TNSM Searchable Index

Author(s)	Title	Year	Publication	Keywords
Shaimaa Alkaabi, Mark A Gregory, Shuo Li	A Stateless Orchestrated Handover Protocol for Multi-Access Edge Computing	2026	Early Access		In Multi-access Edge Computing (MEC) environments, session continuity during user mobility remains a pressing challenge due to decentralized infrastructure and high-throughput, latency-sensitive applications. Existing mobility protocols often rely on stateful mechanisms or centralized control, leading to increased signaling overhead, limited scalability, and vulnerability to performance degradation in dynamic networks. This paper introduces the Server Search and Select Algorithm Protocol (SSSAP), a lightweight, UDP-based handover protocol tailored for MEC deployments. The protocol is an extension of our previous work on a handover Server Search and Selection Algorithm (SSSA). SSSAP enables seamless session redirection through a three-phase signaling scheme (pre-handover, handover initiation, and handover termination), preserving service continuity without coupling session state to transport layers. The protocol’s design features extensible headers for multi-metric evaluation and future security adaptation while maintaining minimal dependency on intermediary control nodes. Through extensive simulation and testing, we have validated the SS-SAP efficiency across user equipment nodes and MEC servers. Results demonstrate high handover success rates, low-session setup delays, and balanced server load distribution. SSSAP achieves superior performance in mobility robustness, packet loss mitigation, and integration simplicity. The research outcomes position SSSAP as a scalable and application-agnostic mobility protocol for MEC systems, especially in vehicular and high-mobility scenarios.	10.1109/TNSM.2026.3692555
Dinghao Zeng, Fagui Liu, Runbin Chen, Jingwei Tan, Dishi Xu, Qingbo Wu, C.L. Philip Chen	CoreScaler: A Resource-Efficient Hybrid Scaling Framework for Dynamic Workloads in Cloud	2026	Early Access	Resource management Central Processing Unit Memory	Containerized microservices face significant challenges in balancing service quality and resource efficiency under dynamic workloads. Existing approaches suffer from horizontal scaling’s cold start latency, vertical scaling’s resource ceilings, and hybrid methods’ limited adaptability. We present CoreScaler, a resource-efficient hybrid scaling framework based on analysis of CPU usage patterns revealing substantial consumption differences between working mode and waiting mode instances. This insight drives our dual-mode instance management model that distinguishes between working instances actively handling requests and waiting instances maintaining hot standby with minimal resource allocation. CoreScaler employs a master-subordinate distributed architecture where the master node performs capacity planning using multi-confidence interval predictions and contextual multi-armed bandit optimization, while subordinate nodes execute mode-aware CPU quota adjustments. Comprehensive evaluation on a Kubernetes cluster with a typical microservice system under four representative production work-loads demonstrates that CoreScaler maintains SLO compliance while reducing CPU and memory allocation by 22.53% and 30.83% respectively compared to state-of-the-art solutions. The framework achieves substantially higher resource utilization than single-dimension scaling approaches, validating the effectiveness of coordinated hybrid scaling for dynamic cloud environments.	10.1109/TNSM.2026.3692955
Minh-Thuyen Thi, Mohan Gurusamy	Multi-dimensional Cross-granularity Open-set Network Intrusion Detection	2026	Early Access	Modeling Labeling Distance measurement	Network intrusion detection systems (NIDSs) face critical challenges from continuously evolving cyber-attacks. Traditional machine learning methods, while requiring extensive labeled training data, still often fail against unknown and out-of-distribution (OOD) attacks. Furthermore, new sophisticated adversaries are exploiting the detection blind spots inherent in traditional feature representation approaches that do not provide adequate comprehensive traffic analysis. In this paper, we propose MDCG-IDS, an NIDS framework that introduces multi-dimensional cross-granularity (MDCG) feature representation for open-set detection, in which network traffic is analyzed thoroughly across three complementary dimensions (traffic statistics, temporal, spatial), each at multiple granularity levels. These