Search Results (105)

Search Parameters:
Keywords = zero-trust networks

20 pages, 5108 KB  
Article
Privacy-Preserving Emergency Vehicle Authentication Scheme Using Zero-Knowledge Proofs and Blockchain
by Hanshi Li, Drishti Oza, Masami Yoshida and Taku Noguchi
IoT 2026, 7(2), 35; https://doi.org/10.3390/iot7020035 - 21 Apr 2026
Viewed by 274
Abstract
Emergency vehicle authentication in vehicular ad hoc networks must satisfy strict latency, privacy, and trust constraints. Existing Public Key Infrastructure- and Conditional Privacy-Preserving Authentication-based schemes incur substantial overhead from certificate management and expensive per-hop verification, making them unsuitable for real-time emergency scenarios. We propose a lightweight zero-knowledge- and blockchain-assisted authentication scheme that eliminates certificates, pseudonym pools, and the requirement for online interaction with a trusted authority during the authentication phase. The Certificate Authority (CA) is involved only during offline initialization stages (vehicle enrollment and Merkle tree construction); once provisioning is complete, the runtime authentication process operates without any online CA interaction. Each emergency vehicle registers one-time hash commitments on-chain after proving membership in a category-specific Merkle tree, and authenticates messages by broadcasting a hash along with a zero-knowledge proof of preimage knowledge. Roadside units verify the proof and consult the on-chain state to enforce single-use semantics, creating a tamper-resistant audit trail. Evaluation using the Veins framework (OMNeT++/SUMO) demonstrated a constant 288-byte authenticated payload, millisecond-level end-to-end delay independent of hop count, and stable blockchain processing under sustained load. Full article
(This article belongs to the Special Issue Internet of Vehicles (IoV))

21 pages, 2617 KB  
Article
A Zero Trust Driven Federative Learning Algorithm for Privacy Enhancement
by Beverly Pule, Bakhe Nleya and Khulekani Sibiya
Appl. Sci. 2026, 16(8), 3872; https://doi.org/10.3390/app16083872 - 16 Apr 2026
Viewed by 266
Abstract
The proliferation of Enterprise Networks, characterized by heterogeneous devices, distributed data sources, and increasingly sophisticated cyber threats, has exposed the limitations of traditional perimeter-based security models. Guided by the principles of Zero Trust Architecture (ZTA), this paper presents a Zero-Trust (ZT)-Driven Federated Learning Algorithm for Privacy Enhancement (ZT-FL-PE), designed to safeguard model and data confidentiality in decentralized learning environments. By integrating ZTA’s “never trust, always verify” posture with Federated Learning’s (FL) decentralized training paradigm, the proposed framework eliminates the need for centralized data aggregation and significantly reduces the attack surface. The algorithm specifically targets two prominent threats to model privacy: property inference attacks (PIAs) and membership inference attacks (MIAs). We introduce adaptive verification mechanisms and privacy-preserving update transformations that enforce continuous authentication, constrain adversarial behavior, and strengthen resilience against inference-based exploitation. Experimental results demonstrate that ZT-FL-PE substantially enhances privacy protection while maintaining high model accuracy and imposing only low-to-moderate computational overhead, making it a practical and robust solution for modern ZT Enterprise environments. Full article

32 pages, 1006 KB  
Systematic Review
LEACH Protocol Evolution in WSN: A Review of Energy Consumption Optimization and Security Reinforcement
by Aijia Chu, Tianning Zhang and Chengyi Wang
Sensors 2026, 26(7), 2272; https://doi.org/10.3390/s26072272 - 7 Apr 2026
Viewed by 731
Abstract
As a foundational protocol in wireless sensor networks (WSNs), LEACH has long contended with the dual challenges of energy load balancing and security defense. To clarify the protocol’s evolutionary trajectory within the modern IoT context, this paper presents a systematic review and restructuring of LEACH’s optimization mechanisms. The core contributions of this study are threefold: First, it establishes a taxonomy for energy optimization in LEACH. It provides an in-depth analysis of how intelligent algorithms—such as fuzzy logic and meta-heuristics—reshape cluster head election and data transmission paths in heterogeneous network environments, thereby resolving the inherent blindness of traditional mechanisms. Second, it elucidates the evolutionary patterns of LEACH security mechanisms. The paper details the transition of defense strategies from early static encryption and authentication to dynamic countermeasure mechanisms, offering a clear framework for understanding the protocol’s defensive boundaries. Finally, addressing the bottleneck where high security levels often incur high energy costs, the paper explores the feasibility of incorporating zero-trust architecture (ZTA) into WSNs within the future outlook section. This discussion aims to provide a new theoretical perspective for future research on balancing enhanced defense capabilities with energy efficiency. Full article
(This article belongs to the Section Internet of Things)

