A State-Aware Zero Trust Communication Approach for Offshore Wind Farm
ABSTRACT. Because physical on-site access is constrained, offshore wind farm OT environments rely heavily on remote monitoring, maintenance, and control, and consequently diverse communications with different operational purposes and levels of importance continuously occur. However, existing Zero Trust discussions in OT environments have mainly focused on structural aspects such as access restriction, path control, and segmentation, and have not sufficiently specified how the operational significance of communication should be interpreted or how it should be connected to differentiated protection in OT environments. Accordingly, this paper proposes a state-aware communication approach that classifies offshore wind farm OT communication into normal, warning, and critical states, interprets the meaning and importance of communication differently according to the operational state, and then applies differentiated protection levels accordingly. The case study results show that the proposed approach maintained the loss rate of important communication at 0.3% while limiting the total communication volume to 4.1 MB, thereby forming a more balanced protection structure between the visibility of important communication and the overall communication burden.
EVCSec: Adaptive Authentication Approach for Electric Vehicle Charging System
ABSTRACT. The rapid expansion of electric vehicle charging infrastructure, combined with equipment heterogeneity from multiple manufacturers, diverse device environments, and public network reliance, has escalated security threats against Electric Vehicle Charging Systems (EVCS). Legacy protocols such as OCPP 1.6 and ISO 15118 expose vulnerabilities in static authentication, session management, and certificate handling, with real-world incidents including OCPP zero-day flaws and global EV charging network breaches. This paper proposes an efficient, adaptive reputation-based authentication protocol for EVCS environments. Built on an integrated ISO 15118-20 and OCPP 2.0.1 architecture, it computes reputation scores from vehicle charging history, anomaly frequency, time-based trust decay, and location risk, classifying them into three levels for dynamic authentication strength adjustment. Authentication levels adapt across EV-charger-CSMS segments, ensuring real-time session continuity and data integrity. Formal verification via Scyther confirms security against known attacks.
A Comparative Study of Evaluation Methodologies for Anomaly Detection on ICS Benchmarks
ABSTRACT. In Industrial Control System (ICS) anomaly detection research, benchmark datasets collected from testbeds such as SWaT, WADI, and HAI have been widely used; however, concerns about the reliability of reported performance have been raised persistently due to inherent limitations in both the datasets and the evaluation methodologies. In particular, widely used evaluation metrics such as Point-Adjusted F1 have been shown to overestimate model performance, and fixed thresholds fail to capture data characteristics. However, it has not been systematically examined whether the choice of evaluation methodology influences model comparison outcomes on ICS benchmarks. To address this gap, we compared the performance of traditional ML models (PCA, Isolation Forest) and state-of-the-art DL models (USAD, TranAD) across four ICS benchmark datasets: SWaT, WADI, HAI 21.03, and HAI 23.05. In Exp1, we applied a variety of evaluation metrics (AUROC, AUPRC, Affiliation Precision/Recall) to identical anomaly scores. In Exp2, we applied Oracle and Label-free threshold methods (Best F1, NDT, P95, P99) to quantify how the choice of evaluation methodology shifts relative model rankings. The results show that ML models matched or outperformed DL models in 15 out of 16 dataset-metric combinations. Moreover, the PA-F1 score of a single model varied by up to 0.719 across threshold methods, confirming that the choice of evaluation methodology can considerably alter model rankings. These results indicate that ICS anomaly detection research requires not only improvements in detection models but also systematic examination of evaluation methodologies.
Deployability of Conventional AI and Quantum Machine Learning Detectors for Authentication-Passing Insider Threats in a 5G System
ABSTRACT. 5G now carries authenticated insider threats that bypass perimeter trust: rogue base
stations cloning legitimate certificates, clone user equipment sharing leaked credentials, and
co-located relay agents forwarding NAS bytes without any stolen credentials at all. We
reproduce four such authentication-passing attack scenarios (Benign, Eavesdrop, Impersonation, Relay) on a 5G testbed integrated with an IMS subsystem, and quantify the deployability of four detectors (a cross-plane rule classifier, XGBoost, a Variational Quantum
Classifier, and a Hybrid CN-Q-CN model) along three axes. (T) We decompose pipeline
latency into capture, extract, infer, and alert stages, and report slack = tattack goal −tdetect
per (model, scenario). (P) We contrast passive-tap and inline Network Function placement
of the detector at AMF and S-CSCF. (Q) We measure per-inference simulator latency for
both quantum models and contrast it with the literature-reported Quantum Processing
Unit runtime envelope. Three numbers carry the paper: feature extraction consumes 18–
23 ms across all models, an order of magnitude above any model’s tinfer; inline placement
of a Hybrid detector adds ∆p99 = 109 ms to the NGAP REGISTER round-trip; and the
literature QPU envelope is more than 350× the simulator p99 for the deepest model we
evaluate. From these measurements we derive operational implications for 5G Zero Trust
adoption, the near-term role of Quantum Machine Learning, and the evolution axes of
AI-Native 6G.
Contextual VEX State Inference for Firmware-Based Control Systems from Firmware-Derived SBOMs
ABSTRACT. The presence of a reported CVE does not necessarily mean that a firmware-based Industrial Control System asset is actually affected. In ICS environments, vulnerability applicability depends not only on component presence, but also on configuration conditions, feature enablement, network exposure, industrial protocol dependency, and operational mode. This study proposes a checklist-driven method for directly inferring final VEX states by combining SBOM data, public vulnerability information, vendor advisories, cyber threat intelligence, and operational context. The method consists of three stages: asset-centered input construction, VEX-oriented checklist generation, and checklist-based state determination. In the case study, a pseudo-gold dataset of 25 firmware-CVE pairs was constructed from the firmware SBOM of DH_IPC-HX8XXX-Eos_EngSpn_N_Stream3 (V2.420). Under the measured Qwen2.5-7B-Instruct zero-shot baseline, the method achieved 56.0% label accuracy, 72.0% status accuracy, and 50.5% macro-F1. The results demonstrate the feasibility of checklist-driven VEX inference from firmware-derived SBOM evidence in ICS/OT settings.