dimensions and granularities jointly capture the structures of sophisticated attacks that may be invisible from single analytical perspectives. We design a tensor structure that provides a unified encoding for the MDCG features while supporting the use of optimal transport theory to measure the distance between benign traffic and known or unknown attacks. MDCG-IDS uses a semi-supervised learning model that is trained exclusively on benign traffic and validated on a small set of labeled data, significantly reducing the effort of data labeling. Experiments on various datasets achieve AUC-ROC scores of more than 0.948, exceeding the best competing state-of-the-art methods by up to 7%. Regarding the amount of labeled validating data, MDCG-IDS obtains an AUC-ROC score of over 0.94 with only 3% of entire validating samples, outperforming the baseline models.	10.1109/TNSM.2026.3693141
Yuxiang Wang, Jiao Zhang, Leixin Cai, Tao Huang	Mercury: Multipath Spraying for Joint Congestion and Reordering Control in RDMA	2026	Early Access		Due to the low entropy traffic characteristics of LLM (Large Language Model) training, existing load balancing mechanisms such as Equal-Cost Multi-Path (ECMP) fail to fully utilize the redundant bandwidth between computing nodes in RDMA over Converged Ethernet (RoCE). Packet spraying mechanism has become a typical solution to the load balancing problem in RoCEs. However, it has a negative effect on congestion control mechanisms and suffers severe out-of-order problems. In this paper, we propose Mercury, a host-driven spraying scheme that synergizes congestion feedback and reordering control. Mercury selects paths by leveraging ECN, RTT, and reordering metrics, adjusts rates via multi-metric window. It also employs receiver-side buffers with priority-based dropping to mitigate out-of-order penalties. Evaluations in ns-3 under AllReduce and All-to-All traffic show that Mercury consistently outperforms the ECMP-based baselines, including DCQCN, TIMELY, HPCC, SWIFT, and BOLT, with the largest reduction in Max FCT reaching 63%. Under multi-path load balancing, Mercury delivers the lowest Max FCT for large messages in AllReduce and for most message sizes in All-to-All. It outperforms STRACK and MP-RDMA by up to 28% and 35% in AllReduce, and by up to 25% and 30% in All-to-All.	10.1109/TNSM.2026.3692452
Jiale Zhu, Xiaoyao Zheng, Shukai Ye, Ming Zheng, Liping Sun, Liangmin Guo, Qingying Yu, Yonglong Luo	Federated Recommendation Model Based on Personalized Attention and Privacy-Preserving Dynamic Graph	2026	Early Access	Modeling Federated learning Privacy	Graph Neural Networks (GNNs) have been widely adopted in recommendation systems. When integrated into a federated learning framework, GNNs can enhance the model’s expressive capability. However, challenges arise in personalized representation and graph expansion due to the heterogeneity and locality of user data in federated recommendation systems. To address these challenges, we propose a federated recommendation model based on personalized attention and privacy-preserving dynamic graphs. The method first matches neighbor users for each selected client. Subsequently, it counts the interaction frequencies of items for both local and neighbor users to construct personalized weights, which captures the unique characteristics of different users. Additionally, we designs a method for constructing privacy-preserving dynamic graphs. In each round of federated training, the selected client adds pseudo-interaction items to its own interaction subgraph, perturbing the real interactions. After completing local training, the noisy interaction subgraph is incorporated into the global graph to capture higher-order connectivity information among users while safeguarding their interaction privacy. We conduct extensive experiments on three benchmark datasets, and the results demonstrate that the proposed PADG method achieves superior performance while effectively protecting privacy.	10.1109/TNSM.2026.3691659