43 pages, 1881 KB  
Article
Cognitive ZTNA: A Neuro-Symbolic AI Approach for Adaptive and Explainable Zero Trust Access Control
by Ahmed Alzahrani
Mathematics 2026, 14(7), 1211; https://doi.org/10.3390/math14071211 - 3 Apr 2026
Viewed by 438
Abstract
Zero Trust Network Access (ZTNA) has emerged as a fundamental paradigm for securing cloud-native and distributed computing environments. However, existing ZTNA implementations remain largely limited by static policy enforcement and opaque machine-learning-based anomaly detection mechanisms, which often lack contextual adaptability, policy awareness, and interpretable decision-making capabilities. These limitations create significant challenges in dynamic multi-cloud environments where access behavior continuously evolves and security decisions must be both accurate and explainable. To address these challenges, this study proposes Cognitive ZTNA framework, a unified neuro-symbolic trust enforcement framework that integrates transformer-based behavioral trust modeling with ontology-guided symbolic reasoning. The proposed architecture enables continuous trust evaluation by combining behavioral access patterns with explicit policy semantics through a hybrid trust fusion mechanism. This design allows the system to capture long-range behavioral dependencies while maintaining policy-compliant and interpretable access control decisions. The framework is evaluated using the CloudZT-Bench-2025 dataset, comprising 4.2 million cross-platform access events derived from enterprise security telemetry, AWS CloudTrail logs, and simulated adversarial scenarios. Experimental results demonstrate that Cognitive ZTNA achieves Precision = 0.96, Recall = 0.93, and F1-score = 0.95, significantly outperforming rule-based and machine-learning baselines while reducing the false positive rate to 0.03. In addition, the system maintains real-time feasibility with an average decision latency of 24 ms and explanation latency below 5 ms, while achieving 92% analyst-rated explanation sufficiency. These findings demonstrate that integrating behavioral intelligence with symbolic policy reasoning enables adaptive, interpretable, and policy-aware Zero Trust enforcement. 
The proposed framework therefore provides a practical foundation for next-generation ZTNA systems capable of supporting secure, transparent, and context-aware access control in modern cloud environments. Full article
(This article belongs to the Special Issue New Advances in Network Security and Data Privacy)

26 pages, 423 KB  
Article
Hardware-Anchored ES-SPA: A Dynamic Zero-Trust Architecture for Secure eSIM Provisioning in 6G IoT via Moving Target Defense
by Hari N. N., Kurunandan Jain, Prabu P and Prabhakar Krishnan
Future Internet 2026, 18(4), 187; https://doi.org/10.3390/fi18040187 - 1 Apr 2026
Viewed by 593
Abstract
The rapid evolution of 6G networks and large-scale Internet of Things (IoT) deployments intensifies security and privacy challenges in embedded SIM (eSIM) Remote SIM Provisioning (RSP), particularly during the bootstrap and profile delivery phases. Traditional perimeter-based and VPN-centric approaches expose static attack surfaces, making provisioning workflows vulnerable to denial-of-service (DoS) attacks, reconnaissance, and profile lock-in risks. This paper presents MTD-SDP-eSIM, a hardware-anchored Zero Trust Architecture that secures eSIM provisioning by integrating the embedded Universal Integrated Circuit Card (eUICC) as a root of trust with Software-Defined Perimeter (SDP), Software-Defined Networking (SDN), and Moving Target Defense (MTD). The framework introduces Hardware-Anchored Single Packet Authorization (ES-SPA), which cryptographically binds initial access to tamper-resistant eUICC credentials and enforces an authenticate-before-connect model. A unified Zero Trust controller dynamically orchestrates SDP access control, SDN-based micro-segmentation, and MTD-driven Network Address Shuffling during high-risk provisioning phases. This framework is validated on a high-fidelity 6G testbed built using ns-3, Open5GS, and P4-programmable switches. Experimental results demonstrate a 90% DoS survival rate during provisioning, a 35% scalability improvement over VPN-based baselines, and a 75% reduction in profile lock-in failures through runtime deletion verification. These findings confirm that anchoring dynamic network defenses in hardware-rooted identity significantly enhances the resilience, scalability, and privacy of eSIM provisioning for massive 6G IoT deployments. Full article