QRSign: Secure and Integrity-Assured Generation Framework for QR Phishing Detection
ABSTRACT. QR (Quick Response) codes are widely used for rapid information access across diverse applications; however, their increasing adoption has led to a rise in QR phishing (Quishing) attacks, where users are redirected to malicious websites without prior visibility of embedded URLs. In this paper, we propose QRSign, a secure and integrity-assured QR code generation framework designed to mitigate QR phishing attacks. Unlike conventional approaches, the proposed framework does not directly embed the original URL into the QR code but instead enforces controlled redirection through a verification server, enabling security validation prior to user access. In addition, the framework shifts computationally expensive malicious URL detection from the scanning phase to the generation phase, thereby preserving usability while enhancing security. During QR code generation, the system performs blacklist-based URL validation and integrates an HMAC (Hash-based Message Authentication Code) with a timestamp to ensure data integrity and prevent tampering. Upon scanning, the framework verifies the integrity of the QR code and provides security feedback before allowing access to the original URL. The proposed framework not only enhances the reliability of the original URL but also ensures integrity, thereby preventing the possibility of QR code tampering and improving user security awareness by providing warnings for external QR codes.
What Do NFMs See? Analyzing Attack Classification in Encrypted Traffic
ABSTRACT. Conventional AI-based intrusion detection systems (AI-IDS) have been criticized for their vulnerability to shortcut learning due to reliance on human-defined features. Network Foundation Models (NFMs) offer the potential to overcome this limitation by directly processing packet information within flows in a structured manner. However, high performance alone cannot reveal what information within flows a model actually relies on for classification. In this paper, we classify 6 attack types in encrypted traffic using two NFMs that differ in how they represent traffic—netFound and NetMamba—and analyze what information each model relies on through packet/burst order shuffle experiments. netFound processes up to 72 packets organized in burst units, using tokenized headers along with burst-level metadata (bytes, IAT, flow duration, etc.) as input, whereas NetMamba uses only the header (80 bytes) and payload (240 bytes) of the first 5 packets. Both models achieved over 99% accuracy; however, the shuffle experiments revealed entirely different dependency structures. netFound showed no performance change even when all orders were shuffled, indicating reliance on flow-level metadata such as bytes per burst, inter-burst IAT, and flow duration. In contrast, NetMamba's accuracy dropped sharply to 52% when packet order was shuffled, demonstrating strong dependence on packet sequence order. Notably, NetMamba exhibited the largest performance degradation for full-flow attacks (HTTP_CC, SQLi, Slowloris)—attacks distinguished by characteristics such as transmission intervals and data sizes that appear after the first 5 packets—yet NetMamba cannot directly observe these characteristics and was instead relying on the order information among the first 5 packets. This study highlights the importance of verifying not only the performance of NFMs in attack classification, but also what information the models rely on for classification.
CIV: Content Integrity Verification for Distributed Intrusion Detection Systems
ABSTRACT. In distributed IoT environments, an intrusion detection system (IDS) typically aggregates reports from individual nodes. However, prior work largely assumes that such reports are trustworthy and has not sufficiently addressed the risk that compromised nodes can manipulate their reports—without altering the underlying network traffic—to distort the IDS input. To address these limitations, we propose the Content Integrity Verification (CIV) framework. CIV leverages gateway-level observations as an independent reference and quantitatively measures the standardized discrepancy between each node’s report and the corresponding observation. CIV then excludes reports exceeding a predefined threshold from aggregation, thereby mitigating the impact of manipulated inputs on IDS performance. Experimental results show that the average F1-score across all evaluation settings was 0.266 without defense, whereas it improved to 0.704 with CIV. In addition, CIV outperformed existing Byzantine-robust aggregation methods in 48 out of 60 baseline-comparison α–β settings (80%) and achieved an average F1-score approximately 31% higher than Trimmed Mean, the strongest baseline.
Think Where It Matters: Role-Specific Thinking Mode Allocation in Multi-Agent LLM Debate
ABSTRACT. Reasoning-capable large language models and multi-agent debate systems have each advanced AI problem-solving, yet their intersection remains unexplored. We present a systematic ablation study of role-specific thinking mode allocation in a three-agent (Proposer, Critic, Judge) debate framework. Evaluating all eight thinking-mode configurations across three model families (Gemini 2.5 Flash, Claude Sonnet 4, OpenAI o4-mini) and three benchmarks (GSM8K, MATH-500, GPQA-Diamond), we demonstrate that the all-ON configuration is suboptimal in most settings. Selective thinking allocation not only reduces cost but can improve accuracy: on MATH-500, OpenAI’s Judge-only thinking achieves 81.0% versus 78.0% for all-ON, while costing only 1.09x the baseline. Our results reveal that optimal allocation depends on model family, task difficulty, and agent role, with verification roles (Critic, Judge) generally benefiting more than the generation role (Proposer). These findings suggest that reasoning capacity should be treated as a selectively allocable resource, particularly in operational settings where cost, reliability, and degraded operating conditions matter. We provide practical guidelines for cost-efficient and cyber-resilience-aware deployment of thinking-enabled multi-agent systems.
Automatic Attack Scenario Reconstruction with Large Language Models: Threat Intelligence Extraction Strategies and Techniques
ABSTRACT. Recently, the application of large language models (LLMs) has been gradually extended to the information security domain to assist security professionals in vulnerability identification, classification, and penetration testing. However, research on reproducing the entire cyber kill chain remains relatively scarce, with few public studies available due to constraints related to commercial interests and technical thresholds. This paper proposes a system architecture that systematically divides the process of attack reproduction into three stages: threat intelligence organization, scenario construction, and attack script generation. The system is built on open-source software, integrating the functions of LLMs and virtual machine construction, allowing users to reproduce attack processes recorded in threat intelligence through a visualized web interface in a unified platform, gaining a deeper understanding of the sequence of attack events. With the aid of an LLM, this paper successfully applies the system to reproduce common vulnerabilities and exposures (CVE) attack scenarios and the attack techniques of advanced persistent threat (APT) organizations, significantly shortening the time required to reproduce the complicated process and operation time of previous security attacks.
Temporal Edge Weighting for Graph Collaborative Filtering
ABSTRACT. Graph collaborative filtering is widely used for learning user and item representations from user--item interaction graphs. However, many existing backbones rely on a largely static interaction graph, where observed interactions are treated uniformly regardless of their timestamps. In this paper, we propose a lightweight plug-and-play temporal edge weighting scheme that directly incorporates temporal recency into the propagation graph. The proposed method assigns time-aware weights to user--item edges and can be instantiated with personalized, global, and hybrid recency strategies, without modifying the original backbone architectures. We apply the proposed scheme to representative graph collaborative filtering backbones, including NGCF, LightGCN, and LR-GCCF, and evaluate it on Yelp2018 and ML-1M. Experimental results show that temporal edge weighting can improve recommendation performance, with more consistent gains on ML-1M, while introducing no additional learnable parameters and only modest runtime overhead in most settings. These findings suggest that edge-level temporal recency modeling can serve as a practical and backbone-preserving enhancement for graph-based recommendation.
