Computer Networks最新文献

{"title":"Design and evaluation of an Autonomous Cyber Defence agent using DRL and an augmented LLM","authors":"Johannes Loevenich ,&nbsp;Erik Adler ,&nbsp;Tobias Hürten ,&nbsp;Roberto Rigolin F. Lopes","doi":"10.1016/j.comnet.2025.111162","DOIUrl":"10.1016/j.comnet.2025.111162","url":null,"abstract":"<div><div>In this paper, we design and evaluate an Autonomous Cyber Defence (ACD) agent to monitor and act within critical network segments connected to untrusted infrastructure hosting active adversaries. We assume that modern network segments use software-defined controllers with the means to host ACD agents and other cybersecurity tools that implement hybrid AI models. Our agent uses a hybrid AI architecture that integrates deep reinforcement learning (DRL), augmented Large Language Models (LLMs), and rule-based systems. This architecture can be implemented in software-defined network controllers, enabling automated defensive actions such as monitoring, analysis, decoy deployment, service removal, and recovery. A core contribution of our work is the construction of three cybersecurity knowledge graphs that organise and map data from network logs, open source Cyber Threat Intelligence (CTI) reports, and vulnerability frameworks. These graphs enable automatic mapping of Common Vulnerabilities and Exposures (CVEs) to offensive tactics and techniques defined in the MITRE ATT&amp;CK framework using Bidirectional Encoder Representations from Transformers (BERT) and Generative Pre-trained Transformer (GPT) models. Our experimental evaluation of the knowledge graphs shows that BERT-based models perform better, with precision (83.02%), recall (75.92%), and macro F1 scores (58.70%) significantly outperforming GPT models. The ACD agent was evaluated in a Cyber Operations Research (ACO) gym against eleven DRL models, including Proximal Policy Optimisation (PPO), Hierarchical PPO, and ensembles under two different attacker strategies. The results show that our ACD agent outperformed baseline implementations, with its DRL models effectively mitigating attacks and recovering compromised systems. In addition, we implemented and evaluated a chatbot using Retrieval-Augmented Generation (RAG) and a prompting agent augmented with the CTI reports represented in the cybersecurity knowledge graphs. The chatbot achieved high scores on generation metrics such as relevance (0.85), faithfulness (0.83), and semantic similarity (0.88), as well as retrieval metrics such as contextual precision (0.91). The experimental results suggest that the integration of hybrid AI systems with knowledge graphs can enable the automation and improve the precision of cyber defence operations, and also provide a robust interface for cybersecurity experts to interpret and respond to advanced cybersecurity threats.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111162"},"PeriodicalIF":4.4,"publicationDate":"2025-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143562749","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"CAEAID: An incremental contrast learning-based intrusion detection framework for IoT networks","authors":"Zinuo Yin ,&nbsp;Hongchang Chen ,&nbsp;Hailong Ma ,&nbsp;Tao Hu ,&nbsp;Luxin Bai","doi":"10.1016/j.comnet.2025.111161","DOIUrl":"10.1016/j.comnet.2025.111161","url":null,"abstract":"<div><div>Nowadays, the swiftly advancing and intricately diverse IoT node devices produces high-dimensional, discrete, and temporally dynamic network traffic feature data. The ensuing data distribution sparsity and concept drift can critically impair the effectiveness of traditional deep learning-based intrusion detection models. To address these issues, we propose an incremental contrastive learning-based intrusion detection framework for IoT networks, CAEAID. On one hand, to tackle the high-dimensional sparse distribution of traffic, we construct a contrastive autoencoder. It effectively learns low-dimensional latent representations of IoT traffic features by minimizing the distance between similar samples while maximizing the distance between dissimilar samples. Subsequently, we identify abnormal traffic based on distance. The contrastive autoencoder clarifies the boundaries of traffic categories and alleviates the challenges posed by high-dimensional sparse spaces. Simultaneously, we apply improved extreme value theory to fit IoT traffic features and adaptively establish thresholds for detecting extreme discrete anomalous traffic for auxiliary analysis. On the other hand, to handle concept drift, CAEAID creates a pseudo-labeled dataset based on detection consistency, enabling incremental learning and periodic model updates for adaptive detection. Experimental results indicate that compared to other advanced methods, CAEAID improves the accuracy on the IoTID20 and CICIDS2018 datasets by at least 1.15% and 1.72%, respectively. Furthermore, the framework demonstrates superior performance in precision, recall, and F1-score.