereas incorporating environment-specific expert knowledge is associated with substantially higher performance on our ICSSIM-based expanded test set (100% accuracy in binary detection and 96.49% accuracy with a macro F1-score of 0.958 in attack-type classification). 
Overall, these findings suggest that domain-knowledge-infused synthetic data and natural-language traffic representations can support LLM-based IDSs in OT/ICS smart-factory settings; however, further validation on larger and more diverse datasets is needed to confirm generality.
(This article belongs to the Special Issue AI-Enhanced Security: Advancing Threat Detection and Defense)

17 pages, 307 KB  
Proceeding Paper
Quantifying Risk Factors of Violence in Maritime Piracy Incidents Using Categorical Association Measures
by Sonia Rozbiewska
Environ. Earth Sci. Proc. 2026, 41(1), 1; https://doi.org/10.3390/eesp2026041001 - 8 Jan 2026
Viewed by 911
Abstract
Maritime piracy remains a persistent security challenge across several global regions, with violent incidents posing the greatest threat to crew safety and vessel operations. This study investigates the relationship between violent escalation in piracy incidents and a set of contextual and operational variables using classical categorical data statistics. A dataset comprising reported maritime piracy and armed robbery events from 2015–2024 was compiled from IMB, OBP, and IMO sources and analysed through chi-square tests of independence, followed by Cramér’s V to quantify the strength of association. The results demonstrate that violence is not randomly distributed across incident characteristics. Geographic region exhibits the strongest measurable association with violent outcomes, reflecting the influence of regional security dynamics and the presence of organized criminal networks. Attack type and weapon type show additional, though weaker, associations, indicating that close-range engagement and the presence of firearms increase the likelihood of escalation. Vessel type, flag state, and seasonal timing display only marginal effects. Overall, the findings highlight that the probability of violence during piracy events is primarily shaped by spatial context and tactical execution. The study confirms that chi-square and Cramér’s V offer a transparent, interpretable framework for identifying key risk factors and can serve as a foundation for operational threat assessments and maritime security planning. Full article
55 pages, 3014 KB  
Article
Manna SafeioD: A Framework and Roadmap for Secure Design in the Internet of Drones
by Luiz H. C. M. Marques and Linnyer B. Ruiz
Appl. Sci. 2026, 16(1), 505; https://doi.org/10.3390/app16010505 - 4 Jan 2026
Viewed by 574
Abstract
With the increasing adoption of advanced drone technologies across diverse fields, the Internet of Drones (IoD) has emerged as a novel mobility paradigm, particularly enhancing Intelligent Transportation Systems (ITS) in urban environments. Despite its significant potential, the IoD faces substantial challenges due to inherent resource constraints such as limited computational power and energy capacity, which hinder the implementation of robust cybersecurity solutions. These limitations expose IoD networks to various security vulnerabilities and privacy threats, necessitating an exhaustive analysis and understanding of these risks. In this paper we introduce SafeIoD, a comprehensive security framework designed to establish standardized procedures for proactive risk identification in Internet of Drones (IoD) devices. It involves sequential steps to determine the trustworthiness of devices subjected to this certification. Therefore, SafeIoD seeks to ensure a basic security level before implementation in a real scenario, where the network devices are evaluated with regard to the specific security requirements. Validation through experimental testing with 15 participants across four IoD deployment scenarios and one military certification case demonstrated the framework’s effectiveness: the tool achieved a 73% user satisfaction rating, successfully identified an average of 3.0 security requirements per device, and provided specific lightweight cryptographic algorithm recommendations for 62.2% of elicited requirements. In a tactical military scenario simulation, the framework accurately predicted risk propagation patterns, with COOJA network simulations confirming that implementation of framework-recommended protocols reduced successful attack propagation from 60% to below 5% of the network.