History Packaging Policies for LLM Recommendation: Evidence from Real LLM Scoring Under Prompt Budgets
ABSTRACT. On e-business ranking surfaces, LLM-based recommenders operate under a fixed prompt budget where prompt tokens directly drive serving cost. Recent work has shown that increasing the retained history length yields diminishing or no quality gains, suggesting that shorter histories are sufficient for cost-effective deployment. We argue that this length-only view is incomplete: the marginal value of additional history depends on which selection rule populates that history. We test this through a factorial design under real LLM scoring, crossing three selection policies---candidate-conditioned (CC), Recency, and Random---with retained history length $K \in \{4, 8, 16, 32\}$, producing a 12-cell matrix on MovieLens-1M and BookCrossing. Selection policy is the dominant effect (variance share 0.13 versus 0.05 for length), and the selection $\times$ length interaction (0.02) is large enough to reverse policy preferences across datasets: BookCrossing favors CC across matched $K$, while MovieLens-1M favors Recency through $K \le 16$ and converges only at $K = 32$. Saturation is also policy-specific: CC and Recency flatten at high $K$, whereas Random improves monotonically from a much weaker baseline---a recovery pattern, not genuine superiority. For e-business deployments, the implication is that history packaging cannot be reduced to a length decision: selection policy and retained length must be chosen jointly against the target token budget and quality threshold.
Cyberly: A Gamified Android Application for Learning Basic Cybersecurity Concepts
ABSTRACT. This paper presents the design and development of Cyberly, a gamified Android application for learning basic cybersecurity concepts. The application is addressed to vulnerable Internet users such as children and young people, elderly individuals, and people with limited knowledge regarding digital security. Many of these users are daily Internet users without being aware of the risks it may involve and the threats they may face. The selection of this topic was based on the rapid development of digitalization and technology, especially in the current era with the use of Artificial Intelligence, which creates new challenges as well as security gaps. The work presents basic concepts of cybersecurity and analyzes common and dangerous Internet threats, while also using gamification in education in order to create a more understandable and engaging way of learning.
Design of a Low-Latency RDMA-Based Publish/Subscribe Framework for Inter-Machine GPU Communications
ABSTRACT. Modern GPU-centric applications increasingly execute as multi-stage pipelines in which one stage produces large payloads directly in GPU memory and multiple downstream stages must consume the same data with low latency. In conventional Publish/Subscribe models, messages are disseminated from a publisher to all subscribers registered to a specific topic. However, this paradigm is rarely applied to GPU-centric applications. This paper presents Remote GPU-Aware Publish/Subscribe (RGAPS), a low-latency framework for cross-machine GPU communication. RGAPS extends single-host GPU-aware pub/sub to a two-host distributed setting by combining shared CUDA-RDMA pinned memory for intra-node aggregation, RDMA Write with Immediate for CPU-bypassing inter-node transport, and a shared GPU memory pool for one-time materialization and local fan-out on the subscriber machine. The design preserves the ``publish once, fan-out many'' principle across machines while avoiding per-subscriber payload duplication. Experiments on a real two-node platform with RTX~3090 GPUs, ConnectX-7 RNICs, PCIe Gen4, and InfiniBand NDR show that RGAPS reduces end-to-end latency by roughly 6×–10× relative to conventional CPU-centric baselines and keeps local fan-out cost nearly insensitive to the number of subscribers. These results demonstrate that a carefully integrated RDMA-based data plane can substantially improve the subscriber scalability and latency of inter-machine GPU publish/subscribe communication.
A Hybrid EDHOC Protocol Post-Quantum Secure against Key Compromise Impersonation
ABSTRACT. Recently, the IETF LAKE working group has standardized the EDHOC (Ephemeral Diffie-Hellman Over COSE) protocol [47] that is a lightweight and application-layer authenticated key exchange protocol tailored for resource-constrained IoT devices and networks. In this paper, we propose a hybrid EDHOC (for short, Hybrid-EDHOC2) protocol that provides both classical security and PQ security by instantiating KEM (resp., signature scheme) with PQ KEM (resp., PQ signature scheme). In the Hybrid-EDHOC2 protocol, initiator $I$ and responder $R$ share an authenticated session key. Also, we discuss several classical and PQ security properties (mutual authentication, security of session key, forward secrecy, identity protection, security against identity misbinding, and security against key compromise impersonation) of the Hybrid-EDHOC2 protocol. In addition, we conduct extensive comparisons of the EDHOC [47], PQ-EDHOC [26], PQ-EDHOC1 [25], PQ-EDHOC2 [25], Hybrid-EDHOC [61], and Hybrid-EDHOC2 protocols with respect to security properties and computation/communication efficiency.
Compound Structural-Semantic Fingerprinting for On-Device AI Copyright Verification
ABSTRACT. On-device AI deployment has heightened concerns about model intellectual property, where adversaries may extract a deployed model and reuse, fine-tune, or obfuscate it for commercial purposes. Conventional graph-based fingerprinting captures topological structure but is known to misclassify independently trained models that share the same architecture. We propose a compound fingerprint that fuses a structural score (PKG hash and approximate graph edit distance) with a semantic score derived from weight distribution, quantization parameters, and tensor-shape statistics, all extracted directly from TFLite buffers. The structural score serves as a fast first-stage filter and the semantic vector enables refined verdicts. Evaluation on MobileNetV1 quantized versus floating-point pairs shows high structural overlap but clearly separated semantic signatures, demonstrating that structural-semantic fusion reduces the false positives caused by same-architecture ambiguity.