26 pages, 572 KB  
Article
Physics-Constrained Optimization Framework for Detecting Stealthy Drift Perturbations
by Mordecai Opoku Ohemeng and Frederick T. Sheldon
Mathematics 2026, 14(7), 1113; https://doi.org/10.3390/math14071113 - 26 Mar 2026
Viewed by 510
Abstract
This work develops a zero-trust, physics-constrained mathematical framework for detecting stealthy drift perturbations in power system dynamical models. Such perturbations constitute adversarial, statistical deviations that preserve first-order operating trends, making them difficult to identify using classical residual-based estimators or unconstrained data-driven models. We introduce ZETWIN, a spatio-temporal learning architecture formulated as a constrained optimization problem in which the nodal admittance matrix Ybus acts as a graph-structured linear operator embedded directly into the loss functional. This construction enforces Kirchhoff-consistent latent representations and yields a mathematically grounded zero-trust decision rule that flags any trajectory violating physical feasibility, independent of prior attack signatures. The proposed framework is evaluated using a PyPSA-based AC–DC meshed network, demonstrating an AUROC = 0.994, and F1 = 0.969. The formulation highlights how physics-informed constraints, graph operators, and spatio-temporal approximation theory can be combined to construct mathematically interpretable zero-trust detectors for complex dynamical systems. Full article

20 pages, 543 KB  
Article
EdgeGuard-AI: Zero-Trust and Load-Aware Federated Scheduling for Secure and Low-Latency IoT Edge Networks
by Abdulaziz G. Alanazi and Haifa A. Alanazi
Sensors 2026, 26(6), 1989; https://doi.org/10.3390/s26061989 - 23 Mar 2026
Viewed by 403
Abstract
Edge computing is now widely used to support real-time and safety-critical IoT services. However, current edge schedulers usually optimize only performance, while security verification and trust assessment are handled as separate modules. This separation creates a practical risk: tasks may be assigned to lightly loaded but compromised edge nodes, or secure nodes may become overloaded, violating latency requirements. We propose EdgeGuard-AI, a unified trust-driven and load-aware scheduling framework inspired by zero-trust security principles for next-generation IoT edge networks. The framework jointly learns dynamic node trust and short-term workload patterns from distributed edge data and integrates both signals into scheduling decisions. Experimental results on a realistic IoT edge security dataset show a task success rate of 97.3 percent, average scheduling latency of 58.1 ms during stress periods, unsafe offloading below 2 percent, and trust discrimination AUC of 0.971. Full article
(This article belongs to the Section Internet of Things)

20 pages, 2673 KB  
Article
TAFL-UWSN: A Trust-Aware Federated Learning Framework for Securing Underwater Sensor Networks
by Raja Waseem Anwar, Mohammad Abrar, Abdu Salam and Faizan Ullah
Network 2026, 6(1), 18; https://doi.org/10.3390/network6010018 - 19 Mar 2026
Viewed by 479
Abstract
Underwater Acoustic Sensor Networks (UASNs) are pivotal for environmental monitoring, surveillance, and marine data collection. However, their open and largely unattended operational settings, constrained communication capabilities, limited energy resources, and susceptibility to insider attacks make it difficult to achieve safe, secure, and efficient collaborative learning. Federated learning (FL) offers a privacy-preserving method for decentralized model training but is inherently vulnerable to Byzantine threats and malicious participants. This paper proposes trust-aware FL for underwater sensor networks (TAFL-UWSN), a trust-aware FL framework designed to improve security, reliability, and energy efficiency in UASNs by incorporating trust evaluation directly into the FL process. The goal is to mitigate the impact of adversarial nodes while maintaining model performance in low-resource underwater environments. TAFL-UWSN integrates continuous trust scoring based on packet forwarding reliability, sensing consistency, and model deviation. Trust scores are used to weight or filter model updates both at the node level and the edge layer, where Autonomous Underwater Vehicles (AUVs) act as mobile aggregators. A trust-aware federated averaging algorithm is implemented, and extensive simulations are conducted in a custom Python-based environment, comparing TAFL-UWSN to standard FedAvg and Byzantine-resilient FL approaches under various attack conditions. TAFL-UWSN achieved a model accuracy exceeding 92% with up to 30% malicious nodes while maintaining a false positive rate below 5.5%. Communication overhead was reduced by 28%, and energy usage per node dropped by 33% compared to baseline methods. The TAFL-UWSN framework demonstrates that integrating trust into FL enables secure, efficient, and resilient underwater intelligence, validating its potential for broader application in distributed, resource-constrained environments. Full article