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111161"},"PeriodicalIF":4.4,"publicationDate":"2025-03-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143551383","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Enabling efficient collection and usage of network performance metrics at the edge","authors":"Antonio Calagna ,&nbsp;Stefano Ravera ,&nbsp;Carla Fabiana Chiasserini","doi":"10.1016/j.comnet.2025.111158","DOIUrl":"10.1016/j.comnet.2025.111158","url":null,"abstract":"<div><div>Microservices (MSs)-based architectures have become the de facto standard for designing and implementing edge computing applications. In particular, by leveraging Network Performance Metrics (NPMs) coming from the Radio Access Network (RAN) and sharing context-related information, AI-driven MSs have demonstrated to be highly effective in optimizing RAN performance. In this context, this work addresses the critical challenge of ensuring efficient data sharing and consistency by proposing a holistic platform that regulates the collection and usage of NPMs. We first introduce two reference platform architectures and detail their implementation using popular, off-the-shelf database solutions. Then, to evaluate and compare such architectures and their implementation, we develop PACE, a highly configurable, scalable, MS-based emulation framework of producers and consumers of NPMs, capable of realistically reproducing a broad range of interaction patterns and load dynamics. Using PACE on our cloud computing testbed, we conduct a thorough characterization of various NPM platform architectures and implementations under a spectrum of realistic edge traffic scenarios, from loosely coupled control loops to latency- and mission- critical use cases. Our results reveal fundamental trade-offs in stability, availability, scalability, resource usage, and energy footprint, demonstrating how PACE effectively enables the identification of suitable platform solutions depending on the reference edge scenario and the required levels of reliability and data consistency.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111158"},"PeriodicalIF":4.4,"publicationDate":"2025-03-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143551386","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"LM-Hunter: An NLP-powered graph method for detecting adversary lateral movements in APT cyber-attacks at scale","authors":"Mario Pérez-Gomariz ,&nbsp;Fernando Cerdán-Cartagena ,&nbsp;Jess García","doi":"10.1016/j.comnet.2025.111181","DOIUrl":"10.1016/j.comnet.2025.111181","url":null,"abstract":"<div><div>APT (Advanced Persistent Threat) actors are highly skilled cyber attackers who employ sophisticated techniques to infiltrate and maintain unauthorized access to a network over an extended period. In the APT lifecycle, lateral movement stands out as a critical stage where intruders escalate privileges and move across the network to expand their control and access to sensitive data. While solutions such as UEBA (User and Entity Behavior Analytics) or graph analysis have been proposed to identify lateral movements, their application in real-world cybersecurity incidents remains impractical in terms of both scalability and performance. This paper introduces LM-Hunter, a new robust and efficient method for identifying stealth adversaries moving laterally through the network at scale. LM-Hunter takes advantage of graphs and Transformers, a specific architecture within NLP (Natural Language Processing), to learn the network dynamics for hunting the most suspicious lateral movements of the users. The method is validated in a real-world cybersecurity incident at a Fortune 500 company, one of the largest corporations in the United States, demonstrating its capability to identify adversarial lateral movements in large enterprise networks. LM-Hunter enhances the threat detection capabilities of Incident Response and Threat Hunting teams in real-world scenarios. The application of the method is facilitated by releasing LM-Hunter as an open-source tool, expanding the arsenal of cybersecurity teams for combating cyber threats.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111181"},"PeriodicalIF":4.4,"publicationDate":"2025-03-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143580697","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Soft failure detection and identification in optical networks using cascaded deep learning model","authors":"Subhendu Ghosh,&nbsp;Aneek Adhya","doi":"10.1016/j.comnet.2025.111159","DOIUrl":"10.1016/j.comnet.2025.111159","url":null,"abstract":"<div><div>Due to malfunction of network devices and surge in physical layer impairments, the quality of transmission (QoT) in backbone optical networks may degrade. If the cause of the degradation is not timely diagnosed and addressed adequately, it may deteriorate into a hard failure. In this study, we consider the external cavity laser (ECL) malfunction-, erbium-doped fiber amplifier (EDFA) malfunction-, and nonlinear interference-related soft failures. We propose a software-defined optical network (SDON)-based soft failure detection and identification strategy using a cascaded deep learning model. Time-series QoT data of normal and degraded lightpaths obtained through the optical performance monitoring equipment is used to train the proposed cascaded deep learning model. In the first stage, a long short-term memory-based autoencoder (LSTM-AE) model is used as a binary classifier to identify the anomalous time-series sequences. Subsequently, an LSTM-based multiclass classifier is used to identify the type of soft failure. Our proposed approach shows an accuracy of 99.70%.