Evaluating LLM Performance for Cyberattack Anomaly Detection in O-RAN A Zero-shot and Few-shot Analysis
ABSTRACT. This study systematically evaluates the security event analysis capabilities of Large Language Models (LLMs) within the O-RAN environment. Four commercial LLMs—GPT-4o, GPT-4o-mini, GPT-4.1-mini, and Claude Sonnet 4.6—were tested on O-CU network layer and O-DU radio layer data using zero-shot and few-shot strategies. The experimental results yielded three key findings. First, the study demonstrated the semantic limitations of each data layer and the dramatic impact of few-shot prompting. In the O-CU layer, where prior knowledge is applicable, meaningful performance (F1 0.51–0.86) was achieved even with zero-shot learning. However, the models failed to detect threats in the O-DU layer (F1 ≈ 0.0), which consists of domain-specific data. Notably, providing only three examples caused the O-DU F1 score to surge up to 0.95, suggesting significant potential for performance improvement through future fine-tuning. Second, the models confirmed capabilities surpassing existing deep learning in specific attack detection. In O-CU web attack detection (GPT-4.1-mini, F1 0.99) and Probe detection (Claude Sonnet 4.6, F1 0.82), the LLMs significantly outperformed the accuracy of traditional CNNs. However, they exhibited common limitations in the detailed classification of attacks with similar traffic structures, such as DoS and DDoS. Third, the study proposes an optimal operating environment based on interpretive capabilities that complement deep learning. Although the LLMs exceeded real-time processing constraints (1,000ms), they demonstrated a unique ability to generate specific attack reasoning and response recommendations beyond simple classification. This research suggests that LLMs are suitable as post-analysis tools to complement deep learning-based detection within the Non-RT RIC environment.
Evaluation of PQC-based System Availability in Iridium Satellite Communications
ABSTRACT. Given the threat posed by quantum computing and the long operational lifespan of satellite systems, examining the applicability of Post-Quantum Cryptography (PQC) over low-data-rate satellite links is an urgent challenge. This paper deploys NIST-standardized PQC algorithms on an actual Iridium SBD link and empirically analyzes the latency incurred under strict payload constraints.
Impedance-Based Localization of Injected Attack ECUs in In-Vehicle CAN Networks
ABSTRACT. The Controller Area Network (CAN) bus is widely used for real-time communication among in-vehicle Electronic Control Units (ECUs). Since CAN_H and CAN_L form a differential pair and multiple ECUs are connected through stubs, the CAN bus can be interpreted not only as a communication network but also as a physical transmission-line structure. From this perspective, each ECU transceiver and its internal circuit act as an impedance load on the bus. When an unauthorized attack ECU is additionally inserted into the CAN network, the existing branch configuration and impedance distribution of the bus may change, which can lead to signal reflection, attenuation, and waveform distortion. This work investigates a passive impedance-based localization concept for estimating the physical connection distance or location of an additionally inserted attack ECU in an in-vehicle CAN network. The proposed approach focuses on the additional ECU insertion scenario, where legitimate ECUs remain attached to the CAN bus while an unauthorized ECU is newly connected. In this scenario, the inserted ECU introduces a new branch and electrical load into the existing bus structure. These location-dependent physical-layer changes can be reflected in ordinary CAN communication signals and may provide useful clues for identifying where the unauthorized ECU is connected. Prior work has shown that physical-layer changes in CAN networks can be exploited for device detection and localization. Previous studies have shown that physical-layer changes in CAN networks can be exploited for device detection and localization. One prior work uses active Time Domain Reflectometry (TDR) to detect unknown CAN devices and estimate their cable distances, while another work uses deep features extracted from voltage signals to detect physical intrusions and localize their connection points on an in-vehicle CAN bus. Unlike active TDR-based approaches, which inject a separate probing pulse and estimate distance from reflection delay, the proposed concept aims to use ordinary CAN communication signals without additional signal injection. The CAN bus is modeled as a distributed-parameter transmission line, and location-dependent waveform changes are interpreted as clues caused by impedance mismatch, reflection, and attenuation. Candidate measurement features include CAN signal overshoot, rising time, falling time, ringing, edge distortion, and frequency-dependent impedance variation according to branch length and insertion position. Future work will implement a CAN bus testbed, insert an unauthorized ECU at controlled positions and branch lengths, and compare measured waveform features with transmission-line-model-based profiles and normal CAN bus baselines. The final goal is to evaluate whether passive localization of an additionally inserted attack ECU is feasible using only ordinary CAN communication signals, thereby supporting the identification and removal of unauthorized ECUs from in-vehicle CAN networks.
Specification-Based Cellular Trust at the Device Edge: A Building Block for the Evolution of Mobile E-Business Information Systems
ABSTRACT. Mobile commerce, mobile banking, and Internet of Things (IoT) supply chains rest on the implicit assumption that a User Equipment (UE) is connected to a legitimate cellular network. False Base Station (FBS) attacks break this assumption by exploiting the asymmetric authentication of Long-Term Evolution (LTE) and 5G radio access, exposing e-business platforms to identity theft, transaction fraud, and regulatory exposure under the General Data Protection Regulation (GDPR) and the Network and Information Security Directive 2 (NIS2). This poster paper takes a position-paper view of the radio access trust gap as it affects e-business information systems. It relates the gap to the wider migration of e-business services toward edge-resident architectures, discusses how standards-grounded detection evidence at the device edge may help organizations address audit expectations on data-bearing channels, and sketches practical considerations for enterprises and platform operators that may layer such assurance alongside existing fraud and transaction monitoring stacks. The aim is to surface cellular-layer trust as a topic for the EBISION community rather than to claim a finished solution.
Cross-Layer State Consistency in Consumer Remote SIM Provisioning
ABSTRACT. Consumer Remote SIM Provisioning enables digital mobile operators, travel connectivity platforms, and device-based subscription services to sell and activate mobile connectivity without physical SIM distribution. However, a Consumer RSP transaction is not only a technical profile download. It is a business workflow involving order creation, payment confirmation, activation-code delivery, profile download, customer entitlement, billing activation, service suspension, refund, profile deletion, and subscription revocation. This paper presents a practical methodology for testing whether Consumer RSP business processes remain consistent with technical profile state and network access. We build an open testbed using osmo-smdpp, lpac, sysmoEUICC-C2T, Open5GS, and UERANSIM to model the lifecycle of a Consumer RSP service from purchase to network admission. We define cross-layer invariants that connect business state, SM-DP+ state, eUICC profile state, notification status, mobile-core subscriber state, and registration outcome. We study failure cases such as reused activation codes, failed downloads after payment, deleted profiles with active billing, revoked subscriptions that still receive network access, and stale customer entitlements after profile deletion. We propose receipt-based reconciliation as a lightweight mechanism for aligning provisioning, billing, customer support, and network-control systems. This work provides a reproducible foundation for evaluating Consumer RSP platforms as end-to-end digital service businesses, not only as telecom provisioning systems.