27 pages, 3391 KB  
Article
A Hybrid Federated–Incremental Learning Framework for Continuous Authentication in Zero-Trust Networks
by Jie Ji, Shi Qiu, Shengpeng Ye and Xin Liu
Future Internet 2026, 18(3), 154; https://doi.org/10.3390/fi18030154 - 16 Mar 2026
Viewed by 330
Abstract
Zero-trust architecture (ZTA) requires continuous and adaptive identity authentication to maintain security in dynamic environments. However, current federated learning (FL)-based authentication models often struggle to incorporate evolving attack patterns without experiencing catastrophic forgetting. Moreover, non-independent and identically distributed (non-IID) client data and concept drift frequently lead to degraded model robustness and personalization. To address these issues, this paper presents a hybrid learning framework that integrates federated learning with incremental learning (IL) for sustainable authentication. A Dynamic Weighted Federated Aggregation (DWFA) algorithm is developed to mitigate concept drift by adjusting aggregation weights in real time, ensuring that the global model adapts to changing data distributions. This approach enables continuous learning from distributed threat data while maintaining privacy and eliminating the need for historical data retention. Experimental results on real-world traffic datasets indicate that the proposed framework outperforms conventional FL baselines, reducing the overall error rate by approximately 56% and improving the detection rate for novel attack types by over 17.8%. Furthermore, the framework remains stable against performance decay while maintaining efficient communication overhead. This study provides an adaptive, privacy-preserving solution for identity authentication in zero-trust systems. Full article
(This article belongs to the Special Issue Cybersecurity in the Age of AI, IoT, and Edge Computing)

14 pages, 3237 KB  
Article
SAF-PUF: A Strong PUF with Zero-BER, ML-Resilience and Dynamic Key Concealment Enabled by RRAM Stuck-at-Faults
by Qianwu Zhang, Bingyang Zheng, Lin-Sheng Wu and Xin Zhao
Appl. Sci. 2026, 16(6), 2817; https://doi.org/10.3390/app16062817 - 15 Mar 2026
Viewed by 342
Abstract
Targeting resource-constrained Internet of Things (IoT) devices, this paper proposes Stuck-at-Fault Physical Unclonable Function (SAF-PUF), a lightweight Resistive Random-Access Memory (RRAM)-based PUF that exploits the intrinsic addresses of manufacturing-induced SAF defects as a stable entropy source. By using the coordinates of Stuck-at-1 (SA1) cells to seed a 32-bit Linear Feedback Shift Register (LFSR), SAF-PUF generates robust, variable-length responses with zero Bit Error Rate (BER) across a wide temperature range from −40 °C to 125 °C, without any error-correction circuitry. Experimental results based on 100,000 Challenge–Response Pairs (CRPs) demonstrate strong resilience against machine learning (ML) attacks, with prediction accuracies of logistic regression (LR), support vector machines (SVM), neural networks (NN) and convolutional neural networks (CNNs) remaining close to 50%. Moreover, a “use-then-conceal” mechanism is introduced to enhance post-authentication security, enabling response obfuscation with minimal cell reconfiguration. These features make SAF-PUF a high-security, low-overhead hardware root of trust suitable for IoT applications. Full article
(This article belongs to the Section Electrical, Electronics and Communications Engineering)