Arad Kotzer, Tom Azoulay, Yoad Abels, Aviv Yaish, Ori Rottenstreich	SoK: DeFi Lending and Yield Aggregation Protocol Taxonomy, Empirical Measurements, and Security Challenges	2026	Early Access	Filtering Application specific integrated circuits Filters	Decentralized Finance (DeFi) lending protocols implement programmable credit markets without intermediaries. This paper systematizes the DeFi lending ecosystem, spanning collateralized lending (including over- and under- collateralized designs, and zero-liquidation loans), uncollateralized primitives (e.g., flashloans), and yield aggregation protocols which allocate capital across underlying lending platforms. Beyond a taxonomy of mechanisms and comparing protocols, we provide empirical on-chain measurements of lending activity and user behavior, using Compound V2 and AAVE V2 as case studies, and connect empirical observations to protocol design choices (e.g., interestrate models and liquidation incentives). We then characterize vulnerabilities that arise due to notable designs, focusing on interestrate setting mechanisms and time-measurement approaches. Finally, we outline open questions at the intersection of mechanism design, empirical measurement and security for future research.	10.1109/TNSM.2026.3682174
Jing Zhang, Chao Luo, Rui Shao	MTG-GAN: A Masked Temporal Graph Generative Adversarial Network for Cross-Domain System Log Anomaly Detection	2026	Early Access	Anomaly detection Adaptation models Generative adversarial networks	Anomaly detection of system logs is crucial for the service management of large-scale information systems. Nowadays, log anomaly detection faces two main challenges: 1) capturing evolving temporal dependencies between log events to adaptively tackle with emerging anomaly patterns, 2) and maintaining high detection capabilities across varies data distributions. Existing methods rely heavily on domain-specific data features, making it challenging to handle the heterogeneity and temporal dynamics of log data. This limitation restricts the deployment of anomaly detection systems in practical environments. In this article, a novel framework, Masked Temporal Graph Generative Adversarial Network (MTG-GAN), is proposed for both conventional and cross-domain log anomaly detection. The model enhances the detection capability for emerging abnormal patterns in system log data by introducing an adaptive masking mechanism that combines generative adversarial networks with graph contrastive learning. Additionally, MTG-GAN reduces dependency on specific data distribution and improves model generalization by using diffused graph adjacency information deriving from temporal relevance of event sequence, which can be conducive to improve cross-domain detection performance. Experimental results demonstrate that MTG-GAN outperforms existing methods on multiple real-world datasets in both conventional and cross-domain log anomaly detection.	10.1109/TNSM.2026.3654642
Deemah H. Tashman, Soumaya Cherkaoui	Trustworthy AI-Driven Dynamic Hybrid RIS: Joint Optimization and Reward Poisoning-Resilient Control in Cognitive MISO Networks	2026	Early Access	Reconfigurable intelligent surfaces Reliability Optimization	Cognitive radio networks (CRNs) are a key mechanism for alleviating spectrum scarcity by enabling secondary users (SUs) to opportunistically access licensed frequency bands without harmful interference to primary users (PUs). To address unreliable direct SU links and energy constraints common in next-generation wireless networks, this work introduces an adaptive, energy-aware hybrid reconfigurable intelligent surface (RIS) for underlay multiple-input single-output (MISO) CRNs. Distinct from prior approaches relying on static RIS architectures, our proposed RIS dynamically alternates between passive and active operation modes in real time according to harvested energy availability. We also model our scenario under practical hardware impairments and cascaded fading channels. We formulate and solve a joint transmit beamforming and RIS phase optimization problem via the soft actor-critic (SAC) deep reinforcement learning (DRL) method, leveraging its robustness in continuous and highly dynamic environments. Notably, we conduct the first systematic study of reward poisoning attacks on DRL agents in RIS-enhanced CRNs, and propose a lightweight, real-time defense based on reward clipping and statistical anomaly filtering. Numerical results demonstrate that the SAC-based approach consistently outperforms established DRL base-lines, and that the dynamic hybrid RIS strikes a superior trade-off between throughput and energy consumption compared to fully passive and fully active alternatives. We further show the effectiveness of our defense in maintaining SU performance even under adversarial conditions. Our results advance the practical and secure deployment of RIS-assisted CRNs, and highlight crucial design insights for energy-constrained wireless systems.	10.1109/TNSM.2026.3660728
