Critical infrastructures (CIs) increasingly depend on deeply layered, cyber–physical networks whose implicit recursion—created by tunnels, overlays, and 5G/6G slices—obscures traffic context and hampers intrusion detection. We posit that stacks with explicit recursion, such as the Recursive InterNetwork Architecture (RINA), offer a more natural substrate for AI-driven security because each layer already defines a well-scoped, isolated monitoring domain. To test this premise we present Learning-in-the-Middle (LIM), a framework that attaches lightweight anomaly detectors—Isolation Forest (IF), One-Class SVM (OCSVM), or Auto-Encoder (AE)—to every Distributed IPC Facility (DIF) in a RINA stack. A comprehensive simulation of three CI-relevant attack scenarios shows: (i) LIM lifts \(F_{1}\) scores to \(0.98\!-\!0.99\) for edge-local DoS and cross-layer floods, outperforming even strong global baselines (Global-AE/OCSVM) by up to 10 percentage points and eclipsing the conventional Global-IF baseline by an order of magnitude. (ii) For the tunnel-hijack scenario, a finely tuned Global-OCSVM matches the best LIM variant ( \(F_{1}\!\approx \!0.97\) ), underscoring that detection scope and learner choice are jointly decisive. (iii) All six detectors maintain similarly low false-positive rates (0.9–1.8 %), while per-packet overhead stays within 19–23 µs on commodity hardware. These results highlight explicit recursion plus distributed AI as a powerful recipe for context-aware, low-latency protection of complex CI networks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Learning-in-the-Middle: Explicit-Recursion Anomaly Detection for Critical Infrastructures

  • Toktam Ramezanifarkhani,
  • Peyman Teymoori

摘要

Critical infrastructures (CIs) increasingly depend on deeply layered, cyber–physical networks whose implicit recursion—created by tunnels, overlays, and 5G/6G slices—obscures traffic context and hampers intrusion detection. We posit that stacks with explicit recursion, such as the Recursive InterNetwork Architecture (RINA), offer a more natural substrate for AI-driven security because each layer already defines a well-scoped, isolated monitoring domain. To test this premise we present Learning-in-the-Middle (LIM), a framework that attaches lightweight anomaly detectors—Isolation Forest (IF), One-Class SVM (OCSVM), or Auto-Encoder (AE)—to every Distributed IPC Facility (DIF) in a RINA stack. A comprehensive simulation of three CI-relevant attack scenarios shows: (i) LIM lifts \(F_{1}\) scores to \(0.98\!-\!0.99\) for edge-local DoS and cross-layer floods, outperforming even strong global baselines (Global-AE/OCSVM) by up to 10 percentage points and eclipsing the conventional Global-IF baseline by an order of magnitude. (ii) For the tunnel-hijack scenario, a finely tuned Global-OCSVM matches the best LIM variant ( \(F_{1}\!\approx \!0.97\) ), underscoring that detection scope and learner choice are jointly decisive. (iii) All six detectors maintain similarly low false-positive rates (0.9–1.8 %), while per-packet overhead stays within 19–23 µs on commodity hardware. These results highlight explicit recursion plus distributed AI as a powerful recipe for context-aware, low-latency protection of complex CI networks.