Design and Evaluation of a Scalable Ticketing System using Microservices Architecture in High-Traffic Environment
ABSTRACT. A ticketing system must be capable of handling a large volume of traffic generated within a short period of time. This study proposes a microservice-based ticketing system and a challenge-based macro bot detection method. The proposed approach enhances scalability by decomposing core functionalities into microservices. The performance evaluation results showed that the microservice-based system exhibited faster response times compared to the conventional monolithic service. This demonstrates that the system can respond more rapidly to large-scale requests.
A Survey of Image Transformation Based Network Intrusion Detection Systems
ABSTRACT. AI-driven cyberattacks demand accurate intrusion detection systems (IDS). Recent studies transform network traffic into two-dimensional images to overcome the limits of one-dimensional vectors and apply vision models. This paper compares these studies by conversion unit, conversion method, temporal encoding, and intent of conversion.
Adversarial Vulnerabilities in Vision-Language-Action Models: A Survey
ABSTRACT. This paper analyzes four recent adversarial attack studies on Vision-Language-
Action (VLA) models, which are vulnerable to complex structural manipulations
despite their multimodal integration capabilities.
Toward a Zero Trust-Based Multi-Layer Security Architecture for Open RAN
ABSTRACT. Open Radio Access Network (Open RAN) disaggregates the RAN into multi-vendor, cloud-native, AI-driven components linked by open interfaces, structurally dissolving the implicit perimeter on which legacy RAN security relied. Recent state-sponsored campaigns have shifted Open RAN threats from speculative to operational. We argue that Open RAN security cannot be achieved by patching individual controls; it requires a Zero Trust multi-layer architecture in which trust establishment, data integrity, and runtime security are jointly governed by a single Policy Decision Point. We identify three structural gaps in standard defenses, propose a three-layer architecture mapping decentralized PKI, hash-based broadcast integrity, and kernel-level runtime telemetry with AI-assisted analysis onto the NIST SP 800-207 control plane, and formalize a multi-signal Trust Algorithm. Two cross-layer scenarios show that single-layer defenses are demonstrably insufficient.
Large Language Model-Based Explainable Anomaly Detection Using Prompt Engineering in Operational Data
ABSTRACT. Reliable anomaly detection is critical in Industrial Control System because malfunctions can lead to physical damage and human casualties. To address the lack of explainability in existing machine learning models, we propose an explainable method leveraging prompt engineering and Large Language Model. This method transforms multivariate time-series data into textual context to extract natural language rules that capture complex sensor-actuator relationships. By providing detection results alongside violated rules and logical rationales, this approach significantly enhances the transparency and trustworthiness of the system.
Understanding Negative User Responses to Generative AI Errors in E-Business Information Systems through Expectation Rigidity and Cognitive Shock
ABSTRACT. Generative AI is increasingly embedded in e-business information systems, but its erroneous outputs may trigger negative user reactions. This study proposes a research model explaining how users develop anger and dissatisfaction when generative AI fails. Drawing on expectation-confirmation theory and the violation of expectation perspective, the model suggests that AI dependence and anthropomorphism increase expectation rigidity, which intensifies cognitive shock when users encounter AI errors. Cognitive shock, in turn, is expected to increase anger and dissatisfaction. Error severity is also proposed as a moderator strengthening these relationships. This research contributes to e-business information systems literature by shifting attention from AI adoption to the cognitive and emotional consequences of AI service failure.
Development of a 5G Core NAS Replay Inspection Tool using UERANSIM
ABSTRACT. This paper develops an automated tool to verify the 5G NAS signaling replay
vulnerability. We modified UERANSIM to inject duplicate response messages during
Security Mode negotiation. Evaluation on an Open5GS testbed showed that the AMF
successfully discarded the duplicate message received after 0.00004 seconds,
completing registration and establishing the virtual interface (uesimtun1). This tool can
automate security compliance audits in private 5G networks.
Development and Verification of a 5G-AKA Security Inspection Tool Based on UERANSIM
ABSTRACT. This paper proposes a security inspection tool for verifying the 5G-AKA authentication procedure in an Open5GS environment. The proposed tool was implemented by modifying the UE module of UERANSIM to transmit abnormal Authentication Response messages containing manipulated RES* values. Experimental results show that Open5GS successfully detected the abnormal authentication response and rejected the registration procedure. These results confirm that Open5GS properly validates authentication messages and maintains the security policy of the 5G-AKA procedure.
Development and Validation of a Inspection Tool for 5G Core Network Authentication Bypass
ABSTRACT. Private 5G networks are increasingly used in industrial environments such as smart factories, autonomous systems, and IoT-based services. Since the 5GC(5G Core Network) manages UE registration, authentication, security mode establishment, and session management, it is important to verify whether an abnormal UE can access the network without completing authentication. This paper proposes a UERANSIM-based inspection tool for testing authentication bypass attempts in a 5G core network. The proposed tool modifies the NAS message processing behavior of the UE simulator so that it sends a Security Mode Complete message without transmitting a normal Authentication Response. The experiment was conducted in an Open5GS-based 5G testbed, and the results were analyzed using Wireshark packet capture and core log output. Experimental results show that the Open5GS core network did not send Registration Accept or proceed to PDU Session Establishment for the abnormal UE, confirming that the network blocked access from a UE that had not completed authentication.
A NAS-Layer Inspection Tool for Verifying Rejection of Spoofed Emergency Registration in 5G Private Networks
ABSTRACT. The 5G Emergency Registration procedure is an exceptional control-plane path in which the normal authentication flow may be shortened or omitted. If a core network fails to reject an unregistered User Equipment (UE) that abuses this path, unauthorized network access becomes possible, violating the “blocking unauthorized UEs” requirement of the Korea Internet & Security Agency (KISA) 5G private network security guideline. This paper proposes a Non-Access Stratum (NAS)-layer inspection tool that modifies the sendInitialRegistration() function of UERANSIM to send Emergency Registration requests from an unregistered International Mobile Subscriber Identity (IMSI), and judges the result from Access and Mobility Management Function (AMF) responses and UE state transitions. Experiments on an Open5GS testbed show that the AMF rejects the request with cause FIVEG_SERVICES_NOT_ALLOWED before the authentication procedure begins, confirming standard-compliant behavior.
Toward a qSIM-Based PQC-QKD Hybrid Secure Tunnel for MUM-T
ABSTRACT. MUM-T environments require secure communication between unmanned platforms and command-and-control systems. However, these links are exposed to real-time eavesdropping and Harvest-Now-Decrypt-Later threats, while direct QKD deployment on mobile vehicles remains challenging due to weight, cost, and operational constraints. This paper proposes Quantum Secure Tunnel (QST), which pre-injects QKD-derived PSKs into a KCMVP Security Level 2 cryptographic module (qSIM) and establishes a TLS 1.3 psk_dhe_ke tunnel combining the preloaded PSK with X25519MLKEM768, conveying the key_id via the standard pre_shared_key identity field without protocol modification. A Raspberry Pi prototype verifies qSIM PSK loading, QKMS recovery, and TLS 1.3 tunnel establishment.