Songshou Dong, Yanqing Yao, Huaxiong Wang, Yining Liu	LCMS: Efficient Lattice-based Conditional Privacy-preserving Multi-receiver Signcryption Scheme for Internet of Vehicles	2026	Early Access	Optical waveguides Optical fibers Broadcasting	Internet of Vehicles (IoV) requires robust security and privacy protection mechanisms to enable trusted traffic information exchange, while also requiring low communication and low computing overhead to meet the real-time requirements of IoV. Existing signcryption schemes suffer from quantum vulnerability, inadequate unlinkability/vehicle anonymity, absence of revocability, poor scalability, inadequate management of malicious entities, and high communication and computational overhead. So we propose an efficient lattice-based conditional privacy-preserving multi-receiver signcryption scheme (LCMS) that systematically addresses these gaps through three core innovations: 1) Privacy preservation is achieved via a pseudonym mechanism integrated with certificateless key generation, which ensures vehicle anonymity and weak unlinkability while preventing malicious key generation center and key escrow; 2) Malicious entity management through dynamic revocability and distributed decryption among roadside units, preventing unilateral message access; and 3) Post-quantum efficiency is achieved by leveraging the Learning With Rounding problem to eliminate expensive Gaussian sampling, combined with ciphertext packing techniques. This reduces time overhead, the size of signcryptexts, and communication overhead, while lowering the overall storage overhead of the scheme through the MP12 trapdoor. Security proofs show LCMS achieves Existential Unforgeability under Adaptive Identity Chosen-Message Attack and Indistinguishability under Adaptive Identity Chosen-Ciphertext Attack in the Random Oracle Model, with rigorously validated resistance against multiple IoV-specific attacks. Experimental results via SageMath implementation demonstrate that our scheme exhibits a smaller signcryptext size and lower signcryption/unsigncryption time compared to existing random lattice-based signcryption schemes. Scalability tests with 300 vehicles and 300 roadside units (RSUs) were completed within 230 seconds. Communication overhead analysis confirms practical feasibility for IEEE 802.11p vehicle communication protocol, and RSU serving capability evaluation under realistic vehicle density (100–200/km2) and speed (40–60 km/h) further validates system practicality. LCMS provides a quantum-resistant, privacy-preserving, and efficient solution for production IoV.	10.1109/TNSM.2026.3688507
Jiang Mo, Ke Zhao, Limei Peng, Hsiao-Chun Wu	PDO-SFCM: Prediction-Driven Orchestration for SFC Migration in SAGIN via Fine-Tuned Large Time-Series Model and DRL	2026	Early Access	Modeling Space-air-ground integrated networks Timing	Space-air-ground integrated networks (SAGINs) have emerged as an appealing enabling technology for the next-generation ubiquitous connectivity. By extending terrestrial networks with aerial and space platforms, SAGIN can provide seamless coverage and flexible resource-access across various altitudes. However, dynamic link conditions, intermittent connectivity, and heterogeneous latency constraints would often introduce serious challenges to the service function chain (SFC) migration and orchestration. In this work, we introduce a novel PDO-SFCM (prediction-driven orchestration for SFC migration) approach, which utilizes a fine-tuned large time-series model (LTM) for network status prediction and a deep reinforcement learning (DRL) module for proactive SFC migration in SAGINs. In detail, the fine-tuned LTM predicts multi-horizon estimates of SFC arrivals and per virtual network function (per-VNF) resource demands, which will form the observation space of the DRL agent. The DRL module thus schedules appropriate migration actions on the cost-augmented time-expanded graph (C-eTEG), which can satisfy the feasibility subject to the bandwidth, buffering, and precedence constraints. Extensive simulation results demonstrate that our proposed new PDO-SFCM scheme consistently greatly improves the acceptance rate, reduces the end-to-end delay, and lowers the migration cost in comparison with DRL baselines under different prediction settings. Our proposed new scheme can significantly leverage the SAGIN performance by the devised foundation-level time-series prediction and learning-based orchestration mechanisms.	10.1109/TNSM.2026.3694203