24 pages, 2372 KB  
Article
The Provision of Physical Protection of Information During the Transmission of Commands to a Group of UAVs Using Fiber Optic Communication Within the Group
by Dina Shaltykova, Aruzhan Kadyrzhan, Yelizaveta Vitulyova and Ibragim Suleimenov
Drones 2026, 10(1), 24; https://doi.org/10.3390/drones10010024 - 1 Jan 2026
Viewed by 709
Abstract
This paper presents a novel method for the precise localization of remote radio-signal sources using a formation of unmanned aerial vehicles (UAVs). The approach is based on time-difference-of-arrival (TDoA) measurements and the geometric analysis of hyperbolas formed by pairs of UAVs. By studying the asymptotic intersections of these hyperbolas, the method ensures unique determination of the source position, even in the presence of multiple intersection points. Theoretical analysis confirms that the correct intersection point is located at a significantly larger distance from the UAV formation center compared to spurious intersections, providing a rigorous criterion for resolving localization ambiguity. The proposed framework also addresses secure inter-UAV communication via optical-fiber links and supports expansion of UAV groups with directional antennas and low-power signal relays. Additionally, the study discusses practical UAV configurations, including hybrid propulsion and jet-assisted kamikaze platforms, demonstrating the applicability of the method in contested environments. The results indicate that this approach provides a robust mathematical basis for unambiguous emitter localization and enables scalable, secure, and resilient multi-UAV systems, with potential applications in electronic-warfare scenarios, surveillance, and tactical operations. Full article
(This article belongs to the Section Drone Communications)

37 pages, 3305 KB  
Systematic Review
AI-Assisted OSINT/SOCMINT for Safeguarding Borders: A Systematic Review
by Alexandros Karakikes and Konstantinos Kotis
Information 2025, 16(12), 1095; https://doi.org/10.3390/info16121095 - 10 Dec 2025
Viewed by 3184
Abstract
In the highly volatile realm of global security, the necessity for leading-edge and effectual border resilience tactics has never been more imperative. This PRISMA 2020 guided systematic literature review (SLR) examines the intersection of artificial intelligence (AI), open-source intelligence (OSINT), and social media intelligence (SOCMINT) for enhancing border protection. Our systematic investigation across major databases (IEEE Xplore, Scopus, SpringerLink, MDPI, ACM) and grey literature sources yielded 3932 initial records and, after screening and eligibility assessment, 73 studies and reports from acknowledged organizations, contributing to the evidence synthesis. Three research questions (RQ1–RQ3) were addressed concerning the following: (a) the effectiveness and application of AI in OSINT/SOCMINT for border protection, its (b) data, technical, and operational limitations, and its (c) ethical, legal, and societal implications (GELSI). Evidence matrices summarize the findings, while narrative syntheses underline and thematically group the extracted insights. Results indicate that AI techniques—fluctuating from machine learning (ML) and natural language processing (NLP) to computer vision and emerging large language models (LLMs)—produce quantifiable improvements in forecasting irregular migration, detecting human trafficking, and supporting multimodal intelligence fusion. However, limitations include misinformation, data bias, adversarial vulnerabilities, governance deficits, and sandbox-to-production gaps. Ethical and societal concerns highlight risks of surveillance overreach, discrimination, and insufficient oversight, among others. To our knowledge, this is the first SLR at this intersection. We conclude that AI-assisted OSINT/SOCMINT presents transformative potential for border protection, requiring, nonetheless, balanced governance, robust validation, and future research on LLM/agentic AI, human–AI teaming, and oversight mechanisms.
(This article belongs to the Special Issue Complex Network Analysis in Security)