Performance Analysis of IPsec IKEv2 Rekeying Interval in 5G Backhaul Environments
ABSTRACT. In 5G mobile networks, IPsec with IKEv2 is mandated to secure the backhaul segment per 3GPP TS 33.501. However, periodic CHILD_SA rekeying introduces cryptographic overhead that may degrade performance, and 3GPP does not specify a recommended interval. In this paper, we analyze the impact of varying rekeying intervals on throughput and TCP retransmissions in a 5G backhaul environment, and derive guidelines for selecting an optimal interval.
Trust-Anchored Federated Learning for Robust Specification-AI Hybrid Detection of False Base Station Attacks
ABSTRACT. False Base Stations (FBS) remain a persistent threat to 4G LTE and 5G networks, enabling identity catching, service downgrading, and denial-of-service attacks by exploiting the asymmetric authentication model of cellular protocols. Specification-based detection systems derive formally verified behavior rules from 3GPP normative clauses and achieve complete coverage on known attack classes, while recent hybrid extensions augment these static rules with LSTM-based binary classifiers trained across user equipment (UE) via Federated Learning (FL) to capture multi-step temporal attack sequences. However, existing hybrid architectures assume that all participating UEs are honest, leaving the FL aggregation step exposed to compromised devices that submit poisoned model updates. This paper proposes a trust-anchored aggregation mechanism that closes this deployability gap. The aggregator maintains a small set of formally verified clean LTE captures as a root reference dataset and, in each FL round, computes its own honest update against this reference; each client’s submitted update is then scored by directional consistency with the reference and rescaled to a bounded magnitude before contributing to the global model. A second behavioral trust anchor cross-checks each client’s local LSTM predictions against
the underlying formally verified behavior rules, demoting clients whose models persistently disagree with normatively-grounded ground truth regardless of how their weight-space updates appear. The combined mechanism is designed to defend against backdoor injection, untargeted gradient poisoning, scaled-magnitude attacks, and Sybil collusion without requiring prior knowledge of the Byzantine fraction. This work proposes a threat model for adversarial federated FBS detection that formalizes the deployability gap in prior hybrid architectures, a trust-anchored aggregation rule that fuses weight-space directional consistency with specification-rule behavioral verification into a unified per-client trust score, and a proposed evaluation framework targeting on-device deployment via a rooted Android UE connected to an Open5GS core with srsRAN eNodeB, with simulated federation peers and varying compromise fractions.
Security Requirements and Inspection Tool Development for 5G Private Network Deployment in Smart Factories
ABSTRACT. This paper defines production continuity as a key security requirement for smart factories deploying 5G NPN (Non-Public Network) and develops an automated tool that
verifies AMF/SEAF (Access and Mobility Management Function/Security Anchor Function) compliance with 3GPP (3rd Generation Partnership Project) TS 33.501 exception
handling during device authentication. Open5GS-based testbed, where Open5GS demonstrated satisfactory security for both inspection items.
AIMer-Q: AI-Driven Adaptive Trust Resilience for Quantum Safe E-Business System
ABSTRACT. The convergence of 6G, quantum computing, and AI-driven services introduces major
security challenges for future E-Business Information Systems (EBIS). This work
proposes AIMER-Q, a reinforcement learning–driven mitigation framework for hybrid
PQC–QKD networks using the Quantum Attack Surface Index (QASI) and a Deep Q-
Network (DQN) agent for adaptive exposure control. Experimental results show >60%
exposure reduction and approximately 3× higher survival probability than static and rule-
based baselines.
Reducing False Positives in CAN Fuzzing through Reproducibility-Aware Validation and Multi-Monitor Integration
ABSTRACT. Real-vehicle CAN fuzzing environments exhibit non-deterministic ECU behavior and black-box characteristics, making single-execution analysis unreliable.
This study proposes a multi-monitor CAN fuzzing framework integrating Timing, DBC, and UDS information with reproduction-based verification to filter transient anomalies and identify actual failures.
Experimental results from 27 hours of fuzzing on an Audi A5 showed that, among 11 fail candidates, 5 were consistently reproduced, 2 were classified as partial failures, and 4 were classified as non-reproducible transient anomalies. To the best of our knowledge, this is among the first studies to combine multi-monitor anomaly detection with reproduction-based verification in real-vehicle CAN fuzzing.
Cross-Domain Statistical Analysis for Robust DoS Detection in Heterogeneous Network Environments
ABSTRACT. Network Intrusion Detection Systems (NIDS) often suffer from severe performance degradation in unseen environments due to domain shift across datasets. In this work, we investigate whether common statistical characteristics of Denial-of-Service (DoS) traffic can be identified across heterogeneous NIDS datasets. We unified flow-level statistical features and analyzed five public intrusion detection datasets through Kernel Density Estimation (KDE)-based distribution analysis. Our observations revealed significant distributional differences in conventional flow features, indicating strong dataset dependency. To better capture intrinsic attack behaviors, we additionally designed TCP flag ratio-based features using SYN and ACK packet statistics.
ABSTRACT. Recent encrypted traffic classification studies have adopted AI models using behavioral features such as SPLT. Although SHAP identifies important features contributing to model decisions, it remains difficult to trace these explanations back to the original packet sequence. To address this limitation, we propose SPLT-SHAP matching, which maps SHAP-derived explanations to packet-level behavioral regions in encrypted traffic. The proposed method enables intuitive behavior-level interpretation by visually linking feature-level evidence with the original SPLT sequence.
Knowledge-Guided Hierarchical CVE-to-CWE Mapping using HMCN and Cross-Attention
ABSTRACT. CVE-to-CWE mapping is important for vulnerability root-cause analysis and automated security response. However, most existing approaches rely on flat multi-label classification structures that do not sufficiently reflect hierarchical relationships among CWE categories. In this paper, we propose a knowledge-guided CVE-to-CWE mapping framework based on Hierarchical Multi-label Classification Networks (HMCN) and cross-attention mechanisms. The proposed framework reflects the VIEW-1000 CWE hierarchy and incorporates semantic information through a static CWE knowledge base. The proposed model progressively propagates hierarchical contextual information across multiple HMCN levels while repeatedly applying cross-attention using CWE semantic embeddings. In addition, global classification loss, local hierarchical loss, and hierarchy-aware constraint loss are jointly optimized to improve hierarchical consistency. Preliminary experiments using NVD CVE records and MITRE CWE data show that the proposed approach reduces hierarchy violations while maintaining competitive classification performance.