Xingyu He, Nianci Li, Panxing Huang, Chunhua Gu, Guisong Yang, Yunhuai Liu	Dynamic Spatiotemporal Dual-Encoder Transformer for Long-Term Traffic Prediction in LEO Satellite Networks	2026	Early Access	Satellites Modeling Low earth orbit satellites	Accurate long-term traffic prediction in Low Earth Orbit (LEO) satellite networks is essential for proactive resource allocation and congestion avoidance, yet remains challenging due to highly dynamic topologies, intermittent connectivity, and scarce real traffic data. Existing approaches are largely limited to short-term prediction or assume static spatial dependencies, making them inadequate for non-stationary LEO environments. To address these challenges, this paper proposes DST-DEformer, a dynamic spatial–temporal Transformer framework that jointly models evolving inter-satellite topology and multi-scale temporal dependencies. Specifically, a topology-adaptive graph convolution module captures time-varying spatial correlations, while a dual temporal encoder decouples long-term global trend modeling from short-term local fluctuation learning. In addition, a hybrid simulation–calibration framework is developed to generate realistic satellite traffic by incorporating orbital dynamics, demographic information, and real-world traffic trends. Extensive experiments on simulated LEO satellite traffic and the PEMS08 benchmark show that DST-DEformer consistently outperforms state-of-the-art methods in long-term prediction, achieving 4%-13% reductions in MSE and MAE and significantly slower error accumulation as the prediction horizon increases. These results demonstrate the effectiveness and robustness of DST-DEformer for long-term traffic prediction under dynamic network topologies.	10.1109/TNSM.2026.3693648
Jiahang Pu, Hongyu Ye, Jing Cheng, Feng Shan, Runqun Xiong	Balancing Timeliness and Accuracy: A Hybrid Data-Control Plane Framework for Volumetric DDoS Defense in IoT	2026	Early Access	Modeling Internet of Things Planing	Resource-constrained IoT devices in Industrial Internet environments are highly vulnerable to DDoS attacks due to infrequent security updates and insufficient built-in protection mechanisms. Existing defense solutions primarily rely on external filtering servers or programmable switches, but these approaches fail to simultaneously meet the stringent real-time performance and high accuracy requirements of industrial applications. To address these limitations, we propose a novel cross-plane defense framework that exploits the temporal invariance characteristics of attack traffic patterns. In the data plane, an adaptive variance threshold mechanism immediately mitigates high-volume, low-variance traffic flows, while a bidirectional dual-hash table captures low-collision flow features for efficient export to the control plane. The control plane constructs temporally-enhanced flow sequences that enable deep learning models to perform accurate attack detection, subsequently directing the data plane to block identified malicious sources. We implemented and evaluated a prototype of this framework on a software switch platform using both real-world attack datasets and custom-generated traffic patterns. Experimental results demonstrate that our framework successfully mitigates 86% of attack traffic within milliseconds and achieves complete source blocking within 52 seconds. Compared to baseline methods, our framework can effectively counter both DoS and DDoS attacks without generating false positives on benign traffic.	10.1109/TNSM.2026.3693266
Awaneesh Kumar Yadav, Madhusanka Liyanage, An Braeken	An Improved and Provably Secure EDHOC Protocol Supporting the Extended Canetti–Krawczyk (eCK) Security Model	2026	Early Access	Aerospace and electronic systems Telemetry Central Processing Unit	Transport Layer Security (TLS) is considered to be the most used standard security protocol for the Internet of Things (IoT). However, as TLS was originally designed for computer networks, it is not optimal with respect to efficiency. Therefore, a new protocol called Object Security for Constrained RESTful Environments (OSCORE) has been standardized for securing constrained devices. Currently, the Ephemeral Diffie Hellman Over COSE (EDHOC) protocol, which is a key exchange protocol to define a session key used in OSCORE, is also in the process of being standardized. This paper shows that the four authentication modes of the EDHOC protocol are vulnerable in the extended Canetti–Krawczyk (eCK) security model, which is a common security model used in IoT. In addition, also resistance to Distributed