31 pages, 2256 KB  
Article
Trust Assessment of Distributed Power Grid Terminals via Dual-Domain Graph Neural Networks
by Cen Chen, Jinghong Lan, Yi Wang, Zhuo Lv, Junchen Li, Ying Zhang, Xinlei Ming and Yubo Song
Electronics 2026, 15(6), 1211; https://doi.org/10.3390/electronics15061211 - 13 Mar 2026
Viewed by 471
Abstract
As distributed terminals are increasingly integrated into modern power systems with high penetration of renewable energy and decentralized resources, access control mechanisms must support continuous and highly detailed trust assessment. Existing approaches based on machine learning primarily rely on network traffic features from a single source and analyze terminals in isolation, which limits their ability to capture complex device states and correlated attack behaviors. This paper presents a trust assessment framework for distributed power grid terminals that combines multidimensional behavioral modeling with dual domain graph neural networks. Behavioral features are collected from network traffic, runtime environment, and hardware or kernel events and are fused into compact representations through a variational autoencoder to mitigate redundancy and reduce computational overhead. Based on the fused features and observed communication relationships, two graphs are constructed in parallel: a feature domain graph reflecting behavioral similarity and a topological domain graph capturing communication structure between terminals. Graph convolution is performed in both domains to jointly model individual behavioral risk and correlation across terminals. A fusion mechanism based on attention is further introduced to adaptively integrate embeddings specific to each domain, together with a loss function that enforces both shared and complementary representations across domains. Experiments conducted on the CIC EV Charger Attack Dataset 2024 show that the proposed framework achieves a classification accuracy of 96.84%, while maintaining a recall rate above 95% for the low trust category. These results indicate that incorporating multidimensional behavior perception and dual domain relational modeling improves trust assessment performance for distributed power grid terminals under complex attack scenarios. Full article
(This article belongs to the Special Issue Advances in Data Security: Challenges, Technologies, and Applications)

21 pages, 17407 KB  
Article
Toward Self-Sovereign Management of Subscriber Identities in 5G/6G Core Networks
by Paul Scalise, Michael Hempel and Hamid Sharif
Telecom 2026, 7(1), 23; https://doi.org/10.3390/telecom7010023 - 16 Feb 2026
Viewed by 649
Abstract
5G systems have delivered on their promise of seamless connectivity and efficiency improvements since their global rollout began in 2020. However, maintaining subscriber identity privacy on the network remains a critical challenge. The 3GPP specifications define numerous identifiers associated with the subscriber and their activity, all of which are critical to the operations of cellular networks. While the introduction of the Subscription Concealed Identifier (SUCI) protects users across the air interface, the 5G Core Network (CN) continues to operate largely on the basis of the Subscription Permanent Identifier (SUPI)—the 5G-equivalent to the IMSI from prior generations—for functions such as authentication, billing, session management, emergency services, and lawful interception. Furthermore, the SUPI relies solely on the transport layer’s encryption for protection from malicious observation and tracking of the SUPI across activities. The crucial role of the largely unprotected SUPI and other closely related identifiers creates a high-value target for insider threats, malware campaigns, and data exfiltration, effectively rendering the Mobile Network Operator (MNO) a single point of failure for identity privacy. In this paper, we analyze the architectural vulnerabilities of identity persistence within the CN, challenging the legacy “honest-but-curious” trust model. To quantify the extent of subscriber identities being utilized and exchange within various API calls in the CN, we conducted a study of the occurrence of SUPI as a parameter throughout the collection of 5G SBI (Service-Based Interface) Core VNF (Virtual Network Function) API (Application Programming Interface) schemas. Our extensive analysis of the 3GPP specifications for 3GPP Release 18 revealed a total of 4284 distinct parameter names being used across all API calls, with a total of 171,466 occurrences across the API schema. 
More importantly, it revealed a highly skewed distribution in which subscriber identity plays a pivotal role. Specifically, the “supi” parameter ranks 57th with 397 occurrences. We found that SUPI occurs both as a direct parameter (“supi”) and within 72 other parameter names that contain subscriber identifiers as defined in 3GPP TS 23.003. For these 73 parameter names, we identified a total of 8757 occurrences. At over 5.11% of all parameter occurrences, this constitutes a disproportionately large share of total references. We also detail scenarios where subscriber privacy can be compromised by internal actors and review future privacy-preserving frameworks that aim to decouple subscriber identity from network operations. By suggesting a shift towards a zero-trust model for CN architecture and providing subscribers with greater control over their identity management, this work also offers a potential roadmap for mitigating insider threats in current deployments and influencing specific standardization and regulatory requirements for future 6G and Beyond-6G networks. Full article