ABSTRACT. In security operation centers (SOCs), high rates of false positives in Network Intrusion Detection System (NIDS) alerts increase analysts’ workload and reduce monitoring efficiency. However, many existing approaches rely on either statistical features or raw payload data alone, limiting their ability to exploit heterogeneous NIDS log information. This study proposes a feature-aware heterogeneous ensemble method for true-positive and false-positive (TP/FP) classification using real-world KISTI NIDS logs. The method combines packet metadata (PM), payload byte frequency (PBF), and raw payload (RP). ML models process structured features, while DL models learn raw payload patterns. The 1D-CNN + XGBoost ensemble using PM + PBF + RP achieved the best performance, with accuracy of 0.9818, an F1-score of 0.9782, and an AUC of 0.9949. These results show that heterogeneous feature integration improves AI-based NIDS alert classification.
Feasibility of Locality-Sensitive Hashing Filters for Data Leakage Prevention
ABSTRACT. We evaluate the Locality-Sensitive Hashing Filter (LSHF) as an offline pre-filtering
mechanism for Data Leakage Prevention. By utilizing Content-Defined Chunking and
dual-threshold tuning, LSHF effectively identifies suspicious similarities locally with near-zero false negatives. Our analysis shows it filters up to 90% of benign queries, providing a highly efficient solution for resource-constrained security environments.
Content-Based Identification of Harmful Websites in Encrypted Traffic Environments
ABSTRACT. With the widespread adoption of encrypted traffic, techniques that rely on network-layer identifiers for harmful website identification have become increasingly inadequate. In this paper, we propose CB-HWI, a content-based similarity algorithm for harmful website identification. Experimental results on real-world website datasets demonstrate that existing similarity measurement techniques achieve a maximum F1-score of 0.67, whereas the proposed algorithm achieves an F1-score of 0.92, validating its practical applicability.
Q-MAVLink: A qSIM-Based Entity Authentication and Post-Quantum Key Exchange Protocol
ABSTRACT. MAVLink v2 provides an optional Sign field but lacks sufficient confidentiality, entity authentication, and key exchange mechanisms. This paper proposes Q-MAVLink, which combines qSIM-based PSK mutual authentication with ML-KEM-512-based key exchange. The proposed protocol establishes a shared secret between the UAV and GCS, enabling integration with existing MAVLink payload encryption schemes to provide confidentiality, entity authentication, authenticated key establishment, and post-quantum security.
ABSTRACT. Enterprise reliance on third-party Large Language Model (LLM) inference providers has opened a new channel for confidential data leakage. Legacy Data Loss Prevention (DLP) tools based on byte-level fuzzy hashing and lexical matching collapse against paraphrase, translation, and summarization, where surface similarity to the source approaches zero. We propose VS-DLP, a learning-free semantic DLP framework using Sentence-Transformer embeddings, FAISS-HNSW indexing, and per-chunk top-1 voting. Across four datasets covering natural revisions and synthetic paraphrases, VS-DLP attains F1 = 0.894 and PR-AUC = 0.933 at 45 ms per query on a single workstation.
ABSTRACT. Digital commerce platforms increasingly rely on coupons, loyalty credits, membership benefits, and access tokens. However, in many current deployments, the issuance and redemption of tokens remain operationally linkable, enabling platforms or merchants to correlate user activity across transactions. Blind signatures offer a natural way to authorize a token without revealing its final redeemable form to the signer, while recent progress in lattice-based blind signatures suggests that this functionality can be studied in a post-quantum setting. This poster investigates how lattice-based blind signatures can serve as the foundation of privacy tokens for e-business systems. We focus on anonymous coupon and loyalty-token redemption, define a simple issuer-user-verifier model, identify the core requirements of blindness, unlinkability, unforgeability, double spending prevention, and deployability, and explain why this application setting exposes practical trade-offs that are not fully captured by primitive-level efficiency results alone. Our contribution is a preliminary, application-oriented design and analysis that connects recent lattice-based blind-signature research to concrete digital-commerce requirements.
ABSTRACT. Subscriber identity protection is a critical requirement for 5G and future 6G e-business services such as mobile payments and digital identity wallets. In 5G systems, the Subscription Permanent Identifier (SUPI) is concealed as a Subscription Concealed Identifier (SUCI) before transmission. However, current implementations rely on classical elliptic-curve public-key cryptography, which is vulnerable to quantum attacks. Recent 3GPP pro- posals have explored several Post-Quantum Cryptography (PQC) migration approaches, including Standalone PQC, Hybrid PQC, Hybrid Nested PQC, Symmetric Cryptography, and Quantum Channel. In this study, we categorize these five migration paths from the official 3GPP drafts and evaluate their practical deployment trade-offs, identifying key architectural bottlenecks for future e-business environments.
Design of a Vulnerability Assessment Tool for Enterprise Linux Servers
ABSTRACT. Cyberattacks caused by insufficient vulnerability management remain a major security threat in enterprise environments. To address this issue, this study designed and implemented a vulnerability assessment tool for enterprise Linux servers based on the KISA security inspection criteria. The proposed tool focuses on administrative vulnerabilities caused by insufficient security configurations, such as account policies, permission settings, service access control, and log management. The tool was developed using Python and YAML and supports both Python 2 and Python 3 environments. It collects system information and derives assessment results by comparing the collected data with predefined policy criteria. Experimental results in two environments confirmed that assessment results may vary depending on the operating system version and default configuration. The results also confirmed that the tool can support vulnerability detection, remediation guidance, and re-assessment. In future work, the number of inspection items will be expanded and UI functions will be improved to enhance the usability and practical applicability of the tool.
ABSTRACT. This paper proposes a lookup-table-based physical-layer intrusion detection system for detecting unauthorized CAN node insertion using ACK-bit differential voltage. The proposed method estimates the number of connected nodes from the measured voltage and detects insertion when the estimated node count exceeds the predefined normal count. A controlled CAN bus testbed was configured with 3 to 11 nodes, and 50 voltage measurements were collected for each node-count condition. The median voltages and the midpoints between adjacent medians were used to construct the lookup table. Two experiments with 100 estimation trials per evaluated condition achieved 100\% node-count estimation accuracy under controlled testbed conditions.