Denial of Service (DDoS) attacks is weak. Taking this into account, we propose two new variants of EDHOC. The first variant, EDHOC2, is able to overcome both issues but has a slightly higher cost for communication, computation, storage, and energy consumption. The second variant, EDHOC3, offers only additional protection in the eCK security model and has, on average, similar, even better performance in one authentication mode, compared to EDHOC. Additionally, the Real-Or-Random (ROR) logic and Scyther validation tool are employed to ensure the security of the designed variants. Furthermore, a prototype implementation is conducted to demonstrate the real-time deployment of the designed versions.	10.1109/TNSM.2026.3690530
Ashely Li, Jeffrey Chang, Steven S. W. Lee	Modeling and Optimization Algorithm for Capacity Planning in Hose Model VPN Networks	2026	Early Access		Hose-based VPNs offer greater bandwidth flexibility, as they allow traffic to and from a hose endpoint to be arbitrarily distributed across other endpoints. Existing studies on hose-based VPNs have primarily focused on VPN provisioning algorithms, while optimal capacity planning for hose-based VPN networks remains largely unexplored. Given budget constraints and forecasts of future bandwidth demands at VPN endpoints, the capacity planning problem requires the joint optimization of routing decisions and link capacity allocation. Although the problem can be formulated as a nonlinear programming model, its nonconvex nature makes direct solution computationally challenging. To address this issue, we reformulate the problem as a sequence of linear programming problems and develop a solution framework based on a water-filling algorithm. For any defined budget and relative tolerance, the proposed algorithm yields a near-optimal solution where the network expansion cost stays within the allowed margin. Numerical results demonstrate that the proposed approach efficiently solves the hose-based VPN capacity planning problem within practical computation time.	10.1109/TNSM.2026.3694390
Devanshu Anand, Gabriel-Miro Muntean	Mitigating Interferences in 5G O-RAN HetNets Through ML-Driven xAPP to Enhance Users’ QoS	2026	Vol. 23, Issue	Interference 5G mobile communication Quality of service	In today’s rapidly evolving telecommunications landscape, the demand for seamless connectivity and top-tier network performance has reached unprecedented levels. Traditional cellular systems, while valiant in their service, now struggle under the weight of spiraling data demands, spectrum scarcity, and power inefficiency. The era of ultra-dense mobile networks, with Heterogeneous Networks (HetNets) at the forefront, ushers in improved throughput, spectral efficiency, and energy management. To tackle these challenges, this paper introduces MLCIMO (Machine Learning-enhanced Classification for Interference Management and Offloading) into 5G HetNets. MLCIMO employs a multi-binary classification strategy to categorize users based on interference types and levels. It also introduces an offloading scheme tailored to user service priorities, enhancing the user quality of experience, while conserving energy. It seamlessly aligns with the evolving needs of the HetNets, addressing some of the issues introduced by small cell deployments. Simulation results show that MLCIMO achieves the highest throughput, shortest delay, and lowest packet loss ratio in comparison with alternative approaches. In a comprehensive analysis, the varying degrees of interference encountered by users under different schemes are unveiled, further establishing MLCIMO’s distinguished position in mitigating interference.	10.1109/TNSM.2026.3667462
Mahnoor Sajid, Mohib Ullah Khan, KyungHi Chang	Intelligent Xn-Based Energy-Aware Handover Optimization in 5G Networks via NWDAF-Orchestrated Agent Framework	2026	Vol. 23, Issue	Handover 5G mobile communication Quality of service	Energy-aware mobility management in dense Fifth Generation (5G) networks is increasingly challenged by frequent handovers and unnecessary activation of sleeping next-generation NodeBs (gNBs), which lead to excessive energy consumption and degraded mobility reliability. Conventional Xn-based handover schemes rely on static radio thresholds and implicitly assume always-active gNBs, while existing NWDAF-enabled approaches improve stability but do not explicitly account for energy costs during handover execution. To address these limitations, this paper proposes the Intelligent Energy-Aware Handover Framework (IEAHF), a NWDAF-orchestrated architecture that integrates coordinated agent-based control for energy-aware mobility management. The proposed framework introduces an Energy-Aware Handover Optimization Agent (EA-HOA) to guide reliability-driven handover decisions and a Handover Energy Evaluation Agent (HEEA) to assess the energy impact of candidate handover actions, with both agents operating within a closed-loop control process enforced through Operations, Administration, and Maintenance (OAM). By reformulating handover success to incorporate energy inefficiency and enabling per-handover gNB energy reasoning at decision time, IEAHF jointly optimizes service continuity and energy efficiency. System-level simulations demonstrate that the proposed Agent-NWDAF configuration consistently outperforms baseline and analytics-only schemes, achieving tightly concentrated Energy-Aware Handover Success Rates of approximately 0.98, reducing the Energy-Aware Handover Failure Rate to the range of 0.007–0.015, and delivering up to a 32% reduction in average gNB power consumption relative to an always-on baseline. These results indicate that IEAHF provides a scalable and effective solution for energy-efficient mobility management in 5G networks and establishes a foundation for energy-aware handover control in future Sixth Generation (6G) systems.	10.1109/TNSM.2026.3668238
Jesus Omaña Iglesias, Carlos Segura Perales, Stefan Geißler, Diego Perino, Andra Lutu	Anomaly Detection for IoT Global Connectivity	2026	Vol. 23, Issue	Internet of Things Anomaly detection Ecosystems	Internet of Things (IoT) application providers rely on Mobile Network Operators (MNOs) and roaming infrastructures to deliver their services globally. In this complex ecosystem, where the end-to-end communication path traverses multiple entities, it became increasingly challenging to guarantee communication availability and reliability. Further, most platform operators use a reactive approach to communication issues, responding to user complaints only after incidents have become severe, compromising service quality. This paper presents our experience in the design and deployment of ANCHOR–an unsupervised anomaly detection solution for the IoT connectivity service of a large global roaming platform. ANCHOR assists engineers by filtering vast amounts of data to identify potential problematic clients (i.e., those with connectivity issues affecting several of their IoT devices), enabling proactive issue resolution before the service is critically impacted. We first describe the IoT service, infrastructure, and network visibility of the IoT connectivity provider we operate. Second, we describe the main challenges and operational requirements for designing an unsupervised anomaly detection solution on this platform. Following these guidelines, we propose different statistical rules, and machine- and deep-learning models for IoT verticals anomaly detection based on passive signaling traffic. We describe the steps we followed working with the operational teams on the design and evaluation of our solution on the operational platform, and report an evaluation on operational IoT customers.	10.1109/TNSM.2026.3666123
Ke Wu, Yaguang Lin, Xiaoming Wang, Liang Wang	Multimodal Learning-Based Relational Graph Neural Networks for Social Bot Detection	2026	Vol. 23, Issue	Chatbots Feature extraction Social networking (online)	Social bots are virtual accounts controlled by automated programs that can disseminate harmful content on social media and even manipulate public opinion. Social bot detection aims to identify bot accounts, which is crucial for maintaining a healthy online ecosystem. However, advances in multimedia technology and smart device prevalence have diversified user-generated social media content, which now encompasses text, images, videos, and more. Effectively leverage multimodal content for robust social bot detection presents a significant research challenge. Furthermore, existing detection methods often overlook the latent social relationships, which we believe can significantly enhance bot detection. To address the issues, in this paper we propose a novel approach for social bot detection that comprehensively leverages users’ multimodal information. Specifically, we first develop an adaptive multimodal fusion mechanism capable of effectively integrating heterogeneous modal information under imbalanced data distributions to obtain more discriminative user representations. Second, we design a latent social