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111159"},"PeriodicalIF":4.4,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143580694","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"UGL: A comprehensive hybrid model integrating GCN and LSTM for enhanced intrusion detection in UAV controller area networks","authors":"Ying Du ,&nbsp;Yilong Li ,&nbsp;Pu Cheng ,&nbsp;Zhijie Han ,&nbsp;Yanan Wang","doi":"10.1016/j.comnet.2025.111157","DOIUrl":"10.1016/j.comnet.2025.111157","url":null,"abstract":"<div><div>The Unmanned Aerial Vehicle Controller Area Network (UAVCAN) is a lightweight communication protocol based on the Controller Area Network (CAN) bus, designed to facilitate communication among various components within unmanned aerial vehicles (UAVs). Traditional CAN-based intrusion detection and anomaly monitoring methods primarily target vehicle networks, rendering them less adaptable and effective for UAV systems due to differences in network structure and data patterns. UAV networks encounter significant challenges, including limited information density and a reduced number of electronic components. To address these challenges, this paper introduces two key innovations to enhance security in UAV networks. First, Based on the extended dataset, we propose a novel graph construction method specifically designed for scenarios where UAVs have only a few Electronic Control Unit (ECU) nodes, effectively enhancing the information density. Secondly, this study designs an innovative network attack detection model called UAV-GCNLSTM (UGL), which combines the efficiency of Graph Convolutional Networks (GCN) in capturing network topology with the capability of Long Short-Term Memory networks (LSTM) in processing sequential data. Experimental results demonstrate that the UGL model achieves an accuracy of 1.0000 for Flooding attacks, 0.9854 for Fuzzy attacks, and 0.9635 for Replay attacks, significantly outperforming the compared models.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111157"},"PeriodicalIF":4.4,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143551384","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Collaborative cloud–edge task scheduling scheme in the networked UAV Internet of Battlefield Things (IoBT) territories based on deep reinforcement learning model","authors":"Mustafa Ibrahim Khaleel","doi":"10.1016/j.comnet.2025.111156","DOIUrl":"10.1016/j.comnet.2025.111156","url":null,"abstract":"<div><div>Multiaccess cloud–edge computing (MCEC) represents a burgeoning technology facilitating the delegation of mobile application tasks, especially those demanding swift processing and substantial computational capabilities, to cloud data centers. The intricate maneuvering of unmanned aerial vehicles (UAVs) in interconnected combat cloud systems poses a noteworthy challenge in determining the optimal distribution of task offloading. Uneven task allocation to specific UAVs could result in heightened latency and diminished reliability. We consider combat cloud networks over various regions, each with numerous edge servers that will be connected to different independent UAVs over high-speed links, to handle latency-sensitive and compute-intensive tasks in three possible offloading alternatives: using the nearest edge server, using neighboring edges, and using far-cloud resources. The contribution of this work is a two-step procedure involving reinforcement learning (RL) technique to handle the challenge of cloud–edge servers’ task allocation and to determine the most effective offloading approach that minimizes latency, maximizing reliability. First, it deals with the issues related to task distribution in combat cloud systems, centered on optimizing the balance between latency and reliability in case of task delegation to UAVs. It involves making strategic decisions on when and where tasks can be migrated by considering the mobility of the unmanned aerial systems. The second contribution is based on performing an RL algorithm in a collaborative UAV cluster. Compared with the other two methods, our algorithm improves the latency by about 20%–40% and enhances reliability by about 13%–28% in terms of non-violation of QoS constraints.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"261 ","pages":"Article 111156"},"PeriodicalIF":4.4,"publicationDate":"2025-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143529381","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"AUV-aided isolated sub-network prevention for reliable data collection by underwater wireless sensor networks","authors":"Chandra Sukanya Nandyala,&nbsp;Ho-Shin Cho","doi":"10.1016/j.comnet.2025.111154","DOIUrl":"10.1016/j.comnet.2025.111154","url":null,"abstract":"<div><div>The unique characteristics of the underwater environment, such as limited infrastructure, challenging acoustic communication channels, and constrained battery power of underwater sensor nodes, significantly impact the overall network lifetime of underwater wireless sensor networks (UWSNs). In a multi-hop UWSN, the death