20 pages, 2501 KB  
Article
Field-Deployable Kubernetes Cluster for Enhanced Computing Capabilities in Remote Environments
by Teodor-Mihail Giurgică, Annamaria Sârbu, Bernd Klauer and Liviu Găină
Appl. Sci. 2025, 15(24), 12991; https://doi.org/10.3390/app152412991 - 10 Dec 2025
Viewed by 970
Abstract
This paper presents a portable cluster architecture based on a lightweight Kubernetes distribution designed to provide enhanced computing capabilities in isolated environments. The architecture is validated in two operational scenarios: (1) machine learning operations (MLOps) for on-site learning, fine-tuning and retraining of models and (2) web hosting for isolated or resource-constrained networks, providing resilient service delivery through failover and load balancing. The cluster leverages low-cost Raspberry Pi 4B units and virtualized nodes, integrated with Docker containerization, Kubernetes orchestration, and Kubeflow-based workflow optimization. System monitoring with Prometheus and Grafana offers continuous visibility into node health, workload distribution, and resource usage, supporting early detection of operational issues within the cluster. The results show that the proposed dual-mode cluster can function as a compact, field-deployable micro-datacenter, enabling both real-time Artificial Intelligence (AI) operations and resilient web service delivery in field environments where autonomy and reliability are critical. In addition to performance and availability measurements, power consumption, scalability bottlenecks, and basic security aspects were analyzed to assess the feasibility of such a platform under constrained conditions. Limitations are discussed, and future work includes scaling the cluster, evaluating GPU/TPU-enabled nodes, and conducting field tests in realistic tactical environments. Full article

17 pages, 1615 KB  
Article
APT Attribution Using Heterogeneous Graph Neural Networks with Contextual Threat Intelligence
by Abdirahman Jibril Mead and Abdullahi Arabo
Electronics 2025, 14(23), 4597; https://doi.org/10.3390/electronics14234597 - 24 Nov 2025
Viewed by 1366
Abstract
This research proposes a heterogeneous graph neural network (GNN) framework to attribute advanced persistent threat (APT) activity using enriched cyber threat intelligence (CTI). We construct a tripartite graph linking APT groups, contextualised Tactics, Techniques, and Procedures (TTPs), and their Cyber Kill Chain (CKC) stages. TTP nodes are embedded with Sentence-BERT (SBERT) vectors for semantic similarity, while CKC stages provide procedural context. This design captures both behavioural semantics and attack-stage relationships, enabling robust and interpretable attribution. Empirical evaluation on the APTNotes corpus achieves a Macro-F1 score of 0.84 and 85% accuracy, addressing limitations in baselines such as DeepOP (technique prediction without CKC integration) and APT-MMF (no procedural or temporal TTP modelling). The framework is suitable for Security Operations Centres (SOCs), enabling faster and more accurate decision-making during incident response. Overall, the study advances automated and explainable APT attribution for practical SOC deployment. Full article
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

17 pages, 842 KB  
Article
From Data to Decisions: Using Explainable Machine Learning to Predict EuroLeague Basketball Outcomes
by Panagiotis F. Foteinakis, Christos Kokkotis, Georgios Karamousalidis, Alexandra Avloniti, Stefania Pavlidou, Nikolaos Zaras, Theodoros Stampoulis, Dimitrios Pantazis, Panagiotis Aggelakis, Dimitrios Balampanos, Junshi Liu, Konstantinos Laparidis and Athanasios Chatzinikolaou
Appl. Sci. 2025, 15(23), 12401; https://doi.org/10.3390/app152312401 - 21 Nov 2025
Viewed by 2355
Abstract
Predicting basketball game outcomes in elite competitions is a complex task influenced by multiple interacting performance factors. This study applied a supervised machine learning (ML) framework to predict EuroLeague game outcomes using team-level game-related statistics. Four algorithms—Logistic Regression (LR), Support Vector Machine (SVM), Random Forest (RF), and Naïve Bayes (NB)—were trained and compared following recursive feature elimination (RFE) to identify the most informative predictors. The dataset comprised comprehensive in-game statistics describing shooting efficiency, rebounding, ball security, and spatial shot distribution. Model performance was evaluated using accuracy, area under the receiver operating characteristic curve (AUC), precision, recall, and F1-score, ensuring both discrimination and calibration assessment. Among the four classifiers, SVM (AUC = 0.922, Accuracy = 0.841) and LR (AUC = 0.933, Accuracy = 0.818) achieved the highest predictive performance, outperforming RF and NB. Feature importance analysis using Shapley Additive Explanations (SHAP) on the best-performing SVM classifier revealed that true shooting percentage (TS%), defensive rebounds (DR), steals (ST), and turnovers (TO) were the most influential predictors of game outcomes. Teams that demonstrated higher shooting efficiency, greater rebounding control, and fewer turnovers showed a significantly higher probability of winning. These results confirm that well-validated and interpretable ML models can accurately predict game outcomes in professional basketball using readily available box-score statistics. The integration of RFE-based feature selection and SHAP interpretability provides transparent, evidence-based insights that can inform tactical decisions, enhance scouting accuracy, and support coaches in developing data-driven performance strategies within elite basketball environments. Full article