16 pages, 299 KB  
Article
Security Challenges in 5G Network Slicing: A Risk-Based Analysis and Conceptual Framework
by José Dias, Silvestre Malta and Ricardo Santos
J. Cybersecur. Priv. 2026, 6(1), 35; https://doi.org/10.3390/jcp6010035 - 12 Feb 2026
Viewed by 1354
Abstract
Network slicing is a core enabler of multi-tenant 5th Generation (5G) architectures, allowing heterogeneous services to coexist over shared infrastructure. However, ensuring effective isolation between slices remains a critical security challenge, as failures may enable cross-slice interference, data leakage, or cascading service disruption. This article analyses security vulnerabilities affecting 5G network slicing from a risk-oriented perspective, with particular emphasis on isolation weaknesses across orchestration, virtualization, network, and interface layers. Due to the technical immaturity and instability of current open-source slicing platforms, experimental validation of security mechanisms proved infeasible. These limitations are therefore treated as empirical evidence informing a structured vulnerability taxonomy and a qualitative risk assessment grounded in confidentiality, integrity, and availability. Building on this analysis, the article proposes a conceptual security framework that integrates defence-in-depth, zero-trust principles, continuous monitoring, and adaptive response mechanisms to enforce isolation dynamically. Aligned with established standards and regulatory references, the framework provides a coherent theoretical foundation for future experimental validation and the secure design of resilient 5G network slicing architectures. Full article
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

19 pages, 576 KB  
Article
Blockchain-Based Solution for Privacy-Preserving SIM Card Registration
by Babe Haiba and Najat Rafalia
J. Cybersecur. Priv. 2026, 6(1), 30; https://doi.org/10.3390/jcp6010030 - 9 Feb 2026
Viewed by 694
Abstract
Mandatory SIM card registration, while essential to regulatory oversight and national security, continues to raise significant privacy concerns due to the centralized collection and storage of sensitive user data by Mobile Network Operators (MNOs). This paper introduces a novel framework that combines blockchain technology with Zero-Knowledge Proofs (ZKPs) to enable secure and privacy-preserving identity verification during SIM registration. The proposed system allows users to authenticate their identity attributes without revealing any personal information, effectively minimizing direct data access by MNOs or intermediaries. A smart contract deployed on the blockchain enforces regulatory policies while ensuring the transparency, immutability, and auditability of all registration events. By removing single points of failure and minimizing trust in centralized authorities, this work offers a cryptographically secure and regulation-compliant solution, with scalability supported by its modular design for next-generation digital identity management in telecommunications infrastructures. Full article
(This article belongs to the Section Security Engineering & Applications)

37 pages, 501 KB  
Article
Comparative Analysis of Attribute-Based Encryption Schemes for Special Internet of Things Applications
by Łukasz Pióro, Krzysztof Kanciak and Zbigniew Zieliński
Electronics 2026, 15(3), 697; https://doi.org/10.3390/electronics15030697 - 5 Feb 2026
Viewed by 687
Abstract
Attribute-based encryption (ABE) is an advanced public key encryption mechanism that enables the precise control of access to encrypted data based on attributes assigned to users and data. Attribute-based access control (ABAC), which is built on ABE, is crucial in providing dynamic, fine-grained, and context-aware security management in modern Internet of Things (IoT) applications. ABAC controls access based on attributes associated with users, devices, resources, and environmental conditions rather than fixed roles, making it highly adaptable to the complex and heterogeneous nature of IoT ecosystems. ABE can significantly improve the security and manageability of modern military IoT systems. Nevertheless, its practical implementation requires obtaining a range of performance data and assessing the additional overhead, particularly regarding data transmission efficiency. This paper provides a comparative analysis of the performance of two cryptographic schemes for attribute-based encryption in the context of special Internet of Things (IoT) applications. This applies to special environments, both military and civilian, where infrastructure is unreliable and dynamic and decisions must be made locally and in near-real time. From a security perspective, there is a need for strong authentication, precise access control, and a zero-trust approach at the network edge as well. The CIRCL scheme, based on traditional pairing-based ABE (CP-ABE), is compared with the newer Covercrypt scheme, a hybrid key encapsulation mechanism with access control (KEMAC) that provides quantum resistance. The main goal is to determine which scheme scales better and meets the performance requirements for two different scenarios: large corporate networks (where scalability is key) and tactical edge networks (where minimal bandwidth and post-quantum security are paramount). 
The benchmark results are used to compare the operating costs in detail, such as the key generation time, message encryption and decryption times, public key size, and cipher overhead, showing that Covercrypt provides a reduction in ciphertext overhead in tactical scenarios, while CIRCL offers faster decryption throughput in large-scale enterprise environments. It is concluded that the optimal choice depends on the specific constraints of the operating environment.
(This article belongs to the Special Issue Computer Networking Security and Privacy)