Empirical Alignment of LLM-Derived NGAP FSMs Using an Open-Source 5G Testbed for Specification-Grounded Protocol Fuzzing
ABSTRACT. This study presents a pilot evaluation of the alignment between LLM-derived NGAP finite state machines and real execution traces from an open-source 5G testbed. FSMs were extracted from NGAP procedure text in 3GPP TS 38.413 and filtered into procedure-level core transitions. This study evaluates NG Setup and UE Context Release using PCAP and log evidence. Across 16 in-case FSM transition-case pairs, 14 were exercised in the actual traces, and all 14 exercised transitions aligned with the observed behavior, resulting in a 100.0% alignment rate. The overall trace coverage was 87.5%. In the PLMN mismatch case, the trace confirmed NGSetupFailure and the TimeToWait IE, whereas subsequent retry-related transitions were not included in the analyzed execution trace. Therefore, these transitions were treated as not triggered rather than mismatches. Six additional RAN-initiated UE Context Release pairs were marked as N/E because they could not be exercised in the tested UERANSIM workflow. The results suggest the feasibility of grounding specification-derived FSM transitions in implementation traces for the procedures evaluated and using them as a structured basis for fuzzing feedback analysis.
Beyond the Bias Loop: Dynamic Content Distribution Model for Satisfaction-Driven Recommendation
ABSTRACT. Personalized recommendation systems optimize for short-term click-through rates, inad-
vertently locking users into narrow content zones—a phenomenon we term the bias loop.
We propose a dynamic content distribution model that treats user fatigue as a first-class
variable. User interest is mapped onto a four-stage cosine-similarity spectrum (Z1–Z4),
and an exponential value decay function (V = Vbase · e−λF ) captures the declining utility
of repeatedly served content. A scenario analysis across three system states—initial bias
(T1), fatigue threshold (T2), and dynamic redistribution (T3)—projects a dead-cross sat-
isfaction collapse at T2 and an estimated 1.46× recovery at T3. All numerical outputs are
theoretically motivated estimates pending empirical validation; this work establishes the
mathematical framework and logical foundation for subsequent real-world testing.
Q-SOTA: Enabling Post-Quantum OTA on Resource-Constrained ECUs
ABSTRACT. With the proliferation of Software-Defined Vehicles (SDVs), Over-the-Air (OTA) updates have become a core mechanism for vehicle security. At the same time, the emergence of quantum computing threatens conventional public-key cryptographic systems, necessitating the transition to Post-Quantum Cryptography (PQC) in automotive OTA systems [1]. However, low-performance processor-based ECUs face significant limitations in memory and computational resources required for PQC signature verification [2].
To address this issue, this study proposes Q-SOTA (Quantum-Secure OTA). Q-SOTA adopts an architecture in which a high-performance Gateway performs PQC signature verification on behalf of ECUs and converts the verification result into a lightweight HMAC Token for delivery to the ECU. This design enables resource-constrained ECUs to achieve quantum-resistant security without directly executing PQC signature verification. In addition, inter-ECU version dependencies are validated through a Gateway-centric Version Graph verification structure (VG Summary), thereby structurally preventing version inconsistencies that may arise during partial updates. Comparative experiments with an ECDSA-based approach demonstrate that the performance overhead introduced by PQC transition remains within a practical range.
Experiments were conducted using an STM32MP157D-DK1 (Cortex-A7) as the ECU and an NVIDIA Jetson TX2 (Denver 64-bit + A57 Quad-Core) as the Central Gateway. Five PQC algorithms—Falcon-512, Falcon-1024, and ML-DSA-44/65/87—were evaluated against an ECDSA (P-256) baseline. The Gateway-ECU security processing time of Q-SOTA (10.53–11.29 ms) achieved up to a 58% reduction compared to the ECDSA baseline (25.02 ms). This result shows that by offloading PQC computational overhead to the Gateway, the ECU only needs to perform lightweight HMAC Token verification, enabling even lower processing latency than direct ECDSA verification. Furthermore, the Cloud-Gateway signature transmission time differed by at most 1.9 ms from the ECDSA baseline, demonstrating that the network overhead caused by increased PQC signature sizes can be effectively absorbed at the architectural level. Nevertheless, this study assumes the Gateway to be a trusted entity, and countermeasures against Gateway compromise remain as future work.
A User-Agent Identity Binding Mechanism with Smart Contract-based Accountability
ABSTRACT. A user–agent identity binding mechanism based on users’ biometric information has been proposed to ensure accountability and traceability. However, this approach raises privacy concerns. Therefore, this paper proposes a user–agent identity binding mechanism that focuses on protecting users’ biometric information.
ABSTRACT. For P5G security, AI-based intrusion detection requires network datasets reflecting P5G network characteristics. To address this need, we design attack scenarios targeting four services on a dedicated P5G testbed and collect a network dataset for AI-based intrusion detection in P5G environments.
SparseRank: Explainable Cost-Aware Feature Selection for Anomaly Detection in E-Commerce Microservices
ABSTRACT. Modern e-commerce platforms run on microservice architectures that emits massive
stream of system-level signals. Collecting, storing, and analysing all of them is expensive
and crucial to identify the root cause in case of abnormal behaviour. We present SparseR
ank, a lightweight framework that presents which monitoring signals actually matter for
anomaly detection in a microservice of E-Commerce business. SparseRank reduces moni
tored feature space by 94% while maintaining detection quality by combining sparse feature
selection with an unsupervised anomaly detector and a feature-attribution layer tested on
a real benchmark that covers fourteen fault situations across twelve services.
PersistRank: Duration-Aware Alert Prioritization for E-Commerce Microservice Monitoring
ABSTRACT. In e-commerce microservices, a large volume of anomalies are generated simultaneously,
requiring prioritization ranking for systematic resolve process. Ignoring persistent but less
critical anomaly flags makes the whole system architecture prone to collapse in the time
of service delivery. This work proposes a novel approach,PersistRank, incorporating per
sistence score which has added the duration of the alert as another vital factor for ranking
anomaly alerts. This approach enables the ranking method to count consecutive time win
dows showing the duration of existing anomalous services alongside other parameters. The
evaluation is done using the RS-anomic dataset and PersistRank outperforms the severity
criticality baseline by 7.2 percentage points. An ablation study confirms that persistence
has been treated as an independent and complementary dimension in this approach.