31 pages, 3690 KB  
Article
A Study on Improving the Automatic Classification Performance of Cybersecurity MITRE ATT&CK Tactics Using NLP-Based ModernBERT and BERTopic Models
by Jaehwan Baek, Jeonghoon O, Seungwoo Jeong and Wooju Kim
Electronics 2025, 14(22), 4434; https://doi.org/10.3390/electronics14224434 - 13 Nov 2025
Cited by 1 | Viewed by 1384
Abstract
Cyber Threat Intelligence (CTI) reports are essential resources for identifying the Tactics, Techniques, and Procedures (TTPs) of hackers and cyber threat actors. However, these reports are often lengthy and unstructured, which limits their suitability for automatic mapping to the MITRE ATT&CK framework. This study designs and compares five hybrid classification models that combine statistical features (TF-IDF), transformer-based contextual embeddings (BERT and ModernBERT), and topic-level representations (BERTopic) to automatically classify CTI reports into 12 ATT&CK tactic categories. Experiments using the rcATT dataset, consisting of 1490 public threat reports, show that the model integrating TF-IDF and ModernBERT achieved a micro-precision of 72.25%, reflecting a 10.07-percentage-point improvement in detection precision compared with the baseline. The model combining TF-IDF and BERTopic achieved a micro F0.5 of 67.14% and a macro F0.5 of 63.20%, demonstrating balanced performance across both frequent and rare tactic classes. These findings indicate that integrating statistical, contextual, and semantic representations can improve the balance between precision and recall while enabling clearer interpretation of model outputs in multi-label CTI classification. Furthermore, the proposed model shows potential applicability for improving detection efficiency and reducing analyst workload in Security Operations Center (SOC) environments.

38 pages, 9358 KB  
Article
Generation of a Multi-Class IoT Malware Dataset for Cybersecurity
by Mazdak Maghanaki, Soraya Keramati, F. Frank Chen and Mohammad Shahin
Electronics 2025, 14(21), 4196; https://doi.org/10.3390/electronics14214196 - 27 Oct 2025
Cited by 4 | Viewed by 2278
Abstract
This study introduces a modular, behaviorally curated malware dataset suite consisting of eight independent sets, each specifically designed to represent a single malware class: Trojan, Mirai (botnet), ransomware, rootkit, worm, spyware, keylogger, and virus. In contrast to earlier approaches that aggregate all malware into large, monolithic collections, this work emphasizes the selection of features unique to each malware type. Feature selection was guided by established domain knowledge and detailed behavioral telemetry obtained through sandbox execution and a subsequent report analysis on the AnyRun platform. The datasets were compiled from two primary sources: (i) the AnyRun platform, which hosts more than two million samples and provides controlled, instrumented sandbox execution for malware, and (ii) publicly available GitHub repositories. To ensure data integrity and prevent cross-contamination of behavioral logs, each sample was executed in complete isolation, allowing for the precise capture of both static attributes and dynamic runtime behavior. Feature construction was informed by operational signatures characteristic of each malware category, ensuring that the datasets accurately represent the tactics, techniques, and procedures distinguishing one class from another. This targeted design enabled the identification of subtle but significant behavioral markers that are frequently overlooked in aggregated datasets. Each dataset was balanced to include benign, suspicious, and malicious samples, thereby supporting the training and evaluation of machine learning models while minimizing bias from disproportionate class representation. Across the full suite, 10,000 samples and 171 carefully curated features were included.
This constitutes one of the first dataset collections intentionally developed to capture the behavioral diversity of multiple malware categories within the context of Internet of Things (IoT) security, representing a deliberate effort to bridge the gap between generalized malware corpora and class-specific behavioral modeling.