relationship mining algorithm that reconstructs more complete social graphs to enhance the objectivity and completeness of user multimodal representations. Finally, on the basis of our proposed multimodal information fusion mechanism and latent social relationship mining algorithm, we design a new social bot detection model. We conduct extensive experiments on the TwiBot-20 dataset, demonstrating superior performance over baseline methods with significant improvements in both detection accuracy and F1-score. Comprehensive ablation studies and dimensionality-reduced visualizations of user representations further validate the critical role of multimodal information and the effectiveness of our proposed model.	10.1109/TNSM.2026.3667016
Fernando Martinez-Lopez, Lesther Santana, Mohamed Rahouti, Abdellah Chehri, Shawqi Al-Maliki, Gwanggil Jeon	Learning in Multiple Spaces: Prototypical Few-Shot Learning With Metric Fusion for Next-Generation Network Security	2026	Vol. 23, Issue	Measurement Prototypes Extraterrestrial measurements	As next-generation communication networks increasingly rely on AI-driven automation, ensuring robust and secure intrusion detection becomes critical, especially under limited labeled data. In this context, we introduce Multi-Space Prototypical Learning (MSPL), a few-shot intrusion detection framework that improves prototype-based classification by fusing complementary metric-induced spaces (Euclidean, Cosine, Chebyshev, and Wasserstein) via a constrained weighting mechanism. MSPL further enhances stability through Polyak-averaged prototype generation and balanced episodic training to mitigate class imbalance across diverse attack categories. In a few-shot setting with as few as 200 training samples, MSPL consistently outperforms single-metric baselines across three benchmarks: on CICEVSE Network2024, AUPRC improves from 0.3719 to 0.7324 and F1 increases from 0.4194 to 0.8502; on CICIDS2017, AUPRC improves from 0.4319 to 0.4799; and on CICIoV2024, AUPRC improves from 0.5881 to 0.6144. These results demonstrate that multi-space metric fusion yields more discriminative and robust representations for detecting rare and emerging attacks in intelligent network environments.	10.1109/TNSM.2026.3665647
Adel Chehade, Edoardo Ragusa, Paolo Gastaldo, Rodolfo Zunino	Hardware-Aware Neural Architecture Search for Encrypted Traffic Classification on Resource-Constrained Devices	2026	Vol. 23, Issue	Accuracy Computational modeling Cryptography	This paper presents a hardware-efficient deep neural network (DNN), optimized through hardware-aware neural architecture search (HW-NAS); the DNN supports the classification of session-level encrypted traffic on resource-constrained Internet of Things (IoT) and edge devices. Thanks to HW-NAS, a 1D convolutional neural network (CNN) is tailored on the ISCX VPN-nonVPN dataset to meet strict memory and computational limits while achieving robust performance. The optimized model attains an accuracy of 96.60% with just 88.26K parameters, 10.08M floating-point operations (FLOPs), and a maximum tensor size of 20.12K. Compared to state-of-the-art (SOTA) models, it achieves reductions of up to 444-fold, 312-fold, and 15-fold in these metrics, respectively, significantly minimizing memory footprint and runtime requirements. The model also demonstrates versatility, achieving up to 99.86% across multiple VPN and traffic classification (TC) tasks; it further generalizes to external benchmarks with up to 99.98% accuracy on USTC-TFC and QUIC NetFlow. In addition, an in-depth approach to header-level preprocessing strategies confirms that the optimized model can provide notable performance across a wide range of configurations, even in scenarios with stricter privacy considerations. Likewise, a reduction in the length of sessions of up to 75% yields significant improvements in efficiency while maintaining high accuracy with only a negligible drop of 1-2%. However, the importance of careful preprocessing and session length selection in the classification of raw traffic data is still present, as improper settings or aggressive reductions can bring about a 7% reduction in overall accuracy. The quantized architecture was deployed on STM32 microcontrollers and evaluated across input sizes; results confirm that the efficiency gains from shorter sessions translate to practical, low-latency embedded inference. These findings demonstrate the method’s practicality for encrypted traffic analysis in constrained IoT networks.	10.1109/TNSM.2026.3666676