of a special node — cut-vertex (CV) — divides the network into the main network and an isolated sub-network (ISN). The UWSN may struggle to operate continuously and efficiently owing to the death of underwater sensor nodes, resulting in a shorter network lifetime and reduced data reliability. Consequently, the data generated by the ISN is lost. To address this issue, this paper presents an autonomous underwater vehicle (AUV)-aided ISN prevention protocol for UWSNs. The proposed protocol employs an AUV to explore and identify a CV by utilizing the information collected from the sensor nodes. Subsequently, the AUV predicts the future residual energy of the CV, ensuring its arrival near the CV prior to the energy depletion of the CV and the formation of an ISN. Then, instead of the CV, the AUV directly collects data from the CV-associated sensor nodes while the CV harvests energy. The CV replenishes its energy by harnessing ambient underwater sources and subsequently reintegrates into the network after attaining sufficient energy recharge. In this study, we evaluate the performance of the proposed protocol by comparing it with the Q-learning-based topology-aware routing protocol, a hybrid data-collection scheme, stratification-based data-collection scheme, and Q-learning-based energy-efficient and lifetime-aware routing protocol in terms of the lifetime of the network, lifetime of the CVs, energy consumption, end-to-end delay, and packet delivery ratio.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111154"},"PeriodicalIF":4.4,"publicationDate":"2025-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143580695","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Design of a provable secure lightweight privacy-preserving authentication protocol for autonomous vehicles in IoT systems","authors":"Mohd Shariq ,&nbsp;Ismail Taha Ahmed ,&nbsp;Mehedi Masud ,&nbsp;Aymen Dia Eddine Berini ,&nbsp;Norziana Jamil","doi":"10.1016/j.comnet.2025.111155","DOIUrl":"10.1016/j.comnet.2025.111155","url":null,"abstract":"<div><div>The rapid advancement of the Internet of Things (IoT) has enabled the adoption of autonomous vehicles (AVs) and drones in intelligent transportation systems (ITS), improving traffic efficiency and safety. However, security and privacy in interconnected ITS environments is a major concern. It is imperative to safeguard sensitive information from various known attacks while enabling secure communication. Keeping in view the security and privacy of autonomous vehicles in IoT systems, this paper puts forward Provable Secure Lightweight Privacy-Preserving Authentication Protocol (PSLAP). The proposed PSLAP protocol achieves high-level security by utilizing cryptographic primitives such as exclusive-OR, secure one-way hash, elliptic curve cryptography (ECC), and concatenation operators. The proposed PSLAP protocol is demonstrated to be resistant to numerous known security assaults through an informal security and privacy assessment. This study presents a formal security analysis using a widely accepted real-or-random (ROR) model which demonstrates the security hardness of the proposed scheme. Additionally, the performance analysis shows that the proposed protocol has minimal computation and communication costs compared to other existing protocols.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"261 ","pages":"Article 111155"},"PeriodicalIF":4.4,"publicationDate":"2025-02-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143529382","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Dynamic pricing and scheduling in LEO satellite networks","authors":"Xianglong Li ,&nbsp;Kaiwei Mo ,&nbsp;Zongpeng Li ,&nbsp;Hong Xu","doi":"10.1016/j.comnet.2025.111152","DOIUrl":"10.1016/j.comnet.2025.111152","url":null,"abstract":"<div><div>The dynamic nature of Low Earth Orbit (LEO) satellite networks, characterized by high-speed movement, narrow coverage, uneven spatial distribution and multi-satellite coordination, presents unique challenges and opportunities for network resource allocation. Existing literature has not fully addressed all the practical implementation challenges in LEO satellite networks; the predefined LEO pricing system lacks flexibility and does not consider user utility. This work introduces an auction-based framework to dynamically price and schedule Internet services in LEO satellite networks, optimizing resource allocation among users. We model the NP-Hard LEO Internet service scheduling problem into an Integer Linear Programming (ILP), providing both primal and dual forms. Leveraging an auction mechanism design, our online algorithm OSAL efficiently distributes satellite network resources while maximizing social welfare by ensuring resources are allocated to users who value them most. We demonstrate that OSAL effectively addresses the complexities of node mobility and spatial coverage in LEO satellites, improving the availability and efficiency of Internet services in this rapidly evolving field.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"262 ","pages":"Article 111152"},"PeriodicalIF":4.4,"publicationDate":"2025-02-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143551385","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}